Proceedings of the Posters and Demos

Abstract: Real-time communication (RTC) is crucial in digital life, with latency significantly affecting user experience. Latency spikes often occur due to mismatches between video codec bitrates and network capacity, especially during sudden bandwidth drops. Current video encoders adjust bitrates too slowly, increasing latency. This poster suggests that encoders should adapt more quickly to network changes by dynamically adjusting codec parameters, maintaining compression efficiency. Preliminary tests with the x264 codec show these strategies can reduce latency by 28.66% to 78.87% while slightly improving video quality by 0.8% to 3%.

Abstract: The cloud-native microservice architecture provides flexibility and scalability. However, communications between microservices create privacy risks. Attackers can infer sensitive information about microservices by analyzing network side-channel metrics such as packet sizes and arrival time. Current traffic shaping methods lack service-level control, bidirectional shaping, and adaptability to fluctuating traffic. In this paper, we propose TrafficGuard, an adaptive bidirectional traffic shaping mechanism. Specifically, we design a WASM-based service-level bidirectional traffic shaping mechanism to hide the actual traffic characteristics of services and achieve strategy hot updates without service interruption. In addition, we design a sliding window-based adaptive traffic shaping method and a target service identification method to achieve effective traffic shaping with minimal resource overhead.

Abstract: The absence of effective performance isolation mechanisms hinders deploying Data Processing Units (DPUs) in public clouds for multi-application co-location scenarios. To address this challenge, we introduce Astraea, an efficient DPU performance isolation framework targeting DPU-specific computational resources. Astraea overcomes significant obstacles posed by proprietary, high-level SDK interfaces and coarse-grained First-Come-First-Served (FCFS) scheduling via resource occupation profiling, task splitting and workload-guided scheduling. Our open-source prototype on NVIDIA BlueField-3 DPUs reduces SLA violation rates for latency-sensitive applications from 47.66% to just 14.84% versus natives, while introducing less than 4% performance overhead.

Abstract: QUIC represents a re-design of the transport stack in response to the requirements of modern applications. While it provides a myriad of benefits, studies have shown that its performance penalties in several contexts keep it from being more widely adopted. While these studies provide a good overview of when QUIC can lack performance compared to TCP, they do little to specifically pinpoint where in the QUIC stack these slowdowns come from and how they can be fixed. To address this gap, we present Nesquic, a testing infrastructure for QUIC stacks. It collects library-internal metrics of each stack component without changing the library's source code. Our preliminary findings show that not only can Nesquic help developers pinpoint which components of their QUIC stacks are less performant, but it also gives them actionable insights into fixing these issues.

Abstract: Memory safety is critical in network programming to prevent vulnerabilities like buffer overflows and use-after-free. Rust's memory-safe design eliminates common bugs, making secure software a necessity. We present nethuns-rs, a Rust-based, memory-safe socket library for high-performance network I/O.

Abstract: Resource allocation in distributed environments remains a key challenge. In this study, we analyze VM scheduling and placement in the SAP cloud platform, the infrastructure behind the world's largest enterprise resource planning provider. Using observability data from approximately 1,800 hypervisors and 48,000 VMs over a 30-day period, we identify inefficiencies in workload management. Unlike existing datasets, our dataset provides fine-grained time series of fully virtualized, enterprise-grade workloads, including long-running, memory-intensive SAP HANA instances as well as general-purpose VMs.

Abstract: Edge computing reduces latency and network congestion by offloading computation from the cloud to edge devices. However, deploying software across heterogeneous edge platforms presents portability and dependency challenges. Containerization with Docker offers lightweight isolation but introduces overheads on resource-constrained devices. In this work, we empirically evaluate Docker performance on Raspberry Pi nodes using microbenchmarks (CPU, memory, network) and macrobenchmarks including AI workloads with sensor/camera interaction, compression, and encryption tasks. Our measurements highlight key limitations: insecure sensor access, spin-up delays for short tasks, and isolation-performance tradeoffs. These insights inform container use for stable, long-running edge workloads and guide future tuning for real-time, resource-constrained environments.

Abstract: Recently, TCP performance studies [1, 3, 4, 8] have focused on BBR which estimates the available bandwidth based on packet delay - instead of strictly reacting to packet loss as a sign of congestion. In contrast to packet loss, delay is more susceptible to jitter induced by the various system components in experimental setups and real-world deployments, including virtualization. Considering that BBR deployments in the wild are often running in Cloud-based virtualized environments, we measure how the choice of virtualization affects BBR v1-3 throughput in different BBR-enabled Linux kernels. Our results reveal that when using Google's custom kernels - the only publicly available source of BBRv2/v3 - BBR performance deteriorates under virtualized scheduling conditions, reducing throughput to almost zero in VirtualBox-based VMs. Overall, our work raises questions about the robustness of BBR under certain sub-optimal scheduling conditions.

