Computers & Security最新文献

{"title":"NIOM-DGA: Nature-inspired optimised ML-based model for DGA detection","authors":"Daniel Jeremiah ,&nbsp;Husnain Rafiq ,&nbsp;Vinh Thong Ta ,&nbsp;Muhammad Usman ,&nbsp;Mohsin Raza ,&nbsp;Muhammad Awais","doi":"10.1016/j.cose.2025.104561","DOIUrl":"10.1016/j.cose.2025.104561","url":null,"abstract":"<div><div>Domain Generation Algorithms (DGAs) allow malware to evade detection by generating millions of random domains daily for Command-and-Control (C&amp;C) communication, challenging traditional detection methods. This work presents NIOM-DGA, a novel machine learning model that applies nature-inspired algorithms (NIAs) to select an optimal subset of 78 features from a dataset of over 16 million domain names, including several features not traditionally used in DGA detection. This approach enhances accuracy, robustness, and generalisability, achieving up to 98.3% accuracy—outperforming most existing approaches. Further testing on 10 external datasets with over 37 million domains confirms an average classification accuracy of 95.7%. Designed for seamless integration into SIEM, EDR, XDR, and cloud security platforms, NIOM-DGA significantly improves DGA detection compared to existing methods, advancing practical threat detection capabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104561"},"PeriodicalIF":4.8,"publicationDate":"2025-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144365975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"PIXHELL: When pixels learn to scream","authors":"Mordechai Guri","doi":"10.1016/j.cose.2025.104568","DOIUrl":"10.1016/j.cose.2025.104568","url":null,"abstract":"<div><div>This paper presents a novel technique for generating sound by leveraging the electrical properties of liquid crystal displays (LCDs). The phenomenon occurs due to vibrational noise produced by capacitors within the LCD panel during rapid pixel state transitions. By modulating these transitions through specially crafted bitmap patterns projected onto the screen, we demonstrate how weak yet audible acoustic signals can be generated directly from the display. We designed, implemented, evaluated, and tested a system that repurposes the LCD as a sound-emitting device. Potential applications for this technique include low-power auditory feedback systems, short-range device communication, air-gap covert channels, secure auditory signaling, and innovative approaches to human–computer interaction.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104568"},"PeriodicalIF":4.8,"publicationDate":"2025-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144338369","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Security of cyber-physical Additive Manufacturing supply chain: Survey, attack taxonomy and solutions","authors":"Mahender Kumar,&nbsp;Gregory Epiphaniou,&nbsp;Carsten Maple","doi":"10.1016/j.cose.2025.104557","DOIUrl":"10.1016/j.cose.2025.104557","url":null,"abstract":"<div><div>Additive Manufacturing (AM) is transforming industries by enabling rapid prototyping and customised production. However, as AM processes become increasingly digitised and interconnected, they introduce significant cybersecurity vulnerabilities, including intellectual property theft, design manipulation, and counterfeit production. This paper offers a comprehensive analysis of cyber and cyber–physical threats within the AM supply chain, addressing a critical research gap that has largely focused on isolated security aspects. Building upon existing taxonomies, we expand cybersecurity frameworks to incorporate emerging AM-specific threats. We propose a structured attack taxonomy that categorises threats by attacker goals, targets, and methods, supported by real-world case studies. The paper emphasises the need for robust cybersecurity measures to protect intellectual property, ensure production integrity, and strengthen supply chain security. Finally, we present mitigation strategies to counter these threats, laying the foundation for future research and best practices to secure AM ecosystems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104557"},"PeriodicalIF":4.8,"publicationDate":"2025-06-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144312823","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity","authors":"Awais Yousaf ,&nbsp;Sean Gunawan ,&nbsp;Sunil Basnet ,&nbsp;Victor Bolbot ,&nbsp;Jianying Zhou ,&nbsp;Osiris A. Valdez Banda","doi":"10.1016/j.cose.2025.104559","DOIUrl":"10.1016/j.cose.2025.104559","url":null,"abstract":"<div><div>Cybersecurity incidents in the maritime sector are growing in number and the requirement of cyber risk management onboard ships is an inescapable reality today. Multiple cyber risk assessment frameworks exist today but they are all cumbersome to be applied in today’s state-of-the-art modern maritime systems. Most of the frameworks require experts’ involvement, their precious time and cognitive efforts. The application of these frameworks are also prone to human biases. Moreover, due to the rapid evolution of malicious actors and the inclusion of state-of-the-art toolsets in their arsenal, the completeness of the coverage of the cyber risk analysis for modern maritime systems is also open to