{"title":"Through the static: Demystifying malware visualization via explainability","authors":"Matteo Brosolo, Vinod P., Mauro Conti","doi":"10.1016/j.jisa.2025.104063","DOIUrl":"10.1016/j.jisa.2025.104063","url":null,"abstract":"<div><div>Security researchers face growing challenges in rapidly identifying and classifying malware strains for effective protection. While Convolutional Neural Networks (CNNs) have emerged as powerful visual classifiers for this task, critical issues of robustness and explainability, well-studied in domains like medicine, remain underaddressed in malware analysis. Although these models achieve strong performance without manual feature engineering, their replicability and decision-making processes remain poorly understood. Two technical barriers have limited progress: first, the lack of obvious methods for selecting and evaluating explainability techniques due to their inherent complexity, and second the substantial computational resources required for replicating and tuning these models across diverse environments, which requires extensive computational power and time investments often beyond typical research constraints. Our study addresses these gaps through comprehensive replication of six CNN architectures, evaluating both performance and explainability using Class Activation Maps (CAMs) including GradCAM and HiResCAM. We conduct experiments across standard datasets (MalImg, Big2015) and our new VX-Zoo collection, systematically comparing how different models interpret inputs. Our analysis reveals distinct patterns in malware family identification while providing concrete explanations for CNN decisions. Furthermore, we demonstrate how these interpretability insights can enhance Visual Transformers, achieving F1-score yielding substantial improvements in F1 score, ranging from 2% to 8%, across the datasets compared to benchmark values.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104063"},"PeriodicalIF":3.8,"publicationDate":"2025-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143870288","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Wenyi Zhu , Xiaolong Liu , Yimeng Liu , Yizhou Shen , Xiao-Zhi Gao , Shigen Shen
{"title":"RT-A3C: Real-time Asynchronous Advantage Actor–Critic for optimally defending malicious attacks in edge-enabled Industrial Internet of Things","authors":"Wenyi Zhu , Xiaolong Liu , Yimeng Liu , Yizhou Shen , Xiao-Zhi Gao , Shigen Shen","doi":"10.1016/j.jisa.2025.104073","DOIUrl":"10.1016/j.jisa.2025.104073","url":null,"abstract":"<div><div>The existing Asynchronous Advantage Actor–Critic (A3C) open-source training model can effectively recommend defense strategies for the edge-enabled Industrial Internet of Things (IIoT) under malware attacks. However, it faces challenges in rapidly countering large-scale IIoT network attacks. To address this issue, we develop an enhanced algorithm, RT-A3C, by innovatively integrating the A3C model into a real-time Markov game framework. This approach involves three key enhancements: incorporating prediction models, integrating adversary models, and optimizing state transition and action selection strategies. Such contributions collectively enhance the practicality and efficiency of IIoT security simulation training. The core innovation lies in converting the traditional turn-based Markov game into a real-time reactive one, showing the potential for policy optimization and strategic development in advanced IIoT network security. Through simulations, we demonstrate that the proposed RT-A3C algorithm surpasses the performance of the state-of-the-art actor–critic models. Our research clarifies that we can develop a more resilient and responsive IIoT security training model by merging real-time components with Markov games and A3C technology. This advancement significantly improves real-time monitoring and defense capabilities against large-scale IIoT network attacks, thereby strengthening the overall security of IIoT network systems.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104073"},"PeriodicalIF":3.8,"publicationDate":"2025-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143870144","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Enhanced unknown Android Malware Detection using LG-PN: A local–global fusion approach in prototypical networks","authors":"Longhui Shu , Shi Dong","doi":"10.1016/j.jisa.2025.104062","DOIUrl":"10.1016/j.jisa.2025.104062","url":null,"abstract":"<div><div>In malware detection research, determining whether the application has malicious intent is the most important issue. Malware variants evolve rapidly through the use of polymorphic and metamorphic techniques, posing two challenges to malware detection. First, it is very difficult to label and identify large amounts of new malware. Second, existing classification methods are usually trained on predefined malicious samples. Therefore cannot identify new types of malware. In order to solve these problems, this study proposes an innovative method based on few-shot learning, aiming to quickly adapt to new threats. This method can rely on a small number of malicious family samples to quickly infer malware that does not appear in the training set. This study conducted detection experiments on malware of unknown families, unknown samples, and unknown functions. The research results show that this method is better than existing methods when facing new malware samples.