Papers
Topics
Authors
Recent
Search
2000 character limit reached

SecureScan: Multi-Domain Security Scanning

Updated 5 July 2026
  • SecureScan is a multi-domain security scanning framework that spans edge-native IIoT mapping, secure hardware scan chains, cloud compliance evaluation, and malware/phishing triage.
  • It employs resource-aware methodologies including pseudorandom scheduling, encrypted state management, and a hybrid of machine learning and heuristics for effective threat detection.
  • Key implementations showcase low network overhead in industrial settings, zero key leakage in hardware tests, precise AWS compliance assessments, and robust malware classification.

SecureScan is a recurrent designation in the technical literature for several distinct security systems rather than a single canonical platform. In the materials considered here, it denotes an edge-native IIoT network-scanning module for embedded microcontrollers (Niedermaier et al., 2019), a secure scan-chain architecture for protecting obfuscated hardware during test (Kamali et al., 2020), a GraphSecure-derived design for scanning AWS accounts against CIS Benchmarks and visualizing the results (Zhao et al., 12 Dec 2025), and an AI-driven triage framework for malware and phishing detection on URLs, file hashes, and binaries (Firdos et al., 11 Feb 2026). The shared label therefore refers not to one product lineage, but to a set of scanning-oriented architectures developed under different threat models, resource budgets, and assurance requirements.

1. Scope and principal usages

The heterogeneity of the term is substantial. In one strand, SecureScan is a network-monitoring building block that runs directly on Industrial Internet of Things edge nodes and periodically discovers hosts, ports, and topology changes inside industrial subnets (Niedermaier et al., 2019). In another, it is a design-for-security architecture for scan chains, intended to preserve structural test while preventing key leakage from obfuscated logic (Kamali et al., 2020). A third usage treats SecureScan as a cloud-compliance platform for AWS accounts, with CIS control evaluation, history, dashboards, and remediation views derived from GraphSecure’s serverless web application model (Zhao et al., 12 Dec 2025). A fourth usage describes a triple-layer detection pipeline combining heuristics, calibrated logistic regression, and VirusTotal validation for malware and phishing classification (Firdos et al., 11 Feb 2026).

Domain SecureScan meaning Representative implementation detail
IIoT and ICS Edge-native network scanning and mapping STM32F767ZIT6, FreeRTOS, LwIP, pseudo-random periodic probing
Hardware test security Secure and robust scan-chain architecture one-way Secure Cells, separated RC and SC chains, dummy-key structural test
Cloud compliance AWS CIS benchmark scanning and visualization S3, API Gateway, Lambda, DynamoDB, versioned controls
Malware and phishing triage Triple-layer classifier and verification pipeline heuristics, calibrated logistic regression, gray-zone VirusTotal escalation

This distribution of meanings also clarifies a common misconception: SecureScan is not tied to a single security vertical. The same name appears in embedded ICS monitoring, hardware design-for-test protection, cloud governance, and SOC-oriented detection pipelines.

2. Edge-native SecureScan for IIoT and industrial networks

In the IIoT literature, SecureScan is an edge-resident scanning and mapping module designed for industrial field-level networks that are typically static, so deviations such as a new host, a removed host, or changed services are treated as anomalies requiring prompt detection (Niedermaier et al., 2019). The stated threat model includes unauthorized device attachment, service exposure changes, device removal or malfunction, and some Man-in-the-Middle cases detectable via elevated latency; it explicitly does not detect purely passive “stealth” observers that produce no ARP, ICMP, or TCP interactions.

The implementation target is an ARM Cortex-M7 MCU, specifically the STM32F767ZIT6, with Ethernet over RJ45, a custom PCB, LEDs for alerting, and an I2C OLED display for operator feedback. The software stack uses FreeRTOS for task scheduling and LwIP for TCP/IP networking; the edge node also exposes a Modbus/TCP slave for I/O control and a minimal web server for debug or demonstration. SecureScan itself runs as a low-priority FreeRTOS task, sleeps between probes, and adds +10,672 bytes of text and +152 bytes of BSS, for a total binary increase of +10,824 bytes. The scan task stack reaches up to 2,048 words and spends most of its time blocked, which preserves real-time control behavior.