Abstract: The inherent complexity of operating modern network infrastructures has led to growing interest in using Large Language Models (LLMs) to support network operators, particularly in the area of Incident Management (IM). Yet, the absence of standardized benchmarks for evaluating such systems poses challenges in tracking progress, comparing approaches, and uncovering their limitations. As LLM-based tools become widespread, there is a clear need for a comprehensive benchmarking suite that reflects the diversity and complexity of operational tasks encountered in real-world networks. This poster outlines our vision for designing such a modular benchmarking suite. We describe an approach for generating operational tasks of varying complexity and discuss how to evaluate LLMs on these tasks and assess system-level performance. As a preliminary evaluation, we benchmark three LLMs --- GPT-4.1, Gemini 2.5-Pro, and Claude 3.7 Sonnet --- across over 100 test cases and two pipeline variants.

Abstract: Internet Exchange Points (IXPs) are essential for enhancing regional Internet performance by enabling efficient connections between ASes. In this poster, we show that BGP routes can be easily obtained from Alice Looking Glass servers and use this data set to study route diversity at IXPs. We develop a scraper that periodically collects route information from 16 major IXPs, maintaining a historical view through periodic snapshots. Our preliminary analysis, conducted on one of the largest European IXPs, reveals that approximately 50% of prefixes have alternative paths.

Abstract: DACE is a novel algorithm to improve real-time video quality by dynamically adjusting the complexity of the encoding to maximize resource utilization. It uniquely adapts the feedback control logic from network congestion algorithms such as RENO, using prior frame encoding time to select the highest sustainable complexity for the next frame. A saturation mechanism prevents stalls by throttling complexity as it approaches the time budget. Our evaluation using the x264 encoder shows significant SSIM gains across diverse content, demonstrating DACE's effectiveness in converting available computational power into improved visual fidelity on heterogeneous devices.

Abstract: Distributing quantum computations across heterogeneous devices introduces communication and coordination costs that depend on both quantum and classical operations. We present an architecture-aware approach using Hybrid Dependency Hypergraphs (HDHs) to model space, time, and type dependencies in distributed execution. This poster explores how HDHs support network-level reasoning about communication patterns, and how they can expose cost trade-offs across circuit-based, measurement-based, and quantum walk models. We highlight patterns in HDH structure that inform scheduling, device assignment, and cut placement in heterogeneous quantum clusters.

Abstract: Current automotive designs lack security solutions that span the vehicle lifetime. Future Service-Oriented Architectures (SOAs) in cars will enable post-sale updates and functional upgrades, which require prevalent proof of authenticity for the service suppliers as well as the manufacturer (OEM). In this poster, we decouple the cryptographic authentication of the service suppliers from that of OEMs with the help of DNSSEC. We propose to authenticate in-vehicle services by certificates that are solely generated by the service suppliers but published via DNSSEC TLSA records solely signed by the OEM. Building on the well-established Internet standard DNSSEC ensures updatability and interoperability with various protocols. Our approach enables credential management for millions of connected vehicles with proven security.

Abstract: We introduce a framework for comparing the performance of fast failover algorithms, with a particular focus on implementations using Extended Berkeley Packet Filter (eBPF) and eXpress Data Path within the Linux kernel. The study addresses the limitations of traditional failover methods, which often result in suboptimal routing and increased latency, by proposing an eBPF- and Netfilter-based solution that offers finer control and faster recovery from network failures. Through testing in both virtualized environments and on hardware platforms, this work demonstrates that the eBPF implementation significantly outperforms traditional Netfilter-based approaches in terms of latency, throughput, and system load. Our work hence provides insights for the further development of fast failover algorithms in the data plane and the potential for future research in hardware offloading.

Abstract: In this paper, we propose and evaluate a new congestion control algorithm, Multiplicity-Robust Congestion Control (MRCC), that predicts the buffering delay based on queueing theory. MRCC alleviates the increase in buffering delay when multiple flows share a bottleneck link.

