Collaborative Edge Intelligence for Secure Child Location Monitoring in IoT Systems: A Privacy-Preserving Framework Aligned with the Oslo Safe Schools Declaration

Sylvester Oga Ogaji; Oluwagbemisola J. Akinlade-Ogaji; Adeniji Samuel Olamilekan; Adeyanju Emmanuel Abayomi; Alabi Ayomide Praise

// Escalation decision tree

From device alert to national response

CEICS generates confirmed alerts at the school gateway level. Every alert then moves through a structured escalation chain before reaching national command. Understanding which level you are operating at — and what your specific decision authority is — determines your action.

1

Wearable device — anomaly detected

ESP32-C3 wearable · autonomous

The CNN-LSTM model on the badge detects a 2-window confirmed anomaly. A coded signal (not raw biometric data) is transmitted to the school gateway via LoRaWAN. The badge discards all raw sensor values immediately after inference — nothing identifiable leaves the device.

⏱ t=0 — t+22ms (inference) → t+127ms (alert at gateway)

2

School gateway — confirmation and local dispatch

Jetson Nano gateway · Thread 1 · Thread 3

The gateway confirms the alert, applies the hysteresis filter, and dispatches push notifications to the registered class teacher and school administrator. For C2 (Seizure) alerts, the re-alert cycle fires every 30 seconds until acknowledged.

// teacher action required

Teacher must physically go to child and tap "Acknowledged" in the app. Until acknowledged, alerts continue. Response time target: <90 seconds for C2.

⏱ t+127ms mean alert delivery · t+312ms 95th-percentile (hysteresis events)

3

School administrator — escalation decision

School admin dashboard · Tier 2

The administrator receives all confirmed alerts with timestamps and teacher acknowledgement status. For unacknowledged alerts after 90 seconds, the system escalates automatically to the Zone Coordinator. For C3 alerts where the GPS location is outside a recognised exit point, the administrator initiates the school lock-down protocol.

// escalation triggers

C2 unacknowledged after 90s → auto-escalate to Zone Coordinator. C3 unknown location → immediately call Zone Coordinator. C1+C3 co-occurrence → immediately call Zone Coordinator and consider security incident protocol.

4

Zone Security Coordinator — situation assessment

Local government / zone office · Tier 2/3 boundary

The Zone Coordinator receives escalated alerts from multiple schools in the zone. They cross-reference alert patterns across schools — if multiple schools in a zone report C1/C3 co-occurrences within a short window, this pattern indicates a potential coordinated security incident requiring state-level activation.

// pattern recognition

Single school C3 + C1 → assess → escalate if location unresolvable. Multiple schools same zone within 15 minutes → activate State C2. Multiple zones simultaneously → activate Federal CEICS coordination protocol.

⏱ Decision window: 5–10 minutes from zone coordinator notification

5

State Command & Control — C2 operator activation

State military/police C2 centre · You are here if you hold this role

The state C2 centre receives a structured alert package from the Zone Coordinator. Your role is to validate the alert against contextual intelligence, make the dispatch decision, and log your decision in the CEICS audit system before deploying any response unit.

// C2 operator checklist before dispatch

1. Verify alert class and confidence score (see triage table below).
2. Check co-occurrence pattern — C1+C3 together is higher priority than either alone.
3. Cross-reference with local intelligence: known active threat in area?
4. Verify gateway is online (not store-and-forward buffered alert from earlier outage).
5. Log dispatch decision in CEICS dashboard → Incidents → Log action.
6. Dispatch response unit with blockchain alert hash as incident reference.

⏱ Dispatch decision target: <5 minutes from state C2 notification

6

Federal response coordination

NPA C&C · NEMA · UNICEF Nigeria Rapid Response

Federal activation occurs when state C2 confirms a security incident or mass-casualty medical event. CEICS provides the blockchain audit log as the authoritative incident record. The alert token format is compatible with ITU-T X.1500 IODEF for inter-agency sharing.

UNICEF Rapid Response: CEICS alert tokens include the Oslo SSD incident category code. UNICEF Nigeria has pre-agreed alert reception protocols for C3 (abduction risk) and C1+C3 co-occurrence events. Contact: +234 9 461 8000

// Alert triage protocol

How to read and act on every alert class

Each alert displays an anomaly class (C0–C4), a confidence percentage, and the gateway/device ID. This table tells C2 operators exactly what threshold warrants dispatch and what each class means in an operational context.

