Sokratis Katsikas

CR | h-index: 13 | 6 papers | 13 citations | Novelty: 33% | AI Score: 42

6 Papers

LG | Jul 26, 2024 | Code
Impact of Recurrent Neural Networks and Deep Learning Frameworks on Real-time Lightweight Time Series Anomaly Detection

Ming-Chang Lee, Jia-Chun Lin, Sokratis Katsikas

Real-time lightweight time series anomaly detection has become increasingly crucial in cybersecurity and many other domains. Its ability to adapt to unforeseen pattern changes and swiftly identify anomalies enables prompt responses and critical decision-making. While several such anomaly detection approaches have been introduced in recent years, they primarily utilize a single type of recurrent neural networks (RNNs) and have been implemented in only one deep learning framework. It is unclear how the use of different types of RNNs available in various deep learning frameworks affects the performance of these anomaly detection approaches due to the absence of comprehensive evaluations. Arbitrarily choosing an RNN variant and a deep learning framework to implement an anomaly detection approach may not reflect its true performance and could potentially mislead users into favoring one approach over another. In this paper, we aim to study the influence of various types of RNNs available in popular deep learning frameworks on real-time lightweight time series anomaly detection. We reviewed several state-of-the-art approaches and implemented a representative anomaly detection approach using well-known RNN variants supported by three widely recognized deep learning frameworks. A comprehensive evaluation is then conducted to analyze the performance of each implementation across real-world, open-source time series datasets. The evaluation results provide valuable guidance for selecting the appropriate RNN variant and deep learning framework for real-time, lightweight time series anomaly detection.

CR | May 8 | Code
From Conceptual Scaffold to Prototype: A Standardized Zonal Architecture for Wi-Fi Security Training

Vyron Kampourakis, Efstratios Chatzoglou, Vasileios Gkioulos et al.

Wi-Fi is the dominant wireless access technology, but its widespread use also exposes systems to threats such as rogue access points, deauthentication attacks, and other IEEE 802.11-specific vulnerabilities. Although Cyber Ranges (CRs) have become valuable platforms for cybersecurity training and experimentation, existing wireless-oriented solutions mainly target heterogeneous IoT or mobile-network settings, with Wi-Fi typically treated as one among many. As a result, dedicated CR environments for Wi-Fi-specific security experimentation remain limited. This gap is particularly relevant because wireless attacks often require protocol-aware experimentation that is difficult to reproduce in conventional training environments. This paper introduces a conceptual architecture for a Wi-Fi-focused CR tailored to IEEE 802.11 security scenarios and an open-source prototype. The proposed design is grounded in established CR design principles and organized around core infrastructure, learning management and support, monitoring, management, and access-control zones. Structuring the platform into these distinct zones, the architecture supports modularity, scalability, and future extensibility. Part of the design is realized in a prototype publicly available in a GitHub repository that implements the scenario generation, storage, retrieval, and instantiation workflow, offering an initial practical foundation for the proposed architecture. Overall, the paper provides a structured foundation for the future implementation of Wi-Fi-specialized CR platforms for targeted experimentation.

CR | Apr 4
Systematic Integration of Digital Twins and Constrained LLMs for Interpretable Cyber-Physical Anomaly Detection

Konstantinos E. Kampourakis, Vasileios Gkioulos, Sokratis Katsikas

Cyber attacks targeting Industrial Control Systems (ICS) have become increasingly sophisticated and hard to identify. Detecting such attacks requires integrating low-level behavioral cues with high-level semantic interpretation, a capability that traditional anomaly detectors lack. This paper presents a Digital Twin (DT)-driven hybrid detection approach that combines deterministic heuristics with systematic, constrained Large Language Model (LLM) reasoning to achieve real-time incident detection. The DT maintains a synchronized, feature-enriched representation of the Secure Water Treatment (SWaT) process, deriving behavioral descriptors. Heuristics identify characteristic signatures of spoofing, valve forcing, denial-of-service, and bias drift, while the LLM is invoked only when heuristics abstain. A constrained JSON schema and semantic plausibility filters ensure physically consistent LLM outputs, and a temporal smoothing layer stabilizes the final decision signal. Evaluation on four canonical SWaT attack scenarios shows that the proposed detector precisely localizes each attack interval with low time-to-detect and zero False Positives (FPs) in the evaluated benign region. Results are consistent across both a local LLaMA model and a cloud-based GPT model, demonstrating the robustness of the constrained hybrid architecture. The findings highlight the potential of DT-guided LLM reasoning as a reliable and interpretable approach to ICS anomaly detection.

