Computers & Security: latest publications
GRAIN: Graph neural network and reinforcement learning aided causality discovery for multi-step attack scenario reconstruction
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-30, DOI: 10.1016/j.cose.2024.104180
Abstract: Correlating individual alerts to reconstruct attack scenarios has become a critical issue in identifying multi-step attack paths. Most existing reconstruction approaches depend on external expertise, such as attack templates or attack graphs, to identify known attack patterns, and are incapable of uncovering unknown attack patterns that exceed prior knowledge. Recently, several expertise-independent methods have utilized alert similarity or statistical correlations to reconstruct multi-step attacks. However, these methods often miss rare but high-risk events. The key to overcoming these drawbacks lies in discovering the potential causalities between security alerts. In this paper, we propose GRAIN, a novel graph neural network and reinforcement learning aided causality discovery approach for multi-step attack scenario reconstruction, which does not rely on any external expertise or prior knowledge. By matching the similarity between alerts' attack semantics, we first remove redundant alerts to alleviate alert fatigue. Then, we correlate these alerts as alert causal graphs that embody the causalities between attack incidents via causality discovery. Afterwards, we employ a graph neural network to evaluate the causal effect between correlated alerts. In light of the fact that the alerts triggered by multi-step attacks have the maximum causal effect, we utilize reinforcement learning to screen out authentic causal relationships. Extensive evaluations on 4 public multi-step attack datasets demonstrate that GRAIN significantly outperforms existing methods in terms of accuracy and efficiency, providing a robust solution for identifying and analyzing sophisticated multi-step attacks.
Citations: 0
Multi-perspective API call sequence behavior analysis and fusion for malware classification
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-29, DOI: 10.1016/j.cose.2024.104177
Abstract: The growing variety of malicious software, i.e., malware, has caused great damage and economic loss to computer systems. The API call sequence of malware reflects its dynamic behavior during execution, which is difficult to disguise. Therefore, the API call sequence can serve as a robust feature for the detection and classification of malware. The statistical analysis presented in this paper reveals two distinct characteristics within the API call sequences of different malware: (1) the API existence feature caused by frequent calls to APIs with some special functions, and (2) the API transition feature caused by frequent calls to some special API subsequence patterns. Based on these two characteristics, this paper proposes MINES, a Multi-perspective apI call sequeNce bEhavior fuSion malware classification method. Specifically, the API existence features from different perspectives are described by two graphs that model diverse rich and complex existence relationships between APIs, and we adopt the graph contrastive learning framework to extract the consistent shared API existence feature from the two graphs. Similarly, the API transition features of different hops are described by the multi-order transition probability matrices. By treating each order as a channel, a CNN-based contrastive learning framework is adopted to extract the API transition feature. Finally, the two kinds of extracted features are fused to classify malware. Experiments on five datasets demonstrate the superiority of MINES over various state-of-the-art methods by a large margin.
Citations: 0
Adversarial attacks based on time-series features for traffic detection
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-29, DOI: 10.1016/j.cose.2024.104175
Abstract: To enhance the robustness of intrusion detection classifiers, we propose a Time Series-based Adversarial Attack Framework (TSAF) targeting the temporal characteristics of network traffic. Initially, adversarial samples are generated using the gradient calculations of CNNs, with updates iterated based on model loss. Different attack schemes are then applied to various traffic types and saved as generic adversarial perturbations. These time series-based perturbations are subsequently injected into the traffic stream. To precisely implement the adversarial perturbations, a masking mechanism is utilized. Our adversarial sample model was evaluated, and the results indicate that our samples can reduce the accuracy and recall rates for detecting four types of malicious network traffic, including botnets, brute force, port scanning, and web attacks, as well as degrade the detection performance of DDoS traffic. The CNN model's accuracy dropped by up to 72.76%, and the SDAE model's accuracy by up to 78.77% with minimal perturbations. Our adversarial sample attack offers a new perspective in the field of cybersecurity and lays the groundwork for designing AI models that can resist adversarial attacks more effectively.
