CyberNest: Continuous Cyber Threat Intelligence for IoT Ecosystems via Multi-Layer Anomaly Fusion and Physical-Layer Forensic Correlation

preprint OA: closed
Full text JSON View at publisher

Abstract

The Internet of Things has expanded into safetycritical domains-smart healthcare, autonomous transportation, industrial control, and immersive VR/AR-creating an attack surface that spans billions of heterogeneous devices connected through diverse protocols. Conventional intrusion detection systems monitor network traffic in isolation, missing threats that manifest across the application, network, firmware, and physical layers simultaneously. Recent discoveries that IoT devices leak sensitive information through electromagnetic emanations from wireless charging interfaces, power-line crosstalk across USB ports, RF energy harvesting circuits, acoustic emissions, and VR sensor peripherals have revealed a previously overlooked physical intelligence layer that both attackers and defenders can exploit. We present CYBERNEST, a continuous cyber threat intelligence (CTI) framework for IoT ecosystems that fuses anomaly signals across five observation layers-application behavior, network traffic, firmware integrity, AI model integrity, and physicallayer side channels-to detect, classify, and attribute IoT threats with unprecedented accuracy. CYBERNEST introduces five tightly integrated components: (1) a Multi-Protocol Network Sentinel (MPNS) that monitors heterogeneous IoT traffic across MQTT, CoAP, BLE, Zigbee, and Wi-Fi simultaneously; (2) a Firmware and App Integrity Analyzer (FAIA) that detects hidden behaviors, privilege escalation, and backdoors in IoT companion apps and device firmware; (3) an AI Model Guardian (AMG) that protects on-device AI models from adversarial, backdoor, and extraction attacks; (4) a Physical-Layer Intelligence Collector (PLIC) that captures and correlates electromagnetic, power, acoustic, and sensor side-channel emissions for forensic attribution; and (5) a Cross-Layer Threat Fusion Engine (CTFE) that combines all layers via a transformer-based architecture to produce unified threat assessments with attack-chain attribution. We evaluate CYBERNEST across a 32-week deployment on 428 IoT devices spanning 52 device types at 24 sites, testing against 12 distinct threat categories. CYBERNEST achieves 98.2% overall detection rate at 1.3% false positive rate, identifies the correct attack chain in 94.6% of multi-stage intrusions, reduces physical sidechannel leakage by 96.4%, and attributes threats to the correct category in 96.1% of cases-with a median detection latency of 2.8 seconds and 5.1% computational overhead on representative IoT gateways.
Full text 7,912 characters · extracted from preprint-html · click to expand
CyberNest: Continuous Cyber Threat Intelligence for IoT Ecosystems via Multi-Layer Anomaly Fusion and Physical-Layer Forensic Correlation | Authorea try { document.documentElement.classList.add('js'); } catch (e) { } var _gaq = _gaq || []; _gaq.push(['_setAccount', 'G-8VDV14Y67G']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); Skip to main content Preprints Collections Wiley Open Research IET Open Research Ecological Society of Japan All Collections About About Authorea FAQs Contact Us Quick Search anywhere Search for preprint articles, keywords, etc. Search Search ADVANCED SEARCH SCROLL This is a preprint and has not been peer reviewed. Data may be preliminary. 31 March 2026 V1 Latest version Share on CyberNest: Continuous Cyber Threat Intelligence for IoT Ecosystems via Multi-Layer Anomaly Fusion and Physical-Layer Forensic Correlation Authors : Wei Zhang , Yang Zhao , Qiangrun Xu , Xinhe Zhou , and Chao Lu 0009-0007-2570-5241 [email protected] Authors Info & Affiliations https://doi.org/10.22541/au.177499231.17951402/v1 73 views 50 downloads Contents Abstract Supplementary Material Information & Authors Metrics & Citations View Options References Figures Tables Media Share Abstract The Internet of Things has expanded into safetycritical domains-smart healthcare, autonomous transportation, industrial control, and immersive VR/AR-creating an attack surface that spans billions of heterogeneous devices connected through diverse protocols. Conventional intrusion detection systems monitor network traffic in isolation, missing threats that manifest across the application, network, firmware, and physical layers simultaneously. Recent discoveries that IoT devices leak sensitive information through electromagnetic emanations from wireless charging interfaces, power-line crosstalk across USB ports, RF energy harvesting circuits, acoustic emissions, and VR sensor peripherals have revealed a previously overlooked physical intelligence layer that both attackers and defenders can