Papers
Topics
Authors
Recent
Search
2000 character limit reached

CITADEL: Multidomain Security, Learning, and More

Updated 6 July 2026
  • CITADEL is a multifaceted project name representing systems in e-learning, memory security, retrieval, and intrusion detection.
  • It encompasses diverse applications, including learner-centric web platforms, secure memory allocators, enclave architectures, and privacy-preserving collaborative learning.
  • The initiative offers actionable insights into performance metrics, security overheads, and innovative methodologies across interdisciplinary technical domains.

CITADEL is a recurrent project name in the technical literature rather than a single unified system. It has been used for a learner-centred e-learning environment for Nigerian tertiary institutions, a domain-aware Linux memory allocator for Rowhammer defense, a multi-vector retrieval architecture based on dynamic lexical routing, SGX- and TEE-based collaborative learning systems, a privacy-preserving self-sovereign identity system on Dusk Network, a Spectre-safe enclave architecture, malware-analysis and intrusion-detection pipelines, an IIoT jamming detector, and, separately, as the archaeological place-name “The Citadel” in geophysical studies of Teotihuacan (Awodele et al., 2011, Saxena et al., 2024, Li et al., 2022, Zhang et al., 2021, Salleras, 2023, Drean et al., 2023, Bouferroum et al., 22 Jun 2026, López-Rodríguez et al., 2016).

1. Nomenclature and domain span

Representative uses of the name are summarized below.

Usage Domain Defining technical element
CITADEL E-Learning (Awodele et al., 2011) Tertiary education Three-tier PHP/MySQL web platform
Citadel (Saxena et al., 2024) Memory security Security domains, security zones, guard rows
CITADEL (Li et al., 2022) Neural retrieval Conditional token interaction via dynamic lexical routing
Citadel (Zhang et al., 2021) Collaborative ML SGX training enclaves, aggregator enclave, zero-sum masking
Citadel++ (Chen et al., 2024) Privacy-preserving collaborative learning VM-level TEEs, DP barrier, sandboxing
Citadel (Salleras, 2023) SSI and blockchain Private NFT notes and zk-SNARK-based proofs
Citadel (Drean et al., 2023) Enclave isolation SpecSafe and Burst mode
CITADEL (Zhang et al., 2024) DL framework testing Context-similarity bug reuse
CITADEL (Bouferroum et al., 22 Jun 2026) IIoT wireless defense CSI-only two-stage jamming pipeline
CITADEL (Li et al., 26 Aug 2025) Continual IoT IDS Memory-aware masked autoencoder and LOF

Some papers expand the name as an acronym, including “Conditional Token Interaction via Dynamic Lexical Routing,” “Context Similarity Based Deep Learning Framework Bug Finding,” “CSI-Based Jamming Detection and Open-Set Classification for IIoT Networks,” and “Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection,” whereas “Citadel E-Learning” explicitly does not specify a literal acronym behind the name (Li et al., 2022, Zhang et al., 2024, Bouferroum et al., 22 Jun 2026, Li et al., 26 Aug 2025, Awodele et al., 2011).

2. E-learning infrastructure in Nigerian tertiary education

In the educational literature, CITADEL denotes a web-based learning system designed for Nigeria’s tertiary institutions, motivated by “an urgent need for a learner-centred, ICT-driven environment that overcomes the limitations of traditional, resource-scarce classrooms.” Its stated objective is an “ever-available (anyone, anyplace, anytime), user-friendly platform” integrating course delivery, assessment, communication, and administration in a single system. The implementation is a three-tier web application conforming to ISO standards: a presentation layer using HTML, Adobe Fireworks, and JavaScript; a PHP middle tier for business logic, session management, and security controls; and a MySQL data layer for credentials, course materials, assessment records, timetables, and messages (Awodele et al., 2011).

Functionally, the platform is partitioned into Student, Lecturer, and Registry modules. Students authenticate with matriculation number and password, then register courses, download lecture notes, take quizzes or examinations online, submit assignments, inspect continuous assessment results, browse library resources, consult timetables, exchange messages, view contact details, and participate in chat. Lecturers upload documents or video lectures, generate quizzes and exams, assign homework, post grades, and initiate live classes via video conferencing. Registry staff register users, define faculties, departments, and courses, post announcements, and generate certificates. Deployment is intended on local institutional servers rather than a cloud model, and browser-based access preserves operating-system independence. The paper emphasizes ubiquity, flexibility, portability, and ease of use, while also recording limitations: the live-class feature does not verify physical attendance, and there is no integrated payment processing or mobile-app access. Proposed extensions include webcam-based presence detection or biometric login, a student-billing submodule, dedicated mobile applications or responsive design updates, and formal usability studies and load-testing (Awodele et al., 2011).

