{"title":"Merkle multi-branch hash tree-based dynamic data integrity auditing for B5G network cloud storage","authors":"Hongsong Chen , Zimei Tao , Zhiheng Wang , Xinrui Liu","doi":"10.1016/j.jisa.2025.103981","DOIUrl":"10.1016/j.jisa.2025.103981","url":null,"abstract":"<div><div>In the Beyond 5th Generation (B5G) mobile communication network, data transmission speed will be higher, and communication time latency will be minimized, it also brings new security challenges to data management and privacy protection. Aiming at the problems faced by the data integrity audit for B5G network cloud storage, such as complex dynamic data updating, a large number of users, we propose a Merkle Multi-branch Hash Tree (MMHT)-based data integrity auditing scheme for B5G network cloud storage. The scheme involves five entities and eight phases. We propose a multi-branch double-linked Merkle Hash Tree structure to store and audit dynamic data. We conduct correctness analysis and security analysis to this scheme. The results show that our scheme can meet the requirements of data integrity audit and counter six types of data integrity attack. We conduct theoretical comparative analysis. Compared with other schemes, the computational overhead of data owner (DO) is reduced by <em>m</em> times (<em>m</em> represents the number of data blocks). Relevant experiments are conducted with a 5G real-world dataset, and the experiments show that on the order of million data, the construction time of MHT is about 2.48 times that of MMHT in terms of Merkle tree. The verification time of MHT is about 12.83 times that of MMHT. When the data scale reaches millions, the time to generate user keys in the 4G environment is 6.49 times that of in the B5G environment. 
When the number of bilinear pairings reaches one million, the verification time of Third-Party Auditors (TPA) for 10,000 encrypted data entries is only 1.07 times that of 1,000 entries, indicating that our scheme can be scaled for use with large datasets. Compared with other schemes, our solution improves the efficiency and security of dynamic data integrity auditing in the B5G network environment.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103981"},"PeriodicalIF":3.8,"publicationDate":"2025-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170129","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CSA: Crafting adversarial examples via content and style attacks","authors":"Wei Chen , Yunqi Zhang","doi":"10.1016/j.jisa.2025.103974","DOIUrl":"10.1016/j.jisa.2025.103974","url":null,"abstract":"<div><div>Most existing black-box attacks fall into two categories: gradient-based attacks and unrestricted attacks. The former injects adversarial perturbations into the original clean examples under the <span><math><msub><mrow><mi>L</mi></mrow><mrow><mi>p</mi></mrow></msub></math></span>-norm constraint, while the latter tends to attack by changing the shape, color, and texture of the original image. However, the adversarial examples generated by the gradient-based attacks are vulnerable to defense methods and unnatural to the human eye. Meanwhile, unrestricted attacks have poor transferability of adversarial examples compared to gradient-based attacks. Therefore, we propose a novel attack that combines gradient-based and unrestricted attacks, <em>i.e.</em>, Content and Style Attack (CSA). Specifically, we utilize an encoder to extract the content features of the original image and train a reconstructor to generate an image consistent with these features. A gradient-based method is then employed to inject perturbations, followed by using the encoder to extract the content features of the altered image. We implement a momentum-based approach to search for malicious style information, which is then fused with the adversarial content features to create the final attack features. 
