NOS-Gate: Queue-Aware Streaming IDS for Consumer Gateways under Timing-Controlled Evasion

TL;DR

NOS-Gate is a lightweight, queue-aware streaming intrusion detection system for encrypted consumer gateways that effectively detects timing-based evasion attacks with minimal latency and resource overhead.

Contribution

It introduces NOS-Gate, a novel queue-aware streaming IDS using a two-state model for encrypted traffic, improving detection accuracy and latency under resource constraints.

Findings

Achieves 0.952 incident recall at 0.1% false positives.

Reduces queueing delay and collateral delay significantly.

Operates with a mean scoring cost of ~2.09 microseconds per flow-window.

Abstract

Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named NOS-Gate. NOS-Gate scores fixed-length windows of metadata features and, under a $K$-of-$M$ persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable 'worlds' benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved $0.1%$ false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for the best baseline in these runs. Under gating, it reduces p99.9 queueing delay and p99.9 collateral delay with a mean scoring cost of ~ 2.09 {\mu}s per flow-window on CPU.