3. Memory, enclave, and supply-chain security systems

In systems security, Citadel has been used for a software-only Rowhammer defense implemented as a Linux-kernel memory allocator. Its central abstraction is the security domain, identified by a unique 64-bit domain ID, whose pages are drawn from domain-specific security zones composed of contiguous runs of DRAM global rows. Guard rows are inserted at the start of each zone; in the prototype, Ng=2N_g = 2, sufficient against the Half-Double attack. The allocator supports page-table pages and user processes as domains, introduces reservation chunks with G=16G = 16 global rows as the minimum reservation unit, and uses zonelets for small domains. On a two-socket 128 GB DDR4 server, evaluated across SPEC2017 and GAP mixes with up to 57 K domains, average total memory overhead is 7.4 percent, with 1.6 percent from guard rows and 5.8 percent from stranded chunks; the allocator path remains under 1 percent of runtime and no benchmark shows measurable throughput or latency degradation. The design is contrasted with ZebRAM and Siloz, which incur substantially higher capacity costs or cannot sustain many-domain scenarios (Saxena et al., 2024).

A different Citadel addresses transient-execution leakage. That system defines relaxed microarchitectural isolation and enforces Speculative Non-Interference for enclaves that share public memory with an untrusted OS. Its two enforcement modes are SpecSafe, which disables speculative accesses to shared memory and satisfies seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle, and Burst mode, which limits learned speculation while preserving fall-through execution and satisfies str,shm\langle \mathrm{str}, \mathrm{shm} \rangle. The prototype is a 2-core out-of-order RISC-V processor on an AWS F1 UltraScale+ FPGA, clocked at 30 MHz, with a Security Monitor, dual page tables for shared memory, LLC and MSHR partitioning, temporal flushing, and ISA support via a BURST CSR. The abstract reports secure applications, including cryptographic libraries and private inference, running with less than 5 percent performance overhead; detailed results show that overhead is highly workload dependent, with compute-bound signing near baseline and shared-memory-intensive hashing substantially higher (Drean et al., 2023).

A third usage, in SoC security, treats CITADEL as a modular subsystem for supply-chain attack resistance. The architecture combines a lightweight microcontroller called the Compute Enclave, security wrappers around protected IP blocks, a PUF Control Module, secure storage and crypto engines using AES-256 and SHA-256, an HSM used at chip birth, and an off-chip Asset Management Infrastructure maintaining ChipID, IPID, obfuscation keys, and lifecycle state. Threat classes include counterfeiting and overproduction, reverse engineering, and illegal recycling. Across single-bus, multi-bus, and MIT CEP testbeds, measured SoC-level overheads are approximately 17.5 percent area and 17.9 percent power for the single-bus SoC, 14.0 percent area and 12.5 percent power for the multi-bus SoC, and 10.5 percent area and 10.9 percent power for MIT CEP; wrapper overhead per IP is 0.7–5.9 percent area and about 1–3 percent power, with boot-path latency impact reported as negligible and below 10 ns total (Raj et al., 15 Jul 2025).

4. Confidential collaborative learning and privacy barriers

In collaborative machine learning, Citadel denotes an SGX-based training architecture that separates data handling from model updating. Each data owner runs a training enclave that processes only its own plaintext data, while the model owner runs a single aggregator enclave that holds proprietary update logic and plaintext model weights. An admin enclave, trusted by both sides, orchestrates attestation, key distribution, and a zero-sum masking protocol. If each training enclave computes gig_i and receives a mask mim_i such that imi=0\sum_i m_i = 0, then the aggregator observes only masked gradients g~i=gi+mi\widetilde g_i = g_i + m_i yet recovers the exact sum through

i=0N1g~i=i=0N1(gi+mi)=i=0N1gi.\sum_{i=0}^{N-1}\widetilde g_i = \sum_{i=0}^{N-1}(g_i + m_i) = \sum_{i=0}^{N-1} g_i.

The system also supports hierarchical aggregation trees to reduce EPC paging and communication bottlenecks. On Azure DCsv2 instances, with models including AlexNetS, AlexNetL, SpamNet, and an MNIST CNN, throughput with 32 training enclaves improves by 4.7×–19.6× over a single-enclave run, and SGX protection slows end-to-end iteration time by at most 1.73×; for MNIST, hierarchical aggregation cuts aggregation overhead by up to 36 percent (Zhang et al., 2021).

