[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-86291-en":3,"doc-seo-86291-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},86291,1099514068365,"Aurelia","https://ap-avatar.wpscdn.com/avatar/10000253d8d9f28188e?_k=1776742907772140068",6,"Technology","Closing the Loop An Access Control Architecture for Automated Anomaly Driven Network Revocation in IoT Deployments","Network-based anomaly detection for IoT devices has achieved strong accuracy, but many systems only raise alerts and do not enforce actions in production networks. This paper introduces a standards-only access-control architecture that authenticates devices via IEEE 802.1X with EAP-TLS, then uses a RADIUS dynamic authorization decision point to disconnect sessions and permanently exclude devices through certificate revocation. A central policy engine consumes anomaly outputs and triggers actions through a restricted channel. Experiments report an AUC of 0.9964, full detection across 24 scenarios, and average eviction latency of 335.8 ms plus 111.5 ms for revocation completion.","Closing the Loop: An Access-Control Architecture for Automated, Anomaly-Driven Network Revocation in IoT Deployments  \nMuhammet Emir Korkmaz∗ , Kemal Bicakci∗†, Yusuf Uzunay∗  \n∗ Securify Information Technology and Security Training Consulting Inc., 06378, Ankara, T¨URK˙IYE †Informatics Institute, Istanbul Technical University, Ayazaga Campus, 34467, Maslak, Istanbul, T¨URK˙IYE  \nCorresponding author: [kemal.bicakci@securifyidentity.com](kemal.bicakci@securifyidentity.com)  \narXiv :2607 . 1 1649v 1 [ cs .CR] 13 Jul 2026  \nAbstract—Network-based anomaly detection for IoT devices has matured to the point of reporting strong detection accuracy, yet most published systems stop at raising an alert and leave the question of automated enforcement to future work or to a programmable data plane that few real networks operate. This paper presents an access-control architecture that closes that loop using only standard, already-deployed protocols. Devices authenticate via IEEE 802.1X with EAP-TLS, and a RADIUS server acts asa continuous policy decision point capable of evicting an active session via a Change-of-Authorization Disconnect-Request and permanently excluding a device through certificate revocation. A central, contextual access policy engine continuously consumes the anomaly detector’s output and actuates this response over a narrowly restricted channel to the RADIUS server; the same engine is designed to be extensible to other access types, thoughthis paper evaluates only the network access-control mechanism. This mechanism is driven by an anomaly signal from a one-class detector adapted from a prior MUD/SDN-based design, replacing its per-flow multi-model pipeline with passive traffic capture anda single fused model that combines a cluster-based, a volumetric, and a protocol-signature score. On a single testbed device, the detector reaches an AUC of 0.9964 and detects all 24 evaluated attack scenarios (eight attack types at three intensities) using roughly 43 × less training data than the reference design, and the resulting alerts reliably trigger the automated disconnectthen-revoke response, which we measure to evict a device from the network in 335.8 ms on average and complete certificate revocation in a further 111.5 ms. We report this evaluation asa demonstration of the closed-loop architecture rather than of the detector itself, and discuss multi-device generalization as a concrete next step.  \nIndex Terms—IoT security, network access control, anomaly detection, IEEE 802.1X, RADIUS, dynamic authorization, automated incident response  \nI. INTRODUCTION  \nThe number and diversity of Internet of Things (IoT) devices connected to enterprise and industrial networks has grown far faster than the security tooling available to manage them. Security cameras, smart sensors, printers, and buildingautomation equipment now sit on the same networks as traditional IT assets, yet the vast majority of these devices offer no host-based defenses, receive infrequent firmware updates, and cannot run conventional endpoint security agents. The consequences of this imbalance are well documented: botnets such as Mirai compromised hundreds of thousands of consumer and enterprise IoT devices to launch some of the  \nlargest distributed denial-of-service attacks on record [1], and volumetric attacks that abuse or originate from IoT devices remain a persistent threat to both the devices themselves and the networks that host them.  \nThe research community has responded with a large body of work on network-based anomaly detection for IoT traffic. Because IoT devices exhibit a narrow, repetitive set of behaviors compared to general-purpose computers, one-class and unsupervised learning methods trained solely on benign traffic have proven effective at flagging deviations that correspond to attacks [2]–[4] . A parallel line of work has used the IETF Manufacturer Usage Description (MUD) standard [5] together with Software-Defined Networking (SDN) to formall","cbCaidnUb4QTrbQa","https://ap.wps.com/l/cbCaidnUb4QTrbQa","pdf",5818098,1,15,"English","en",105,"# Introduction\n## Closed-loop access control concept\n## IEEE 802.1X authentication and RADIUS decisioning\n## Anomaly detector design and performance results","[{\"question\":\"How does the proposed architecture connect anomaly detection to enforcement for IoT devices?\",\"answer\":\"A central access policy engine continuously consumes anomaly detector outputs and, when an alert fires, sends RADIUS dynamic authorization disconnect requests to evict the device and triggers certificate revocation for permanent exclusion.\"},{\"question\":\"Which protocols and components are used for authentication and policy enforcement?\",\"answer\":\"Devices authenticate using IEEE 802.1X with certificate-based EAP-TLS, while a RADIUS server with dynamic authorization extensions acts as the continuous network policy decision point.\"},{\"question\":\"What performance and response-time results are reported in the evaluation?\",\"answer\":\"On a single testbed device, the detector reaches an AUC of 0.9964 and detects all 24 evaluated attack scenarios. Automated disconnect evicts devices from the network in 335.8 ms on average, with certificate revocation completed in a further 111.5 ms.\"}]",1784210115,38,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"closing-the-loop-an-access-control-architecture-for-automated-anomaly-driven-network-revocation-in-iot-deployments","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/closing-the-loop-an-access-control-architecture-for-automated-anomaly-driven-network-revocation-in-iot-deployments/86291/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"How does the proposed architecture connect anomaly detection to enforcement for IoT devices?","Question",{"text":75,"@type":76},"A central access policy engine continuously consumes anomaly detector outputs and, when an alert fires, sends RADIUS dynamic authorization disconnect requests to evict the device and triggers certificate revocation for permanent exclusion.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"Which protocols and components are used for authentication and policy enforcement?",{"text":80,"@type":76},"Devices authenticate using IEEE 802.1X with certificate-based EAP-TLS, while a RADIUS server with dynamic authorization extensions acts as the continuous network policy decision point.",{"name":82,"@type":73,"acceptedAnswer":83},"What performance and response-time results are reported in the evaluation?",{"text":84,"@type":76},"On a single testbed device, the detector reaches an AUC of 0.9964 and detects all 24 evaluated attack scenarios. Automated disconnect evicts devices from the network in 335.8 ms on average, with certificate revocation completed in a further 111.5 ms.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]