Alert class	Operational meaning	Confidence threshold for dispatch	C2 action	Priority
C0 Normal	Child activity is normal — walking, sitting, running. No alert is sent for C0.	N/A — not dispatched	No action.	—
C1 Fall/Assault	Sudden violent impact detected by accelerometer. May be a fall, fight, or physical attack. Threshold τ=0.85 means 2 consecutive 5-second windows both flagged the event.	≥85% → teacher responds. ≥92% + unacknowledged 90s → zone coordinator.	Monitor acknowledgement. Escalate if unacknowledged or C1+C3 co-occur.	MEDIUM
C2 Seizure	Convulsive shaking pattern detected. Recall 99.1% — the model misses fewer than 1 in 100 genuine seizures. Threshold τ=0.92 was selected against a clinical recall floor of ≥0.93 (Shoaib et al. 2021).	≥92% → immediate teacher dispatch. ≥92% + unacknowledged 90s → medical emergency escalation.	Medical emergency. Verify teacher response. Dispatch medical team if no acknowledgement within 3 minutes.	URGENT
C3 Zone Exit	Child's GPS has been outside school boundary for >30 seconds. Threshold τ=0.80. Could indicate wandering, early departure, or in high-risk areas: abduction.	≥80% → administrator confirms with gate security. Unknown location → immediate zone coordinator notification.	Verify location via dashboard GPS. If location is near a known exit and child is accounted for, close. If location unknown or in high-risk area, treat as security incident.	ELEVATED
C4 Phys. Distress	Abnormal heart rate, low oxygen (SpO₂), or high stress response (EDA). May indicate shock, extreme fear, acute illness, or cardiac event. Threshold τ=0.88. Note: C4 has highest inter-run variance (SD=0.71%) — treat with clinical context.	≥88% → nurse/medical responder. ≥88% + teacher acknowledgement confirms distress → medical escalation.	Medical/welfare response. Notify school nurse and parents. Document confidence score in incident report.	MEDIUM

Co-occurring alert patterns

When two alert classes fire simultaneously for the same device, the combined pattern carries higher operational significance than either class alone.

Co-occurrence pattern	Operational interpretation	Recommended C2 action
C1 + C3	Physical assault followed by or concurrent with zone exit. This is the highest-risk pattern — consistent with abduction in progress. Sambisa/Chibok incident pattern.	Immediate escalation. Activate security incident protocol. Notify Zone Coordinator and State C2 simultaneously. Log blockchain hash as incident reference.
C2 + C4	Seizure with concurrent physiological distress. Indicates serious medical event — prolonged seizure or post-ictal complication. Requires urgent medical response, not security.	Medical emergency. Dispatch medical team. Notify parents. Document for NEMA health reporting.
Multiple C3 same zone	Multiple devices from different schools in the same zone triggering C3 within a 15-minute window. Indicates possible coordinated security incident.	Zone activation. Activate all school lock-down protocols in zone. Notify State C2. Cross-reference with intelligence reports.
C1 + C3 + store-and-forward flag	Alert was buffered during communications blackout. This means the incident occurred during a blackout — when attackers commonly cut communications first.	High priority. Buffered alert timestamp is the incident time, not delivery time. Communications blackout itself is an indicator. Treat as active security incident.

// Blockchain audit log operations

Reading and exporting the tamper-proof audit trail

Every alert, every FL round, and every administrative action is recorded on the Proof-of-Authority blockchain. The log cannot be modified retroactively. Each block contains a cryptographic hash that proves the data has not been altered since it was written.

01

Reading a blockchain alert record

Navigate to Dashboard → Audit Log → Incidents. Each record contains the following fields:

alert_hash SHA-256 · unique identifier for this specific alert event
block_number sequential block in the PoA chain
timestamp event time (not delivery time) · UTC · immutable
device_id anonymised badge token · not child name
alert_class C0–C4 · with confidence score
location_id school zone reference · not GPS coordinates
node_signaturegateway cryptographic signature · proves gateway authenticity
merkle_root hash of all transactions in this block · tamper-evidence
acknowledged_bystaff member who acknowledged · anonymised ID
response_time_mstime from alert to acknowledgement

02

Verifying a record has not been tampered with

To verify a specific alert record for use as legal evidence: navigate to Audit → Verify. Enter the block number and alert hash. The system recomputes the Merkle root from all transactions in that block and compares it to the stored root. A match proves the record is authentic.

For court or tribunal use: The Merkle root verification constitutes cryptographic proof of record integrity. The PoA blockchain uses a 2-of-3 multi-signature key for decryption — no single administrator can alter a record without the involvement of two key holders.

03

Exporting the audit log for NSSI inspection

Navigate to Reports → Blockchain audit export. Select date range and school(s). Export as PDF or JSON. The PDF includes a cryptographic verification certificate. The JSON export is compatible with Oslo SSD Annex B incident reporting format.

Important: The exported log contains anonymised device IDs, not child names. To match a device ID to a child name, the school administrator must use the local badge registry — this cannot be done remotely and requires the administrator's credentials. This design protects child identity in the event of a log leak.