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104062"},"PeriodicalIF":3.8,"publicationDate":"2025-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143870143","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Vertin: Fast, Communication-friendly and Key-compact secure inference system for NNs and LLMs","authors":"Xin Bie , Zhenhua Liu , Han Liang","doi":"10.1016/j.jisa.2025.104060","DOIUrl":"10.1016/j.jisa.2025.104060","url":null,"abstract":"<div><div>Existing secure inference schemes based on function secret sharing (FSS) allow the client to obtain inference results while protecting the client’s inputs, the server’s neural networks (NNs), and large language models (LLMs), ensuring high online efficiency. However, there is still room for improvement in terms of storage, communication, and inference speed for linear layers in these schemes. In this work, we introduce a novel semi-honest secure two-party inference system tailored for NNs and LLMs, which surpasses state-of-the-art solutions in speed, communication efficiency, and key storage. Our system leverages plaintext weight matrices for the server, introducing <em>FMLO</em>, a secure two-party computation protocol supporting linear operations. By using precomputed random matrices correlated with weight matrices, <em>FMLO</em> minimizes key storage, online computation, and communication demands. We also develop two efficient protocols, <span><math><msub><mrow><mi>π</mi></mrow><mrow><mi>M</mi><mi>u</mi><mi>l</mi><mi>P</mi><mi>r</mi><mi>e</mi></mrow></msub></math></span> for matrix multiplication and <span><math><msub><mrow><mi>π</mi></mrow><mrow><mi>C</mi><mi>o</mi><mi>n</mi><mi>v</mi><mi>P</mi><mi>r</mi><mi>e</mi></mrow></msub></math></span> for matrix convolution, by using vector oblivious linear evaluation. Both protocols batch-generate required random numbers securely in the offline phase, reducing preprocessing overhead in <em>FMLO</em>. Compared to the leading FSS-based scheme <em>Orca</em>, <em>Vertin</em> reduces key storage by 5.37%, online communication by 16.46%, and online inference time by 10.71% in secure inference with ResNet-50. When compared to the state-of-the-art <em>SIGMA</em> on BERT-large model with the sequence length of 64, <em>Vertin</em> achieves reductions in key storage, online communication, and online runtime by 9.81%, 9.17%, and 8.9% respectively.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104060"},"PeriodicalIF":3.8,"publicationDate":"2025-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143870142","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zhenhua Liu , Han Liang , Jinhua Wang , Baocang Wang
{"title":"Third-party private set intersection with application to privacy-preserving training of large language models","authors":"Zhenhua Liu , Han Liang , Jinhua Wang , Baocang Wang","doi":"10.1016/j.jisa.2025.104061","DOIUrl":"10.1016/j.jisa.2025.104061","url":null,"abstract":"<div><div>In the training of large language models (LLMs), the protection of private dataset is especially crucial. The private set intersection (PSI) mechanism acts as a potent privacy-preserving collaborative learning technique, allowing participants to collaborate in model training without revealing their own data, and thereby meeting the training requirements of LLMs. In this paper, we consider a variant of PSI, namely third-party PSI, where a third-party with no input privately receives the intersection of the other two parties’ sets, while the two parties output nothing. We propose a general construction of third-party PSI protocol from leveled fully homomorphic encryption, which ensures privacy-preserving training of large language models. The proposed construction can support intersection of arbitrary-length items by using polynomial links, and its security can be proven in the presence of semi-honest adversaries. Compared with existing protocols, the instantiation of the proposed general construction achieves higher computational efficiency while maintaining equivalent level of communication complexity. More importantly, the proposed protocol offers better utility, effectively safeguarding the privacy of the data without compromising model accuracy.