Third-party Large Language Model (LLM) API gateways are rapidly emerging as unified access points to models offered by multiple vendors. However, the internal routing, caching, and billing policies of these gateways are largely undisclosed, leaving users with limited visibility into whether requests are served by the advertised models, whether responses remain faithful to upstream APIs, or whether invoices accurately reflect public pricing policies. To address this gap, we introduce GateScope, a lightweight black-box measurement framework for evaluating behavioral consistency and operational transparency in commercial LLM gateways. GateScope is designed to detect key misbehaviors, including model downgrading or switching, silent truncation, billing inaccuracies, and instability in latency by auditing gateways along four critical dimensions: response content analysis, multi-turn conversation performance, billing accuracy, and latency characteristics. Our measurements across 10 real-world commercial LLM API gateways reveal frequent gaps between expected and actual behaviors, including silent model substitutions, degraded memory retention, deviations from announced pricing, and substa
Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named \emph{NOS-Gate}. NOS-Gate scores fixed-length windows of metadata features and, under a $K$-of-$M$ persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable \emph{worlds} benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved $0.1\%$ false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for
Evaluating production LLM responses and routing requests across providers in LLM gateways requires fine-grained quality signals and operationally grounded decisions. To address this gap, we present SEAR, a schema-based evaluation and routing system for multi-model, multi-provider LLM gateways. SEAR defines an extensible relational schema covering both LLM evaluation signals (context, intent, response characteristics, issue attribution, and quality scores) and gateway operational metrics (latency, cost, throughput), with cross-table consistency links across around one hundred typed, SQL-queryable columns. To populate the evaluation signals reliably, SEAR proposes self-contained signal instructions, in-schema reasoning, and multi-stage generation that produces database-ready structured outputs. Because signals are derived through LLM reasoning rather than shallow classifiers, SEAR captures complex request semantics, enables human-interpretable routing explanations, and unifies evaluation and routing in a single query layer. Across thousands of production sessions, SEAR achieves strong signal accuracy on human-labeled data and supports practical routing decisions, including large cost
It is time for the legacy financial infrastructure to seamlessly connect with modern, decentralized infrastructure. Although it is increasingly evident that decentralized infrastructure for finance (namely distributed ledgers) will coexist with and complement legacy infrastructure, it is also clear that such interoperability efforts carry new risks and concerns. In particular, managing the range of heterogeneous (and not well-established) infrastructure brings security, privacy, and regulatory issues. The first step to overcome some of these challenges is to recognize that in many deployment instances using distributed ledgers, the purpose of the ledger is to share resources among the community members. The second step after recognizing that borders exist is to understand that interoperability across systems can be best achieved through the use of standardized service interfaces (or application programming interfaces (API)). In this paper we use the term ledger gateways (or simply gateways) to denote the computer and software systems that implement the standardized service interfaces into a distributed ledger. The main purpose of a gateway is to communicate with other peer gateways
The convergence of 5G and IoT enables fully connected, intelligent environments, but it faces challenges from the fragmentation of public/private 5G networks and the heterogeneity of IoT networks. We propose a unified framework using CAMARA open gateways, which provide standardized, open APIs to expose network capabilities, reducing fragmentation and simplifying interoperability, supported by a federated SDN architecture that ensures scalable cross-domain control. We further demonstrate 5G-based remote control of KNX devices, extending industrial and building automation. These contributions lay the foundation for a secure, dynamic "network of networks" supporting next-generation applications.
As science gateways mature, sustainability has become a central concern for funders, developers, and institutions. Although user experience (UX) is increasingly acknowledged as vital, it is often approached narrowly--limited to interface usability or deferred until late in development. This paper argues that UX should be understood not as a discrete feature or evaluation stage but as a design-oriented perspective for reasoning about sustainability. Drawing on principles from user-centered design and systems thinking, this view recognizes that infrastructure, staffing, community engagement, and development timelines all shape how gateways are experienced and maintained over time. Based on an interview study and consulting experience with more than 65 gateway projects, the paper identifies three recurring orientations toward UX--ad hoc, project-based, and strategic--that characterize how teams engage with users and integrate design thinking into their workflows. These orientations are not a maturity model but a reflective lens for understanding how UX is positioned within gateway practice. Reframing UX as a structural dimension of sustainability highlights its role in building adapta
The deployment of mobile LoRa gateways using low-cost single-channel hardware presents a significant challenge in maintaining reliable communication due to the lack of dynamic configuration support. In traditional LoRaWAN networks, Adaptive Data Rate (ADR) mechanisms optimize communication parameters in real time. However, such features are typically supported only by expensive multi-channel gateways. This study proposes a cost-effective and energy-efficient solution by statically selecting the optimal Spreading Factor (SF) using a two-phase algorithm. The method first applies rule-based exclusion to eliminate SFs that violate constraints related to distance, data rate, link margin, and regulatory limits. Remaining candidates are then evaluated using a weighted scoring model incorporating Time-on-Air, energy consumption, data rate, and link robustness. The proposed algorithm was validated through extensive field tests and NS-3 simulations under line-of-sight conditions. Results demonstrate that the selected SF matched the optimal SF in over 92% of cases across 672 simulated scenarios, confirming the algorithm's effectiveness. This approach offers a scalable alternative to dynamic p
The proliferation of Low Earth Orbit (LEO) satellites for universal IoT applications and the growing use of drones in emergency services, agriculture, and military operations highlight the transformative potential of non-terrestrial networks (NTN). However, these networks face two key challenges: (1) large coverage footprints that create frequent collisions and (2) moving gateways that cause dynamic links and demand synchronization-free, link-aware transmissions. Existing random access schemes such as ALOHA, CSMA, and BSMA fail in this setting, suffering from high collision rates, hidden terminals, or excessive gateway energy overhead. We propose Free Signal Multiple Access (FSMA), a gateway-controlled protocol that introduces a lightweight free signal chirp (FreeChirp). FreeChirp ensures that nodes transmit only when the channel is idle and when links are reliable, thereby reducing collisions and enabling link-aware access without the need for synchronization or complex scheduling. We evaluate FSMA using 25 commercial LoRa devices with a drone-mounted moving gateway and demonstrate up to 2x higher throughput, 2x to 5x better packet reception ratio, and 5x improved energy efficienc
In pervasive systems, mobile devices and other sensors access Gateways, which are Servers that communicate with the devices, provide low latency services, connect them with each other, and connect them to the Internet and backbone networks. Gateway Servers are often equipped with Attack Detection (AD) software that analyzes the incoming traffic to protect the system against Cyberattacks, which can overwhelm the Gateway and the system as a whole. This paper describes a traffiic shaping, attack detection and an optimum attack mitigation scheme to protect the Gateway and the system as a whole from Cyberattacks. The approach is described and evaluated in an experimental testbed. The key parameter of the optimum mitigation technique is chosen based on an analytical model whose predictions are validated through detailed experiments.
At ByteDance, cloud gateway clusters orchestrate petabit-scale aggregate traffic. Traditional ASIC-only gateways fail to meet these escalating demands due to severe on-chip resource constraints and limited programmable flexibility, while pure software solutions or alternatives like disaggregated SmartNICs struggle to match terabit-scale line-rate throughput. To bridge this gap, we present Gryphon, a hyperscale cloud gateway built on a hybrid architecture that integrates DPUs directly into the switching ASIC's forwarding path. This design resolves the fundamental tension between capacity and speed, expanding table scale by up to 1000$\times$ and augmenting programmability, while sustaining 1.6 Tbps line-rate throughput at a cost of only ~8$μs$ in additional average latency. To manage this hardware heterogeneity, we introduce Hierarchical Co-Offloading (HLCO) in the data plane, achieving >99.9% fast path hit rate, while retaining software fallback for complex operations. In the control plane, we develop an abstraction layer (P4Bridge) that decouples hardware specifics from policy configuration. Gryphon has been operating at production scale for over a year, deployed on hundreds of
Pearl's Causal Hierarchy (PCH) is a central framework for reasoning about probabilistic, interventional, and counterfactual statements, yet the satisfiability problem for PCH formulas is computationally intractable in almost all classical settings. We revisit this challenge through the lens of parameterized complexity and identify the first gateways to tractability. Our results include fixed-parameter and XP-algorithms for satisfiability in key probabilistic and counterfactual fragments, using parameters such as primal treewidth and the number of variables, together with matching hardness results that map the limits of tractability. Technically, we depart from the dynamic programming paradigm typically employed for treewidth-based algorithms and instead exploit structural characterizations of well-formed causal models, providing a new algorithmic toolkit for causal reasoning.