Extensive experiments on the ImageNet standard dataset demonstrate that our method is capable of generating adversarial examples that are both natural-looking and possess high transferability.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103974"},"PeriodicalIF":3.8,"publicationDate":"2025-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170128","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An anonymous yet accountable contract wallet system using account abstraction","authors":"Kota Chin , Keita Emura , Kazumasa Omote","doi":"10.1016/j.jisa.2025.103978","DOIUrl":"10.1016/j.jisa.2025.103978","url":null,"abstract":"<div><div>Account abstraction allows a contract wallet to initiate transaction execution. Thus, account abstraction is useful for preserving the privacy of externally owned accounts (EOAs) because it can remove a transaction issued from an EOA to the contract wallet and hides who issued the transaction by additionally employing anonymous authentication procedures such as ring signatures. However, unconditional anonymity is undesirable in practice because it prevents to reveal who is accountable for a problem when it arises. Thus, maintaining a balancing between anonymity and accountability is important. In this paper, we propose an anonymous yet accountable contract wallet system. In addition to account abstraction, the proposed system also utilizes accountable ring signatures (Bootle et al., ESORICS 2015). The proposed system provides (1) anonymity of a transaction issuer that hides who agreed with running the contract wallet, and (2) accountability of the issuer, which allows the issuer to prove they agreed with running the contract wallet. Moreover, due to a security requirement of accountable ring signatures, the transaction issuer cannot claim that someone else issued the transaction. This functionality allows us to clarify the accountability involved in issuing a transaction. In addition, the proposed system allows an issuer to employ a typical signature scheme, e.g., ECDSA, together with the ring signature scheme. This functionality can be considered an extension of the common multi-signatures that require a certain number of ECDSA signatures to run a contract wallet. The proposed system was implemented using zkSync (Solidity). 
We discuss several potential applications of the proposed system, i.e., medical information sharing and asset management.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103978"},"PeriodicalIF":3.8,"publicationDate":"2025-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170127","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Information-theoretic bounds for steganography in visual multimedia","authors":"Hassan Y. El-Arsh , Amr Abdelaziz , Ahmed Elliethy , H.A. Aly , T. Aaron Gulliver","doi":"10.1016/j.jisa.2025.103966","DOIUrl":"10.1016/j.jisa.2025.103966","url":null,"abstract":"<div><div>Steganography in visual multimedia embeds data into an image or video cover object and produces a corresponding stego object with some distortion. Establishing an upper bound on the maximum embedding rate, subject to a target distortion threshold, is challenging due to the difficulties introduced by the Gibbs modeling of visual multimedia objects. This paper introduces an analytic optimization approach to establish a generalized upper bound on the maximum embedding rate in visual multimedia cover objects with a particular target probability of detection by any steganographic detector. To that end, we show that the parametric form of the correlated multivariate quantized Gaussian distribution supersedes the Gibbs family in the achievable embedding rate with a bounded relative entropy between the cover and stego objects’ distributions. Our solution provides an analytical form of the upper bound in terms of the WrightOmega function and agrees with the well-known Square Root Law (SRL) for steganography.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103966"},"PeriodicalIF":3.8,"publicationDate":"2025-01-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170755","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MSG: Missing-sequence generator for metamorphic malware detection","authors":"Rama Krishna Koppanati, Sateesh K. Peddoju","doi":"10.1016/j.jisa.2024.103962","DOIUrl":"10.1016/j.jisa.2024.103962","url":null,"abstract":"<div><div>Metamorphic malware is a sophisticated malware that frequently modifies its code to avoid being detected by signature-based methods while maintaining the same output during the run time. Invariably, the output of the register values reflects the malware’s behavior. Therefore, capturing the output sequence from the register values of a binary is essential to identify the evolutionary relationship between the sequences, leading to effective malware detection. In other words, generating register value sequences for the malicious code in a binary, distinct or missing from benign binary, is vital to effectively detecting the typical and metamorphic malware. This paper proposes a novel <em>Missing Sequence Generator (MSG)</em> to generate features in the form of missing sequences by capturing the registers’ output sequence from a binary’s Control Flow Graph (CFG) with context, semantics, and control flow. We create a diverse and large-scale dataset of metamorphic malware using the metamorphic engine to conduct experiments. Also, we experiment with diverse non-metamorphic malware. The proposed model achieves an accuracy of 99.82% for the non-metamorphic dataset and 99.06% for the metamorphic dataset, with negligible False Positive Rates (FPRs). The proposed model outperforms the state-of-the-art models. 