Citations: 0
DaE2: Unmasking malicious URLs by leveraging diverse and efficient ensemble machine learning for online security
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-28, DOI: 10.1016/j.cose.2024.104170
Abstract: Over 5.44 billion people now use the Internet, making it a vital part of daily life, enabling communication, e-commerce, education, and more. However, this huge Internet connectivity also raises concerns about online privacy and security, particularly with the rise of malicious Uniform Resource Locators (URLs). Recently, conventional ensemble models have attracted attention due to their notable benefits of reducing the variance in models, enhancing predictive performance, improving prediction accuracy, and demonstrating high generalization potential. However, their application in addressing the challenge of malicious URLs is still an open problem. These URLs often hide behind static links in emails or web pages, posing a threat to individuals and organizations. Despite blacklisting services, many harmful sites evade detection due to inadequate scrutiny or recent creation. Hence, to improve URL detection, a Diverse and Efficient Ensemble (DaE2) machine learning algorithm was developed using four ensemble models, that is, AdaBoost, Bagging, Stacking, and Voting, to classify URLs. After preprocessing, the experimental results showed that all models achieved over 80% accuracy, with AdaBoost reaching 98.5% and Stacking offering the fastest runtime. AdaBoost and Bagging also delivered strong performance, with F1 scores of 0.980 and 0.976, respectively.
Citations: 0
Thread-sensitive fuzzing for concurrency bug detection
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-28, DOI: 10.1016/j.cose.2024.104171
Abstract: Fuzzing is a commonly used method for identifying bugs and vulnerabilities in software. However, current methods for improving fuzzing in concurrency environments often lack a detailed analysis of the program's concurrent state space. This leads to inefficient execution of previously verified concurrent states and missed information. We have developed TSAFL, a novel concurrency fuzzing framework that aims to detect the running state of concurrent programs and uncover hard-to-find vulnerabilities. TSAFL builds upon AFL's concurrency vulnerability detection capabilities by incorporating three new techniques. Firstly, we introduce two new coverage metrics to measure concurrency: concurrent behavior window and CFG prediction. These metrics enhance TSAFL's capability to explore more thread interleavings. The second technique adds efficient thread-interleaved scheduling to fuzzing, combined with period scheduling. Several methods are proposed to avoid the problems caused by simply using period scheduling, so as to accurately detect and verify all concurrent state spaces. Thirdly, we propose a multi-objective optimization mechanism based on the characteristics of concurrent fuzz testing to fully utilize the information in the seed files. Using these three techniques, our concurrency fuzzing approach effectively covers infrequent thread interleavings with concrete context information. We evaluated TSAFL on user-level applications, and experiments show that TSAFL outperforms AFL++ and MOPT in multithreading-related seed generation and concurrent vulnerability detection.
Citations: 0
Enhanced cell phone security: An ultrasonic and sensor fusion-based persistent cell phone protection method integrating anti-theft & identity authentication
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-28, DOI: 10.1016/j.cose.2024.104176
Abstract: With the rapid development of the Internet of Things, cell phones inevitably involve people's privacy and property information. Therefore, ensuring cell phone security is of great importance. Current cell phone protection methods include cell phone anti-theft and identity authentication, but each has limitations. Cell phone anti-theft methods focus on preventing cell phone loss but do not adequately address privacy security. Identity authentication emphasizes privacy protection but overlooks the cell phone's security. Previous studies have achieved these two methods through ultrasonic or sensor-based approaches. However, ultrasonic-based methods are limited by sensing distance and are inconvenient to use. Sensor-based methods do not detect subtle movements and may have shortcomings in terms of security. This study proposes an ultrasonic and sensor fusion-based persistent cell phone protection method integrating anti-theft and identity authentication. Unlike past work, this study uses ultrasonic and inertial sensors to capture motion data of users at different granularities, and provides multifaceted protection for cell phones through anti-theft when taking up the cell phone (ATWTP) and gait identity authentication (GTIA). Our intuition in the design is that each individual has unique movements and gait patterns, resulting in differences in the data collected from ultrasonic and inertial sensors. These differences can be used to achieve persistent protection of the cell phone. This study combines the strengths of sensors and ultrasonics through multimodal fusion and designs a system that incorporates system-triggered event detection (STED), ATWTP, and GTIA. The results demonstrate that the proposed design achieves an accuracy of 96.88% in protecting cell phones.
