Axel Küpper

Awid Vaziry, Sandro Rodriguez Garzon, Axel Küpper

This research article presents a novel architecture to empower multi-agent economies by addressing two critical limitations of the emerging Agent2Agent (A2A) communication protocol: decentralized agent discoverability and agent-to-agent micropayments. By integrating distributed ledger technology (DLT), this architecture enables tamper-proof, on-chain publishing of AgentCards as smart contracts, providing secure and verifiable agent identities. The architecture further extends A2A with the x402 open standard, facilitating blockchain-agnostic, HTTP-based micropayments via the HTTP 402 status code. This enables autonomous agents to seamlessly discover, authenticate, and compensate each other across organizational boundaries. This work further presents a comprehensive technical implementation and evaluation, demonstrating the feasibility of DLT-based agent discovery and micropayments. The proposed approach lays the groundwork for secure, scalable, and economically viable multi-agent ecosystems, advancing the field of agentic AI toward trusted, autonomous economic interactions.

Sandro Rodriguez Garzon, Awid Vaziry, Enis Mert Kuzu et al.

A fundamental limitation of current LLM-based AI agents is their inability to build differentiated trust among each other at the onset of an agent-to-agent dialogue. However, autonomous and interoperable trust establishment becomes essential once agents start to operate beyond isolated environments and engage in dialogues across individual or organizational boundaries. A promising way to fill this gap in Agentic AI is to equip agents with long-lived digital identities and introduce tamper-proof and flexible identity-bound attestations of agents, provisioned by commonly trusted third parties and designed for cross-domain verifiability. This article presents a conceptual framework and a prototypical multi-agent system, where each agent is endowed with a self-sovereign digital identity. It combines a unique and ledger-anchored W3C Decentralized Identifier (DID) of an agent with a set of third-party issued W3C Verifiable Credentials (VCs). This enables agents at the start of a dialog to prove ownership of their self-controlled DIDs for authentication purposes and to establish various cross-domain trust relationships through the spontaneous exchange of their self-hosted DID-bound VCs. A comprehensive evaluation of the prototypical implementation demonstrates technical feasibility but also reveals limitations once an agent's LLM is in sole charge to control the respective security procedures.

Sandro Rodriguez Garzon, Carlo Segat, Axel Küpper

A Decentralized Identifier (DID) empowers an entity to prove control over a unique and self-issued identifier without relying on any identity provider. The public key material for the proof is encoded into an associated DID document (DDO). This is preferable shared via a distributed ledger because it guarantees algorithmically that everyone has access to the latest state of any tamper-proof DDO but only the entities in control of a DID are able to update theirs. Yet, it is possible to grant deputies the authority to update the DDO on behalf of the DID owner. However, the DID specification leaves largely open on how authorizations over a DDO are managed and enforced among multiple deputies. This article investigates what it means to govern a DID and discusses various forms of how a DID can be controlled by potentially more than one entity. It also presents a prototype of a DID-conform identifier management system where a selected set of governance policies are deployed as Smart Contracts. The article highlights the critical role of governance for the trustworthy and flexible deployment of ledger-anchored DIDs across various domains.

Thomas Cory, Axel Küpper

Automated privacy audits of web and mobile applications often analyse outbound HTTP traffic to detect Personally Identifiable Information (PII) leakage. However, existing learning-based detectors typically depend on scarce, manually labelled traffic and are tightly coupled to fixed label taxonomies, limiting transferability across domains and evolving definitions of PII. This paper investigates whether Large Language Models (LLMs) can support taxonomy-agnostic annotation of explicitly transmitted PII values in HTTP message bodies when the taxonomy is provided at runtime. We introduce a multi-stage LLM-based pipeline that combines deterministic pre-processing with label-level classification, targeted instance-level value annotation, and output validation. To enable controlled evaluation and exemplar-based prompting without relying on sensitive real-user captures, we further propose an LLM-based generator for synthetic HTTP traffic with manually validated, taxonomy-derived PII annotations. We evaluate the approach across three taxonomies spanning different PII domains and granularity levels. Results show that the pipeline accurately detects PII types and extracts corresponding values for concrete PII taxonomies. Overall, our findings position LLMs as a promising foundation for flexible, taxonomy-agnostic traffic annotation and for creating labelled data under evolving privacy taxonomies.

Wolf Rieder, Philip Raschke, Thomas Cory et al.

Web tracking is an omnipresent phenomenon in today's web, affecting users in their day-to-day lives. Filter lists and blockers were invented to detect trackers and to protect users. Due to limitations of said tools, researchers developed web tracker detectors to replace them. No review constructed a universal perspective and classification of web tracker detectors until now. Past reviews focused either on the field as a whole or on web tracking techniques. In this SoK paper, we present the most comprehensive meta-science study on web tracker detection by systematizing and synthesizing the available knowledge. We conduct a systematic review, resulting in 59 primary and 16 supplementary studies out of a corpus of 832 papers. Based on these findings we suggest a taxonomy, observe and evaluate trends, propose open research gaps, and recommendations with which we aim to lay the foundations for future web tracker detection research. In addition, we conduct a limited reproducibility study to assess the validity of past studies and highlight emerging problems in this field.

Thomas Cory, Wolf Rieder, Julia Krämer et al.