Its scanning methodology is deliberately conservative for ICS environments. Host discovery uses an ARP sweep in the local broadcast domain, ICMP echo for liveness confirmation and RTT measurement, and TCP connect scans for port discovery, with connect scans preferred over SYN scans because they are less likely to perturb fragile industrial stacks. Optional application-level probes such as Modbus/TCP can be added for higher-fidelity fingerprints. The scheduling policy is pseudo-random and periodic: each edge waits a random 1–5 minutes after power-up, scans hosts in pseudo-random order, and inserts 100 ms delays between ARP, ICMP, and TCP port probes. Analytical guidance is given by

Tsweep(N+nalive)dT_{\text{sweep}} \approx (N + n_{\text{alive}})\cdot d

and

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},

with complexity per cycle O(N+naliveS)O(N + n_{\text{alive}}\cdot S) for SS probed ports.

Mapping and change detection are organized around a graph G=(V,E)G=(V,E), though practical edge deployment focuses mainly on VV: discovered hosts with IP address, MAC address, optional vendor from MAC OUI, open TCP ports, ICMP RTT statistics, timestamps, and probe counters. A first or trusted scan snapshot BB serves as baseline; later scans produce CtC_t, and diffs are computed as Dt=CtBD_t=C_t-B. New nodes, disappeared nodes, and service changes are flagged, optionally with kk-of-E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},0 confirmation such as 2 of the last 3 scans to mask transients. The paper further proposes compact node hashes over E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},1 to accelerate diffing.

The industrial testbed evaluation used multiple IIoT edge nodes with sensors, one motor actuator, Modbus/TCP control via OpenPLC on Raspberry Pi, and an HMI. SecureScan ran concurrently on each edge. Under this configuration, background Modbus/TCP traffic was about 400 packets/s per node, while active TCP scanning from one edge peaked at about 25 packets/s, and ARP and ICMP phases each produced about 4 packets/s. An outgoing-only bandwidth estimate for TCP probing was about 1,500 B/s, or about 12 kbit/s. Detection covered node removal, service changes, and standard laptop attachment; MitM was sometimes detectable via increased ping RTTs, but a passive “stealth” listener with ARP off and ICMP disabled was not detected by design.

3. SecureScan in hardware test security and secure scan chains

In hardware security, SecureScan denotes a scan-chain architecture intended to protect obfuscated logic without sacrificing manufacturing test. The design, also described as key-trapped DFS or kt-DFS, separates regular scan chains from key-storage scan chains and uses one-way Secure Cells (1wSC) so that the true key cannot be shifted out once registered (Kamali et al., 2020). Each key bit is stored through two elements: FF1, a scan-connected staging register, and FF2, an unscannable trap storage element with no reset. Control is mediated by pins SE, REG, KSE, and KSI. In mode M2, FF2 is loaded from FF1 and FF1 is asynchronously cleared; when KSE selects the tpNVM source, scan-out of the key chain is masked.

The central security claim is structural rather than merely heuristic: after registration, there is no path from FF2 to scan-out, summarized as

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},2

This architecture was proposed in direct response to weaknesses in earlier R-DFS and mR-DFS schemes. R-DFS allowed shift-and-leak attacks through leaky cells and functional-mode observation at primary outputs. mR-DFS attempted to prevent this with Mode-Switch Shift Disable, but the literature describes a glitch re-enablement condition in which a carefully timed Test pulse with width E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},3 prevents the lock flip-flop from capturing, so shift is re-enabled in the presence of the real key (Kamali et al., 2020).

The reported benchmark results are unusually strong. On ISCAS-89 and ITC-99 circuits with a 128-bit SLL key, SecureScan/kt-DFS yielded 0 recovered bits across all evaluated benchmarks, while R-DFS and glitch-bypassed mR-DFS leaked approximately 127–128 bits. Reported average area reductions were −61% relative to R-DFS and −44% relative to mR-DFS, with example SecureScan overheads of 5.21% on s35932, 5.91% on s38417, 6.27% on s38584, 1.84% on b17, 0.55% on b18, and 0.24% on b19. Structural fault coverage remained essentially unchanged, with examples such as s35932, s38417, and s38584 at 100% and b17 moving from 99.91% to 99.67% (Kamali et al., 2020).

A major controversy in this area is that dynamic scan obfuscation by itself does not guarantee resilience. “DynUnlock” shows that even the most “rigorous” dynamically keyed scan obfuscation, EFF-Dyn, remains vulnerable when its per-cycle key evolution is PRNG- or LFSR-based and structurally visible; the attack remodels the sequentially obfuscated scan shift into a SAT-solvable combinational form with the seed as key input (Limaye et al., 2020). “ScanSAT” extends the point by showing that both static and dynamic scan obfuscation can be transformed into logic-locked instances and broken with 100% success rate, including in the presence of scan compression (Alrahis et al., 2019). “GF-Flush” sharpens the critique further: because the scan path and dynamic defenses are linear over E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},4, the unknown LFSR seed can be recovered by solving linear equations, with seeds as long as 500 bits recovered in less than 7 seconds and attack times about one hundredth of SAT-based attacks on the same defenses (Chen et al., 2021). The broader implication is that SecureScan-like hardware protection must be structurally isolating or cryptographically nonlinear, not merely dynamically keyed.