questions. In response to these emerging challenges and threat landscape, a modified system theoretic process analysis for cybersecurity is proposed that not only inspects the control actions from a controller but also investigates the incoming feedback signals from the controlled process. The rationale behind the two-way cyber risk analysis within a system, i.e., for a control action as well as for a feedback signal, is that the attackers can target both the links within a feedback loop with comparable likelihood and impact, which could result in gruesome consequences. This work also contributes by semi-automating the labor intensive steps of the cyber risk assessment that results in significant reduction of involvement of experts, cognitive efforts, time requirement and human biases. Lastly, semi-automated generation of security causal scenarios in this work also contributes to the completeness of the cyber risk assessment process because human involvement and manual efforts required in the cyber risk assessment of a cyber–physical system could result in incomplete analysis due to the limitations in human comprehension. Hence, considerable reductions in time, cognitive efforts, human involvement and human biases are achieved in this work.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104559"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144312822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"MER-GCN: Reasoning about attacking group behaviors using industrial control system attack knowledge graphs","authors":"Xiao Zhang ,&nbsp;Yingxu Lai ,&nbsp;Xinrui Dong ,&nbsp;Xinyu Xu","doi":"10.1016/j.cose.2025.104558","DOIUrl":"10.1016/j.cose.2025.104558","url":null,"abstract":"<div><div>To enhance the ability of Intrusion Detection Systems (IDSs) to detect complex attacks on Industrial Control Systems (ICSs), we developed the ICS attack knowledge graph (ICS-Attack-KG). This graph focuses on learning the correlations across attack groups’ behaviors to enable cross-group threat intelligence sharing. Based on the knowledge learned, the graph can reason about potential attack behaviors more comprehensively and accurately, which is beneficial for IDS to update its rulebase and detect complex attacking behaviors. However, data sparsity caused by the difficulty in obtaining threat intelligence of advanced attack group, as well as the data complexity brought by learning correlations across attack groups’ behaviors, increases the difficulty of embedding and reasoning on a knowledge graph. To address these issues, we introduce a novel link prediction model named the Multi-Edge Relation Graph Convolutional Network (MER-GCN). This model overcomes the limitations of data sparsity by embedding global graph structure into relation vectors, enabling it to supply missing information through adjacent or related nodes. To better learn the correlations across attack groups’ behaviors, MER-GCN sets attack group as relations and involves three-dimensional convolutional computation and relational projections to capture pattern sharing and differences across relational subgraphs. Empirical evaluation results demonstrate that the model significantly improves the accuracy and completeness of reasoning about attack groups’ behaviors in ICS. On the ICS-Attack-KG dataset, the model achieves an 11.3% improvement in mean reverse rank (MRR) over the state-of-the-art MR-GCN model. Additionally, the model also improved by 6.8% on the widely recognized Reuters dataset, demonstrating the model’s good generalization ability on a common dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104558"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144321048","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"HGAN4VD: Leveraging Heterogeneous Graph Attention Networks for enhanced vulnerability detection","authors":"Yucheng Zhang ,&nbsp;Xiaolin Ju ,&nbsp;Xiang Chen ,&nbsp;Amin Misbahul ,&nbsp;Zilong Ren","doi":"10.1016/j.cose.2025.104548","DOIUrl":"10.1016/j.cose.2025.104548","url":null,"abstract":"<div><div>Detecting vulnerabilities is crucial for mitigating inherent risks in software systems. In recent years, there has been a significant increase in developing effective vulnerability detection approaches, many of which leverage deep learning technologies. These methods provide notable advantages, including automated feature extraction and the ability to train models autonomously, thereby improving the efficiency and accuracy of the detection process. However, existing methods encounter two significant limitations. Firstly, code analysis lacks granularity and does not fully leverage semantic and syntactic information within code structures, resulting in suboptimal performance. Secondly, approaches based on Graph Neural Networks (GNNs) inherently struggle to capture long-distance relationships between nodes in code structures. In this paper, we propose HGAN4VD, a novel vulnerability detection method that utilizes heterogeneous intermediate source code representations to address these limitations. HGAN4VD comprises two components: a heterogeneous code representation graph, which is constructed by creating diverse code representations and simplifying the graph to reduce node distances, and a