Abstract: Within the Key management process in IoT networks, the key refresh step is essential and unavoidable to defend against node compromise attacks. Periodic key refresh ensures the self-healing capability of key management solutions. However, the main challenge is to strike a balance between energy efficiency and effective threat mitigation when determining when to trigger key updates. To address this trade-off, we propose a Reinforcement Learning (RL)-based approach that dynamically adjusts refresh intervals based on real-time energy consumption and attack severity. Our method initiates key updates only when necessary, enabling efficient self-healing. Experimental results across various scenarios demonstrate that our solution significantly improves energy efficiency while preserving self-healing property, highlighting its potential for adaptive key refresh in IoT environments.

Abstract: The growing AI capabilities on edge devices, along with increasing privacy concerns, call for new paradigms for distributed inference. We introduce Federated Inference (FI), a novel framework enabling multiple heterogeneous edge devices to collaboratively execute complex inference tasks on local data without revealing private information. FI pioneers the first design of capability-aware, privacy-preserving model partitioning, where a central orchestra-tor adaptively splits models based on individual client profiles. To ensure privacy, FI injects calibrated differential privacy noise into intermediate activations before transmission. We prototype FI and demonstrate that our adaptive-split strategy significantly reduces latency for weak clients while maintaining privacy and communication efficiency.

Abstract: The Centralized Unit User Plane (CU-UP) in 5G networks works as an aggregation point of the RAN, facing increasing performance demands yet commonly limited by general-purpose processors. In this work, we present FlexUP, an architecture that offloads CU-UP functions to programmable switches and SmartNICs via a three-path abstraction: fast, medium, and slow. By matching function complexity to the appropriate hardware, FlexUP can improve latency, throughput, and resource efficiency while aligning with the modular and disaggregated principles of Open RAN (O-RAN).

Abstract: The Resource Public Key Infrastructure (RPKI) secures BGP routing by enabling validation of routing announcements via signed objects. Relying Party (RP) software, responsible for Route Origin Validation (ROV), is complex and error-prone, with over 20 vulnerabilities disclosed to date. These flaws could potentially compromise BGP security and affect routing decisions. We present RFuzz, a fuzzing framework that automatically uncovers subtle bugs in RP implementations by addressing two core challenges: (1) the semantic and structural complexity of RPKI inputs, and (2) the difficulty of detecting non-crashing behavioral deviations. RFuzz introduces a structured semantic mutator that ensures input validity and cross-file consistency using semantic templates and a grammar-based RPKI model, and a hybrid deviation monitor combining active canary injection with passive semantic checks across RPs. Evaluation shows RFuzz achieves 100% semantic validity and discovers 7 new flaws across three popular RP implementations, 6 of which have been confirmed and will be fixed by maintainers.

Abstract: Data centers manage complexity by offloading simple, high-speed packet forwarding to the network fabric and rely on virtual switches (vSwitches) at end hosts to enforce complex policies---managing connectivity across physical interfaces, containers, and VMs. Since their inception, vSwitches have seen major performance optimizations, including wildcard caches [14], learned-index lookups [15, 16], and high hit-rate SmartNIC offloads [24, 25]. Yet, fast vSwitch policy updates have remained largely overlooked, long considered non-critical to performance. We argue that architectural shifts in vSwitch design (from N-table policies to single-table caching [14, 16, 19]) and infrastructure scaling---driven by rising link rates and increasingly dynamic update patterns from emerging workloads (e.g., distributed training [9, 12, 20, 23] and low-latency inference [6, 21])---have turned the bottom-up vSwitch update mechanism (Figure 1a) into a key bottleneck, limiting cache scalability and performance. To address this, we introduce Kairo, which recasts vSwitch cache maintenance as an instance of the Incremental View Maintenance (IVM) problem [4, 10], enabling efficient top-down updates that react only to rule changes (Figure 1b) rather than recomputing from scratch. We also outline the core challenges of applying IVM in this context.

Abstract: Broadband Network Gateways (BNGs) implement Hierarchical QoS (HQoS) to meet subscriber and service-level demands. Software BNGs face scalability challenges due to the large number of queues needed for fine-grained scheduling. We propose a framework that partially offloads HQoS to high-speed NICs, extending DPDK's QoS features. By mapping parts of the HQoS tree to limited amount of hardware queues, we reduce software overhead. Our approach achieves up to 50× reduction in average HQoS processing latency. This enables scalable, low-latency BNGs on commodity hardware.

