{"title":"A decision-making framework for user authentication using keystroke dynamics","authors":"Viktor Medvedev, Arnoldas Budžys, Olga Kurasova","doi":"10.1016/j.cose.2025.104494","DOIUrl":"10.1016/j.cose.2025.104494","url":null,"abstract":"<div><div>Increasingly sophisticated cyber attacks threaten critical infrastructures, requiring more trusted user authentication mechanisms. In this work, we propose a deep learning-based user authentication framework that combines keystroke dynamics with Siamese neural networks to differentiate legitimate users from impostors. A key challenge in this area is the variability in password lengths, which leads to different feature sizes and complicates model training. Our approach uses interpolation-based data fusion strategies to standardize the number of keystroke features, ensuring consistency across different datasets and password lengths. Through experiments on the fused CMU and KeyRecs datasets, we have evaluated the effectiveness of the proposed decision-making framework with adaptive threshold strategies. The threshold strategy determines how the final decision boundary is set with respect to the user’s baseline typing behavior. We empirically evaluated the framework on fused data, achieving an equal error rate as low as 0.11–0.12, indicating strong efficacy in detecting insider threats. We show how the obtained Siamese neural network with triplet loss function can be used to distinguish genuine users from impostors even under different input conditions, contributing to more robust and scalable intrusion detection systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104494"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869441","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SAFE-IDS: A privacy-preserving framework for overcoming non-IID challenges in federated intrusion detection","authors":"Alimov Abdulboriy Abdulkhay ugli , Ji Sun Shin","doi":"10.1016/j.cose.2025.104492","DOIUrl":"10.1016/j.cose.2025.104492","url":null,"abstract":"<div><div>Federated learning has advanced intrusion detection systems (IDS) by enabling collaborative model training without requiring direct data sharing. This approach allows multiple institutions to contribute to and benefit from a shared model, enhancing detection capabilities. Despite these advances, the security of model updates remains a significant concern, as malicious actors may reverse-engineer the underlying data from these updates. Additionally, existing federated learning techniques struggle with non-IID (non-Independent and Identically Distributed) data distributions and are vulnerable to inference attacks on model updates. For example, methods like <span>SignSGD</span>, while providing some privacy benefits through gradient sign manipulation, suffer from accuracy degradation, especially when dealing with non-IID data. Similarly, <span>FedAvg</span>, while effective in handling non-IID data, is prone to privacy breaches as it transmits full model updates, potentially revealing sensitive information. To address these challenges, we propose <span>SAFE-IDS</span>, a novel framework combining gradient sign-based aggregation with the <span>zSignFedAvg</span> optimizer. Unlike <span>SignSGD</span>, it incorporates a unified learning rate and weighted loss function to mitigate accuracy loss in non-IID settings. Additionally, while <span>FedAvg</span> shares full model updates, <span>SAFE-IDS</span> only shares gradient signs, enhancing privacy. The integration of <span>zSignFedAvg</span> balances privacy and convergence speed, accelerating convergence and improving robustness, particularly for class imbalance. Notably, <span>SAFE-IDS</span> is the first federated network intrusion detection system that effectively maintains privacy while adeptly managing non-IID data. Our empirical evaluation demonstrates that <span>SAFE-IDS</span> achieves an impressive accuracy of up to 99.74% across various IDS datasets and a varying number of clients, proving its effectiveness in both securing client data and maintaining high model performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104492"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143876533","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Matilda Nkoom , Sena G. Hounsinou , Garth V. Crosby