4. SecureScan as an AWS CIS benchmark scanning platform

In cloud governance, SecureScan appears as a GraphSecure-derived blueprint for scanning AWS accounts, validating them against CIS Benchmarks, and visualizing the results (Zhao et al., 12 Dec 2025). GraphSecure itself is a web application that allows scans across multiple AWS accounts, validates them against the CIS AWS Foundations Benchmark, presents the output through statistical charts, and warns users about account status. The SecureScan extension preserves this orientation but specifies a more production-oriented architecture, versioned policy artifacts, and multi-account orchestration.

The intended scope is the CIS AWS Foundations Benchmark, organized across IAM, monitoring, networking, storage, and logging. Controls are represented as versioned JSON or YAML artifacts with fields such as id, benchmark_version, title, rationale, severity, service, resource_types, parameters, collectors, evaluation logic, exceptions, remediation, and references. The collector layer maps individual controls to AWS APIs such as iam:GetAccountPasswordPolicy, s3:GetBucketPublicAccessBlock, and ec2:DescribeSecurityGroups. Evaluation is declarative: resources are normalized into common schemas, a condition is applied to each resource or account scope, and results are recorded as pass, fail, waived, or not applicable.

The platform architecture is serverless. The frontend is a React TypeScript single-page application hosted in S3 behind CloudFront. The backend uses API Gateway and Lambda for scan launch, result retrieval, waiver application, and exports. Scanner workers are orchestrated via Step Functions or EventBridge plus SQS; Lambdas assume cross-account read-only roles, enumerate regions, run collectors, normalize data, evaluate rules, write findings to DynamoDB, and store raw artifacts in S3. The core entities include accounts, scans, evaluations, controls, exceptions, optional cached resources, and tenants. Encryption is specified through KMS CMKs for DynamoDB and S3, TLS in transit, and per-tenant encryption context where applicable.

The blueprint also specifies explicit metrics:

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},5

for compliance rate,

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},6

for weighted risk, and

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},7

for implementation completeness. Visualization follows GraphSecure’s Dashboard, Launch Scan, and History pages, with doughnut charts, stacked bars, heatmaps, severity breakdowns, and trends over time. Status warnings are threshold-driven; for example, an “At Risk” banner may be shown when compliance falls below a configured boundary or when any critical failure is present.

This SecureScan formulation is explicitly an architectural blueprint rather than a benchmarked product report. That matters interpretively. The data block gives concrete design choices, schemas, API examples, and workflows, but not empirical detection rates analogous to those reported for the IIoT or malware/phishing variants.

5. SecureScan as a triple-layer malware and phishing detector

Another research usage defines SecureScan as an AI-driven, triple-layer framework for malware and phishing detection on URLs, file hashes, and binaries (Firdos et al., 11 Feb 2026). Its stated motivation is the declining effectiveness of signature-based intrusion detection against zero-day threats, obfuscation, and concept drift. The three layers are deterministic heuristics, calibrated logistic regression, and external threat intelligence through the VirusTotal API.

The feature pipeline is lightweight and explicit. URL analysis uses TF-IDF over character n-grams of length 3–7 with a maximum vocabulary of 50,000, along with lexical and structural heuristics such as URL length, digit-to-letter ratio, special character frequency, subdomain depth, domain age, HTTPS flag, brand impersonation tokens, suspicious TLDs, obfuscation indicators, IP-based hostnames, and suspicious file extensions. File and binary analysis uses static metadata including file size, Shannon entropy, import count, string density, and byte-sequence n-gram distributions. The classifier is logistic regression with Platt scaling:

E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},8

and the operational decision policy defines benign as E[Tdetect,host]Tsweep2p,E[T_{\text{detect,host}}] \approx \frac{T_{\text{sweep}}}{2p},9, a gray-zone as O(N+naliveS)O(N + n_{\text{alive}}\cdot S)0, and malicious as O(N+naliveS)O(N + n_{\text{alive}}\cdot S)1. Borderline cases trigger VirusTotal validation.

Threat intelligence integration uses /api/v3/urls and /api/v3/files/{hash}. Queried attributes include malicious engine counts, detection ratios, reputation tags, and last-analysis timestamps. The paper notes that external queries add about 2–3 s per call and face daily rate limits, so it recommends limiting shared data to URLs or hashes and treating caching as future enhancement. Outside the gray-zone, SecureScan enforces the ML decision directly; inside it, VirusTotal can confirm maliciousness, verify benign cases, or return an ambiguous result labeled suspicious for analyst review.