Abstract: Remote Direct Memory Access (RDMA) networks require efficient switch buffer management to maintain high throughput, low latency, and losslessness. However, limited buffer size and diverse traffic types challenge existing non-preemptive approaches (e.g., DT), often leading to buffer choking and performance degradation. We present Nomad, a lossless preemptive buffer management system that allows high-priority flows to evict lower-priority packets and redirect them to neighboring switches. Nomad involves lightweight packet eviction, enhances DT by modeling remote buffer availability into local threshold calculation, and coordinates evictions via low-cost notifications. Simulations show that Nomad reduces high-priority QCT slowdown by 21-33% over DT.

Abstract: In response to the growing threat of cyber-attacks, there is a demand to understand modern, complex attack surfaces. To achieve this, different Internet Intelligence Platforms (IIPs) can be used. In this work, we show there are differences in the attack surfaces created using three IIPs: Shodan, Censys, and ZoomEye. Our results show these discrepancies manifest in the size and temporal characteristics of the identified attack surfaces. This could lead to organisations and decisionmakers potentially being misinformed about their true attack surface. These findings point towards the need for further research focused on understanding these discrepancies.

Abstract: A resilient domain name system (DNS) is essential for a resilient Internet. In this work, we propose an approach to measure authoritative DNS resilience at Internet-scale and showcase our method using comprehensive data from active DNS scans.

Abstract: Explainable intrusion detection systems (X-IDS) typically provide a set of explanations for each alert, while provided explanations may not be sufficient for security analysts to make time-critical decisions. Existing evaluation methods only consider such cases with a single set of explanations, as a result, limiting the scope of evaluation. This work expands a set of explanation evaluation metrics, our earlier work, to extend the scope of evaluation covering X-IDS providing multiple sets of explanations. Additional intermediate metrics are proposed to capture characteristics of multiple sets of explanations so the evaluation metrics can be computed for the multiple sets of explanations. The experimental results show the proposed metrics reveal more insights.

Abstract: Optical data center networks (DCNs) are renovating the infrastructure design for the cloud in the post-Moore's law era. The fact that optical DCNs rely on optical circuits of microsecond-scale durations makes nanosecond-precision time synchronization essential for the correct functioning of routing on the network fabric. However, current studies on optical DCNs neglect the fundamental need for accurate time synchronization. In this poster, we bridge the gap by developing Nanosecond Optical Synchronization (NOS), the first nanosecond-precision synchronization solution for optical DCNs general to various optical hardware. NOS builds clock propagation trees on top of the dynamically reconfigured circuits in optical DCNs, allowing nodes to seek better sync parents throughout time. It leverages the real-time error bounds of nodes to guide the tree-building process, minimizing synchronization errors. Our simulations demonstrate a synchronization accuracy of 23 ns in a 192-node configuration, surpassing the accuracy of state-of-the-art synchronization protocols in electrical DCNs of the same scale.

Abstract: Generative AI workloads and services have started to dominate cloud infrastructure capacities with exploding demand in terms of tokens being processed with each training, finetuning or inference workload beginning and ending with Tokenization. Exponentially increasing tokenization volume presents a unique opportunity to leverage network devices already present on the data path for AI pipelines and offload parts of it such as the tokenizer to programmable dataplanes. The tokenizer traditionally run on general purpose CPUs without any hardware accelerators has lightweight hashing as well as table lookups as majority of its tasks. To eliminate host OS kernel overhead and utilize specialized network flow processors we introduce NICTokenizer, a novel framework to offload the tokenizer to SmartNICs to cut down per token latency, boost throughput and freeing up CPU cycles for more intensive workloads. Initial evaluations show that NICTokenizer outperforms the conventional tokenizer implementations run on the server by lowering the latency by 61.3% and increasing the throughput by 407.62% while maintaining a short tail latency guarantee. In addition, offloading the tokenizer to a SmartNIC frees up CPU clock cycles which could be utilized by other processes.

Abstract: A new NVMe-oF transport architecture with direct optical paths is proposed. To mitigate performance degradation due to propagation latency, NVMe communications are localized. A prototype implemented on FPGAs demonstrates stable bandwidth over varying distances.

Abstract: As hardware design becomes outsourced, protecting intellectual property (IP) from reverse engineering and counterfeiting is a challenge. Logic locking provide a promising solution, but existing approaches fail to balance security, performance, and scalability. We present PARS, a scalable obfuscation platform that integrates locking techniques tailored to different hardware granularity: standalone IPs, multi-module, and Network-on-Chip (NoC) communications. PARS balances overhead and security (ranging from standalone to multi-module systems and networked architectures) to defeat SAT-based, approximate, and learning-based deobfuscation attacks and is a well-suited solution for large designs.