// Oslo Safe Schools Declaration — Annex B reporting

Filing an SSD-compliant incident report

The CEICS blockchain log is designed to produce all fields required by Oslo SSD Annex B. The following shows how each CEICS record field maps to the SSD reporting schema.

Oslo SSD Annex B field mapping — CEICS export

SSD: Date and time of incident

CEICS: timestamp (UTC · immutable)

SSD: Type of attack

CEICS: alert_class (C1=physical, C3=abduction risk)

SSD: Location of incident

CEICS: location_id (school zone · GPS on request)

SSD: Number of children affected

CEICS: count of unique device_ids in incident window

SSD: Response time

CEICS: response_time_ms (ms-precision, immutable)

SSD: Evidence of incident

CEICS: merkle_root + node_signature (cryptographic)

SSD: System used for detection

CEICS: "CEICS v1.0 · CNN-LSTM · PoA blockchain"

SSD: Communications status

CEICS: network_state at time of alert (5G/LoRaWAN/satellite/buffer)

For GCPEA annual reporting: The Global Coalition to Protect Education from Attack uses CEICS export data to contribute to the annual "Education Under Attack" report. The JSON export from Audit → Export → GCPEA format produces a pre-formatted report segment. Contact the NSSI national coordinator to initiate submission.

// System health monitoring

What to watch and when to act

Zone coordinators and C2 operators have read-only access to the system health dashboard. These are the critical indicators and the thresholds that should trigger intervention.

NORMAL Gateway utilisation

Percentage of gateway capacity currently in use. Calculated as devices_connected / gateway_capacity.

Normal: <60% · Warning: 60–80% · Critical: >80%

⚠ >80%: Alert admin to check for device registration errors or activate load-balancing to adjacent gateway.

NORMAL Alert latency

Mean time from sensor detection to teacher notification. Published baseline: 127 ms ±3.2 ms (5G). Expected variation by network state.

5G: ~127 ms · WiFi: ~152 ms · LoRaWAN: ~182 ms · Satellite: ~1200 ms

⚠ Sustained >300 ms on 5G: indicates network congestion or gateway processing overload.

MONITOR Store-and-forward buffer count

Number of alerts currently queued locally because all network links are severed. Buffer flushes automatically when connectivity restores. Non-zero buffer means active communications blackout.

Normal: 0 · Monitoring: 1–10 · Action required: >10

🔴 >10 buffered: All terrestrial links severed. This is an active security indicator — communications blackout precedes 80% of documented school attacks (GCPEA 2021). Initiate situational assessment for that zone.

NORMAL FL model accuracy

Current running detection accuracy of the CNN-LSTM model deployed at each gateway. Should track within ±0.5% of published baseline (95.3%) once convergence is achieved.

Normal: 94–96% · Warning: 92–94% · Review: <92%

⚠ <92%: Notify FL Coordinator. May indicate data distribution shift, Byzantine gradient attack, or model version mismatch between gateways.

NORMAL Packet loss rate

Percentage of telemetry packets lost in transit. Expected variation by environment: urban schools have lower loss than rural/forest deployments.

Urban: <5% · Rural: <10% · Forest: <15% · Any: >20% = critical

🔴 >20% sustained: Check LoRaWAN spreading factor configuration. Consider antenna repositioning or gateway relocation.

NORMAL Satellite relay usage

Proportion of alerts being routed via satellite fallback. Should be near zero in normal operations. Elevated satellite usage indicates terrestrial network degradation.

Normal: <2% · Elevated: 2–15% · Blackout indicator: >15%

⚠ >15%: Terrestrial infrastructure is significantly degraded. Verify LoRaWAN gateway power and antenna status. Report to NSSI technical team.

// FL coordinator duties

Managing the regional aggregation server

The FL Coordinator operates the Tier 4 regional aggregation server. This role does not receive child alerts — it manages model training, key security, and gateway software versions. It is a purely technical operational role.

Monitoring FL round convergence

Each 24-hour FL round should converge to within ±0.3% of the previous round's accuracy before the improved model is broadcast. The convergence criterion is |accuracy_val(t) − accuracy_val(t−10)| < 0.003.

Round schedule: 22:00–05:00 daily (off-peak, minimises gateway resource conflict)

⚠ If accuracy drops >1% in a single round: check for Byzantine gradient anomaly (outlier gradient vector from a compromised gateway) or data distribution shift.

Distributed key management (2-of-3)

The Paillier decryption key is split across 3 key holders: the FL Coordinator (you), the regional NSSI officer, and the school network administrator. Any decryption requires 2 of these 3 parties to be present. A single holder cannot decrypt alone.

🔴 Never share your key share. Never store it digitally. Rotate key shares every 6 months or immediately if a key holder leaves their post.

