
 intrusion detection system


AgenticCyber: A GenAI-Powered Multi-Agent System for Multimodal Threat Detection and Adaptive Response in Cybersecurity

Roy, Shovan

arXiv.org Artificial Intelligence

The increasing complexity of cyber threats in distributed environments demands advanced frameworks for real-time detection and response across multimodal data streams. This paper introduces AgenticCyber, a generative AI powered multi-agent system that orchestrates specialized agents to monitor cloud logs, surveillance videos, and environmental audio concurrently. The solution achieves 96.2% F1-score in threat detection, reduces response latency to 420 ms, and enables adaptive security posture management using multimodal language models like Google's Gemini coupled with LangChain for agent orchestration. Benchmark datasets, such as AWS CloudTrail logs, UCF-Crime video frames, and UrbanSound8K audio clips, show greater performance over standard intrusion detection systems, reducing mean time to respond (MTTR) by 65% and improving situational awareness. This work introduces a scalable, modular proactive cybersecurity architecture for enterprise networks and IoT ecosystems that overcomes siloed security technologies with cross-modal reasoning and automated remediation.


Hybrid Quantum-Classical Autoencoders for Unsupervised Network Intrusion Detection

Rasyidi, Mohammad Arif, Alhussein, Omar, Muhaidat, Sami, Damiani, Ernesto

arXiv.org Artificial Intelligence

Unsupervised anomaly-based intrusion detection requires models that can generalize to attack patterns not observed during training. This work presents the first large-scale evaluation of hybrid quantum-classical (HQC) autoencoders for this task. We construct a unified experimental framework that iterates over key quantum design choices, including quantum-layer placement, measurement approach, variational and non-variational formulations, and latent-space regularization. Experiments across three benchmark NIDS datasets show that HQC autoencoders can match or exceed classical performance in their best configurations, although they exhibit higher sensitivity to architectural decisions. Under zero-day evaluation, well-configured HQC models provide stronger and more stable generalization than classical and supervised baselines. Simulated gate-noise experiments reveal early performance degradation, indicating the need for noise-aware HQC designs. These results provide the first data-driven characterization of HQC autoencoder behavior for network intrusion detection and outline key factors that govern their practical viability. All experiment code and configurations are available at https://github.com/arasyi/hqcae-network-intrusion-detection.


MAGE-ID: A Multimodal Generative Framework for Intrusion Detection Systems

Loodaricheh, Mahdi Arab, Manshaei, Mohammad Hossein, Raja, Anita

arXiv.org Artificial Intelligence

Modern Intrusion Detection Systems (IDS) face severe challenges due to heterogeneous network traffic, evolving cyber threats, and pronounced data imbalance between benign and attack flows. While generative models have shown promise in data augmentation, existing approaches are limited to single modalities and fail to capture cross-domain dependencies. This paper introduces MAGE-ID (Multimodal Attack Generator for Intrusion Detection), a diffusion-based generative framework that couples tabular flow features with their transformed images through a unified latent prior. By jointly training Transformer- and CNN-based variational encoders with an EDM-style denoiser, MAGE-ID achieves balanced and coherent multimodal synthesis. Evaluations on CIC-IDS-2017 and NSL-KDD demonstrate significant improvements in fidelity, diversity, and downstream detection performance over TabSyn and TabDDPM, highlighting MAGE-ID's effectiveness for multimodal IDS augmentation.