Abstract: Algebraic structures have been practical tools in the field of protocol analysis and design by providing formal answers to routing problems. However, by means of abstractions, some information from the underlying network is lost, thus providing only a coarse approximation of the real situation. We propose an algebra modelling attributes of the network probabilistically to better characterise dependencies and randomness of real networks. This opens up new perspectives for quality of service routing and traffic engineering.

Abstract: Network modeling has long been a well-established field of study. More recently, Graph Neural Network based models have demonstrated remarkable capability in capturing complex interactions in network data without assumptions about physical networks. While this characteristic facilitates integration across various telecom access networks, current benchmark models remain impractical for real-world deployment, due to real-time demands of modern infrastructure. This research develops a scalable solution for network modeling in large-scale domains such as telecommunication networks. By incorporating distributed learning into the architecture, we propose a novel framework that addresses computational inefficiency without compromising the accuracy offered by benchmark GNN-based models. The proposed architecture supports deeper and larger graphs, and natively handles fragmented datasets, reducing reliance on centralized aggregation and improving compatibility with real-world infrastructure. Beyond scalability, the design emphasizes stable optimization and resilience to enhance reliability in production environments. When applied to the state-of-the-art model, our proposed architecture outperforms the original, achieving a Pearson correlation of 0.999 with MSE under 0.0005. It also converges faster, with inference speedup scaling proportionally to the number of nodes. In a single-node, two-worker setup, it achieves ~48% inference speedup, with overall training efficiency improving by 20%, highlighting practical benefits for real-world scenarios.

Abstract: Cache misses limit performance of eBPF programs. Software prefetching is a technique to overcome the barrier, but eBPF runtime does not support it. In this poster we tackle this problem by enabling software prefetching for eBPF programs.

Abstract: Low Earth Orbit (LEO) constellations like Starlink now serve millions of users, including in disaster zones and unserved regions. However, LEO systems operate in a highly dynamic space environment, where solar activity can trigger geomagnetic storms that disturb ionospheric propagation, satellite drag, and radio link quality. In this work, we present a cross-layer empirical study of how the most intense solar storms of Solar Cycle 25---particularly those in May and October 2024---impacted the performance of LEO networks. Using active testbed probes (via LEOScope) and satellite telemetry we correlate geomagnetic storm activity with degradations in throughput, latency, and link stability. Our analysis reveals geographically skewed performance drops, latency inflation, and increased session drops. We conclude with a vision for a future prediction system that integrates solar observatory feeds, satellite tracking, and crowd-sourced measurements to forecast Internet disruptions under extreme space weather.

Abstract: Providing seamless service beyond geographical boundaries has long been a core objective of mobile networks, with roaming playing a pivotal role [1]. However, experimental support for 5G Standalone (5G SA) roaming remains limited---lagging behind both architectural progress and research needs. To address this, we present T-5GS, a full-scale, reproducible and open-source testbed. Unlike partially implemented stacks in existing platforms that cover only 38% of the roaming protocol stack, T-5GS improves protocol coverage to nearly 100%. By enabling realistic end-to-end testing through VM-based isolation---avoiding the kernel-sharing issues common in container-based setups---T-5GS offers a forward-looking foundation for advancing 5G roaming design, interoperability, and security research. The complete implementation is publicly available at https://github.com/T-5GS/T-5GS.

Abstract: We present a new measurement approach to detect ECH deployments. Our method leverages standard-compliant behavior of ECH servers. This reveals a set of ECH deployments not detected by prior measurements. Prior measurements reported only one major ECH deployment (Cloudflare). Our measurements reveal another large deployment (Meta). Meta servers support ECH, but ECH configuration is not exposed via the DNS. Furthermore, we study potential latency penalties due to ECH by analyzing the time differences between ECH and non-ECH connections.

Abstract: Essential networking applications, such as video streaming, require accurate network models to estimate current and future network states (e.g., is the network congested?). Due to the complexity of today's networks and the subsequent difficulty of this modeling task, Machine Learning (ML)-based approaches have emerged as an alternative to first-principle modeling methods. However, proposed ML algorithms suffer from a generalization crisis: they often fail to perform in deployments outside of their training environment. Moreover, simple solutions such as naively training on more data do not guarantee improved generalization performance. We propose an interpretable approach to improving model generalization by focusing on the quality of a dataset over sample quantity already during data collection. Notably, our approach's interpretability allows us to reason on which environments to prioritize at the data acquisition stage. To this end, we investigate the impact of dataset metrics such as Round Trip Time (RTT) and throughput on both in-distribution (ID) and out-of-distribution (OOD) model performance. Our results suggest that strategically performing data collection in environments with broader statespace coverage in areas of higher RTT and lower throughput is key to achieving improved model generalization and OOD performance.