Reviewing gradient updates for Byzantine anomalies

Before the aggregation server broadcasts an updated model, the FL Coordinator should review the gradient norms from each participating gateway. A gateway submitting a gradient vector with norm significantly higher than the median (typically >3× median) may indicate gradient poisoning.

Normal gradient norm variance: ±15% across gateways

⚠ Outlier gradient: exclude that gateway from this round's aggregation. File incident report. Do not broadcast model until investigation is complete. (Note: Byzantine-robust aggregation is a future research direction — current FedAvg is not Byzantine-robust.)

Approving model broadcast to gateways

After convergence is confirmed and gradient review is complete, the FL Coordinator authorises the model broadcast. This requires a multi-signature approval: FL Coordinator + NSSI regional officer. The approval is logged on the PoA blockchain as an administrative transaction.

✓ Navigate: Regional Dashboard → FL Management → Approve broadcast → Multi-sig confirm.

// National emergency dispatch integration

CEICS alert token format for NPA/NEMA systems

When a C2 operator decides to dispatch a response unit, CEICS generates a standardised alert token that can be passed to NPA Command and Control, NEMA dispatch, and UNICEF Rapid Response systems. The token is designed to be compatible with ITU-T X.1500 IODEF (Incident Object Description Exchange Format).

// CEICS alert dispatch token — JSON-LD format

"@context": "https://schema.org", // ITU-T X.1500 compatible
"incident_id": "CEICS-2025-BRN-0042", // state-corridor-sequence
"alert_class": "C1_C3_COOCCURRENCE",
"oslo_ssd_code": "PHYSICAL_ATTACK_ABDUCTION_RISK",
"confidence": 0.943,
"timestamp_utc": "2025-03-15T10:42:17Z", // event time, not delivery time
"zone_id": "BRN-NORTH-ZONE-04",
"school_id": "BRN-042", // anonymised school reference
"devices_affected": 3,
"network_state": "SATELLITE_FALLBACK", // blackout indicator
"blockchain_hash": "0x3f7a...c421", // tamper-evident audit reference
"dispatched_by": "C2-OPS-BRN-STATE-01", // C2 operator log

Response unit briefing: When passing this token to a response unit, highlight: (1) the network_state field — SATELLITE_FALLBACK means communications were cut before the event, (2) devices_affected — multiple devices increases incident probability, (3) blockchain_hash — this is the incident reference for all subsequent reports. The response unit commander should quote this hash in their after-action report.

// Quick reference cards

Operator quick reference — print and post at C2 workstation

🎖 C2 Operator — alert received

C2 alone (>92%) → Verify teacher acknowledgement. Medical team if no ack within 3 min.
C1+C3 together → Immediate security incident protocol. Call Zone Coordinator now.
C3 unknown location → Do not wait for ack. Escalate immediately.
Multiple C3 same zone (<15 min) → Zone activation. State C2 notification.
Buffer flag on alert → Incident time ≠ delivery time. Comms blackout = security indicator.
Before dispatch: Verify confidence, check co-occurrence, log decision with blockchain hash.

📋 NSSI Inspector — audit export

Export log: Reports → Blockchain audit export → Date range → School → PDF or JSON.
Verify tamper: Audit → Verify → Enter block number + alert hash → Check Merkle root.
SSD Annex B: Export → GCPEA format → Pre-populated report segment ready.
Key point: Log uses anonymised device IDs. Child name matching requires admin credentials on-site.
Response time: response_time_ms field gives ms-precision teacher response data.

⚙ FL Coordinator — daily checks

Round completed? Check convergence criterion: Δacc <0.3% over last 10 rounds.
Gradient anomaly? Flag any gateway gradient norm >3× median. Exclude, investigate.
Approve broadcast: FL Mgmt → Approve → Multi-sig with NSSI regional officer.
Key rotation: Every 6 months. Immediate if key holder changes post.
Never: Share key share. Store key digitally. Approve broadcast without gradient review.

📡 Dispatch — token handoff

Token reference: blockchain_hash = incident ID for all reports.
Network state: SATELLITE_FALLBACK = comms were cut before event.
Oslo code: oslo_ssd_code maps directly to SSD Annex B incident type.
Affected count: devices_affected gives minimum children involved.
UNICEF Rapid Response: +234 9 461 8000 · For C3 + C1 co-occurrence.
NEMA Emergency: 0800-EMERGENCY · For C2 mass-casualty events.

Simulation note: This C&C guide describes the operational protocols for a deployed CEICS system. The current CEICS website is a simulation-based research demonstration. Field deployment in Nigerian schools will require institutional ethics committee approval, community consultation, formal integration agreements with NPA/NEMA, and compliance with the Nigeria Data Protection Act 2023 and UN Convention on the Rights of the Child.