A Modular Framework for Rapidly Building Intrusion Predictors

Wang, Xiaoxuan, Stadler, Rolf

arXiv.org Artificial Intelligence

We study automated intrusion prediction in an IT system using statistical learning methods. The focus is on developing online attack predictors that detect attacks in real time and identify the current stage of the attack. While such predictors have been proposed in the recent literature, these works typically rely on constructing a monolithic predictor tailored to a specific attack type and scenario. Given that hundreds of attack types are cataloged in the MITRE framework, training a separate monolithic predictor for each of them is infeasible. In this paper, we propose a modular framework for rapidly assembling online attack predictors from reusable components. Using public datasets for training and evaluation, we provide many examples of modular predictors and show how an effective predictor can be dynamically assembled during training from a network of modular components. Traditional intrusion detection systems (IDS), such as Snort [1] or Suricata [2], rely on rule-based configurations that are manually crafted and maintained by domain experts. The growing complexity and rapid evolution of IT systems make the maintenance of these rules increasingly challenging and time-consuming. As a response, research efforts into automated cyberdefence have started, based on the idea that attack patterns can be dynamically learned. The rules are no longer defined by humans, but automatically inferred from observing systems under attack. Over the last decade, various approaches have been proposed for automated cyberdefence, most of them based on statistical learning, e.g., [3], [4], [5], [6]. We follow this direction in the paper. We are specifically interested in predicting the stage of an ongoing attack in real time, based on current and earlier observations of an IT system.


A Novel and Practical Universal Adversarial Perturbations against Deep Reinforcement Learning based Intrusion Detection Systems

Zhang, H., Zhang, L., Epiphaniou, G., Maple, C.

arXiv.org Artificial Intelligence

Intrusion Detection Systems (IDS) play a vital role in defending modern cyber physical systems against increasingly sophisticated cyber threats. Deep Reinforcement Learning-based IDS have shown promise due to their adaptive and generalization capabilities. However, recent studies reveal their vulnerability to adversarial attacks, including Universal Adversarial Perturbations (UAPs), which can deceive models with a single, input-agnostic perturbation. In this work, we propose a novel UAP attack against Deep Reinforcement Learning (DRL)-based IDS under the domain-specific constraints derived from network data rules and feature relationships. To the best of our knowledge, there is no existing study that has explored UAP generation for the DRL-based IDS. In addition, this is the first work that focuses on developing a UAP against a DRL-based IDS under realistic domain constraints based on not only the basic domain rules but also mathematical relations between the features. Furthermore, we enhance the evasion performance of the proposed UAP by introducing a customized loss function based on the Pearson Correlation Coefficient, and we denote it as Customized UAP. To the best of our knowledge, this is also the first work using the PCC value in the UAP generation, even in the broader context. Four additional established UAP baselines are implemented for a comprehensive comparison. Experimental results demonstrate that our proposed Customized UAP outperforms two input-dependent attacks including Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), and four UAP baselines, highlighting its effectiveness for real-world adversarial scenarios.


Machine Learning Epidemic Predictions Using Agent-based Wireless Sensor Network Models

Nwokoye, Chukwunonso Henry, Oluchi, Blessing, Waldron, Sharna, Ezzeh, Peace

arXiv.org Artificial Intelligence

The lack of epidemiological data in wireless sensor networks (WSNs) is a fundamental difficulty in constructing robust models to forecast and mitigate threats like viruses and worms. Many studies have looked at different epidemic models for WSNs, focusing on the manner in which malware infections spread given the network's specific properties, including energy limits and node mobility. In this study, an agent-based realization of the susceptible-exposed-infected-recovered-vaccinated (SEIRV) mathematical model was employed for machine learning (ML) predictions. Using tools such as Netlogo's BehaviorSpace and Python, two epidemic synthetic datasets were generated and prepared for the application of several ML algorithms. Posed as a regression problem, the infected and recovered nodes were predicted, and the performance of these algorithms is compared using the error metrics of the train and the test sets. The predictions performed quite well, with low error metrics and high R values (0.997, 1.000, 0.999, 1.000), indicating an effective fit to the training set. The validation values were lowered (0.992, 0.998, 0.971, and 0.999), as is typical when evaluating model performance on unknown data. Judging from the recorded performances, support vector, linear, Lasso, Ridge, and ElasticNet regression were among the worst performing algorithms, while Random Forest, XGBoost, Decision Trees, and K nearest neighbor had the best model performances. In recent years, the globe as we know it has been changing due to breakthroughs in numerous linked innovations including smart electrical grids [1], the IoT, long-term evolution, 5G connectivity [2] and cyber physical systems [3] such as wireless sensor networks (WSN).


