{"title":"Security risk assessment in IoT environments: A taxonomy and survey","authors":"Mofareh Waqdan , Habib Louafi , Malek Mouhoub","doi":"10.1016/j.cose.2025.104456","DOIUrl":"10.1016/j.cose.2025.104456","url":null,"abstract":"<div><div>Internet of Things (IoT) applications have become an integral part of our daily lives. However, due to the rising number of cybercrimes, ensuring cyberspace security has become essential. The security and privacy of IoT applications are fundamental as they are used in critical sectors, like healthcare, transportation systems, and energy production. As a result, many studies are focusing on the security and privacy of the IoT revolution. The need for assessing IoT security risks is increasing.</div><div>This paper presents a survey and taxonomy of risk management, analysis, and evaluation methods applied to systems involving IoT devices. In particular, the paper reviews and categorizes existing IoT risk management and assessment frameworks, and the different assessments techniques, risk perspectives, and methodologies. The paper concludes with a deep analysis of these frameworks, solutions, and guidelines, and discusses future research directions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104456"},"PeriodicalIF":4.8,"publicationDate":"2025-03-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143739071","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"VuldiffFinder: Discovering inconsistencies in unstructured vulnerability information","authors":"Qindong Li , Wenyi Tang , Xingshu Chen , Hao Ren","doi":"10.1016/j.cose.2025.104447","DOIUrl":"10.1016/j.cose.2025.104447","url":null,"abstract":"<div><div>The information conveyed by vulnerability reports is crucial for enhancing the security of information systems. Nonetheless, there are widespread information inconsistencies across reports, including, numerical discrepancies, misreported version ranges, semantic conflict, and so on. Identifying these inconsistencies is essential for improving information quality. Current research primarily focuses on standardized, non-free-form information’s inconsistency at the character or numerical level, while research for unstructured ones at the semantic level is limited. Given this, we introduce Vul<sub>diff</sub>Finder to determine the inconsistency of unstructured vulnerability information at the semantic level. Firstly, it utilizes NLP tools to break down unstructured information into constituent sets, and design a determination strategy based on the constituent’s syntactic hierarchies and semantic similarity. The designed strategy can determine information pairs in arbitrary structure. Secondly, it creates a span similarity-based fine-tuning task to enhance the embedding capabilities of the SpanBERT model, ensuring accurately capturing semantic information in the vulnerability domain. Finally, a dataset containing eight categories of vulnerability information and 1,612 samples is utilized to validate the proposed method. The results demonstrate that Vul<sub>diff</sub>Finder outperforms the state-of-the-art schemes, showing a 4.31% improvement in the F1-score. Additionally, we discover that consistency is higher in information that has simpler writing structures (up to 56.46%). Heterogeneous and Contained are often found in information with fixed or complex writing structures (up to 23.33% and 38.30%, respectively). Divergent and Repugnant mainly occur in information with a high missing rate.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104447"},"PeriodicalIF":4.8,"publicationDate":"2025-03-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143738752","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Laurens Sion, Dimitri Van Landuyt, Kim Wuyts, Wouter Joosen
{"title":"Robust and reusable LINDDUN privacy threat knowledge","authors":"Laurens Sion, Dimitri Van Landuyt, Kim Wuyts, Wouter Joosen","doi":"10.1016/j.cose.2025.104419","DOIUrl":"10.1016/j.cose.2025.104419","url":null,"abstract":"<div><div>Privacy threat modeling is an intrinsically complex analysis task that requires expertise in sophisticated privacy threats, their harms and implications, as well as potential mitigations. To support both novices and experts in attaining a desired degree of rigor and completeness in their analysis, supporting materials such as privacy threat trees and threat examples are crucial as they consolidate and harmonize the complete spectrum of threat characteristics, and as such assist with the broader uptake of privacy threat modeling practices.</div><div>However, the existing knowledge structures, taxonomies, and trees used in privacy threat analysis prove to have limited use in practice. They are either too broad and generic, or too tightly coupled to a specific modeling approach (<span>dfd</span>s) or to a specific threat elicitation method (e.g., per-element). In addition, current privacy threat knowledge structures suffer from semantic ambiguity. Finally, existing structures are too rigid to support evolution, thus hindering the incorporation of emerging privacy threats.</div><div>This article introduces three contributions to address these shortcomings: (i) it defines the metamodel to express threat knowledge in the form of threat types, elicitation criteria, examples, and additional metadata; (ii) it discusses its application to the privacy threat knowledge of the <span>linddun</span> privacy threat modeling framework; and (iii) it introduces the automated knowledge management tools comprised of extraction logic that allows more flexible adoption in different privacy analysis approaches, and that fundamentally supports continuous evolution and refinement of this privacy threat knowledge. A major outcome is the updated <span>linddun</span> privacy threat knowledge which completely subsumes earlier versions and provides more rooted support for adoption, refinement, and continuous evolution.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104419"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143739073","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A comprehensive review of security vulnerabilities in heavy-duty vehicles: Comparative insights and current research gaps","authors":"Narges Rahimi , Beth-Anne Schuelke-Leech , Mitra Mirhassani","doi":"10.1016/j.cose.2025.104452","DOIUrl":"10.1016/j.cose.2025.104452","url":null,"abstract":"<div><div>The increasing connectivity and integration of advanced technologies in vehicular systems have amplified the need for robust cybersecurity measures, particularly in heavy-duty (HD) vehicles, which are crucial to commercial transportation. Despite their importance, HD vehicles have received less attention in cybersecurity research compared to light-duty (LD) vehicles, leaving critical vulnerabilities unaddressed. This paper aims to bridge this gap by conducting a thorough analysis of the unique security challenges faced by HD vehicles. By comparing HD vehicles with LD vehicles, we identify distinct and vulnerabilities in two key areas: intra-vehicle networks and external connections. The study includes a comprehensive literature review focused on the cybersecurity of heavy- and medium-duty vehicles, through which we identify prevalent threats and potential mitigation strategies. This analysis underscores the necessity for enhanced protocol security and advocates for a detailed examination of both intra-vehicle networks and external connections.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104452"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714571","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jinchuan Pei , Yuxiang Hu , Le Tian , Xinglong Pei , Zihao Wang