{"title":"Securing the Internet of Robotic Things (IoRT) against DDoS Attacks: A Federated Learning with Differential Privacy Clustering Approach","authors":"Matilda Nkoom , Sena G. Hounsinou , Garth V. Crosby","doi":"10.1016/j.cose.2025.104493","DOIUrl":"10.1016/j.cose.2025.104493","url":null,"abstract":"<div><div>The exponential growth of Internet of Robotic Things (IoRT) systems has increased the vulnerability to Distributed Denial of Service (DDoS) attacks. Centralized intrusion detection approaches collect sensitive data from distributed robotic devices, raising privacy concerns. While federated learning (FL) offers collaborative threat detection, it faces challenges due to the heterogeneous nature of the data collected from the diverse IoRT devices and privacy vulnerability. This paper proposes a DDoS detection framework for IoRT systems that addresses both challenges through: (1) applying the Differential Privacy (DP) mechanism to the quantile values shared by clients with the central server, protecting statistical information while enabling effective clustering, and (2) implementing privacy-preserving k-means clustering based on these DP quantile values to group devices with similar data distributions. Using the CICIoT2023 data set and PyTorch framework, we evaluate three models and compare performance between clustered and non-clustered FL approaches. The results from our simulated environment demonstrate that our clustered approach improves performance across all models when compared to our baseline model: CNN accuracy increased from 98.10% to 98.99%, LSTM showed improvement from 95.38% to 98.00%, and GRU accuracy increased from 96.50% to 98.50%. Our evaluation demonstrates that privacy-preserving clustering effectively mitigates the challenges of heterogeneous data in FL while maintaining privacy guarantees.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104493"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869439","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zihui Guo , Yin Lv , Ningning Cui , Liwei Chen , Gang Shi
{"title":"HScheduler: An execution history-based seed scheduling strategy for hardware fuzzing","authors":"Zihui Guo , Yin Lv , Ningning Cui , Liwei Chen , Gang Shi","doi":"10.1016/j.cose.2025.104479","DOIUrl":"10.1016/j.cose.2025.104479","url":null,"abstract":"<div><div>The recent emergence of hardware fuzzing has introduced significant advancements in hardware verification. However, the lack of an efficient seed (input for fuzzing) scheduling mechanism severely affects its performance. In this paper, we propose HScheduler, a novel seed scheduling strategy based on seed execution history. First, HScheduler prioritizes seeds based on the historical coverage points, ensuring that more promising seeds are executed first. Second, it analyzes seed mutation history to guide subsequent mutations, reducing the occurrence of ineffective mutations. Our evaluation demonstrates that HScheduler significantly improves the overall efficiency of hardware fuzzers. We implemented this design on both the state-of-the-art general-purpose hardware fuzzer RFUZZ and the processor-specific fuzzer DifuzzRTL. Experimental results demonstrate that, when fuzzing various real-world hardware designs, our approach achieves up to a <span><math><mrow><mn>41</mn><mo>.</mo><mn>4</mn><mo>×</mo></mrow></math></span> speed improvement (with an average improvement of <span><math><mrow><mn>7</mn><mo>.</mo><mn>4</mn><mo>×</mo></mrow></math></span>) over RFUZZ, while HScheduler significantly reduces ineffective mutations during fuzzing. Additionally, it boosts coverage speed by 5.6<span><math><mo>×</mo></math></span> in DifuzzRTL, with a notable increase in final coverage, detecting over 1.4 times more mismatch seeds (potential bugs). Moreover, HScheduler introduces only a 0.63% performance overhead.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104479"},"PeriodicalIF":4.8,"publicationDate":"2025-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869440","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An evolutionary wrapper to support intrusion detection system configuration","authors":"Javier Maldonado , María Cristina Riff","doi":"10.1016/j.cose.2025.104478","DOIUrl":"10.1016/j.cose.2025.104478","url":null,"abstract":"<div><div>Detecting and classifying attacks is one of the building blocks of cybersecurity. This is a difficult task, as classification algorithms must deal with a profusion of data used to detect attacks which may be very time consuming. In this paper, an evolutionary approach is proposed to obtain information about a given set of features, as well as to select the best features as input for attack classification algorithms. With this approach, each individual represents an optimized set of features, such that a cybersecurity analyst can evaluate which features and how many of them are required to obtain a suitable metric to detect a specific attack. This set of features improves the quality of attack detection while also reducing the CPU time required for the classification itself. This approach is evaluated using well-known datasets and decision trees generated by C4.5 and Random Forest algorithms for the evaluation and classification. We compare our findings with state-of-the-art results, demonstrating promising advances. Additionally, the features information that can be obtained using this approach is reported, which is useful for making decisions for attack discrimination.