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104061"},"PeriodicalIF":3.8,"publicationDate":"2025-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143864251","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Authenticable Distributed Homomorphic Private Counter and its application in data analysis of edge computing","authors":"Fatemeh Rezaeibagha , Leyou Zhang , Ke Huang , Lanxiang Chen","doi":"10.1016/j.jisa.2025.104059","DOIUrl":"10.1016/j.jisa.2025.104059","url":null,"abstract":"<div><div>The rapid proliferation of advanced technologies, including the Internet of Things (IoT), cloud computing, and edge computing, has led to an exponential growth in structured and unstructured data, generated and collected across diverse applications. It is important to develop secure techniques that can efficiently process large volumes of data while preserving privacy. Privacy-preserving data analytics on encrypted data have gained popularity for performing essential calculations within cloud storage servers. However, applying these techniques to fully homomorphic encryption introduces inefficiencies and computational overheads. While homomorphic encryption allows for delegated execution of arithmetic operations directly on ciphertexts via cloud services, ensuring both efficiency and correctness in data computations remains a challenging endeavor. Most existing studies overlook simultaneous data aggregation while maintaining integrity and privacy for analytical purposes. In response, we propose an Authenticable Distributed Homomorphic Private Counter Scheme (ADHPC) for privacy-preserving data analysis in cloud computing. Our scheme securely and efficiently aggregates encrypted data within distributed edge computing environments, subsequently allowing authorized parties to decrypt and validate it. To authenticate the encrypted data, we employ an authenticable additive homomorphic encryption scheme based on online and offline setup stages. We demonstrate the applicability and efficiency of our proposed approach through implementation results and a comprehensive security analysis.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104059"},"PeriodicalIF":3.8,"publicationDate":"2025-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143859518","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Haotian Yin , Jie Zhang , Wanxin Li , Yuji Dong , Eng Gee Lim , Dominik Wojtczak
{"title":"Updatable Signature with public tokens","authors":"Haotian Yin , Jie Zhang , Wanxin Li , Yuji Dong , Eng Gee Lim , Dominik Wojtczak","doi":"10.1016/j.jisa.2025.104058","DOIUrl":"10.1016/j.jisa.2025.104058","url":null,"abstract":"<div><div>The Updatable Signature (US) allows valid signatures to be updated by an update token without accessing the newly generated signing key. Cini et al. (PKC’21) formally defined this signature and gave several constructions. However, their security model requires the secrecy of the update token, which is only applicable in some specific scenarios, such as software verification in the trusted App Store. In Web3, information is usually shared via a public blockchain, and decentralized private computation is expensive. In addition, one can use the same token to update both the signing key and signatures and all signatures can be updated with a single token. The adversarial signature generated by an adversary might also be updated. Therefore, this work explores the (im)possibility of constructing an Updatable Signature with public tokens (USpt), the tokens of which are signature-dependent. Specifically, we define the updatable signature with public tokens and present its security model. Then, we present a concrete USpt scheme based on the Boneh–Lynn–Shacham signature. This variant introduces a limitation for the signer who must maintain a dataset about its signed messages or hashes of them, which is applicable in our applications.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104058"},"PeriodicalIF":3.8,"publicationDate":"2025-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143859519","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An improved biometric authentication and key agreement scheme based on fuzzy extractor for Wireless Body Area Networks","authors":"Xiao Wang , Yong Xie , Dingyi Shui , Shaolong Ge","doi":"10.1016/j.jisa.2025.104047","DOIUrl":"10.1016/j.jisa.2025.104047","url":null,"abstract":"<div><div>Wireless Body Area Networks (WBANs) support data communication between devices around the human body and are widely used in areas such as healthcare and health monitoring. Due to the sensitivity of transmitted data in WBANs, the restriction of device resources, and the requirement of communication efficiency in emergencies, it remains a great challenge to construct an efficient and secure authentication and key agreement scheme to meet the needs of WBANs. Recently, for the secure exchange of sensitive data in WBANs, Zhang et al. (2024) designed a biometric authentication and key agreement protocol using fuzzy extractor. However, an in-depth analysis reveals that the scheme cannot effectively withstand man-in-the-middle attacks and is