{"title":"Mapping the metaverse minefield: A TIPS framework for security-conscious business adoption","authors":"Srinidhi Vasudevan, Anna Piazza, Lavanya Rajendran, Samuel Duraivel","doi":"10.1016/j.cose.2025.104710","DOIUrl":"10.1016/j.cose.2025.104710","url":null,"abstract":"<div><div>As organisations embrace immersive environments to conduct their operations, the metaverse can be considered a prominent technology that both enhances business efficiency and exposes them to new security vulnerabilities that cannot be fully mitigated using traditional cybersecurity models. This study explores the adoption of the metaverse through the Trust, Identity, Privacy, and Security (TIPS) framework, emphasising the interdependencies between these security dimensions. Although prior research has examined these factors independently, little attention has been paid to their combined impact on organisational adoption of the metaverse. Addressing this gap, we employ qualitative research based on thematic content analysis using Natural Language Processing (NLP) and the Natural Language Toolkit (NLTK), leveraging insights from in-depth interviews with business and IT professionals from micro, small, and medium enterprises (M/SMEs); entities that often lack extensive cybersecurity resources yet seek competitive advantages through digital innovation. Our findings reveal a structured hierarchical dependency between Trust, Identity, Privacy, and Security (TIPS) factors in metaverse adoption contexts, going beyond just identifying interrelationships between these elements. Specifically, trust in metaverse environments is influenced by user embodiment. The avatar as identity complicates identity verification and privacy protection as digital avatars merge physical and virtual identities. Finally, the metaverse raises privacy concerns, demanding frameworks that ensure transparency and user consent. Insights from our analysis suggest organisations should prioritise security-by-design principles while balancing implementation with user experience considerations to successfully navigate the socio-technical complexities of metaverse adoption.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104710"},"PeriodicalIF":5.4,"publicationDate":"2025-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145324642","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cyber-attacks: Securing ship navigation systems using multi-layer cross-validation defense","authors":"Danish Vasan , Mohammad Hammoudeh , Adel F. Ahmed , Hamad Naeem","doi":"10.1016/j.cose.2025.104706","DOIUrl":"10.1016/j.cose.2025.104706","url":null,"abstract":"<div><div>The safety and reliability of ship navigation systems are critical for secure maritime operations. With growing reliance on digital tools, these systems face increasing vulnerability to cyber–physical threats such as GPS spoofing, sensor manipulation, and control logic interference. This research presents a comprehensive threat model across key navigation subsystems and proposes a multi-layer defense strategy based on cross-sensor validation. Rather than relying on hardware redundancy or statistical anomaly filters, our framework validates sensor data and control decisions through consistency checks across GPS, INS, sonar, and depth systems. Standard filtering techniques, such as Kalman filters, are used for state estimation. Experimental simulations across various attack scenarios show that the proposed defense restores navigational accuracy and operational safety, reducing error by over 99% in most subsystems. A public dataset and codebase are released on GitHub to support future maritime cybersecurity research.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104706"},"PeriodicalIF":5.4,"publicationDate":"2025-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145324643","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
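The abstract above describes validating GPS fixes against INS and other sensors by consistency checks rather than trusting any one source. The following is an added illustration of that idea, written for this page and not taken from the paper's released codebase: an INS-style dead-reckoning prediction is used to gate each incoming GPS fix, and a fix that falls outside the gate is rejected in favour of the prediction. The track, the spoofing offset, the drift and noise figures and the gate formula are all constructed assumptions for the example.

```python
"""Cross-sensor consistency gate for a ship's position (GPS validated against INS).

Added example with constructed data; it is not the paper's code. The gate width,
the INS drift rate and the spoofing profile are assumptions chosen for illustration.
"""
from dataclasses import dataclass
import math


@dataclass
class Fix:
    t: float        # seconds since start
    east_m: float   # local east coordinate, metres
    north_m: float  # local north coordinate, metres


def dead_reckon(prev: Fix, speed_mps: float, heading_deg: float, dt: float) -> Fix:
    """INS-style propagation of the last trusted position by speed and heading."""
    h = math.radians(heading_deg)
    return Fix(prev.t + dt,
               prev.east_m + speed_mps * math.sin(h) * dt,
               prev.north_m + speed_mps * math.cos(h) * dt)


def gps_consistent(predicted: Fix, gps: Fix, speed_mps: float, dt: float,
                   ins_drift_mps: float = 0.5, gps_noise_m: float = 10.0) -> bool:
    """Accept a GPS fix only if it lies inside the innovation gate around the INS prediction.

    Gate (assumed) = GPS noise + INS drift accumulated over dt + 10% of distance run,
    so the gate grows with the interval but a sudden pull-off cannot pass it.
    """
    gate = gps_noise_m + ins_drift_mps * dt + 0.1 * speed_mps * dt
    dist = math.hypot(gps.east_m - predicted.east_m, gps.north_m - predicted.north_m)
    return dist <= gate


def validate_track(gps_fixes, speed_mps, heading_deg, dt):
    """Walk a track; return (fused positions, indices of rejected GPS fixes).

    A rejected fix is replaced by the dead-reckoned prediction, which then becomes
    the base for the next prediction, so a spoofed segment never contaminates the state.
    """
    trusted = gps_fixes[0]
    fused, rejected = [trusted], []
    for i, g in enumerate(gps_fixes[1:], start=1):
        pred = dead_reckon(trusted, speed_mps, heading_deg, dt)
        if gps_consistent(pred, g, speed_mps, dt):
            trusted = g
        else:
            rejected.append(i)
            trusted = pred
        fused.append(trusted)
    return fused, rejected


def build_constructed_track(n=12, speed=5.0, heading=90.0, dt=10.0,
                            spoof_from=6, spoof_step_m=60.0):
    """Constructed truth track heading due east; GPS is spoofed from index spoof_from
    onwards with a growing northward offset (a pull-off attack). Returns (truth, gps)."""
    truth = [Fix(0.0, 0.0, 0.0)]
    for _ in range(n - 1):
        truth.append(dead_reckon(truth[-1], speed, heading, dt))
    gps = []
    for i, f in enumerate(truth):
        off = spoof_step_m * (i - spoof_from + 1) if i >= spoof_from else 0.0
        gps.append(Fix(f.t, f.east_m, f.north_m + off))
    return truth, gps


def max_error(estimate, truth):
    """Largest horizontal position error between an estimated and a true track."""
    return max(math.hypot(e.east_m - t.east_m, e.north_m - t.north_m)
               for e, t in zip(estimate, truth))


if __name__ == "__main__":
    truth, gps = build_constructed_track()
    fused, rejected = validate_track(gps, speed_mps=5.0, heading_deg=90.0, dt=10.0)
    print("rejected GPS fixes:", rejected)
    print("max error trusting GPS blindly: %.1f m" % max_error(gps, truth))
    print("max error with consistency gate: %.1f m" % max_error(fused, truth))
```

On the constructed track the first spoofed fix is 60 m off the INS prediction against a 20 m gate, so every fix from index 6 onwards is rejected and the fused track follows dead reckoning; trusting GPS alone would end 360 m off track. In a real system the INS drift term would be taken from the navigation filter's covariance rather than a constant, and the depth and sonar channels would add further independent checks.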
{"title":"Proactive threat detection in enterprise systems using Wazuh: A MITRE ATT&CK Evaluation","authors":"Aidan M. Winkler , Prinkle Sharma","doi":"10.1016/j.cose.2025.104702","DOIUrl":"10.1016/j.cose.2025.104702","url":null,"abstract":"<div><div>The proactive detection of advanced adversarial behaviors remains a critical challenge for Security Information and Event Management (SIEM) platforms, particularly as attackers adopt stealthy, multi-phase campaigns. This paper presents a cross-platform, MITRE ATT&CK aligned evaluation framework for systematically measuring SIEM detection coverage, responsiveness, and accuracy. The framework was demonstrated through the Wazuh SIEM platform and Atomic Red Team testing, targeting four high-impact tactics: Collection, Command-and-Control (C2), Exfiltration, and Impact. The results show a high detection rate for C2 and Impact techniques, and partial detection for Collection and Exfiltration tactics owing to gaps in correlation and telemetry depth. The overall detection rate was approximately 85%, with platform-specific differences driven by the endpoint logging capabilities. Quantitative performance analysis yielded a precision of 91.4%, recall of 85.2%, and false positive rate of 4.8%, confirming both detection effectiveness and operational feasibility. The main contributions of this study are as follows: (i) a reproducible, ATT&CK aligned framework adaptable to both open source and commercial SIEMs, (ii) actionable detection rule enhancements to improve Security Operations Center (SOC) operations, and (iii) scalability considerations for deployment in enterprise environments. By integrating structured adversary modeling with operational SOC workflows, the proposed framework advances proactive cyber defence in complex enterprise environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104702"},"PeriodicalIF":5.4,"publicationDate":"2025-10-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145320849","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Faster secure and efficient collaborative private data cleaning based on PSI","authors":"Zhaowang Hu , Jun Ye , Zhengqi Zhang","doi":"10.1016/j.cose.2025.104701","DOIUrl":"10.1016/j.cose.2025.104701","url":null,"abstract":"<div><div>Mislabeled datasets are common in the detection of software malicious behaviors in the real world. When two different Security Operation Centers (SOCs) classify the same malware attack into different threat categories due to differing detection methodologies, this creates significant challenges and security risks for subsequent operations. Through collaboration, both parties aim to align their datasets by filtering out severely misclassified or erroneously labeled entries while preserving privacy. In this privacy-preserving collaborative data cleaning scenario, each party can only learn the intersection contents and the misclassified items within the intersection, without obtaining any private information about non-intersection data entries. To address this challenge, we propose a novel Secure and Efficient Collaborative Private Data Cleaning Scheme (SCPDC). The scheme comprises two phases: an offline phase responsible for pre-generating computationally expensive share tuples and label encoding operations, and an online phase that utilizes these pre-generated share tuples and encoded vectors to execute a variant labeled PSI protocol for identifying misclassified items in the intersection. SCPDC achieves an exceptionally efficient online phase while fulfilling the privacy requirements of both parties. Security analysis and experimental results demonstrate that SCPDC offers reasonable execution time and lower communication overhead compared to existing related works.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104701"},"PeriodicalIF":5.4,"publicationDate":"2025-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145320851","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"LARM: Linux Anti Ransomware Monitor","authors":"P. Mohan Anand , P.V. Sai Charan , Hrushikesh Chunduri , Sandeep Kumar Shukla","doi":"10.1016/j.cose.2025.104700","DOIUrl":"10.1016/j.cose.2025.104700","url":null,"abstract":"<div><div>As Linux becomes more prevalent across servers, desktops, and cloud infrastructures, ransomware groups increasingly focus on targeting Linux-based systems, particularly those running on widely deployed x86 architectures. However, research on real-time, lightweight ransomware detection for Linux systems remains limited. The existing approaches, based on file backups, trap or decoy files, and file I/O behavior monitoring, are found to be ineffective against multithreaded ransomware variants, often leading to delayed detection and false positives. In this work, we introduce LARM (Linux Anti-Ransomware Monitor), a lightweight, real-time detection tool tailored for Linux systems with <span>x86_64</span> architecture. LARM employs a file trap monitoring module that operates at the kernel level using eBPF (extended Berkeley Packet Filter) to detect ransomware activity in real time. LARM dynamically selects trap files for monitoring through the non-parametric clustering approach Affinity Propagation, combined with the encryption order heuristics observed in ransomware behavior. Since sole reliance on trap file monitoring may result in false positives, LARM integrates a secondary profiling mechanism that analyzes pre-encryption ransomware activity in real time. We evaluated LARM against 14 modern Linux ransomware families, including multithreaded versions of Avos Locker and Babuk. The evaluation results demonstrate an average detection delay of 1,240 ms and a file loss rate of 0.46%, highlighting the effectiveness of LARM in early detection and mitigation of ransomware in Linux systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104700"},"PeriodicalIF":5.4,"publicationDate":"2025-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145320850","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy preserving unique robust and revocable passcode generation from fingerprint data","authors":"Priyabrata Dash , Debasis Samanta , Monalisa Sarma , Ashok Kumar Das , Athanasios V. Vasilakos","doi":"10.1016/j.cose.2025.104698","DOIUrl":"10.1016/j.cose.2025.104698","url":null,"abstract":"<div><div>This research explores generating passcodes from fingerprint images. The investigation unfolds through a three-step process: (a) fixed-length feature vector generation from minutiae features, (b) stable binary feature vector generation from the fixed-length feature vector, and (c) passcode generation from the stable binary feature vector. The main research objectives of this work are: (1) how a unique and robust binary pattern can be generated from a fingerprint image, (2) how a passcode satisfying the non-linkable and revocable properties can be generated from this binary bit pattern, and (3) how an attacker is prevented from guessing the source biometric given a passcode, thus preserving the privacy of the fingerprint data. The generated passcode can be applied in many applications, such as unique identity generation for authentication without enrollment, encryption key generation for network security, remote authentication protocols or distributed systems, data storage security, digital wallets, etc. The proposed approach has been validated with FVC2002 and FVC2004, and results show genuine acceptance rates of 99.31% and 99.25%, with 0% false acceptance rates. Further, the generated passcodes pass the NIST and Diehard randomness tests, substantiating the potential of the key generation technique with high intra-similarity and low inter-similarity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104698"},"PeriodicalIF":5.4,"publicationDate":"2025-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268198","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Integrated maritime protection: Innovation for the safeguarding of maritime systems based on MARISMA","authors":"Ferney Martínez , Luis E. Sánchez , Antonio Santos-Olmo , David G. Rosado , Eduardo Fernández-Medina","doi":"10.1016/j.cose.2025.104699","DOIUrl":"10.1016/j.cose.2025.104699","url":null,"abstract":"<div><div>The maritime sector is becoming increasingly susceptible to sophisticated cyber-attacks, underscoring the pressing necessity for advanced research and development to establish robust safeguards for maritime assets. Although risk assessment methods for traditional IT systems are now highly developed, they are not directly applicable to risk assessment in maritime environments due to the specific characteristics and particularities of the latter. Therefore, there is an urgent need to define approaches that adequately support risk assessment in maritime environments. To contribute to this important challenge, we propose a novel risk analysis technique, specifically tailored for the maritime sector, based on MARISMA, a security management methodology, and eMARISMA, its cloud-based technological support tool. Our work contributes to the state of the art by defining the MARISMA-SHIPS maritime cybersecurity pattern, which includes a set of reusable and adaptable elements that enable risk management and control in a maritime environment, and is aligned with major international standards such as those of ENISA and NIST, as well as existing maritime regulations, becoming a key part of our ongoing POSEIDON maritime cybersecurity framework. A case study is presented for a ship developed in the main shipyard in Colombia, which shows how the reusability and adaptability of the proposal allow the MARISMA-SHIPS pattern to be easily adapted to any maritime environment, and which allowed the identification of critical areas of cybersecurity that could be improved. The application of the process in the maritime domain has proven its value in improving the efficiency and security management of maritime assets.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104699"},"PeriodicalIF":5.4,"publicationDate":"2025-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268199","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Characterizing Internet Background Traffic from a Spain-Based Network Telescope","authors":"Rodolfo García-Peñas, Rafael A. Rodríguez-Gómez , Gabriel Maciá-Fernández","doi":"10.1016/j.cose.2025.104693","DOIUrl":"10.1016/j.cose.2025.104693","url":null,"abstract":"<div><div>Internet background traffic (or Internet Background Radiation, IBR) consists of unsolicited packets. It is traffic usually generated in the preliminary phases of attacks by computers making enumerations of targets and available services, sent as responses to denial of service attacks, or sent by mistake due to incorrect configurations and commands. Capturing and analysing this traffic enables the observation of Internet activity and serves as an important tool for identifying new types of attacks and attackers. This traffic is captured by “network telescopes”, nodes that advertise blocks of unused IP addresses and store the traffic sent to them.</div><div>This article studies the traffic received by a network telescope located in Spain during 2023, with more than 4.7 billion packets and 362.39 GB of information. A statistical breakdown of the packets by protocol shows that TCP accounts for 95.96%, UDP for 3.74%, and ICMP for 0.51%. In addition, the behaviour of the traffic generators targeting the telescope’s addresses is examined, and the main attacks – such as NTP and DNS reflection – are analysed. The characteristics of the traffic are compared with those of previous studies, highlighting changes in behaviour and the most common attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104693"},"PeriodicalIF":5.4,"publicationDate":"2025-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268169","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
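The telescope abstract above distinguishes scanning, denial-of-service backscatter and reflection traffic arriving at unused address space. As an added illustration of how such a first-pass triage is done, the example below (written for this page, not the authors' analysis code) classifies constructed packet records by protocol, TCP flags and source port, and produces the protocol breakdown the abstract reports. The packet sample and the table of reflector ports are constructed assumptions; the classification rules encode the standard reading of dark-address traffic: a lone SYN is a probe, a SYN-ACK or RST is a reply to a SYN flood that spoofed the telescope's prefix, and a UDP answer from a DNS or NTP port that nobody asked for means an amplifier was pointed at the prefix.

```python
"""First-pass triage of unsolicited traffic at a network telescope (darknet).

Added example with constructed packet records; not the telescope's own tooling.
Each record is (proto, src_port, dst_port, tcp_flags) as a tuple; tcp_flags is a
frozenset of flag names, empty for non-TCP packets.
"""
from collections import Counter

# Assumed table of well-known reflector/amplifier service ports (an assumption for
# this example; a production list would be maintained from observed campaigns).
REFLECTOR_PORTS = {
    53: "dns-reflection",
    123: "ntp-reflection",
    1900: "ssdp-reflection",
    11211: "memcached-reflection",
}


def classify(pkt):
    """Label one dark-address packet by the activity it most likely belongs to.

    Nothing on a telescope prefix ever sends a request, so any reply-shaped packet
    (SYN-ACK, RST, UDP from a service port) is evidence that the prefix was spoofed
    as the source of someone else's attack.
    """
    proto, sport, dport, flags = pkt
    if proto == "TCP":
        if flags == frozenset({"SYN"}):
            return "tcp-scan"                 # probe for a listening service
        if "RST" in flags or flags == frozenset({"SYN", "ACK"}):
            return "dos-backscatter"          # victim replying to a SYN flood spoofed from our prefix
        return "tcp-other"
    if proto == "UDP":
        if sport in REFLECTOR_PORTS:
            return REFLECTOR_PORTS[sport]     # amplifier answering a query we never sent
        return "udp-probe"                    # e.g. SIP/5060 or SNMP/161 enumeration
    if proto == "ICMP":
        return "icmp"
    return "other"


def protocol_share(pkts):
    """Percentage of packets per transport protocol, rounded to two decimals."""
    counts = Counter(p[0] for p in pkts)
    total = sum(counts.values())
    return {proto: round(100.0 * n / total, 2) for proto, n in counts.items()}


def summarize(pkts):
    """Counter of activity classes over a packet list."""
    return Counter(classify(p) for p in pkts)


def spoofed_as_victim(pkts):
    """True if any packet is a reply to traffic the prefix never sent, i.e. the
    prefix has been used as a spoofed source in a DoS or reflection campaign."""
    reply_classes = {"dos-backscatter", *REFLECTOR_PORTS.values()}
    return any(classify(p) in reply_classes for p in pkts)


# Constructed sample: 14 SSH probes, 3 backscatter replies, 3 reflection answers,
# one SIP probe and one ICMP echo. Values are invented for the example.
SAMPLE = (
    [("TCP", 40000 + i, 22, frozenset({"SYN"})) for i in range(14)]
    + [("TCP", 80, 51000, frozenset({"RST", "ACK"})),
       ("TCP", 443, 51001, frozenset({"RST"})),
       ("TCP", 80, 51002, frozenset({"SYN", "ACK"}))]
    + [("UDP", 53, 33000, frozenset()),
       ("UDP", 53, 33001, frozenset()),
       ("UDP", 123, 33002, frozenset())]
    + [("UDP", 5060, 5060, frozenset())]
    + [("ICMP", 0, 0, frozenset())]
)

if __name__ == "__main__":
    print("protocol share:", protocol_share(SAMPLE))
    print("activity:", dict(summarize(SAMPLE)))
    print("prefix spoofed as victim:", spoofed_as_victim(SAMPLE))
```

With the constructed sample TCP accounts for 77.27% of packets, UDP for 18.18% and ICMP for 4.55%, and fourteen of the twenty-two packets are scans, which mirrors the shape of the real breakdown in the abstract even though the numbers are invented. A real pipeline would key the same rules on flow records rather than single packets and attach source AS and geolocation to the scanning class.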
{"title":"TDSF: Trajectory-preserving method of dual-strategy fusion with differential privacy in LBS","authors":"Xianliang He , Junyi Li , Yaping Lin , Qiao Hu , Xiehua Li","doi":"10.1016/j.cose.2025.104697","DOIUrl":"10.1016/j.cose.2025.104697","url":null,"abstract":"<div><div>When the public utilizes location-based services (LBS), a large amount of trajectory data is generated, and their location information is constantly exposed. However, providing trajectories to LBS without additional protection may result in the leakage of location privacy and correlation privacy in the trajectory. Most current methods only protect the location privacy of trajectories by adjusting the allocation of privacy budgets, without combining multiple strategies to protect location privacy and correlation privacy. These methods also struggle to balance data availability and privacy for trajectories. To address the above challenges, we propose a trajectory-preserving method of dual-strategy fusion with differential privacy (TDSF). Specifically, one strategy is used to protect the correlation privacy between sensitive locations, and the other is used to protect the non-sensitive locations. We use the trained transfer correlation matrix to extract sensitive locations in a trajectory that require correlation protection. The remaining locations introduce less noise as they involve minimal privacy disclosure, thus maintaining data availability. Finally, we also designed a privacy budget allocation strategy that is suitable for this dual-strategy fusion scenario. Strict security analysis shows that the mechanism we propose can well protect the location and correlation privacy of the trajectory. The experimental results on real data sets further demonstrate the advantages of this mechanism in data availability and confidentiality.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104697"},"PeriodicalIF":5.4,"publicationDate":"2025-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268197","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Operationalizing cybersecurity knowledge: Design, implementation & evaluation of a knowledge management system for CACAO playbooks","authors":"Orestis Tsirakis , Konstantinos Fysarakis , Vasileios Mavroeidis , Ioannis Papaefstathiou","doi":"10.1016/j.cose.2025.104696","DOIUrl":"10.1016/j.cose.2025.104696","url":null,"abstract":"<div><div>Modern cybersecurity threats are growing in complexity, targeting increasingly intricate and interconnected systems. To effectively defend against these evolving threats, security teams utilize automation and orchestration to enhance response efficiency and consistency. In that sense, cybersecurity playbooks and workflows are key enablers, as they provide a structured, reusable, and continuously evolving approach to incident response. They enable organizations to codify requirements, operational domain expertise, underlying organizational policies, regulatory obligations, and best practices. Moreover, playbooks enhance and standardize the decision-making process, while allowing automation in areas where reliability is sufficiently established to ensure that mission assurance is not compromised. The emerging Collaborative Automated Course of Action Operations (CACAO) technical specification and standard defines a common machine-processable schema for cybersecurity playbooks, facilitating interoperability for their exchange and ensuring the ability to orchestrate and automate cybersecurity operations. However, despite its potential and the fact that it is a relatively new standardization effort, there is a lack of tools to support its adoption, particularly in the management and lifecycle development of CACAO playbooks, which limits their practical deployment. Motivated by the above, this work presents the design, development, and evaluation of a Knowledge Management System (KMS) for managing CACAO cybersecurity playbooks throughout their lifecycle. It provides essential tools to improve cybersecurity maturity, strengthens collaboration and coordination within and across organizations, and streamlines playbook management. By utilizing open-source technologies and open standards, the proposed approach promotes interoperability and enhances the usability of state-of-the-art cybersecurity orchestration and automation primitives. To encourage adoption, the resulting implementation is released as open-source, which, to the best of our knowledge, comprises the first publicly available and documented work in this domain, supporting the broader uptake of CACAO playbooks and promoting the widespread use of interoperable automation and orchestration mechanisms in cybersecurity operations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104696"},"PeriodicalIF":5.4,"publicationDate":"2025-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}