Further, the proposed work proves its performance and effectiveness by surpassing 47 existing anti-malware.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103962"},"PeriodicalIF":3.8,"publicationDate":"2025-01-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170131","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Real-time monitoring model of DDoS attacks using distance thresholds in Edge cooperation networks","authors":"Mingyue Li , Liudong Zheng , Xiaoxue Ma , Shuang Li","doi":"10.1016/j.jisa.2025.103972","DOIUrl":"10.1016/j.jisa.2025.103972","url":null,"abstract":"<div><div>Edge networks have an increasing demand for real-time attack detection as the duration of Distributed Denial-of-Service (DDoS) attacks decreases and causes missing of reporting insecure cases. However, the training and testing time of the existing detection model deployed on the edge server side is more expensive and cannot be well applied in practice. In this paper, we propose a real-time monitoring framework for DDoS attacks with edge server-device collaboration to solve these problems. Specifically, the edge server uses the k-means algorithm to represent the model boundaries and builds a separate group of recognition and monitoring models for each device by splitting the feature vectors. Furthermore, each device monitors the generated data in real-time through the model and submits suspicious data to the edge server for analysis. Finally, the server utilizes the k-neighbor algorithm which adds threshold selection and judgment to fine-grained identify updated benign data and specific categories of attack data. 
Experimental results show that the proposed scheme can effectively monitor benign data and attack data and identify attack types while the train time, test time and storage cost are less than that of the centralized model.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103972"},"PeriodicalIF":3.8,"publicationDate":"2025-01-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170756","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of vulnerabilities in cybersecurity","authors":"F.R. Parente, Emanuel B. Rodrigues, César L.C. Mattos","doi":"10.1016/j.jisa.2025.103971","DOIUrl":"10.1016/j.jisa.2025.103971","url":null,"abstract":"<div><div>Inadequate Vulnerability Management (VM) techniques, relying solely on metrics such as the Common Vulnerability Scoring System (CVSS), may lead to overestimating the risk of vulnerability exploitation. This work presents FRAPE, a novel Risk-Based Vulnerability Management (RBVM) framework designed to help analysts classify and prioritize the remediation of security flaws. FRAPE combines a labeling technique called Active Learning (AL) with a Supervised Learning approach to create a Machine Learning model capable of emulating the experience of security experts in assessing vulnerability risk. The framework includes four main modules: Data Collection, which gathers essential information for risk assessment; Vulnerability Labeling, where vulnerabilities are labeled via AL based on significant characteristics; Classification and Prioritization, which categorizes vulnerabilities and prioritizes them for remediation based on the estimated risk; and Explainability of Results, which offers a detailed analysis of why vulnerabilities are considered critical. Additionally, we implemented a computer network simulator capable of comparing the effectiveness of different VM classification and prioritization techniques. 
The performed experiments indicate that FRAPE outperforms the use of CVSS in VM and correctly classifies 88% of critical vulnerabilities, which is comparable to the performance obtained by security analysts.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103971"},"PeriodicalIF":3.8,"publicationDate":"2025-01-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170132","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Laconic updatable private set intersection","authors":"Xiangqian Kong , Lanxiang Chen , Yizhao Zhu , Yi Mu","doi":"10.1016/j.jisa.2025.103969","DOIUrl":"10.1016/j.jisa.2025.103969","url":null,"abstract":"<div><div>A laconic private set intersection (PSI) protocol features a two-round communication process with an initial message that remains independent of the set sizes. It is useful for efficiently matching large server sets with smaller client sets without multiple rounds of interaction. The previous work by Aranha et al. (CCS’22) demonstrated superior efficiency but relied on a trusted third party to generate a secret value <span><math><mi>s</mi></math></span> and all its powers, denoted as <span><math><mrow><mo>(</mo><mi>g</mi><mo>,</mo><msup><mrow><mi>g</mi></mrow><mrow><mi>s</mi></mrow></msup><mo>,</mo><mo>…</mo><mo>,</mo><msup><mrow><mi>g</mi></mrow><mrow><msup><mrow><mi>s</mi></mrow><mrow><mn>2</mn></mrow></msup></mrow></msup><mo>,</mo><mo>…</mo><mo>,</mo><msup><mrow><mi>g</mi></mrow><mrow><msup><mrow><mi>s</mi></mrow><mrow><mrow><mo>|</mo><mi>X</mi><mo>|</mo></mrow></mrow></msup></mrow></msup><mo>)</mo></mrow></math></span>, where <span><math><mrow><mo>|</mo><mi>X</mi><mo>|</mo></mrow></math></span> represents the size of the receiver’s set <span><math><mi>X</mi></math></span>. However, these protocols did not address the practical need for updatable sets for both the receiver and sender, which implies the ability to add new elements, delete existing ones, or update an element by deleting it and subsequently adding a new one. In our work, we present an updatable private set intersection protocol that eliminates the need for a trusted third party. Our approach achieves constant communication complexity from the receiver to the sender and linear complexity from the sender to the receiver while partially hiding the size of the receiver’s set. 