insufficient in stability. To address the issues, we propose an improved biometric authentication and key agreement scheme. The solution mainly uses fuzzy extraction techniques, biometrics and elliptic curve cryptography. The user is not required to store any information and only requires to send the message once to complete the authentication, which protects the user’s privacy and is more appropriate for WBANs devices with limited resources. The security of our scheme is demonstrated by formal and informal security analysis. Additionally, we comprehensively evaluate the calculation complexity and security characteristics of this scheme. The evaluation shows our scheme provides both better security as well as reduced computational and communication overheads compared with Zhang et al. (2024)’s scheme.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104047"},"PeriodicalIF":3.8,"publicationDate":"2025-04-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143850293","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CRASHED: Cyber risk assessment for smart home electronic devices","authors":"Georgios Paparis , Apostolis Zarras , Aristeidis Farao , Christos Xenakis","doi":"10.1016/j.jisa.2025.104054","DOIUrl":"10.1016/j.jisa.2025.104054","url":null,"abstract":"<div><div>The rapid proliferation of Internet of Things (IoT) technology has enriched modern households with smart home devices, enhancing convenience, but simultaneously increasing vulnerability to cyber threats. This paper introduces <em>CRASHED</em>, an innovative cyber risk assessment methodology specifically designed for smart home ecosystems. Compared to existing approaches, <em>CRASHED</em> integrates the MITRE ATT&CK and CAPEC frameworks to systematically identify and analyze threats, vulnerabilities, and potential impacts. By employing device-specific profiling, quantitative metrics, and sophisticated weighting mechanisms, it delivers a multilayered assessment of cyber risks that accounts for asset criticality and threat severity, distinguishing it from conventional methods lacking such granularity. The novelty of <em>CRASHED</em> lies in its comprehensive evaluation of systemic vulnerabilities and domestic repercussions. Case studies on various smart home configurations demonstrate its effectiveness in modeling, analyzing, and mitigating risks compared to existing frameworks. This work represents a significant advancement in safeguarding smart home environments, underscoring the urgent need for specialized cyber risk assessment models in our interconnected era. The proposed methodology not only enhances threat detection and response, but also addresses critical gaps in vulnerability databases and risk calculation processes, offering a transformative solution to the evolving challenges of smart home cybersecurity.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104054"},"PeriodicalIF":3.8,"publicationDate":"2025-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143844120","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Fully homomorphic encryption-based optimal key encryption for privacy preservation in the cloud sector","authors":"Sonam Mittal","doi":"10.1016/j.jisa.2025.104048","DOIUrl":"10.1016/j.jisa.2025.104048","url":null,"abstract":"<div><div>Cloud computing infrastructure has been specifically designed to handle vast amounts of data as well as relevant details that are most basic for data-intensive applications. However, cloud computing has been exposed to various internal and external security threats along with privacy concerns. Therefore, an intelligent framework named privacy preservation in the cloud sector (PPCS) is implemented in this work. The main phases taken up in the proposed security model are data sanitization and restoration. The data stored in the cloud infrastructure is subjected to a data sanitization operation. In the data sanitization process, the data is transformed into another form, where the confidential data has been preserved by the optimal key generation operation. An improved meta-heuristic algorithm called Improved Class Topper Optimization (ICTO) derived from existing Class Topper Optimization (CTO) is designed for performing the optimal key generation. This algorithm aids in optimizing the key generated in the data sanitization technique. To offer more security to the cloud environment, the encryption of the generated optimal key is done by fully homomorphic encryption (FHE). It permits the preservation of confidentiality in sensitive data. The performance results of the designed approach illustrated the ability of this technique to prevent attacks without increasing energy consumption and latency.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"91 ","pages":"Article 104048"},"PeriodicalIF":3.8,"publicationDate":"2025-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143834635","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}