English

NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion

Cryptography and Security 2026-01-05 v1 Machine Learning Networking and Internet Architecture

Abstract

Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named NOS-Gate. NOS-Gate scores fixed-length windows of metadata features and, under a KK-of-MM persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable 'worlds' benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved 0.10.1% false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for the best baseline in these runs. Under gating, it reduces p99.9 queueing delay and p99.9 collateral delay with a mean scoring cost of ~ 2.09 {\mu}s per flow-window on CPU.

Keywords

Cite

@article{arxiv.2601.00389,
  title  = {NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion},
  author = {Muhammad Bilal and Omer Tariq and Hasan Ahmed},
  journal= {arXiv preprint arXiv:2601.00389},
  year   = {2026}
}

Comments

9 pages, 3 figures, 4 tables

R2 v1 2026-07-01T08:47:54.462Z