Citadel++ extends this line of work to protect dataset confidentiality, user privacy, model confidentiality, training-code confidentiality, and integrity simultaneously. It moves from enclave-level isolation to VM-level TEEs such as AMD SEV-SNP or Intel TDX, combines central DP-SGD with zero-sum masking, adds dynamic gradient clipping and correlated-noise correction, and constrains untrusted training code inside OS-level sandboxes with isolated network, IPC, and mount namespaces. The threat model explicitly allows malicious model code and collusion among participants. Reported utility on MNIST with MLP3 rises from 85 percent at ϵ=1\epsilon = 1 to 97 percent at G=16G = 160; on CIFAR-10 with CNN6, accuracy rises from 48 percent at G=16G = 161 to 66 percent at the non-private baseline. In performance terms, Citadel++ is reported as up to 543× faster on CPU and 113× faster on GPU TEEs than prior privacy-preserving training systems, while matching FL+DP-style per-iteration latencies in representative MLP3, CNN6, and WRN-28 configurations (Chen et al., 2024).

5. Retrieval architectures and software-engineering methodologies

In neural information retrieval, CITADEL is a multi-vector retriever that reinterprets token interaction through learned lexical routing. A BERT encoder produces contextual token vectors G=16G = 162, and a sparse router head scores lexical keys with a ReLU-plus-log activation. Each query token is routed to its top key, and each document token to its top five keys, so interaction is conditional on shared routing keys. The document–query score is

G=16G = 163

This replaces all-to-all late interaction with sparse conditional interaction. On MS MARCO and BEIR, the method is reported as nearly 40 times faster than ColBERT-v2 while maintaining similar or slightly better effectiveness; one reported configuration reaches 3.2 ms/query for CITADEL+ versus 120 ms/query for ColBERT-v2, with a 13.3 GB PQ-compressed index versus 29 GB, and zero-shot BEIR average G=16G = 164 around 0.486 for CITADEL and 0.493 for CITADEL+ (Li et al., 2022).

A separate CITADEL targets deep-learning framework testing. Its premise is that many framework bugs are structurally analogous because operators from the same family share implementation context. The pipeline mines bug reports from PyTorch and TensorFlow repositories, extracts problematic APIs and runnable buggy snippets, groups low-level source functions by analogous-function families using Jaccard similarities over input/output arguments and callee sets, profiles API call stacks dynamically, measures API-level context similarity, and adapts buggy source tests into new target tests while preserving the original oracle. This makes performance-bug oracles available in addition to crash and value-bug oracles. The reported coverage is 1,436 PyTorch APIs and 5,380 TensorFlow APIs, with 36,347 matched pairs overall, 404 tests generated, a 35.4 percent bug-trigger ratio, and 159 bugs found in total, of which 126 are new and 94 confirmed; 13 are performance bugs, 11 confirmed. Baseline trigger ratios are 0.74 percent for DocTer, 1.23 percent for DeepREL, and 3.90 percent for TitanFuzz (Zhang et al., 2024).

6. Malware analysis and adaptive intrusion detection

In malware reverse engineering, Citadel refers to an information-stealing botnet analyzed as an offspring of Zeus. The malware is modular, comprising a dropper or installer, an injector or agent, a configuration manager, a communication and data-stealing component, and a crypto/network layer using “Visual Encrypt” with RC4 and XOR for command-and-control traffic plus AES+RC4+MD5 for configuration encryption. The reverse-engineering paper introduces a clone-based methodology combining assembly-to-source matching and binary clone detection. Post-unpack, Citadel contains roughly 800 functions, of which 526 are exact binary clones with Zeus, representing about 67 percent of Citadel’s functions and about 93 percent of Zeus; 1,876 inexact clone windows are identified at threshold G=16G = 165. The methodology reduces manual review to about 267 functions, or 33 percent of the code, with clone-detection precision above 95 percent, assembly-to-source precision around 80 percent, and an overall analysis-time reduction of approximately 60–70 percent (Rahimian et al., 2014).

