Table of Contents
Fetching ...

NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion

Muhammad Bilal, Omer Tariq, Hasan Ahmed

TL;DR

NOS-Gate tackles the challenge of detecting intrusions on encrypted traffic at stand-alone consumer gateways by using a metadata-only, streaming IDS. It employs a per-flow two-state Network-Optimised Spiking (NOS) unit driven by an evidence signal from online normalized metadata, with a persistence-based alarm and a reversible WFQ gating action to mitigate suspected flows. The authors introduce a reproducible worlds benchmark to evaluate detection and queue impact under explicit timing-controlled evasion budgets, calibrated without labels. Empirically, NOS-Gate achieves higher incident recall at a strict 0.1% benign false-positive rate and reduces tail queue delays in replay, while maintaining a small and stable per-window compute cost, supporting practical gateway deployment. The work provides a falsifiable evaluation protocol and demonstrates how detection can be effectively coupled to queue-aware mitigation in resource-constrained gateway environments.

Abstract

Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named NOS-Gate. NOS-Gate scores fixed-length windows of metadata features and, under a $K$-of-$M$ persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable 'worlds' benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved $0.1%$ false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for the best baseline in these runs. Under gating, it reduces p99.9 queueing delay and p99.9 collateral delay with a mean scoring cost of ~ 2.09 μs per flow-window on CPU.

NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion

TL;DR

NOS-Gate tackles the challenge of detecting intrusions on encrypted traffic at stand-alone consumer gateways by using a metadata-only, streaming IDS. It employs a per-flow two-state Network-Optimised Spiking (NOS) unit driven by an evidence signal from online normalized metadata, with a persistence-based alarm and a reversible WFQ gating action to mitigate suspected flows. The authors introduce a reproducible worlds benchmark to evaluate detection and queue impact under explicit timing-controlled evasion budgets, calibrated without labels. Empirically, NOS-Gate achieves higher incident recall at a strict 0.1% benign false-positive rate and reduces tail queue delays in replay, while maintaining a small and stable per-window compute cost, supporting practical gateway deployment. The work provides a falsifiable evaluation protocol and demonstrates how detection can be effectively coupled to queue-aware mitigation in resource-constrained gateway environments.

Abstract

Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named NOS-Gate. NOS-Gate scores fixed-length windows of metadata features and, under a -of- persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable 'worlds' benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for the best baseline in these runs. Under gating, it reduces p99.9 queueing delay and p99.9 collateral delay with a mean scoring cost of ~ 2.09 μs per flow-window on CPU.
Paper Structure (29 sections, 20 equations, 3 figures, 4 tables, 1 algorithm)

This paper contains 29 sections, 20 equations, 3 figures, 4 tables, 1 algorithm.

Figures (3)

  • Figure 1: Online, the gateway windows metadata-only traffic, updates NOS-Gate state $(v,u)$, applies burn-in quantile thresholding and a $K$-of-$M$ persistence rule to produce an actionable flag $z_{i,t}$, and temporarily reduces WFQ weight $\omega_0\!\to\!\omega_-$ for $T_g$. Offline, worlds generates trace-driven traffic and labels, runs the same runtime to log gating decisions, and replays WFQ to report detection metrics and queue-tail and collateral outcomes; labels are used only for reporting. Solid arrows: deployed online loop. Dashed arrows: offline evaluation harness.
  • Figure 2: Detection under the strict false-alarm budget. Panels (a) and (b) show per-world behaviour and latency dispersion, not only pooled totals. Panel (c) summarises episode-level discordants (NOS-Gate only vs baseline), pooled across worlds.
  • Figure 3: Action-level evaluation under the strict operating point ($\text{FPR}=0.1\%$). NOS-Gate is the only method that improves both queue-tail delay and collateral tail delay while maintaining the highest incident recall under the same label-free calibration protocol. Delays are reported in ms (raw logs are in $\mu$s).