From ICT Foundations to an Intelligent Economy
MIPRO 2026 - 49th Convention

CIS - Cyber and Information Security

Wednesday, 5/27/2026 3:00 PM - 7:00 PM, Nava 2, Hotel Admiral, Opatija

Hybrid Event

Event program

Papers
1. M. Vaněk (VSB – Technical University of Ostrava, Ostrava, Czech Republic), N. Saadi, V. Isoard (Institut Mines Télécom – Mines Alès, Alès, France), F. Lauterbach, M. Vozňák (VSB – Technical University of Ostrava, Ostrava, Czech Republic)
Hybridization of Post-Quantum Cryptography and Quantum Key Distribution: A Survey of Key Establishment Approaches
The emergence of quantum computing threatens classical cryptographic systems, motivating the development of cryptographic solutions based on Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD). This paper surveys hybrid key-establishment techniques combining PQC and QKD, including XOR/concatenation, KEM combiners, split usage, and cascade approaches, and evaluates their applicability to protocols such as TLS and IPsec. It further compares positions of major standardization bodies (ANSSI, BSI, NCSC, NIST, ETSI) and identifies key challenges in standardization, performance, scalability, and complexity. While not a universal solution, hybridization remains relevant for high-assurance environments.
2. K. Boras (Faculty of Electrical Engineering and Computing, Zagreb, Croatia), I. Draganjac (RIT Croatia, Zagreb, Croatia)
Challenges and Solutions in Replacing the Diffie-Hellman Key Exchange in Secure Post-Quantum Network Protocols
The threat of quantum computers becoming strong enough to break classical cryptographic primitives grows only more realistic with time. With increasing urgency, organizations are beginning to migrate their systems to quantum-resistant solutions. One of the areas encompassed by the post-quantum migration is secure network protocols. To protect traffic from quantum adversaries, classical cryptographic primitives inside network protocols must be replaced with quantum-resistant ones. While this transition is relatively straightforward for protocols that use key encapsulation mechanisms (KEMs) in their classical variants, that is not the case for protocols that rely on the Diffie-Hellman key exchange (DH). This simple cryptographic primitive plays a key role in many secure network protocols. It is the component that ensures asynchronicity of instant messaging protocols such as Signal – a property that key encapsulation mechanisms cannot achieve. Because of this, replacing the Diffie-Hellman key exchange with a post-quantum solution – many of which are based on KEMs – is non-trivial and may require changes to these protocols. We examine the obstacles and challenges of post-quantum migration in DH-based protocols and provide a comprehensive comparison of potential solutions proposed in the existing literature.
3. I. Gribanova, V. Kondratiev, A. Semenov (Matrosov Institute for System Dynamics and Control Theory SB RAS, Irkutsk, Russian Federation)
Using Special Variant of (1+1)-Evolutionary Algorithm to Construct Relaxation Constraints for MD4 Compression Function Inversion 
The inversion problem for the full-round MD4 cryptographic hash function remains computationally hard despite the function being classified as obsolete. In this paper we propose new results about sets of weak values of the MD4 full-round compression function. Specifically, we synthesize new relaxation constraints considering this problem in the context of pseudo-Boolean optimization and use a special variant of the (1+1)-Evolutionary Algorithm to solve it. Also, we involve a new algorithm that allows constructing estimations of the hardness of CircuitSAT instances, and using it, we expand the known set of weak values of the full-round MD4 compression function.
4. Ž. Tomić (-, Petrinja, Croatia), D. Gernhardt (-, Zagreb, Croatia)
Developing Competencies in Information and Cybersecurity 
In today’s digital environment, the human factor remains a critical element of information and cybersecurity alongside technical and organizational controls. Security incidents are often linked to limited user knowledge, weak threat understanding, and inconsistent security practices. This paper reports an indicative case study of an 18-hour blended training approach for developing competencies related to social-engineering (phishing) threats. The study was conducted with a single participant group (n=13) in a controlled professional training setting. The training sequence included 12 hours of lecture-based instruction and a 6-hour experiential component. Lecture-taught topics were evaluated quantitatively using an exit test, while the experiential component consisted of a live demonstration of a simulated credential-harvesting scenario followed by an incident-classification exercise aligned with the Croatian national taxonomy of computer-security incidents and internal organizational reporting procedures. Because no standardized post-test followed the experiential activity, its effects were assessed indirectly through structured observations, guided reflection, and exercise outcomes. Results show solid acquisition of foundational declarative knowledge after lectures and suggest that the experiential activities were associated with higher engagement and supported applied incident reasoning. Although findings are not generalizable and do not provide a direct pre/post comparison for the experiential content, they indicate that integrating experiential learning can complement traditional instruction by helping participants translate security principles into decisions under realistic conditions.
5. M. Ersok, A. Banati, E. Kail (Obuda University, Budapest, Hungary), P. Palla (Independent Researcher, Budapest, Hungary)
Agentic Language Models for Vulnerability-Based Cyber Range Scenario Generation