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104478"},"PeriodicalIF":4.8,"publicationDate":"2025-04-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143863648","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"iQUIC: An intelligent framework for defending QUIC connection ID-based DoS attack using advantage actor–critic RL","authors":"Debasmita Dey, Nirnay Ghosh","doi":"10.1016/j.cose.2025.104463","DOIUrl":"10.1016/j.cose.2025.104463","url":null,"abstract":"<div><div>QUIC (Quick UDP Internet Connections) is a relatively recent transport layer protocol that Google deployed and implemented for the first time in 2012. The key aspect of this protocol is that it is faster than TCP, more secure than UDP, and more efficient regarding resource usage. It has been adopted by some Internet-based applications, viz., YouTube, Gmail, etc. Recent advancements in 5G/6G communication technology have enabled the integration of QUIC with many real-time applications. One of the drawbacks in the design of the QUIC protocol is its vulnerability against attacks related to connection ID, and a recent attack of this type is the <em>retire connection ID stuffing attack</em>. This attack leads to a denial of service (DoS) condition, thus hindering network operations and services. Few preventive solutions have been proposed, but they focus on closing the connection after detecting an attack scenario, which results in service disruption. In this paper, we attempted to render flexibility to this rigid security defense mechanism situation by proposing <em>iQUIC</em>, an intelligent framework to configure a network condition monitoring QUIC server. The framework inputs the network data to a local <em>Advantage Actor–Critic (A2C) Reinforcement Learning (RL)</em> engine to support decision-making regarding accepting/rejecting a request from a client or issuing a warning signal to it. The framework also enables the server to stochastically suspend connections with the client(s) following in <span><math><mi>ϵ</mi></math></span>-greedy approach after a predefined observation window. To replicate a real-world QUIC-enabled network, we devised a small QUIC network consisting of two clients and a server and generated substantial QUIC traffic by implementing a U-Net-based GAN (Generative Adversarial Network) model from scratch. A simulation-based performance evaluation demonstrates that the QUIC server powered by the actor–critic RL learns to make optimal decisions with time.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104463"},"PeriodicalIF":4.8,"publicationDate":"2025-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869442","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy preservation techniques through data lifecycle: A comprehensive literature survey","authors":"Sheema Madhusudhanan, Arun Cyril Jose","doi":"10.1016/j.cose.2025.104473","DOIUrl":"10.1016/j.cose.2025.104473","url":null,"abstract":"<div><div>With the increasing user data volume, safeguarding sensitive information has become more critical than ever. This survey reviews privacy-preserving techniques and models designed to protect Personally Identifiable Information (PII) and other sensitive data. Privacy is essential at every data lifecycle stage, including data collection, storage, processing, sharing and transmission, retention and deletion, and access control. We discuss the challenges associated with each stage and highlight relevant research work. The survey concludes with a discussion of ongoing challenges and potential research directions in data privacy preservation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104473"},"PeriodicalIF":4.8,"publicationDate":"2025-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143851396","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring capacitive swipe gesture for user authentication using a new large dataset","authors":"Kiran K.C., Md Shafaeat Hossain, Carl Haberfeld","doi":"10.1016/j.cose.2025.104475","DOIUrl":"10.1016/j.cose.2025.104475","url":null,"abstract":"<div><div>We investigate the viability of the capacitive swipe gesture as a biometric modality. While the regular swipe gesture and the capacitive image have been widely explored in biometric literature, the capacitive swipe gesture is fairly new in this line of research. To our knowledge, only one recent study has explored the capacitive swipe gesture, and demonstrated its promise. However, that study is limited by a number of factors, such as using a very small data set in the experiments, collecting data in a single session, allowing the same impostor in both training and testing phases of authentication models, etc. In our paper, we address all these limitations, and rigorously explore the capacitive swipe gesture by creating a new large data set. Additionally, we develop a new technique to preprocess capacitive swipe gesture data, and demonstrate its effectiveness by comparing with existing techniques. A large set of experiments with four machine learning classifiers and two swipe directions prove that the capacitive swipe gesture can be effectively used for user authentication in smartphones.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104475"},"PeriodicalIF":4.8,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143843562","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shanquan Yang , Yansong Gao , Boyu Kuang , Yixuan Yang , Anmin Fu