The empirical evaluation is reported on an initial corpus of 651,191 unique labeled samples, consisting of 428,103 benign and 223,088 malicious instances, augmented to about 824,240 samples through URL variants. Splits are stratified 80/20 with ten-fold cross-validation. For the hybrid system, reported metrics are accuracy 93.1%, precision 0.87, recall 0.92, F1 0.89, balanced accuracy 0.93, and ROC-AUC 0.93. The heuristic-only baseline reaches accuracy 82.4%, precision 0.79, recall 0.77, F1 0.78, and ROC-AUC 0.81, while VirusTotal-only reaches accuracy 86.2%, precision 0.82, recall 0.80, F1 0.81, and ROC-AUC 0.86. Calibration improves F1 from 0.87 to 0.89, reduces false positives by 12% relative to uncalibrated ML, and the gray-zone plus VirusTotal logic corrects about 8% of borderline false positives. A deployment-oriented summary further states false positives of about 1.8%, false negatives below 4%, and inference latency under 100 ms for the ML stage.

The system is also positioned as interpretable. Structured JSON outputs include the contract or sample identifier, scores, decisions, explanation fields, model version, preprocessing version, and timestamp. Explainability is tied to top contributing n-grams and coefficients rather than to latent neural features.

6. Common design themes, limitations, and adversarial pressures

Despite their domain differences, the distinct SecureScan systems exhibit several recurring engineering themes. One is constrained execution under explicit operational budgets. The IIoT implementation enforces 100 ms probe pacing, low-priority scheduling, and local diffing to keep CPU activity and network load low (Niedermaier et al., 2019). The AWS compliance design uses read-only cross-account roles, paginators, token-bucket rate limiting, and serverless fan-out to avoid production impact at organizational scale (Zhao et al., 12 Dec 2025). The malware/phishing framework privileges heuristics and logistic regression over heavier models, then reserves third-party validation for an explicitly bounded gray-zone (Firdos et al., 11 Feb 2026).

A second theme is locality of sensitive state. The IIoT variant keeps the trusted baseline and raw scan intelligence on the edge and recommends forwarding only signed or encrypted anomaly events (Niedermaier et al., 2019). The hardware scan-chain architecture removes any post-registration path from the true key to scan-out (Kamali et al., 2020). The cloud blueprint emphasizes least-privilege IAM and encrypted operational storage (Zhao et al., 12 Dec 2025). The malware/phishing pipeline limits external sharing to URLs or hashes when querying VirusTotal (Firdos et al., 11 Feb 2026).

Limitations are equally domain-specific. Edge-native SecureScan is bounded by the local broadcast domain, does not see assets hidden by VLANs or NAT without per-segment deployment, and cannot detect a passive “stealth” listener with ARP off and ICMP disabled (Niedermaier et al., 2019). The AWS blueprint is AWS-only, and some controls remain human-verification or future-work items such as automated remediation and multi-cloud expansion (Zhao et al., 12 Dec 2025). The malware/phishing framework is sensitive to dataset bias, concept drift, heuristic brittleness, and the coverage gaps and latency of VirusTotal (Firdos et al., 11 Feb 2026). In hardware, linearly structured dynamic obfuscation is directly contested by SAT- and algebra-based attacks (Limaye et al., 2020, Alrahis et al., 2019, Chen et al., 2021).

Scanner-facing adversarial pressure also appears in adjacent literature. “Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners” reports that 67 of 78 assessed scanning systems exhibited tainted flows from target responses into scanner UI or reports, and 36 of 78 were vulnerable to XSS, including severe stored-XSS cases in Metasploit Pro (Valenza et al., 2020). At the reconnaissance layer, “SCANTRAP” shows that a WordPress deception plugin can hide real plugins and themes, inject fake ones with plausible versions, suppress core version fingerprinting, and block user enumeration in WPScan without limiting legitimate functionality (Reti et al., 2023). These results do not redefine SecureScan itself, but they do establish an important contextual point: scanning systems must often operate against adversarial targets, and scan outputs cannot be assumed trustworthy or inert.

Taken together, the literature presents SecureScan as a polysemous but technically coherent label for scanning systems that are security-first, resource-aware, and explicitly shaped by adversarial conditions. The term spans embedded network cartography, hardware DfT protection, cloud compliance assessment, and malware/phishing triage, but in each setting it is defined less by a shared codebase than by a common architectural emphasis on controlled observability, bounded automation, and evidence-driven decision logic.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SecureScan.