NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion
Title: NOS-Gate: A Queue-Aware Streaming Intrusion Detection System for Consumer Gateways Against Timing-Controlled Evasion
Abstract:
Encryption does not fully conceal timing and burst patterns, leaving metadata vulnerable to exploitation by adaptive adversaries. This vulnerability compromises the efficacy of metadata-only detection mechanisms deployed on standalone consumer gateways. Consequently, there is a critical need for streaming intrusion detection systems (IDS) capable of analyzing encrypted traffic using only metadata, while operating within stringent CPU and latency constraints. To address this, we introduce NOS-Gate, a streaming IDS designed for standalone gateways. The system employs a lightweight, two-state unit based on Network-Optimised Spiking (NOS) dynamics for each individual flow. NOS-Gate evaluates fixed-length windows of metadata features and, upon meeting a $K$-of-$M$ persistence rule, initiates a reversible mitigation strategy. This strategy temporarily lowers the flow’s weight within a weighted fair queueing (WFQ) framework.
We assess NOS-Gate’s performance against timing-controlled evasion techniques using an executable worlds benchmark. This benchmark defines benign device processes, establishes auditable attacker budgets, outlines contention structures, and facilitates packet-level WFQ replay to measure queueing impacts. All detection methods in our evaluation are calibrated in a label-free manner using burn-in quantile thresholding. Our results, derived from multiple reproducible scenarios and malicious episodes, demonstrate that at a false-positive rate of $0.1\%$, NOS-Gate achieves an incident recall of 0.952, significantly outperforming the best baseline, which reached 0.857. Furthermore, when active gating is engaged, the system reduces the p99.9 queueing delay and p99.9 collateral delay, incurring a mean scoring cost of approximately $2.09\,\mu\mathrm{s}$ per flow-window on the CPU.
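The following is an added example, not code from the paper: a minimal sketch of label-free burn-in quantile thresholding feeding a $K$-of-$M$ persistence rule that temporarily lowers a flow's WFQ weight. The per-window scores, the values of K and M, the gated weight and the hold period are assumptions, since the abstract does not state them, and the NOS scoring unit itself is not modelled.

```python
from collections import deque

def burn_in_threshold(scores, fpr=0.001):
    """Label-free calibration: pick the burn-in score that at most
    a fraction `fpr` of burn-in windows strictly exceed."""
    ordered = sorted(scores)
    allowed = int(fpr * len(ordered) + 1e-9)  # windows permitted above threshold
    return ordered[max(len(ordered) - 1 - allowed, 0)]

class FlowGate:
    """Per-flow K-of-M persistence gate (all parameter values are assumptions)."""

    def __init__(self, threshold, k=3, m=5, base_weight=1.0,
                 gated_weight=0.1, hold=2):
        self.threshold = threshold
        self.k = k
        self.base_weight, self.gated_weight = base_weight, gated_weight
        self.hold = hold                 # windows the reduced weight persists
        self.hits = deque(maxlen=m)      # last M per-window exceedance flags
        self.remaining = 0               # windows of mitigation still owed

    def update(self, score):
        """Consume one window score; return the WFQ weight to apply next."""
        self.hits.append(score > self.threshold)
        if sum(self.hits) >= self.k:
            self.remaining = self.hold   # rule met: (re)arm the mitigation
        elif self.remaining > 0:
            self.remaining -= 1          # rule no longer met: count down
        return self.gated_weight if self.remaining > 0 else self.base_weight

def replay(scores, threshold, **gate_args):
    """Run one flow's window scores through a gate; return weight per window."""
    gate = FlowGate(threshold, **gate_args)
    return [gate.update(s) for s in scores]

# Constructed sample data: evenly spread burn-in scores, then a flow whose
# anomalous windows (2.0) are first spaced out, then clustered.
BURN_IN = [i / 1000 for i in range(1000)]
FLOW = [0.5, 2.0, 0.5, 0.5, 2.0, 0.5, 2.0, 2.0, 0.5, 0.5, 0.5, 0.5]

if __name__ == "__main__":
    thr = burn_in_threshold(BURN_IN)
    for t, w in enumerate(replay(FLOW, thr)):
        print(t, FLOW[t], w)
```

With these assumed settings the isolated exceedances at windows 1 and 4 leave the weight unchanged; the gate engages at window 7 and the weight is restored at window 10.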
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC





