CITADEL: Multidomain Security, Learning, and More
- CITADEL is a multifaceted project name representing systems in e-learning, memory security, retrieval, and intrusion detection.
- It encompasses diverse applications, including learner-centric web platforms, secure memory allocators, enclave architectures, and privacy-preserving collaborative learning.
- The initiative offers actionable insights into performance metrics, security overheads, and innovative methodologies across interdisciplinary technical domains.
CITADEL is a recurrent project name in the technical literature rather than a single unified system. It has been used for a learner-centred e-learning environment for Nigerian tertiary institutions, a domain-aware Linux memory allocator for Rowhammer defense, a multi-vector retrieval architecture based on dynamic lexical routing, SGX- and TEE-based collaborative learning systems, a privacy-preserving self-sovereign identity system on Dusk Network, a Spectre-safe enclave architecture, malware-analysis and intrusion-detection pipelines, an IIoT jamming detector, and, separately, as the archaeological place-name “The Citadel” in geophysical studies of Teotihuacan (Awodele et al., 2011, Saxena et al., 2024, Li et al., 2022, Zhang et al., 2021, Salleras, 2023, Drean et al., 2023, Bouferroum et al., 22 Jun 2026, López-Rodríguez et al., 2016).
1. Nomenclature and domain span
Representative uses of the name are summarized below.
| Usage | Domain | Defining technical element |
|---|---|---|
| CITADEL E-Learning (Awodele et al., 2011) | Tertiary education | Three-tier PHP/MySQL web platform |
| Citadel (Saxena et al., 2024) | Memory security | Security domains, security zones, guard rows |
| CITADEL (Li et al., 2022) | Neural retrieval | Conditional token interaction via dynamic lexical routing |
| Citadel (Zhang et al., 2021) | Collaborative ML | SGX training enclaves, aggregator enclave, zero-sum masking |
| Citadel++ (Chen et al., 2024) | Privacy-preserving collaborative learning | VM-level TEEs, DP barrier, sandboxing |
| Citadel (Salleras, 2023) | SSI and blockchain | Private NFT notes and zk-SNARK-based proofs |
| Citadel (Drean et al., 2023) | Enclave isolation | SpecSafe and Burst mode |
| CITADEL (Zhang et al., 2024) | DL framework testing | Context-similarity bug reuse |
| CITADEL (Bouferroum et al., 22 Jun 2026) | IIoT wireless defense | CSI-only two-stage jamming pipeline |
| CITADEL (Li et al., 26 Aug 2025) | Continual IoT IDS | Memory-aware masked autoencoder and LOF |
Some papers expand the name as an acronym, including “Conditional Token Interaction via Dynamic Lexical Routing,” “Context Similarity Based Deep Learning Framework Bug Finding,” “CSI-Based Jamming Detection and Open-Set Classification for IIoT Networks,” and “Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection,” whereas “Citadel E-Learning” explicitly does not specify a literal acronym behind the name (Li et al., 2022, Zhang et al., 2024, Bouferroum et al., 22 Jun 2026, Li et al., 26 Aug 2025, Awodele et al., 2011).
2. E-learning infrastructure in Nigerian tertiary education
In the educational literature, CITADEL denotes a web-based learning system designed for Nigeria’s tertiary institutions, motivated by “an urgent need for a learner-centred, ICT-driven environment that overcomes the limitations of traditional, resource-scarce classrooms.” Its stated objective is an “ever-available (anyone, anyplace, anytime), user-friendly platform” integrating course delivery, assessment, communication, and administration in a single system. The implementation is a three-tier web application conforming to ISO standards: a presentation layer using HTML, Adobe Fireworks, and JavaScript; a PHP middle tier for business logic, session management, and security controls; and a MySQL data layer for credentials, course materials, assessment records, timetables, and messages (Awodele et al., 2011).
Functionally, the platform is partitioned into Student, Lecturer, and Registry modules. Students authenticate with matriculation number and password, then register courses, download lecture notes, take quizzes or examinations online, submit assignments, inspect continuous assessment results, browse library resources, consult timetables, exchange messages, view contact details, and participate in chat. Lecturers upload documents or video lectures, generate quizzes and exams, assign homework, post grades, and initiate live classes via video conferencing. Registry staff register users, define faculties, departments, and courses, post announcements, and generate certificates. Deployment is intended on local institutional servers rather than a cloud model, and browser-based access preserves operating-system independence. The paper emphasizes ubiquity, flexibility, portability, and ease of use, while also recording limitations: the live-class feature does not verify physical attendance, and there is no integrated payment processing or mobile-app access. Proposed extensions include webcam-based presence detection or biometric login, a student-billing submodule, dedicated mobile applications or responsive design updates, and formal usability studies and load-testing (Awodele et al., 2011).
3. Memory, enclave, and supply-chain security systems
In systems security, Citadel has been used for a software-only Rowhammer defense implemented as a Linux-kernel memory allocator. Its central abstraction is the security domain, identified by a unique 64-bit domain ID, whose pages are drawn from domain-specific security zones composed of contiguous runs of DRAM global rows. Guard rows are inserted at the start of each zone; in the prototype, , sufficient against the Half-Double attack. The allocator supports page-table pages and user processes as domains, introduces reservation chunks with global rows as the minimum reservation unit, and uses zonelets for small domains. On a two-socket 128 GB DDR4 server, evaluated across SPEC2017 and GAP mixes with up to 57 K domains, average total memory overhead is 7.4 percent, with 1.6 percent from guard rows and 5.8 percent from stranded chunks; the allocator path remains under 1 percent of runtime and no benchmark shows measurable throughput or latency degradation. The design is contrasted with ZebRAM and Siloz, which incur substantially higher capacity costs or cannot sustain many-domain scenarios (Saxena et al., 2024).
A different Citadel addresses transient-execution leakage. That system defines relaxed microarchitectural isolation and enforces Speculative Non-Interference for enclaves that share public memory with an untrusted OS. Its two enforcement modes are SpecSafe, which disables speculative accesses to shared memory and satisfies , and Burst mode, which limits learned speculation while preserving fall-through execution and satisfies . The prototype is a 2-core out-of-order RISC-V processor on an AWS F1 UltraScale+ FPGA, clocked at 30 MHz, with a Security Monitor, dual page tables for shared memory, LLC and MSHR partitioning, temporal flushing, and ISA support via a BURST CSR. The abstract reports secure applications, including cryptographic libraries and private inference, running with less than 5 percent performance overhead; detailed results show that overhead is highly workload dependent, with compute-bound signing near baseline and shared-memory-intensive hashing substantially higher (Drean et al., 2023).
A third usage, in SoC security, treats CITADEL as a modular subsystem for supply-chain attack resistance. The architecture combines a lightweight microcontroller called the Compute Enclave, security wrappers around protected IP blocks, a PUF Control Module, secure storage and crypto engines using AES-256 and SHA-256, an HSM used at chip birth, and an off-chip Asset Management Infrastructure maintaining ChipID, IPID, obfuscation keys, and lifecycle state. Threat classes include counterfeiting and overproduction, reverse engineering, and illegal recycling. Across single-bus, multi-bus, and MIT CEP testbeds, measured SoC-level overheads are approximately 17.5 percent area and 17.9 percent power for the single-bus SoC, 14.0 percent area and 12.5 percent power for the multi-bus SoC, and 10.5 percent area and 10.9 percent power for MIT CEP; wrapper overhead per IP is 0.7–5.9 percent area and about 1–3 percent power, with boot-path latency impact reported as negligible and below 10 ns total (Raj et al., 15 Jul 2025).
4. Confidential collaborative learning and privacy barriers
In collaborative machine learning, Citadel denotes an SGX-based training architecture that separates data handling from model updating. Each data owner runs a training enclave that processes only its own plaintext data, while the model owner runs a single aggregator enclave that holds proprietary update logic and plaintext model weights. An admin enclave, trusted by both sides, orchestrates attestation, key distribution, and a zero-sum masking protocol. If each training enclave computes and receives a mask such that , then the aggregator observes only masked gradients yet recovers the exact sum through
The system also supports hierarchical aggregation trees to reduce EPC paging and communication bottlenecks. On Azure DCsv2 instances, with models including AlexNetS, AlexNetL, SpamNet, and an MNIST CNN, throughput with 32 training enclaves improves by 4.7×–19.6× over a single-enclave run, and SGX protection slows end-to-end iteration time by at most 1.73×; for MNIST, hierarchical aggregation cuts aggregation overhead by up to 36 percent (Zhang et al., 2021).
Citadel++ extends this line of work to protect dataset confidentiality, user privacy, model confidentiality, training-code confidentiality, and integrity simultaneously. It moves from enclave-level isolation to VM-level TEEs such as AMD SEV-SNP or Intel TDX, combines central DP-SGD with zero-sum masking, adds dynamic gradient clipping and correlated-noise correction, and constrains untrusted training code inside OS-level sandboxes with isolated network, IPC, and mount namespaces. The threat model explicitly allows malicious model code and collusion among participants. Reported utility on MNIST with MLP3 rises from 85 percent at to 97 percent at 0; on CIFAR-10 with CNN6, accuracy rises from 48 percent at 1 to 66 percent at the non-private baseline. In performance terms, Citadel++ is reported as up to 543× faster on CPU and 113× faster on GPU TEEs than prior privacy-preserving training systems, while matching FL+DP-style per-iteration latencies in representative MLP3, CNN6, and WRN-28 configurations (Chen et al., 2024).
5. Retrieval architectures and software-engineering methodologies
In neural information retrieval, CITADEL is a multi-vector retriever that reinterprets token interaction through learned lexical routing. A BERT encoder produces contextual token vectors 2, and a sparse router head scores lexical keys with a ReLU-plus-log activation. Each query token is routed to its top key, and each document token to its top five keys, so interaction is conditional on shared routing keys. The document–query score is
3
This replaces all-to-all late interaction with sparse conditional interaction. On MS MARCO and BEIR, the method is reported as nearly 40 times faster than ColBERT-v2 while maintaining similar or slightly better effectiveness; one reported configuration reaches 3.2 ms/query for CITADEL+ versus 120 ms/query for ColBERT-v2, with a 13.3 GB PQ-compressed index versus 29 GB, and zero-shot BEIR average 4 around 0.486 for CITADEL and 0.493 for CITADEL+ (Li et al., 2022).
A separate CITADEL targets deep-learning framework testing. Its premise is that many framework bugs are structurally analogous because operators from the same family share implementation context. The pipeline mines bug reports from PyTorch and TensorFlow repositories, extracts problematic APIs and runnable buggy snippets, groups low-level source functions by analogous-function families using Jaccard similarities over input/output arguments and callee sets, profiles API call stacks dynamically, measures API-level context similarity, and adapts buggy source tests into new target tests while preserving the original oracle. This makes performance-bug oracles available in addition to crash and value-bug oracles. The reported coverage is 1,436 PyTorch APIs and 5,380 TensorFlow APIs, with 36,347 matched pairs overall, 404 tests generated, a 35.4 percent bug-trigger ratio, and 159 bugs found in total, of which 126 are new and 94 confirmed; 13 are performance bugs, 11 confirmed. Baseline trigger ratios are 0.74 percent for DocTer, 1.23 percent for DeepREL, and 3.90 percent for TitanFuzz (Zhang et al., 2024).
6. Malware analysis and adaptive intrusion detection
In malware reverse engineering, Citadel refers to an information-stealing botnet analyzed as an offspring of Zeus. The malware is modular, comprising a dropper or installer, an injector or agent, a configuration manager, a communication and data-stealing component, and a crypto/network layer using “Visual Encrypt” with RC4 and XOR for command-and-control traffic plus AES+RC4+MD5 for configuration encryption. The reverse-engineering paper introduces a clone-based methodology combining assembly-to-source matching and binary clone detection. Post-unpack, Citadel contains roughly 800 functions, of which 526 are exact binary clones with Zeus, representing about 67 percent of Citadel’s functions and about 93 percent of Zeus; 1,876 inexact clone windows are identified at threshold 5. The methodology reduces manual review to about 267 functions, or 33 percent of the code, with clone-detection precision above 95 percent, assembly-to-source precision around 80 percent, and an overall analysis-time reduction of approximately 60–70 percent (Rahimian et al., 2014).
The name also appears in Android malware detection under continuous distribution drift. There, CITADEL is a semi-supervised active learning framework that uses binary malware feature vectors, malware-specific augmentations based on Bernoulli bit flips and masking, supervised contrastive loss, and a three-criterion acquisition strategy combining softmax margin, feature-space 6-distance, and prediction confidence. It is evaluated on APIGraph, Chen-AZ, MaMaDroid, and LAMDA, a 12-year longitudinal dataset. The abstract reports F1 improvements of over 1 percent, 3 percent, 7 percent, and 14 percent respectively using only 40 percent labeled samples, together with 24× faster training and 13× fewer operations than prior work; the paper motivates the design with the observation that more than 450,000 new malware samples emerge daily, while expert review scales only to about 80 samples per day (Haque et al., 15 Nov 2025).
In IoT intrusion detection, CITADEL denotes a self-supervised continual-learning pipeline built around a tabular-to-image transformation, a memory-aware masked autoencoder, and novelty detection using Local Outlier Factor. PCA selects features, DeepInsight maps them to 7 grayscale images, the masked autoencoder learns benign latent representations with mask ratio 8, and a hierarchical memory buffer performs strategic forgetting, strategic sampling, and drift-severity-aware placement. On continual-learning metrics, the reported average LL-PR-AUC is 0.7060, BWT is 9, and FWT is 0.7005; compared with VLAD, BWT improves from 0 to 1, described as a 72.9 percent relative gain on CIC-IDS2017. The framework is also reported as compatible with IoT constraints, with inference around 0.05 ms/sample (Li et al., 26 Aug 2025).
7. Identity, wireless defense, and place-name usage
In blockchain identity systems, Citadel is a self-sovereign identity framework on Dusk Network built atop a native privacy-preserving NFT model. It extends Phoenix’s note structure with transparent NFT notes (2) and obfuscated NFT notes (3), replacing coin value with an NFT payload and using DH-derived symmetric encryption for private notes. Ownership and validity are established in a PLONK-style zk-SNARK over BLS12-381, with Merkle-tree membership checks, double-key Schnorr proofs for note control, single-key Schnorr verification for issuer signatures, Pedersen commitments on JubJub, and nullifier computation via Poseidon. The Citadel-specific circuit uses about 34,861 R1CS constraints; a one-note nullification plus license proof totals about 66,000 constraints, with prover time around 16.2 s on Apple M1, verifier time around 7 ms, proof size around 2 kB, and contract execution cost near 200,000 gas. The system supports issuance, transfer, usage, nullification, and revocation while aiming to prevent both on-chain tracing and off-chain linkage (Salleras, 2023).
In wireless IIoT security, CITADEL is a CSI-only, two-stage hierarchical jamming detector. Stage 1 is an on-device binary trigger running on nodes such as the ESP32-C6, with 1,362 learnable parameters and input tensors 4 where 5 and 6; the validation-tuned escalation threshold is approximately 7. Stage 2, running on an edge GPU such as Jetson Orin Nano, combines a 4-way CSI classifier, a variational autoencoder, a latent-space diffusion model, and a three-signal OOD ensemble based on KL divergence, energy score, and Mahalanobis distance. Across 6 known attack types and 15 zero-day scenarios, the reported end-to-end results are 100.0 percent known-attack detection, 97.1 percent zero-day detection, and 0.4 percent false positive rate. Under adversarial evaluation, white-box gradient-based evasion remains below 2 percent across tested perturbation budgets, and the strongest published CSI attack generator achieves less than 5 percent average evasion; Stage 2 inference is reported at about 14.2 ms and 95.9 mJ per window (Bouferroum et al., 22 Jun 2026).
The term also appears non-acronymically as the archaeological place-name “The Citadel” in Teotihuacan. In that context, multichannel GPR traces from the tunnel beneath the Temple of the Feathered Serpent were analyzed with multi-cross wavelet and Fourier multi-cross algorithms. The reported MCW periods are 15.22 ns for the matrix, 14.37 ns for the tunnel filling, and 8 ns for the chamber filling; FMC yields 9 ns for the matrix, 0 ns for the tunnel filling, and 1 ns for the chamber filling. The interpretation given is that tunnel infill reflects a mixed limestone-clay compound, whereas the chamber filling is more clay-rich, and that combined MCW+FMC analysis reveals similarities not attainable with MCW alone (López-Rodríguez et al., 2016).