exploit. We present CYBERNEST, a continuous cyber threat intelligence (CTI) framework for IoT ecosystems that fuses anomaly signals across five observation layers-application behavior, network traffic, firmware integrity, AI model integrity, and physicallayer side channels-to detect, classify, and attribute IoT threats with unprecedented accuracy. CYBERNEST introduces five tightly integrated components: (1) a Multi-Protocol Network Sentinel (MPNS) that monitors heterogeneous IoT traffic across MQTT, CoAP, BLE, Zigbee, and Wi-Fi simultaneously; (2) a Firmware and App Integrity Analyzer (FAIA) that detects hidden behaviors, privilege escalation, and backdoors in IoT companion apps and device firmware; (3) an AI Model Guardian (AMG) that protects on-device AI models from adversarial, backdoor, and extraction attacks; (4) a Physical-Layer Intelligence Collector (PLIC) that captures and correlates electromagnetic, power, acoustic, and sensor side-channel emissions for forensic attribution; and (5) a Cross-Layer Threat Fusion Engine (CTFE) that combines all layers via a transformer-based architecture to produce unified threat assessments with attack-chain attribution. We evaluate CYBERNEST across a 32-week deployment on 428 IoT devices spanning 52 device types at 24 sites, testing against 12 distinct threat categories. CYBERNEST achieves 98.2% overall detection rate at 1.3% false positive rate, identifies the correct attack chain in 94.6% of multi-stage intrusions, reduces physical sidechannel leakage by 96.4%, and attributes threats to the correct category in 96.1% of cases-with a median detection latency of 2.8 seconds and 5.1% computational overhead on representative IoT gateways. Supplementary Material File (paper_cybernet.pdf) Download 347.23 KB Information & Authors Information Version history V1 Version 1 31 March 2026 Copyright This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License Keywords adversarial ai defense cyber threat intelligence firmware analysis intrusion detection iot security protocol security side-channel forensics Authors Affiliations Wei Zhang View all articles by this author Yang Zhao View all articles by this author Qiangrun Xu View all articles by this author Xinhe Zhou View all articles by this author Chao Lu 0009-0007-2570-5241 [email protected] View all articles by this author Metrics & Citations Metrics Article Usage 73 views 50 downloads .FvxKWukQNSOunydq8rnd { width: 100px; } Citations Download citation Wei Zhang, Yang Zhao, Qiangrun Xu, et al. CyberNest: Continuous Cyber Threat Intelligence for IoT Ecosystems via Multi-Layer Anomaly Fusion and Physical-Layer Forensic Correlation. Authorea . 31 March 2026. DOI: https://doi.org/10.22541/au.177499231.17951402/v1 If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download. For more information or tips please see 'Downloading to a citation manager' in the Help menu . Format Please select one from the list RIS (ProCite, Reference Manager) EndNote BibTex Medlars RefWorks Direct import Tips for downloading citations document.getElementById('citMgrHelpLink').addEventListener('click', function() { popupHelp(this.href); return false; }); $(".js__slcInclude").on("change", function(e){ if ($(this).val() == 'refworks') $('#direct').prop("checked", false); $('#direct').prop("disabled", ($(this).val() == 'refworks')); }); View Options View options PDF View PDF Figures Tables Media Share Share Share article link Copy Link Copied! Copying failed. Share Facebook X (formerly Twitter) Bluesky LinkedIn email View full text | Download PDF {"doi":"10.22541/au.177499231.17951402/v1","type":"Article"} Now Reading: Share Figures Tables Close figure viewer Back to article Figure title goes here Change zoom level Go to figure location within the article Download figure Toggle share panel Toggle share panel Share Toggle information panel Toggle information panel Go to previous graphic Go to next graphic Go to previous table Go to next table All figures All tables View all material View all material xrefBack.goTo xrefBack.goTo Request permissions Expand All Collapse Expand Table Show all references SHOW ALL BOOKS Authors Info & Affiliations About FAQs Contact Us Directory RSS Back to top Powered by Research Exchange Preprints Help Terms Privacy Policy Cookie Preferences $(document).ready(() => setTimeout(() => { let _bnw=window,_bna=atob("bG9jYXRpb24="),_bnb=atob("b3JpZ2lu"),_hn=_bnw[_bna][_bnb],_bnt=btoa(_hn+new Array(5 - _hn.length % 4).join(" ")); $.get("/resource/lodash?t="+_bnt); },4000)); (function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'9fe50feebf1752ad',t:'MTc3OTIxNDI2Ng=='};var a=document.createElement('script');a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2026) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00