The name also appears in Android malware detection under continuous distribution drift. There, CITADEL is a semi-supervised active learning framework that uses binary malware feature vectors, malware-specific augmentations based on Bernoulli bit flips and masking, supervised contrastive loss, and a three-criterion acquisition strategy combining softmax margin, feature-space G=16G = 166-distance, and prediction confidence. It is evaluated on APIGraph, Chen-AZ, MaMaDroid, and LAMDA, a 12-year longitudinal dataset. The abstract reports F1 improvements of over 1 percent, 3 percent, 7 percent, and 14 percent respectively using only 40 percent labeled samples, together with 24× faster training and 13× fewer operations than prior work; the paper motivates the design with the observation that more than 450,000 new malware samples emerge daily, while expert review scales only to about 80 samples per day (Haque et al., 15 Nov 2025).

In IoT intrusion detection, CITADEL denotes a self-supervised continual-learning pipeline built around a tabular-to-image transformation, a memory-aware masked autoencoder, and novelty detection using Local Outlier Factor. PCA selects features, DeepInsight maps them to G=16G = 167 grayscale images, the masked autoencoder learns benign latent representations with mask ratio G=16G = 168, and a hierarchical memory buffer performs strategic forgetting, strategic sampling, and drift-severity-aware placement. On continual-learning metrics, the reported average LL-PR-AUC is 0.7060, BWT is G=16G = 169, and FWT is 0.7005; compared with VLAD, BWT improves from seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle0 to seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle1, described as a 72.9 percent relative gain on CIC-IDS2017. The framework is also reported as compatible with IoT constraints, with inference around 0.05 ms/sample (Li et al., 26 Aug 2025).

7. Identity, wireless defense, and place-name usage

In blockchain identity systems, Citadel is a self-sovereign identity framework on Dusk Network built atop a native privacy-preserving NFT model. It extends Phoenix’s note structure with transparent NFT notes (seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle2) and obfuscated NFT notes (seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle3), replacing coin value with an NFT payload and using DH-derived symmetric encryption for private notes. Ownership and validity are established in a PLONK-style zk-SNARK over BLS12-381, with Merkle-tree membership checks, double-key Schnorr proofs for note control, single-key Schnorr verification for issuer signatures, Pedersen commitments on JubJub, and nullifier computation via Poseidon. The Citadel-specific circuit uses about 34,861 R1CS constraints; a one-note nullification plus license proof totals about 66,000 constraints, with prover time around 16.2 s on Apple M1, verifier time around 7 ms, proof size around 2 kB, and contract execution cost near 200,000 gas. The system supports issuance, transfer, usage, nullification, and revocation while aiming to prevent both on-chain tracing and off-chain linkage (Salleras, 2023).

In wireless IIoT security, CITADEL is a CSI-only, two-stage hierarchical jamming detector. Stage 1 is an on-device binary trigger running on nodes such as the ESP32-C6, with 1,362 learnable parameters and input tensors seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle4 where seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle5 and seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle6; the validation-tuned escalation threshold is approximately seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle7. Stage 2, running on an edge GPU such as Jetson Orin Nano, combines a 4-way CSI classifier, a variational autoencoder, a latent-space diffusion model, and a three-signal OOD ensemble based on KL divergence, energy score, and Mahalanobis distance. Across 6 known attack types and 15 zero-day scenarios, the reported end-to-end results are 100.0 percent known-attack detection, 97.1 percent zero-day detection, and 0.4 percent false positive rate. Under adversarial evaluation, white-box gradient-based evasion remains below 2 percent across tested perturbation budgets, and the strongest published CSI attack generator achieves less than 5 percent average evasion; Stage 2 inference is reported at about 14.2 ms and 95.9 mJ per window (Bouferroum et al., 22 Jun 2026).

The term also appears non-acronymically as the archaeological place-name “The Citadel” in Teotihuacan. In that context, multichannel GPR traces from the tunnel beneath the Temple of the Feathered Serpent were analyzed with multi-cross wavelet and Fourier multi-cross algorithms. The reported MCW periods are 15.22 ns for the matrix, 14.37 ns for the tunnel filling, and seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle8 ns for the chamber filling; FMC yields seq,shm\langle \mathrm{seq}, \mathrm{shm} \rangle9 ns for the matrix, str,shm\langle \mathrm{str}, \mathrm{shm} \rangle0 ns for the tunnel filling, and str,shm\langle \mathrm{str}, \mathrm{shm} \rangle1 ns for the chamber filling. The interpretation given is that tunnel infill reflects a mixed limestone-clay compound, whereas the chamber filling is more clay-rich, and that combined MCW+FMC analysis reveals similarities not attainable with MCW alone (López-Rodríguez et al., 2016).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CITADEL.