The most recent Linux kernels have a new feature for securing applications: Landlock. Like Seccomp before it, Landlock makes it possible for a running process to give up access to resources. For applications running as Science Gateways, network access is required while starting up MPI, but for the sake of security, it should be taken away prior to the reading of user-supplied parameter files. We explore the usefulness of Landlock by modifying and locking down three mature scientific codes: The Einstein Toolkit (a code that studies the dynamics of relativistic astrophysics, e.g. neutron star collisions), Octo-Tiger (a code for studying the dynamics of non-relativistic astrophysics, e.g. white dwarfs), and FUKA (an initial data solver for relativistic codes). Finally, we implement a fully-functioning FUKA science gateway that relies on Landlock (instead of user authentication) for security.
The increased adoption of the Model Context Protocol (MCP) for AI Agents necessitates robust security for Enterprise integrations. This paper introduces the MCP Gateway to simplify self-hosted MCP server integration. The proposed architecture integrates security principles, authentication, intrusion detection, and secure tunneling, enabling secure self-hosting without exposing infrastructure. Key contributions include a reference architecture, threat model mapping, simplified integration strategies, and open-source implementation recommendations. This work focuses on the unique challenges of enterprise-centric, self-hosted AI integrations, unlike existing public MCP server solutions.
Interoperability is a significant challenge in blockchain technology, hindering seamless data and service sharing across diverse blockchain networks. This study introduces Automated Gateways as a novel framework leveraging smart contracts to facilitate interoperability. Unlike existing solutions, which often require adopting new technologies or relying on external services, Automated Gateways framework is integrated directly with a blockchain's core infrastructure to enhance systems with built-in interoperability features. By implementing fine-grained access control mechanisms, smart contracts within this framework manage accessibility and authorization for cross-chain interactions and facilitate streamlining the selective sharing of services between blockchains. Our evaluation demonstrates the framework's capability to handle cross-chain interactions efficiently, significantly reduce operational complexities, and uphold transactional integrity and security across different blockchain networks. With its focus on user-friendliness, self-managed permissions, and independence from external platforms, this framework is designed to achieve broader adoption within the blockchain communit
The rapid development of the Internet of Things (IoT) has enabled novel user-centred applications, including many in safety-critical areas such as healthcare, smart environment security, and emergency response systems. The diversity in IoT manufacturers, standards, and devices creates a combinatorial explosion of such deployment scenarios, leading to increased security and safety threats due to the difficulty of managing such heterogeneity. In almost every IoT deployment, wireless gateways are crucial for interconnecting IoT devices and providing services, yet they are vulnerable to external threats and serve as key entry points for large-scale IoT attacks. Memory-based vulnerabilities are among the most serious threats in software, with no universal solution yet available. Legacy memory protection mechanisms, such as canaries, RELRO, NX, and Fortify, have enhanced memory safety but remain insufficient for comprehensive protection. Emerging technologies like ARM-MTE, CHERI, and Rust are based on more universal and robust Secure-by-Design (SbD) memory safety principles, yet each entails different trade-offs in hardware or code modifications. Given the challenges of balancing securit
In the current work we discuss the notion of gateways as a means for interoperability across different blockchain systems. We discuss two key principles for the design of gateway nodes and scalable gateway protocols, namely (i) the opaque ledgers principle as the analogue of the autonomous systems principle in IP datagram routing, and (ii) the externalization of value principle as the analogue of the end-to-end principle in the Internet architecture. We illustrate the need for a standard gateway protocol by describing a unidirectional asset movement protocol between two peer gateways, under the strict condition of both blockchains being private/permissioned with their ledgers inaccessible to external entities. Several aspects of gateways and the gateway protocol is discussed, including gateway identities, gateway certificates and certificate hierarchies, passive locking transactions by gateways, and the potential use of delegated hash-locks to expand the functionality of gateways.
