Device behavioural blueprint (DB2): A risk-aware framework for unique device behaviour profiling using microarchitectural variations
Selvam, M. 
ORCID: 0009-0008-6449-7972, Haque, S. ORCID: 0000-0003-3519-862X, Singh, A. K. ORCID: 0000-0003-2056-0569 , Cui, Z. & Rajarajan, M. ORCID: 0000-0001-5814-9922 (2026).
Device behavioural blueprint (DB2): A risk-aware framework for unique device behaviour profiling using microarchitectural variations.
Journal of Network and Computer Applications, 253,
article number 104526.
doi: 10.1016/j.jnca.2026.104526
Abstract
This paper introduces DB2, a risk-aware behavioural identity framework that derives device identity from CPU–RTC timing deviation and Performance Monitoring Unit (PMU) microarchitectural events, without relying on GPUs, radios, sensors, or dedicated hardware. The method captures oscillator-coupled timing variation and execution behaviour through a structured signal-processing pipeline, producing device-specific behavioural signatures that remain distinguishable across reboots, temperature variation, and core transitions. DB2 structures identity assurance into three layers: closed-set identification, calibrated open-set rejection, and stability-aware risk scoring. Evaluation under a strict three-way split with reboot separation for training, calibration, and unseen testing yields a macro-F1 of 0.957 on unseen reboots. The open-set layer rejects previously unseen devices with a mean true-positive rate of 0.990 at a calibrated event-level false-reject rate of approximately 0.08 under strict leave-one-device-out validation, with operating-point selection performed exclusively on the calibration split. A Dynamic-Aware Identification and Risk (DAIR) mechanism decomposes behavioural stability across temperature, reboot, and core factors to provide interpretable posture monitoring for enrolled devices. Under identity-claim manipulation via spoofing, Sybil, and relabelling scenarios involving cloning, targeted identities exhibit reduced identification consistency and elevated risk, while non-targeted devices remain stable under identical calibration settings. These results show that behavioural fingerprints can be derived from standard CPU, RTC, and PMU-accessible resources on edge devices, enabling device-identity and behavioural-assurance monitoring in IoT and edge environments without specialised hardware.
| Publication Type: | Article |
|---|---|
| Additional Information: | © 2026 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/). |
| Publisher Keywords: | Device Fingerprinting, Microarchitectural Behaviour, CPU–RTC Timing Drift, PMU-Based Identification, ClosedSet Identification, Open-Set Recognition, DAIR Risk Scoring, Edge Device Security |
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Departments: | School of Science & Technology School of Science & Technology > Department of Engineering |
| SWORD Depositor: |
Available under License Creative Commons Attribution.
Download (2MB) | Preview
Available under License Creative Commons Attribution.
Download (672kB) | Preview
Export
Downloads
Downloads per month over past year
Metadata
MetadataActions (login required)
Admin Login