Ensuring transparency of data practices related to personal information is a fundamental requirement under the General Data Protection Regulation (GDPR), particularly as mandated by Articles 13 and 14. However, assessing compliance at scale remains a challenge due to the complexity and variability of privacy policy language. Manual audits are resource-intensive and inconsistent, while existing automated approaches lack the granularity needed to capture nuanced transparency disclosures. In this paper, we introduce a large language model (LLM)-based framework for word-level GDPR transparency compliance annotation. Our approach comprises a two-stage annotation pipeline that combines initial LLM-based annotation with a self-correction mechanism for iterative refinement. This annotation pipeline enables the systematic identification and fine-grained annotation of transparency-related content in privacy policies, aligning with 21 GDPR-derived transparency requirements. To enable large-scale analysis, we compile a dataset of 703,791 English-language policies, from which we generate a sample of 200 manually annotated privacy policies. To evaluate our approach, we introduce a two-tiered methodology assessing both label- and span-level annotation performance. We conduct a comparative analysis of eight high-profile LLMs, providing insights into their effectiveness in identifying GDPR transparency disclosures. Our findings contribute to advancing the automation of GDPR compliance assessments and provide valuable resources for future research in privacy policy analysis.

Boris Lorbeer, Axel Küpper

We live in a world full of complex systems which we need to improve our understanding of. To accomplish this, purely probabilistic investigations are often not enough. They are only the first step and must be followed by learning the system's underlying mechanisms. This is what the discipline of causality is concerned with. Many of those complex systems contain feedback loops which means that our methods have to allow for cyclic causal relations. Furthermore, systems are rarely sufficiently isolated, which means that there are usually hidden confounders, i.e., unmeasured variables that each causally affects more than one measured variable. Finally, data is often distorted by contaminating processes, and we need to apply methods that are robust against such distortions. That's why we consider the robustness of LLC, see \cite{llc}, one of the few causal analysis methods that can deal with cyclic models with hidden confounders. Following a theoretical analysis of LLC's robustness properties, we also provide robust extensions of LLC. To facilitate reproducibility and further research in this field, we make the source code publicly available.

Martin Westerkamp, Axel Küpper

Cross-Blockchain communication has gained traction due to the increasing fragmentation of blockchain networks and scalability solutions such as side-chaining and sharding. With SmartSync, we propose a novel concept for cross-blockchain smart contract interactions that creates client contracts on arbitrary blockchain networks supporting the same execution environment. Client contracts mirror the logic and state of the original instance and enable seamless on-chain function executions providing recent states. Synchronized contracts supply instant read-only function calls to other applications hosted on the target blockchain. Hereby, current limitations in cross-chain communication are alleviated and new forms of contract interactions are enabled. State updates are transmitted in a verifiable manner using Merkle proofs and do not require trusted intermediaries. To permit lightweight synchronizations, we introduce transition confirmations that facilitate the application of verifiable state transitions without re-executing transactions of the source blockchain. We prove the concept's soundness by providing a prototypical implementation that enables smart contract forks, state synchronizations, and on-chain validation on EVM-compatible blockchains. Our evaluation demonstrates SmartSync's applicability for presented use cases providing access to recent states to third-party contracts on the target blockchain. Execution costs scale sub-linearly with the number of value updates and depend on the depth and index of corresponding Merkle proofs.

Boris Lorbeer, Tanja Deutsch, Peter Ruppel et al.

This paper describes a new method, HMM gauge likelihood analysis, or GLA, of detecting anomalies in discrete time series using Hidden Markov Models and clustering. At the center of the method lies the comparison of subsequences. To achieve this, they first get assigned to their Hidden Markov Models using the Baum-Welch algorithm. Next, those models are described by an approximating representation of the probability distributions they define. Finally, this representation is then analyzed with the help of some clustering technique or other outlier detection tool and anomalies are detected. Clearly, HMMs could be substituted by some other appropriate model, e.g. some other dynamic Bayesian network. Our learning algorithm is unsupervised, so it does not require the labeling of large amounts of data. The usability of this method is demonstrated by applying it to synthetic and real-world syslog data.

Begüm İlke Zilci, Mathias Slawik, Axel Küpper

Service requesters with limited technical knowledge should be able to compare services based on their quality of service (QoS) requirements in cloud service marketplaces. Existing service matching approaches focus on QoS requirements as discrete numeric values and intervals. The analysis of existing research on non-functional properties reveals two improvement opportunities: list-typed QoS properties as well as explicit handling of preferences for lower or higher property values. We develop a concept and constraint models for a service matcher which contributes to existing approaches by addressing these issues using constraint solvers. The prototype uses an API at the standardisation stage and discovers implementation challenges. This paper concludes that constraint solvers provide a valuable tool to solve the service matching problem with soft constraints and are capable of covering all QoS property types in our analysis. Our approach is to be further investigated in the application context of cloud federations.

Mathias Slawik, Begüm İlke Zilci, Fabian Knaack et al.

When trying to discover, assess, and select cloud services, companies face many challenges, such as fast-moving markets, vast numbers of offerings, and highly ambiguous selection criteria. This publication presents the Open Service Compendium (OSC), an information system which supports businesses in their discovery, assessment and cloud service selection by offering a simple dynamic service description language, business-pertinent vocabularies, as well as matchmaking functionality. It contributes to the state of the art by offering a more practical, mature, simple, and usable approach than related works.