Abstract: Scanning is prevalent on the Internet. Researchers, commercial services as well as malicious actors probe the Internet regularly and with high intensity. Stateless TCP SYN scanning has been established as an efficient approach to explore the IPv4 service landscape within minutes. The huge IPv6 address space renders this impossible. In this poster, we analyze 18 months of IPv6 SYN scanning using the reactive network telescope Spoki, which responds to TCP SYN packets. In case of two-phase scans, it engages in TCP handshakes initiated in a second phase. Spoki has been successful in identifying malicious scanning behavior in IPv4 and found a stable share of ≈ 75% irregular TCP SYNs, which typically characterize a first, stateless scanning phase. On the IPv6 Internet, the share of irregular TCP SYNs has not saturated but fluctuates on a 30 days average between 20% and 80%. Fewer scanners return after an irregular SYN and returns happen significantly later than in IPv4, which may indicate larger address traversals that delay the second phase.

Abstract: This paper introduces a Blockchain-based overlay network that allows users to authenticate and access services across different MNOs without requiring prior agreements. The overlay leverages smart contracts for decentralized access control and IPFS for secure, shared storage of encrypted subscription data. A hybrid testbed using OpenAirInterface, Magma Core, Go Ethereum, and IPFS validates the system, demonstrating comparable latency, secure, and scalable cross-operator authentication---supporting flexible inter-operator collaboration in future B5G/6G networks.

Abstract: Accurate mapping of Autonomous Systems (ASes) to their owner organizations is fundamental for understanding the structure and dynamics of the Internet. However, as AS numbers have traditionally been delegated in an ad-hoc manner and organizational ownership has evolved over time, many organizations have registered resources under different names. Traditionally, researchers have relied on datasets like AS2Org, which map ASNs to organizations primarily using WHOIS records, but WHOIS inconsistencies often lead to missed and false relationships. We propose a new approach by leveraging the Resource Public Key Infrastructure (RPKI) to map ASNs to their managing organization. Our methodology combines multiple data sources: WHOIS records to extract organization names, RPKI certificates to identify potential siblings, and Large Language Models (LLMs) to find evidence not visible in WHOIS records currently. This integrated approach enables a more robust and accurate mapping of ASNs to organizations, notably improving inferences for 14% of multi-ASN clusters.

Abstract: This article presents a standards-based architecture for V2X communication using CoAP and EdgeX Foundry. By mapping ETSI ITS messages to CoAP, the system enables efficient risk alerting at the edge. An inference module illustrates the architecture's extensibility, and the simulation confirms responsiveness and scalability under mixed traffic conditions.

Abstract: Collective communication becomes increasingly crucial as large language models rapidly evolve, but the RDMA it uses inevitably faces network performance anomalies (NPAs). Vedrfolnir is an accurate and efficient diagnosis system for RDMA NPAs in collective communication, which (1) constructs waiting graphs through algorithm decomposition, (2) adaptively detects anomalies while efficiently collecting diagnostic data, and (3) precisely analyzes performance bottlenecks and root causes. Evaluation shows that Vedrfolnir can achieve accurate diagnosis results with low overhead.

Abstract: Microservice autoscaling balances service quality and operational costs through heuristic-based solutions that often overlook robustness. We adopt an adversarial perspective to expose vulnerabilities in autoscaling by identifying a seconds-scale irregular pulsing pattern. It comes with a traffic-aware attack scheduler that significantly outperforms traditional uniform DoS and existing pulsing attacks. Our proposed attack, which we call WaveSurfer, can exploit benign traffic patterns to increase attack effectiveness by up to 5.3×. This work highlights the urgent need for robust autoscaling mechanisms that can withstand sophisticated adversarial patterns.

Abstract: Industrial and home building automation industries share a common goal: transforming passive buildings into smart environments capable of efficient resource usage and increased user comfort. Both have so far failed to enable operation of truly smart automation deployments, although facing different challenges. Industrial systems are robust but rigid, whereas home automation systems are more flexible but unreliable - could we have the best of both worlds? We propose KaOS: a distributed control platform built around three key concepts: running the control architecture in the form of portable containerised control tasks, managed communication channels with guarantees to support dataflows between them and a distributed operations platform to enable incremental change of control goals and its deployment.