SP | May 4, 2024 | Code
GAD: A Real-time Gait Anomaly Detection System with Online Adaptive Learning

Ming-Chang Lee, Jia-Chun Lin, Sokratis Katsikas

Gait anomaly detection is a task that involves detecting deviations from a person's normal gait pattern. These deviations can indicate health issues and medical conditions in the healthcare domain, or fraudulent impersonation and unauthorized identity access in the security domain. A number of gait anomaly detection approaches have been introduced, but many of them require offline data preprocessing, offline model learning, setting parameters, and so on, which might restrict their effectiveness and applicability in real-world scenarios. To address these issues, this paper introduces GAD, a real-time gait anomaly detection system. GAD focuses on detecting anomalies within an individual's three-dimensional accelerometer readings based on dimensionality reduction and Long Short-Term Memory (LSTM). Upon being launched, GAD begins collecting a gait segment from the user and training an anomaly detector to learn the user's walking pattern on the fly. If the subsequent model verification is successful, which involves validating the trained detector using the user's subsequent steps, the detector is employed to identify abnormalities in the user's subsequent gait readings at the user's request. The anomaly detector will be retained online to adapt to minor pattern changes and will undergo retraining as long as it cannot provide adequate prediction. We explored two methods for capturing users' gait segments: a personalized method tailored to each individual's step length, and a uniform method utilizing a fixed step length. Experimental results using an open-source gait dataset show that GAD achieves a higher detection accuracy ratio when combined with the personalized method.

CR | Nov 18, 2020
A Privacy-Preserving Healthcare Framework Using Hyperledger Fabric

Charalampos Stamatellis, Pavlos Papadopoulos, Nikolaos Pitropakis et al.

Electronic health record (EHR) management systems require the adoption of effective technologies when health information is being exchanged. Current management approaches often face risks that may expose medical record storage solutions to common security attack vectors. However, healthcare-oriented blockchain solutions can provide a decentralized, anonymous and secure EHR handling approach. This paper presents PREHEALTH, a privacy-preserving EHR management solution that uses distributed ledger technology and an Identity Mixer (Idemix). The paper describes a proof-of-concept implementation that uses the Hyperledger Fabric's permissioned blockchain framework. The proposed solution is able to store patient records effectively whilst providing anonymity and unlinkability. Experimental performance evaluation results demonstrate the scheme's efficiency and feasibility for real-world scale deployment.

CR | Aug 14, 2020
Privacy Preserving Passive DNS

Pavlos Papadopoulos, Nikolaos Pitropakis, William J. Buchanan et al.

The Domain Name System (DNS) was created to resolve the IP addresses of the web servers to easily remembered names. When it was initially created, security was not a major concern; nowadays, this lack of inherent security and trust has exposed the global DNS infrastructure to malicious actors. The passive DNS data collection process creates a database containing various DNS data elements, some of which are personal and need to be protected to preserve the privacy of the end users. To this end, we propose the use of distributed ledger technology. We use Hyperledger Fabric to create a permissioned blockchain, which only authorized entities can access. The proposed solution supports queries for storing and retrieving data from the blockchain ledger, allowing the use of the passive DNS database for further analysis, e.g. for the identification of malicious domain names. Additionally, it effectively protects the DNS personal data from unauthorized entities, including the administrators that can act as potential malicious insiders, and allows only the data owners to perform queries over these data. We evaluated our proposed solution by creating a proof-of-concept experimental setup that passively collects DNS data from a network and then uses the distributed ledger technology to store the data in an immutable ledger, thus providing a full historical overview of all the records.