With over 25,000 new CVEs disclosed annually, a significant gap exists between vulnerability intelligence and practical training content for cyber range environments. Manual scenario development requires substantial expert effort and cannot keep pace with emerging threats. This paper presents a three-agent Large Language Model framework that automatically generates structured cyber range scenarios from public vulnerability data. The system employs a vulnerability analyzer that enriches CVE data from the National Vulnerability Database and ExploitDB, a scenario architect that maps vulnerabilities to MITRE ATT&CK techniques and constructs multi-step attack flows, and a deployment generator that produces Ansible playbooks and Docker/Podman Compose files for infrastructure-agnostic deployment. We evaluate the framework on 28 high-severity CVEs across three open-source models (Mistral-Small 3.1, Qwen3.5, Llama 3.3) and one proprietary baseline (Claude Sonnet), showing that LLM-augmented generation substantially increases ATT&CK technique diversity and multi-host topology realism over rule-based templates while producing structurally valid deployment artifacts across all configurations.
6. K. Kövesi, E. Kail, A. Banati (Obuda University, Budapest, Hungary)
Towards AI-Driven Cyber Ranges: Automated Attack Graph Generation from Infrastructure-as-Code 
Cyber ranges are increasingly used for security training, attack simulation, and AI-based cybersecurity research; however, most existing environments lack an explicit and machine-readable representation of their theoretical attack surface. This paper presents a novel framework for automatically generating attack graphs in parallel with Infrastructure-as-Code (IaC)–based cyber range deployment, ensuring that every instantiated network component, firewall rule, and communication policy is reflected in a corresponding graph representation. In the proposed architecture, network topology, hosts, firewall rules, and traffic policies are instantiated simultaneously with a STIX-compliant attack graph stored in a Neo4j database. An AI-assisted analysis component evaluates firewall and traffic rules to identify and prioritize exposed infrastructure elements based on inferred attack feasibility and reachability. By coupling IaC-driven cyber range provisioning with automated attack graph construction, the framework establishes a formalized ground truth for attack paths from the earliest design phase. This enables reproducible experimentation, structured dataset generation for AI-based cybersecurity research, and systematic evaluation of defensive mechanisms. The paper positions this work as a foundational step toward fully automated, AI-driven cyber range environments supporting advanced security analytics and machine learning research.
7. A. Bánáti, E. Kail (Óbuda University, Budapest, Hungary)
Enriched Attack Graphs as a Research Backbone for Cyber Ranges
The generation of attack graphs alongside cyber range infrastructures provides a structured representation of potential attack paths; however, their integration with execution-time observations remains limited. This paper investigates how design-time attack graphs can be extended with structured data collected during cyber exercises, enabling a closer connection between modeling and empirical evaluation. We interpret design-time attack graphs as representations of the feasible adversarial state space of a cyber range environment. By aligning execution traces and defensive actions with graph elements, the model can be extended to reflect changes in transition feasibility and reachability during exercise execution. Although the integration is not yet realized as a fully automated system, existing components, such as the incorporation of intrusion detection alerts into graph representations, demonstrate the feasibility of this approach. The paper outlines a framework in which enriched attack graphs serve as a conceptual bridge between cyber range engineering and data-driven security analysis. This perspective enables structured dataset creation, explainable analysis of security events, and graph-based evaluation of defensive actions, while providing a foundation for future adaptive, self-evolving cyber range environments.
8. P. Grd, I. Tomičić (Faculty of Organization and Informatics, Varaždin, Croatia), A. Bernik (University North, Varaždin, Croatia)
Evaluating the Unified Physical and Deepfake Attack Detection in Face Biometric Systems
Face recognition systems are increasingly exposed to attacks that compromise their security. The most common types of attacks are presentation attacks and digitally generated deepfake attacks. Presentation attacks rely on physical presentation attack instruments (PAI), such as printed photographs or video replays, while deepfake attacks involve synthetically generated or manipulated digital facial samples. Systematic evaluation of physical and digital detection systems is scarce despite previous research on unified frameworks. This paper explores the potential to combine different attack types into a single ISO/IEC 30107-compliant binary detection system that identifies real data versus attack data without complex architecture or performance loss. Controlled tests are conducted on three different convolutional neural networks (MobileNetV3, EfficientNetV2S and ConvNeXtV2) to compare individual-modality baselines to unified training approaches. Results show that unified detection achieves almost perfect AUC (0.999) with low ACER (<1.2%) and consistent APCER/BPCER performance. These results indicate that unified attack detection is a promising baseline simplification strategy within the tested RGB, closed-set setting, while broader cross-dataset, open-set, and deployment-oriented validation remains future work.
9. P. Puhtila, T. Heino, H. Terho, S. Rajapaksha, S. Harshani, L. Koivunen, T. Mäkilä (University of Turku, Turku, Finland)
Evaluating LLM Proficiency in Analyzing Privacy Aspects of Network Traffic