We first establish an efficient PSI protocol and then propose two variants that allow both parties to modify their sets. Additionally, we prove the security of our proposed protocol against semi-honest participants within our security model.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103969"},"PeriodicalIF":3.8,"publicationDate":"2025-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170669","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Severity-based triage of cybersecurity incidents using kill chain attack graphs","authors":"Lukáš Sadlek , Muhammad Mudassar Yamin , Pavel Čeleda , Basel Katt","doi":"10.1016/j.jisa.2024.103956","DOIUrl":"10.1016/j.jisa.2024.103956","url":null,"abstract":"<div><div>Security teams process a vast number of security events. Their security analysts spend considerable time triaging cybersecurity alerts. Many alerts reveal incidents that must be handled first and escalated to the more experienced staff to allow appropriate responses according to their severity. The current state requires an automated approach, considering contextual relationships among security events, especially detected attack tactics and techniques. In this paper, we propose a new graph-based approach for incident triage. First, it generates a kill chain attack graph from host and network data. Second, it creates sequences of detected alerts that could represent ongoing multi-step cyber attacks and matches them with the attack graph. Last, it assigns severity levels to the created sequences of alerts according to the most advanced kill chain phases that were used and the criticality of assets. We implemented the approach using the MulVAL attack graph generator and generation rules for MITRE ATT&CK techniques. The evaluation was accomplished in a testbed where multi-step attack scenarios were executed. Classification of sequences of alerts based on computed match scores obtained 0.95 area under the receiver operating characteristic curve in a feasible time. Moreover, a threshold exists for classifying 80% of positive sequences correctly and only a small percentage of negative sequences wrongly. 
Therefore, the approach selects malicious sequences of alerts and significantly improves incident triage.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103956"},"PeriodicalIF":3.8,"publicationDate":"2025-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170671","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MLPN: Multi-Scale Laplacian Pyramid Network for deepfake detection and localization","authors":"Yibo Zhang , Weiguo Lin , Junfeng Xu , Wanshang Xu , Yikun Xu","doi":"10.1016/j.jisa.2025.103965","DOIUrl":"10.1016/j.jisa.2025.103965","url":null,"abstract":"<div><div>Sophisticated and realistic facial manipulation videos created by deepfake technology have become ubiquitous, leading to profound trust crises and security risks in contemporary society. However, various researchers concentrate on enhancing the precision and generalization of deepfake detection models, with little attention to forgery localization. Detecting deepfakes and identifying fake regions is a challenging task. We propose an end-to-end model for performing deepfake detection and forgery localization based on the Laplacian pyramid. The model is designed by an encoder–decoder architecture. Specifically, the encoder generates multi-scale features. The decoder gradually integrates multi-scale features and Laplacian residuals to reconstruct the prediction masks coarse-to-finely. Otherwise, we adopt a spatial pyramid pool approach to deal with high-level semantic features and integrate local and global information. Comprehensive experiments demonstrate that the proposed model performs satisfactorily in deepfake detection and localization.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103965"},"PeriodicalIF":3.8,"publicationDate":"2025-01-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143170173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}