Heterogeneous Graph Attention Network, which incorporates two attention layers to calculate node-level and semantic-level attention. Experiments on three widely used datasets demonstrate that HGAN4VD outperforms state-of-the-art methods by 1.5% to 7.7% in accuracy and 3.8% to 12.2% in F1 score metrics, affirming its effectiveness in learning global information for code graphs used in vulnerability detection. Furthermore, we demonstrate the generalization capability of our method on Java and Python datasets, suggesting its potential for broader applicability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104548"},"PeriodicalIF":4.8,"publicationDate":"2025-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144291300","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Model-based structural and behavioral cybersecurity risk assessment in system designs","authors":"Tino Jungebloud ,&nbsp;Nhung H. Nguyen ,&nbsp;Dan Dongseong Kim ,&nbsp;Armin Zimmermann","doi":"10.1016/j.cose.2025.104543","DOIUrl":"10.1016/j.cose.2025.104543","url":null,"abstract":"<div><div>Cybersecurity risk assessment has become a critical task in systems development and the operation of complex networked systems. However, current state-of-the-art approaches for detecting vulnerabilities, such as automated security testing or penetration testing, often result in late detection. Thus, there is a growing need for security by design, which involves conducting security-related analyses as early as possible in the system development life cycle.</div><div>This paper proposes an integrated approach that combines static and dynamic hierarchical model-based security risk assessment. The approach enables early identification of security risks during system design, utilizing various models based on the Unified Modeling Language (UML), with lightweight extensions using profiles and stereotypes to capture security attributes like vulnerabilities and asset values. These security attributes are then used to compute relevant properties, including threat space, possible attack paths, and selected network-based security metrics. To facilitate dynamic security analysis, the UML model is subsequently translated into a deterministic and stochastic Petri net (DSPN). This translation allows for the dynamic analysis and simulation of the system’s state and behavior during an attack, capturing temporal aspects and probabilistic transitions. By representing system components and their interactions as modular Petri nets, the DSPN framework facilitates comprehensive simulation and analysis of possible attack scenarios. This also allows us to estimate time-based security metrics such as the duration required for an attacker to compromise system components. Consequently, this combined approach effectively addresses both static security analysis and dynamic state behavior, providing an integrated understanding of the system’s resilience against cyber threats. A real-world industrial case study illustrates the effectiveness of this approach. The underlying data originates from security assessments performed by Keen Security Labs, which were independently verified by BMW (Cai et al., 2019). Specifically, we present an infotainment system network model as implemented in multiple car models along with corresponding attack and defense models. We then demonstrate how the approach assesses the cybersecurity risk of such in-vehicle networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104543"},"PeriodicalIF":4.8,"publicationDate":"2025-06-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144298192","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Explainable AI and Random Forest based reliable intrusion detection system","authors":"Syed Wali,&nbsp;Yasir Ali Farrukh,&nbsp;Irfan Khan","doi":"10.1016/j.cose.2025.104542","DOIUrl":"10.1016/j.cose.2025.104542","url":null,"abstract":"<div><div>Emerging cyber threats — particularly adversarial attacks on machine learning-based Intrusion Detection Systems (IDS) — pose critical risks to network security by exploiting model vulnerabilities and training blind spots. These attacks, often carried out under black-box threat models, involve crafting perturbations that force misclassification without direct access to model parameters, making them especially dangerous in real-world deployments. Traditional IDS models remain ill-equipped to handle such scenarios, relying heavily on adversarial retraining, which is computationally expensive and limited to known attack patterns. To address these challenges, we propose a novel IDS framework that enhances adversarial resilience without retraining by integrating Explainable AI (XAI)-driven credibility assessment with a dual-layered defense pipeline. At its core is a Credibility Assessment Module (CAM) that leverages SHAP (Shapley Additive Explanations) to identify inconsistencies between local and global feature attributions, flagging suspicious predictions for reassessment. The secondary pipeline employs Transformer-based semantic payload inspection alongside behavioral classifiers operating on contextual features, ensuring modal and architectural separation to prevent adversarial transferability. These capabilities enable the system to counter