An important aspect of privacy research is the analysis of HTTP Archive (HAR) files, which record the network traffic originating from a given domain. Large language models (LLMs) have demonstrated capabilities that could be useful in this kind of work, but research into the validity of the privacy analysis by the LLMs is lacking. Such investigation is necessary if we want to use these technologies reliably in research. We measure and compare the efficiency of four LLMs in analysing the HAR files: GPT-4o, o1-preview, LLaMA3.3B70 and Claude Sonnet 3.5. We evaluate LLM ability to detect third parties present in the website, and to analyse cookies and User-Agent strings. We experiment on whether the use of Retrieval Augmented Generation (RAG) improves results compared to the default LLM. Results indicate that all of the studied LLMs are incapable of absolutely correct analysis, with or without RAG assistance, although the flaws in their output are relatively small. In general o1-preview attained the best results; for example, in analysing third-party URLs it was correct 88% of the time. In contrast, LLaMA3.3B70 was the worst, achieving only 34% correct answers in this task. Results in other tasks followed a similar pattern, while RAG gave inconclusive results.
10. N. Nelufule (Pretoria, South Africa), N. Siphambili (Pretoria, South Africa), D. Shadung (Council for Scientific and Industrial Research (CSIR), Pretoria, South Africa)
PrivSev: Privacy-Preserving Artificial Intelligence in 6G Open Radio Access Networks: A Survey
The disaggregated, multi-vendor architecture of Open Radio Access Networks (O-RAN) in 6G promises unprecedented flexibility through AI-native intelligence, and cost efficiency. However, these benefits also introduce challenges such as severe privacy and security risks, which include model inversion, data poisoning, and unauthorized access across distributed edge nodes; mainly the Open Radio Unit (O-RU), Open Distributed Unit (O-DU), Open Centralized Unit (O-CU), and RAN Intelligent Controllers (RICs). In this paper, a systematic review based on the PRISMA framework was used to synthesize 42 peer-reviewed articles published between 2020 and 2026, particularly on the privacy-preserving AI techniques Federated Learning (FL), Differential Privacy (DP), Secure Multi-Party Computation (SMPC), and emerging hybrid technologies applied to 6G O-RAN environments. The key research findings revealed that the combination of Zero Trust Architecture (ZTA) and FL can achieve up to 32% energy savings and Near-RT compliance, while the combination of DP and FL helps to secure the RIC and FBMP, and the Intrusion Detection System (IDS) helps to enable lightweight Multi-Party Computation (MPC). The notion of introducing a three-way FL, DP and SMPC integration for O-RAN remains unexplored, and this work bridges this gap by introducing Privacy-Preserving (PrivSev), a novel layered hybrid framework that applies lightweight DP at the edge clients and threshold SMPC at the Non-RT RIC. The projected performance of the proposed framework tested against the reviewed benchmarks promises a 92% baseline accuracy retention.
11. I. Sladic, D. Delija, G. Sirovatka, M. Zagar (TVZ, Zagreb, Croatia)
LLMs as a Triage Tool in Network Forensic Analysis: An Evaluation on PCAP Metadata 
The increasing volume of network traffic and the widespread use of encrypted protocols significantly complicate network forensic analysis. As payload inspection becomes less feasible, analysts must increasingly rely on metadata extracted from PCAP files, which can still be large and time-consuming to interpret. This paper evaluates the use of Large Language Models (LLMs) as a triage support tool in network forensic analysis, focusing exclusively on PCAP metadata rather than raw packet contents. The paper combines classical network forensic techniques with LLM-assisted interpretation of structured artifacts, including protocol hierarchy statistics, conversation-level metadata, and auxiliary DNS, ARP, and ICMP data. The results show that LLMs can effectively summarize large datasets and highlight dominant communication patterns, central hosts, and potentially interesting connections that warrant further investigation. However, the evaluation also confirms clear limitations. Without access to packet payloads, temporal context, and network topology, LLMs cannot reliably distinguish benign from malicious activity. Consequently, LLMs should be viewed as a triage and decision-support mechanism rather than a source of forensic evidence, with all findings requiring validation through classical forensic methods.
12. A. Schwartz, E. Rios, A. Clarke, S. Saimbhi, J. Pelletier (Rochester Institute of Technology, Rochester, United States)
A Field Experiment in USB Baiting at a Private University 
This study investigates the efficacy of Universal Serial Bus (USB) baiting attacks in a spring 2025 field experiment conducted at a mid-sized private university. Drawing on Protection Motivation Theory (PMT) as a theoretical framework, the research examines user behaviors to consider how psychological factors such as fear, trust, and curiosity might influence how individuals interact with unknown USB devices. Fifty USB drives with specific label customizations were dropped across ten campus locations. Collecting data surrounding the independent variables of the physical appearance of the USB, file naming, and drop location allowed for the analysis of the dependent variable of the insecure behavior of individuals. Each drive included file embeddings, called "canary tokens", which record user interactions with the USB files without collecting personally identifiable information. The results showed that institutional labeling and curiosity-provoking file names influenced engagement rates, with 21 unique users interacting with USBs despite various warnings issued by some community members during the experimental window. The findings support previous studies on susceptibility to social engineering and emphasize the role of perceived risk and reward in decision making. Through analysis, actionable insights for designing targeted employee awareness programs were revealed and highlight the importance of field experimentation in understanding the human factors of cybersecurity.