Stringent latency requirements in advanced Internet of Things (IoT) applications as well as an increased load on cloud data centers have prompted a move towards a more decentralized approach, bringing storage and processing of IoT data closer to the end-devices through the deployment of multi-purpose IoT gateways. However, the resource constrained nature and diversity of these gateways pose a challenge in developing applications that can be deployed widely. This challenge can be overcome with containerization, a form of lightweight virtualization, bringing support for a wide range of hardware architectures and operating system agnostic deployment of applications on IoT gateways. This paper discusses the architectural aspects of containerization, and studies the suitability of available containerization tools for multi-container deployment in the context of IoT gateways. We present containerization in the context of AGILE, a multi-container and micro-service based open source framework for IoT gateways, developed as part of a Horizon 2020 project. Our study of containerized services to perform common gateway functions like device discovery, data management and cloud integration amon
With the growing connectivity demands, Unmanned Aerial Vehicles (UAVs) have emerged as a prominent component in the deployment of Next Generation On-demand Wireless Networks. However, current UAV positioning solutions typically neglect the impact of Rate Adaptation (RA) algorithms or simplify its effect by considering ideal and non-implementable RA algorithms. This work proposes the Rate Adaptation aware RL-based Flying Gateway Positioning (RARL) algorithm, a positioning method for Flying Gateways that applies Deep Q-Learning, accounting for the dynamic data rate imposed by the underlying RA algorithm. The RARL algorithm aims to maximize the throughput of the flying wireless links serving one or more Flying Access Points, which in turn serve ground terminals. The performance evaluation of the RARL algorithm demonstrates that it is capable of taking into account the effect of the underlying RA algorithm and achieve the maximum throughput in all analysed static and mobile scenarios.
LoRaWAN deployments rely on rough range estimates or simplified propagation models to decide where to place/mount gateways. As a result, operators have limited visibility into how rooftop choice, streets, and building shadowing jointly affect coverage and reliability. This paper addresses the problem of gateway placement in dense urban environments by combining a geometry accurate Digital Twin (DT) with a GPU accelerated ray tracing engine. Existing studies optimize placement on abstract grids or tune models with sparse measurements; few works evaluate LoRaWAN gateways on a full 3D city model using a realistic link budget. In this paper, we develop a DT with ITU radio materials and evaluate eight candidate rooftops for RAK7289 WisGate Edge Pro gateways under a sub-GHz link budget derived from the data sheet. For each rooftop, we obtain Signal-to-Noise Ratios (SNR) on a 5 meter grid, derive robust and edge coverage indicators, and apply a greedy maximum coverage algorithm to rank sites and quantify the benefit of incremental densification. Results show that a single rooftop gateway covers one fifth of the full Sunway twin (i.e., the DT) at a robust SNR threshold, and that six sites
Third-party LLM gateways have become a critical infrastructure layer between applications and external LLM providers. Conventional gateways do more than forward traffic: they decide which provider and model are called, whether fallback occurred, which stream is delivered, and what usage record should be billed. Because these decisions and records are authored inside the operator-controlled service, clients cannot independently distinguish honest mediation from route substitution, hidden fallback, stream manipulation, or forged provenance. We present an evidence-bound LLM gateway architecture that separates the operator control plane from an attested execution plane. Within the gateway, a measured Attested Gateway Runtime (AGR) is the only component allowed to decrypt requests, enforce path policy, construct upstream calls, and sign evidence. Clients verify signed release metadata and fresh attestation before encrypting requests to keys bound to the AGR measurement. AGR enforces request-scoped routing, fallback, and endpoint constraints, invokes admitted providers, returns encrypted response streams, and signs evidence binding the policy, selected route, endpoint identity, stream co