37.4 NI Jun 3
Bridging High-Level Intent and Network Execution: Detecting Violations and Intent Drift Through Low-Level Traffic Analysis
Tonia Haikal, Shereen Ismail, Eman Hammad
Intent-Based Networking (IBN) forms a core management pillar for autonomous 6G networks by translating high-level administrative goals into autonomous configurations, yet a critical validation gap persists between declarative intent and data-plane execution. This paper investigates this gap by formalizing low-level flow headers into standardized 7-tuple vectors, establishing an Internal Low-Level Intent (ILI) telemetry interface. Leveraging an empirical dataset of 100.91 million flow records from a distributed honeynet, we evaluate three administrative policy regimes (Strict, Balanced, and Permissive) across two metrics: Policy Violations ($V$) and Intent Drift ($D$). Our results expose a distinct Compliance Paradox: widening policy permissiveness systematically suppresses violation counts, yet the underlying operational intent drift remains mostly invariant. This demonstrates that conventional, violation-centric tracking is unreliable. Furthermore, an empirical case study shows that structural violations in ILI metrics can inform closed-loop orchestrators to dynamically recalculate and enforce low-level rules that maintain high-level operational intent.
8.8 CR May 14
Characterizing AI-Assisted Bot Traffic in Darknet Data: Implications for ICS and IIoT Security
Alex Carbajal, Caleb Faultersack, Jonahtan Vasquez et al.
The rise of automated scanning tools and AI-assisted reconnaissance agents has significantly altered Internet background traffic patterns, threatening the baseline assumptions underlying intrusion detection systems (IDS) deployed in critical infrastructure networks. This paper characterizes the evolution of automated bot traffic by analyzing a longitudinal dataset of 192 million passive darknet packets captured across 2021 and 2025 from the Merit ORION Network Telescope. A modular analysis pipeline was developed to compute metrics including average packet rate, global Shannon entropy, inter-arrival time (IAT) burstiness, geographic attribution, and destination port targeting across key industrial protocols. Results reveal a highly distributed yet focused reconnaissance landscape, with traffic targeting ICS-relevant ports nearly doubling from 0.82% to 1.51% over the four-year period. Furthermore, burstiness analysis exposes intentional micro-pacing behaviors (1 ms to 100 ms delays) that allow modern botnets to artificially smooth their overall volume. Our simulated anomaly-based IDS demonstrates that these evasion techniques enable 97.47% of modern bot traffic to bypass standard volumetric thresholds undetected. Compensatory sensitivity tuning triggers a 68.10% false-positive rate, highlighting fundamental visibility and alerting gaps in operational technology (OT) environments.
48.5 CR May 4
Analyzing Unsolicited Internet Traffic: Measuring IoT Security Threats via Network Telescopes
Shereen Ismail, Taelyn Dyer, Raul Martinez et al.
Network telescopes serve as a critical passive monitoring tool for capturing unsolicited Internet traffic, providing insights into global scanning and reconnaissance behavior. This study analyzes a 10-day dataset from January 2025 consisting of approximately 22 million packets collected by the ORION network telescope at Merit Network. By employing privacy-preserving metadata analysis and lightweight behavioral heuristics, we identify scanning and backscatter patterns without payload inspection. Our results reveal a highly structured and centralized ecosystem, in which the top 1% of source IP addresses generate over 81% of total traffic. A significant finding is the dominance of Port 23 (Telnet) and Port 2323 (Telnet Alt), which highlights the persistent nature of IoT security threats and widespread attempts to exploit weak credentials in legacy IoT devices. Furthermore, synchronized surges in packet volume and Shannon entropy indicate coordinated, multi-vector reconnaissance campaigns. These findings offer a practical framework for identifying large-scale threat activity and support cybersecurity research and education.