SmartSecChain-SDN: A Blockchain-Integrated Intelligent Framework for Secure and Efficient Software-Defined Networks

Mozumder, Azhar Hussain, Basha, M. John, R, Chayapathi A.

arXiv.org Artificial Intelligence

With more and more existing networks being transformed to Software-Defined Networking (SDN), they need to be more secure and demand smarter ways of traffic control. This work, SmartSecChain-SDN, is a platform that combines machine learning based intrusion detection, blockchain-based storage of logs, and application-awareness-based priority in SDN networks. To detect network intrusions in a real-time, precision and low-false positives setup, the framework utilizes the application of advanced machine learning algorithms, namely Random Forest, XGBoost, CatBoost, and CNN-BiLSTM. SmartSecChain-SDN is based on the Hyperledger Fabric, which is a permissioned blockchain technology, to provide secure, scalable, and privacy-preserving storage and, thus, guarantee that the Intrusion Detection System (IDS) records cannot be altered and can be analyzed comprehensively. The system also has Quality of Service (QoS) rules and traffic shaping based on applications, which enables prioritization of critical services, such as VoIP, video conferencing, and business applications, as well as de-prioritization of non-essential traffic, such as downloads and updates. Mininet can simulate real-time SDN scenarios because it is used to prototype whole architectures. It is also compatible with controllers OpenDaylight and Ryu. It has tested the framework using the InSDN dataset and proved that it can identify different kinds of cyberattacks and handle bandwidth allocation efficiently under circumstances of resource constraints. SmartSecChain-SDN comprehensively addresses SDN system protection, securing and enhancing. The proposed study offers an innovative, extensible way to improve cybersecurity, regulatory compliance, and the administration of next-generation programmable networks.


Adaptive Intrusion Detection for Evolving RPL IoT Attacks Using Incremental Learning

Bas, Sumeyye, Kaya, Kiymet, Ak, Elif, Oguducu, Sule Gunduz

arXiv.org Artificial Intelligence

The routing protocol for low-power and lossy networks (RPL) has become the de facto routing standard for resource-constrained IoT systems, but its lightweight design exposes critical vulnerabilities to a wide range of routing-layer attacks such as hello flood, decreased rank, and version number manipulation. Traditional countermeasures, including protocol-level modifications and machine learning classifiers, can achieve high accuracy against known threats, yet they fail when confronted with novel or zero-day attacks unless fully retrained, an approach that is impractical for dynamic IoT environments. In this paper, we investigate incremental learning as a practical and adaptive strategy for intrusion detection in RPL-based networks. We systematically evaluate five model families, including ensemble models and deep learning models. Our analysis highlights that incremental learning not only restores detection performance on new attack classes but also mitigates catastrophic forgetting of previously learned threats, all while reducing training time compared to full retraining. By combining five diverse models with attack-specific analysis, forgetting behavior, and time efficiency, this study provides systematic evidence that incremental learning offers a scalable pathway to maintain resilient intrusion detection in evolving RPL-based IoT networks.



An explainable Recursive Feature Elimination to detect Advanced Persistent Threats using Random Forest classifier

Mutalib, Noor Hazlina Abdul, Sabri, Aznul Qalid Md, Wahab, Ainuddin Wahid Abdul, Abdullah, Erma Rahayu Mohd Faizal, AlDahoul, Nouar

arXiv.org Artificial Intelligence

V. CONCLUSION: This study developed an interpretable Intrusion Detection System (IDS) capable of detecting Advanced Persistent Threats (APTs) with high accuracy. By integrating Recursive Feature Elimination (RFE) and Random Forest (RF), the framework efficiently reduced dimensionality and improved detection performance. SHapley Additive exPlanations (SHAP) was integrated to provide both global and instance-level interpretability, enabling transparent insight into the model's decision-making process. Experimental evaluation demonstrated that the system achieved a detection accuracy of 99.9% and exhibited robust performance. Future work will evaluate the proposed RF-RFE framework in real-time deployment environments, where rapid response is crucial. Deep learning and ensemble-based models, such as Long Short-Term Memory (LSTM) networks can be explored to better capture temporal patterns in evolving cyber threats. These enhancements can improve the system's effectiveness and operational relevance in real-world intrusion detection scenarios. The framework will also be benchmarked against advanced classifiers, including LSTM, XGBoost, and generative AI-based techniques to compare performance in terms of accuracy, interpretability, and adaptability.