a wide spectrum of threats, ranging from traditional attacks to advanced black-box adversarial techniques such as HopSkipJump and ZOO, which craft minimal perturbations to evade detection. The proposed system is evaluated on two comprehensive and diverse datasets: CSE-CIC IDS 2018, which captures modern attack vectors such as SSH brute force, DoS, and DDoS; and CIC-IoT 23, which focuses on IoT-specific traffic and threats. These datasets were chosen for their realism, broad protocol coverage, and relevance to both conventional and emerging network environments. Our framework outperforms state-of-the-art adversarial defenses and multimodal IDS models, maintaining high accuracy under clean conditions while significantly improving resilience against black-box adversarial attacks. This work introduces a new paradigm in trustworthy IDS design, where explainability and processing diversity form the backbone of proactive, resilient cybersecurity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104542"},"PeriodicalIF":4.8,"publicationDate":"2025-06-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144298191","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Optimized intrusion predictions through feature selection methods","authors":"Anagha A.S. ,&nbsp;Ciza Thomas ,&nbsp;N. Balakrishnan","doi":"10.1016/j.cose.2025.104541","DOIUrl":"10.1016/j.cose.2025.104541","url":null,"abstract":"<div><div>In the realm of cybersecurity, Intrusion Detection Systems are essential for protecting networks from evolving threats. This paper studies enhancing the performance of Intrusion Detection Systems in cybersecurity using Deep Neural Networks, through the integration of advanced feature selection techniques applied to the oversampled NSL-KDD dataset. The primary objective of this study is to identify relevant features crucial for improving classification accuracy. The main techniques used to identify these features are the SHAP, correlation-based feature selection, and information gain-based methods. The baseline model considered for this work takes 41 features attaining an F1 score of 98.7%. Using the top 30 features with attack-specific characteristics on SHAP explanation list, the F1 score improves to 98.8% compared to the baseline model F1 score of 98.7%. Moreover, using SHAP and correlation-based methods to identify and utilize 33 important features further enhances the F1 score to 98.9%. It is observed that information gain-based feature selection performs inferiorly to SHAP and correlation-based methods in intrusion detection systems due to its limited ability to capture feature interactions, lack of interpretability, and sensitivity to noise and redundancy. SHAP values and correlation-based methods offer more comprehensive insights into feature importance, leading to better performance and robustness in Intrusion Detection Systems. These findings underscore significant enhancements in the proficiency of the Intrusion Detection System through feature selection, thereby strengthening cybersecurity defenses against evolving threats.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104541"},"PeriodicalIF":4.8,"publicationDate":"2025-06-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144255267","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"VWA-6G AI assisted continuous security monitoring over open RAN service management orchestration","authors":"Yi-Chih Tung ,&nbsp;En-Cheng Liou ,&nbsp;Pen-Chih Hu ,&nbsp;Cheng-Han Yu","doi":"10.1016/j.cose.2025.104566","DOIUrl":"10.1016/j.cose.2025.104566","url":null,"abstract":"<div><div>The evolution towards sixth generation (6G) mobile networks and Open Radio Access Network (O-RAN) architectures introduces enhanced flexibility and scalability but also significantly broadens the cybersecurity threat landscape. Integration of open-source software components and third-party applications (xApps) exacerbates security vulnerabilities, challenging conventional protection mechanisms. To address these issues, this study proposes the Vulnerability Weakness Attack for 6G (VWA-6G) system, an artificial intelligence (AI) assisted framework for continuous security monitoring. This framework utilizes a contextually fine-tuned BERT-based model. The VWA-6G AI model automates semantic mapping from Common Vulnerabilities and Exposures (CVEs) to Common Weakness Enumerations (CWEs) and Common Attack Pattern Enumerations and Classifications (CAPECs), leveraging specialized datasets derived from forward-looking 6G technical materials. Empirical results demonstrate that the proposed model achieves superior performance metrics compared to baseline methods, notably an accuracy of 98.62 % and an F1-Score of 99.44 %, representing significant improvements over standard BERT and V2W-BERT approaches. This AI driven semantic approach substantially enhances vulnerability identification and mapping accuracy, thereby providing robust, automated, and proactive security management aligned with Zero Trust principles in 6G O-RAN environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104566"},"PeriodicalIF":4.8,"publicationDate":"2025-06-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144280461","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}