The security twin (ST) paradigm is an emerging framework for dynamically modeling and defending complex cyber-physical systems. This paper extends NotLine, a fully automated, non-intrusive ST construction platform with three mechanisms. First, a lightweight statistical engine based on the numerically stable Welford algorithm maintains per-host behavioral baselines in O(1) time and space, enabling real-time Z-score standardization and denial-of-service classification across volumetric, resource-exhaustion, and application-layer attack categories via a similarity matrix framework. Second, a passive methodology identifies virtual machines by correlating deep packet inspection fingerprinting inconsistencies with SNMP-retrieved switch CAM table data, resolving both NAT and bridged VM topologies. Third, both mechanisms integrate into a unified, continuously updated ST that models structural topology, bandwidth saturation, and resource exhaustion within a single non-intrusive pipeline. Evaluations on ns-3 simulations and a physical testbed confirm zero misclassification across all three attack vectors and complete topology reconstruction, with negligible overhead compatible with real-time deployment.
DOS Classification, and Virtual Machine Detection via Passive Monitoring through Security Twins
Vincenzo Sammartino
Primo
;Fabrizio Baiardi;Salvatore Ruggieri
2026-01-01
Abstract
The security twin (ST) paradigm is an emerging framework for dynamically modeling and defending complex cyber-physical systems. This paper extends NotLine, a fully automated, non-intrusive ST construction platform with three mechanisms. First, a lightweight statistical engine based on the numerically stable Welford algorithm maintains per-host behavioral baselines in O(1) time and space, enabling real-time Z-score standardization and denial-of-service classification across volumetric, resource-exhaustion, and application-layer attack categories via a similarity matrix framework. Second, a passive methodology identifies virtual machines by correlating deep packet inspection fingerprinting inconsistencies with SNMP-retrieved switch CAM table data, resolving both NAT and bridged VM topologies. Third, both mechanisms integrate into a unified, continuously updated ST that models structural topology, bandwidth saturation, and resource exhaustion within a single non-intrusive pipeline. Evaluations on ns-3 simulations and a physical testbed confirm zero misclassification across all three attack vectors and complete topology reconstruction, with negligible overhead compatible with real-time deployment.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.