{"title":"DFirmSan: A lightweight dynamic memory sanitizer for Linux-based firmware","authors":"Shanquan Yang , Yansong Gao , Boyu Kuang , Yixuan Yang , Anmin Fu","doi":"10.1016/j.cose.2025.104467","DOIUrl":"10.1016/j.cose.2025.104467","url":null,"abstract":"<div><div>Vulnerabilities in Linux-based firmware present a significant risk to IoT security, with memory-related issues being especially hidden and dangerous. Despite substantial efforts to uncover firmware vulnerabilities through fuzzing, these methods are often ineffective in detecting memory vulnerabilities. To address this issue, prior research introduces sanitizers integrated into fuzzers. However, applying existing sanitizers to Linux-based firmware poses three significant challenges: First, embedded Linux systems lack robust memory protection and operate under tight performance constraints, making it difficult to detect “silent memory corruption”. Second, most binary sanitizers focus on executables, such as the main program (the core backend service programs handling requests), and fail to effectively monitor dynamically loaded libraries, which are often assumed to be trustworthy. Third, sanitizers that rely on global memory monitoring techniques, such as shadow memory or redzone, introduce substantial performance overhead. These mechanisms significantly slow down resource-constrained firmware, rendering fuzz testing impractical for IoT devices. This paper introduces DFirmSan, a lightweight dynamic memory sanitizer for Linux-based firmware. DFirmSan addresses key challenges in detecting memory vulnerabilities through a two-step process. First, the pre-analysis phase identifies service programs and vendor-customized libraries, analyzing them for sensitive function calls and key parameters. In the second step, dynamic memory corruption detection, DFirmSan leverages this information to perform targeted dynamic boundary checks during runtime, focusing on detecting memory flaws, particularly silent corruptions. To minimize overhead, DFirmSan focuses on selectively monitoring sensitive function parameters influenced by untrusted data, rather than tracking all memory variables. It further reduces false positives by dynamically adjusting parameter boundaries. We evaluate DFirmSan on 18 real-world firmware samples. By integrating DFirmSan, two advanced fuzzers detect 117 and 25 additional known CVEs, respectively. Besides, it helps uncover 4 CNVD zero-day vulnerabilities. Despite this enhanced capability, the impact on fuzzing speed remains minimal, with reductions of only 16.43% and 2.69%, well within acceptable limits. Moreover, DFirmSan maintains an impressively low false positive rate of under 0.35% for detecting memory corruption, further underscoring its practicality in real-world firmware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104467"},"PeriodicalIF":4.8,"publicationDate":"2025-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143828564","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yazhuo Gao , Lin Yang , Ran Zhu , Yixuan Wu , Feng Yang , Yining Cao
{"title":"IR-IDS: A network intrusion detection method based on causal feature selection and explainable model optimization","authors":"Yazhuo Gao , Lin Yang , Ran Zhu , Yixuan Wu , Feng Yang , Yining Cao","doi":"10.1016/j.cose.2025.104496","DOIUrl":"10.1016/j.cose.2025.104496","url":null,"abstract":"<div><div>With the rapid advancement of computer network technologies, the complexity of cybersecurity issues has grown significantly. Intrusion Detection Systems (IDS), serving as the first line of defense against network attacks, are vital components in ensuring network security. However, traditional IDS often struggle to balance the robustness of detection capabilities with the interpretability of the model. To address these challenges, this paper proposes an interpretable and robust intrusion detection method (IR-IDS). The proposed approach begins by efficiently and accurately selecting the optimal feature subset for predicting the target variable, using a causal effect-based conditional testing method and a Markov blanket search algorithm. Subsequently, it enhances the decision tree algorithm using Shapley values, enabling fine-grained classification of attacks. Finally, by integrating Kolmogorov–Arnold Networks (KAN) and Conditional Variational Autoencoders (CVAE), the method further improves the detection of unknown attacks. Experimental results demonstrate that the proposed method outperforms existing techniques on five datasets, including CIC-IDS2017, CSE-CIC-IDS2018, CIC-DDoS2019, CIC-UNSW-NB15 and CIC-IoT-IDAD-2024, with multi-class accuracies of 98.83 %, 99.37 %, 99.57 %, 99.52 % and 97.11 %, respectively. From the results, it can be seen that this method not only ensures the interpretability of the model but also improves the accuracy and robustness of intrusion detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104496"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143833983","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}