Citations: 0
TrustCNAV: Certificateless aggregate authentication of civil navigation messages in GNSS
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-26, DOI: 10.1016/j.cose.2024.104172
Abstract: The Global Navigation Satellite System (GNSS) is capable of accurate positioning because it can provide high-precision data. These data are transmitted to the receiver in the form of navigation messages, called civil navigation messages (CNAV). As it is transmitted in an open, transparent environment without data integrity protection mechanisms and secure data transmission measures, the CNAV is susceptible to spoofing attacks. In 2023, OPSGROUP received approximately 50 reports of GPS spoofing activity. A spoofed plane's navigation system will show it as being in a different place, a security risk if a jet is guided to fly into a hostile country's airspace. To prevent the forging of GNSS positioning data by spoofing attacks targeting CNAV, we propose a certificateless aggregate authentication scheme for CNAV, called TrustCNAV, built on the elliptic curve discrete logarithm problem and the structural characteristics of CNAV. Security proof and performance analysis indicate that this authentication scheme can resist spoofing attacks and ensure the data security of CNAV; it also avoids pairing operations with high computational complexity, thus meeting security requirements without causing too much time and communication consumption.
Citations: 0
A multiscale approach for network intrusion detection based on variance–covariance subspace distance and EQL v2
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-26, DOI: 10.1016/j.cose.2024.104173
Abstract: As an important network defense approach, network intrusion detection is mainly used to identify anomalous traffic behavior. However, dominant network intrusion detection approaches are now struggling to identify complex and variable means of attack, leading to a high false alarm rate. Additionally, the feature redundancy and class imbalance problems in intrusion detection datasets also constrain the performance of detection methods. This paper proposes a multiscale intrusion detection approach based on variance–covariance subspace distance and Equalization Loss v2 (EQL v2). Firstly, the variance–covariance subspace distance is used for feature selection on the preprocessed dataset to determine a set of representative feature subsets that can effectively approximate the original feature space. Secondly, the loss function EQL v2 is adopted to balance the positive and negative gradients, addressing the class imbalance problem. Finally, a pyramid depthwise separable convolution model is proposed to capture the multiscale information of the traffic, and the convolutional layer in the depthwise convolution is replaced with a self-supervised predictive convolutional attention block to compensate for the performance loss caused by the parameter reduction. Extensive experiments demonstrate that the proposed approach exhibits better performance on the three datasets NSL-KDD, UNSW_NB15, and CIC-IDS-2017, with accuracy rates of 99.19%, 97.81%, and 99.83%, respectively, effectively improving intrusion detection performance.
Citations: 0
Zero day ransomware detection with Pulse: Function classification with Transformer models and assembly language
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-24, DOI: 10.1016/j.cose.2024.104167
Abstract: Finding automated AI techniques to proactively defend against malware has become increasingly critical. The ability of an AI model to correctly classify novel malware is dependent on the quality of the features it is trained with, and the authenticity of the features is dependent on the analysis tool. Peekaboo, a Dynamic Binary Instrumentation tool, defeats evasive malware to capture its genuine behaviour. The ransomware Assembly instructions captured by Peekaboo follow Zipf's law, a principle also observed in natural languages, indicating that Transformer models are particularly well-suited to binary classification. We propose Pulse, a novel framework for zero day ransomware detection with Transformer models and Assembly language. Pulse, trained with the Peekaboo ransomware and benign software data, uniquely identifies truly new samples with high accuracy. Pulse eliminates any familiar functionality across the test and training samples, forcing the Transformer model to detect malicious behaviour based solely on context and novel Assembly instruction combinations.
Citations: 0
MFT: A novel memory flow transformer efficient intrusion detection method
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2024-10-22, DOI: 10.1016/j.cose.2024.104174
Abstract: Intrusion detection is a critical field in network security research that is devoted to detecting malicious traffic or attacks on networks. Even with the advances in today's Internet environment, a lot of intrusion detection techniques still fail to take into account the long-term characteristics present in network data, which results in a high false alarm rate. Some researchers have tried to address this problem by using the traditional transformer model; however, it is not very effective when dealing with complex relationships and the subtle classification requirements of large amounts of sequential data. This work presents a novel solution called the memory flow transformer (MFT) in response to the limitations of the conventional transformer model. By utilizing a carefully designed memory flow structure, MFT transcends traditional limitations and makes it possible to obtain complex long-term features from network traffic. This innovation enables the model to identify deep connections at a finer level between a wide variety of network traffic data. Extensive experiments were carried out on the complex CICIDS 2017 and NSL-KDD datasets to validate the effectiveness of the MFT model. The results were outstanding, demonstrating MFT's powerful detection abilities. With regard to performance metrics like accuracy, F1 score, false alarm rate, and training time, MFT is superior to current state-of-the-art approaches. Network security is greatly strengthened by MFT, which provides practitioners in the intrusion detection field with novel and effective techniques.
Citations: 0