13. R. Savela, S. Rauti, S. Rajapaksha, P. Puhtila (University of Turku, Turku, Finland)
Effects of Informing Finnish Website Owners about Third-Party Data Leaks 
Users’ personal data is collected by various third-party services on modern websites. Often this happens without the users’ knowledge, creating serious privacy risks especially when sensitive information such as health or political data is being processed. This paper studies how website maintainers respond to disclosures of third-party data leaks in their web services. We conduct a longitudinal comparison with two time points for four different categories of Finnish websites – online pharmacies, healthcare service websites, municipal websites, and voting advice applications. The maintainers of these websites were informed about third-party data leaks on their websites. The findings show how effectively website maintainers reacted to these disclosures in different scenarios and how the data leak situation evolved over time. These results illustrate real-world data-leak prevention practices and their effectiveness in different kinds of sensitive web services.
14. I. Tomičić, P. Grd, D. Tuličić (Faculty of Organization and Informatics, Varaždin, Croatia)
A Framework for Assessing the Codifiability of NIS2-derived Cybersecurity Requirements
As cybersecurity regulation increasingly relies on technical enforcement and automation, a key open question is which regulatory requirements can be meaningfully translated into machine-enforceable controls. The EU NIS2 Directive defines high-level obligations, and practical codifiability emerges only through national transposition that specifies concrete requirements. This paper proposes a lightweight, structured framework for assessing the codifiability of cybersecurity regulatory requirements based on their determinism, observability, technical enforceability, and contextual independence. The framework is demonstrated using a representative set of control-level requirements drawn from the Croatian Uredba o kibernetičkoj sigurnosti. The goal of the paper is not to provide an exhaustive classification, but to use relevant examples from governance and policy controls, risk management, monitoring and technical controls, secure development, cryptographic and physical security controls, to validate the applicability and limitations of the proposed model. The results highlight structural boundaries between fully codifiable, partially codifiable, and inherently non-codifiable requirements, and establish a methodological foundation for subsequent work on policy automation and AI-assisted compliance under NIS2.
15. J. Lieponienė (Panevėžio kolegija/State Higher Education Institution, Panevėžys, Lithuania)
Automation of IT Security Policy Management in Small Enterprises
As information technologies become increasingly integrated into organizational operations, small enterprises face growing challenges in maintaining effective IT security policy management, largely due to limited technical and human resources. In practice, security policies in small organizations are often enforced manually and inconsistently, resulting in configuration errors and limited visibility into actual system states. This paper proposes an automated IT security policy management model tailored to small enterprise environments, focusing on configuration-level policy enforcement, continuous compliance monitoring, and automated remediation. The proposed model is based on XML-structured security policies and dynamic PowerShell script generation, enabling automated initial configuration, systematic compliance assessment, detection of security misconfigurations, and execution of corrective actions. The study reviews existing IT security policy management solutions, analyzes their suitability for small enterprises, and presents the architecture and prototype implementation of the proposed model, followed by experimental evaluation. Experimental results obtained in a controlled small-enterprise test environment demonstrate that the proposed solution reliably supports automated policy execution, detects configuration deviations, and restores compliant system states. Performance evaluation shows stable system behavior, with policy processing time primarily dependent on the number of violated rules rather than the total number of defined policies. These findings indicate that the proposed approach provides a lightweight and practical solution for automated IT security policy management in small organizations without dedicated cybersecurity teams and offers a foundation for further research on automated security management in resource-constrained environments.
16. D. Tuličić, R. Fabac (Faculty of Organization and Informatics, Varaždin, Croatia), D. Delija (Zagreb University of Applied Sciences, Zagreb, Croatia)
Cyber or Cybernetic Security as a Naming Problem and the Referential Gap in the Ontology of Security
The adoption of the Cybernetic Security Act in the Republic of Croatia has sparked debate over the appropriateness of its title and its relation to the concepts of cybersecurity, information security, and information and communication technology (ICT) security. Critics maintain that cybernetic security is not an unambiguous translation of cybersecurity and does not follow the established international referential framework. This paper argues that the issue extends beyond translation and reflects a deeper mismatch between naming and the ontological framework within which security is conceptualized. Drawing on legislative definitions and Kripke’s theory of rigid designators, it contends that cybersecurity functions internationally as a stable designator, whereas cybernetic security does not inherit the same referential chain. Within the cybernetic paradigm and Norbert Wiener’s systems theory, however, cybernetic security acquires a broader meaning as the security of sociotechnical systems of control and communication. The justification of the Act’s title thus depends on the ontological framework adopted.


Basic information:
Chair:

Stjepan Groš (Croatia)

Steering Committee:

Marin Golub (Croatia), Krešimir Grgić (Croatia), Miljenko Mikuc (Croatia), Toni Perković (Croatia), Marin Vuković (Croatia), Drago Žagar (Croatia)

Program Committee:

Stjepan Groš (Croatia), Tihomir Katulić (Croatia), Tonimir Kišasondi (Croatia), Dejan Škvorc (Croatia), Boris Vrdoljak (Croatia)

Registration / Fees (price in EUR):

Category | Early bird (up to 15 May 2026) | Regular (from 16 May 2026)
IEEE members | 297 | 324
MIPRO members | 297 | 324
Students (undergraduate and graduate), primary and secondary school teachers | 165 | 180
Others | 330 | 360


The student discount doesn't apply to PhD students.

NOTE FOR AUTHORS: In order to have your paper published, it is required that you pay at least one registration fee for each paper. Authors of 2 or more papers are entitled to a 10% discount.

Contact:

Stjepan Gros
University of Zagreb
Faculty of Electrical Engineering and Computing
Unska 3
HR-10000 Zagreb, Croatia

E-mail: stjepan.gros@fer.hr

The best papers will get a special award.
Accepted papers will be published in the ISSN registered conference proceedings. Papers in English presented at the conference will be submitted for inclusion in the IEEE Xplore Digital Library. 


Location:

Opatija is the leading seaside resort of the Eastern Adriatic and one of the most famous tourist destinations on the Mediterranean. With its aristocratic architecture and style, Opatija has been attracting artists, kings, politicians, scientists, sportsmen, as well as business people, bankers and managers for more than 180 years.

The tourist offer in Opatija includes a vast number of hotels, excellent restaurants, entertainment venues, art festivals, superb modern and classical music concerts, beaches and swimming pools – this city satisfies all wishes and demands.

Opatija, the Queen of the Adriatic, is also one of the most prominent congress cities in the Mediterranean, particularly important for its ICT conventions, one of which is MIPRO, which has been held in Opatija since 1979, and attracts more than a thousand participants from over forty countries. These conventions promote Opatija as one of the most desirable technological, business, educational and scientific centers in South-eastern Europe and the European Union in general.


For more details, please visit www.opatija.hr and visitopatija.com.