{"title":"Dynamic anomaly detection using In-band Network Telemetry and GCN for cloud–edge collaborative networks","authors":"Jinchuan Pei , Yuxiang Hu , Le Tian , Xinglong Pei , Zihao Wang","doi":"10.1016/j.cose.2025.104422","DOIUrl":"10.1016/j.cose.2025.104422","url":null,"abstract":"<div><div>In the intelligent era of the Internet of Everything, the cloud–edge collaborative network architecture solves the data storage and computing problems caused by the exponential growth of terminal data. However, at the same time, the network attack situation is becoming increasingly severe and the types of network anomalies are complex and diverse. The traffic characteristic information collected in traditional network security situation analysis is single and coarse in granularity, which makes it difficult to completely reflect the original traffic and network equipment status. Moreover, the collection of a large amount of fine-grained telemetry data generates substantial telemetry overhead, which hinders the efficient detection of network anomalies and malicious intrusions. To solve this problem, we propose a dynamic anomaly detection method using In-band Network Telemetry (INT) and GCN for cloud–edge collaborative networks, which flexibly and efficiently collects network state information to identify network anomalies and network intrusions. Firstly, we design an anomaly telemetry architecture for cloud–edge collaborative networks and use in-band network telemetry technology of programmable network to extract network characteristic information, and then use dynamic telemetry mechanism to extract network situation elements on demand, so as to quickly identify network anomalies by information entropy method in the edge layer. According to the identified network anomaly information, we deeply telemetry the abnormal position and design a novel Graph Convolutional Network (GCN) that aggregates anomaly information named AGCN in the cloud layer, and analyze whether there is malicious intrusion by combining spatiotemporal dimensions, so that network administrators can accurately grasp the network security situation and discover malicious intrusion in time. The experimental results show that the proposed method can quickly identify network anomalies and detect network intrusions, which can quickly converge while saving telemetry overhead, and the detection accuracy of network intrusions can reach 98.69%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104422"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714572","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Detection of on-manifold adversarial attacks via latent space transformation","authors":"Mohmmad Al-Fawa’reh , Jumana Abu-khalaf , Naeem Janjua , Patryk Szewczyk","doi":"10.1016/j.cose.2025.104431","DOIUrl":"10.1016/j.cose.2025.104431","url":null,"abstract":"<div><div>Out-of-distribution (OOD) generalization is critical for reliable intrusion detection systems (IDS), yet current methods often falter against stealthy, on-manifold adversarial attacks that mimic ID data. To solve this challenge, we propose a semi-supervised approach that applies an invertible transformation to the latent space and leverages changes in differential entropy to detect OOD samples. Experiments on the KDD99 and X-IIoTID datasets demonstrate that our approach outperforms state-of-the-art defenses, providing enhanced robustness and generalizability for IDS.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104431"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706517","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Okba Ben Atia , Mustafa Al Samara , Ismail Bennis , Abdelhafid Abouaissa , Jaafar Gaber , Pascal Lorenz
{"title":"M3D-FL: Multi-layer Malicious Model Detection for Federated Learning in IoT networks","authors":"Okba Ben Atia , Mustafa Al Samara , Ismail Bennis , Abdelhafid Abouaissa , Jaafar Gaber , Pascal Lorenz","doi":"10.1016/j.cose.2025.104444","DOIUrl":"10.1016/j.cose.2025.104444","url":null,"abstract":"<div><div>Federated learning (FL) is an advanced technique in machine learning that ensures privacy while enabling multiple devices or clients to jointly train a model. Instead of sharing their private data, each device trains a local model on its own data and transmits only the model updates to a central server. However, FL systems face security threats such as poisoning attacks. The maliciously generated data can cause serious consequences on the global model. Also, it can be used to steal sensitive data or cause the model to make incorrect predictions. In this paper, we propose a new approach to enhance the detection of malicious clients against these attacks. Our novel approach is titled M3D-FL for Multi-layer Malicious Model Detection for Federated Learning in IoT networks. The first layer computes the malicious score of participating FL clients using the LOF algorithm, enabling their rejection from the FL aggregation process. Meanwhile, the second layer targets rejected clients and employs MAD outlier detection to permanently eliminate them from the FL process. Simulation results using the CIFAR10, Mnist, and Fashion-Mnist datasets showed that the M3D-FL approach outperforms other studied approaches from the literature regarding several performance metrics like the Accuracy Rate (ACC), Detection Rate (DR), Attack Success Rate (ASR), precision, and the CPU aggregation run-time. The M3D-FL approach is demonstrated to be a more effective and strict detection method of malicious models in FL.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104444"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706520","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sanfeng Zhang , Shangze Li , Juncheng Lu , Wang Yang
{"title":"Power-ASTNN: A deobfuscation and AST neural network enabled effective detection method for malicious PowerShell Scripts","authors":"Sanfeng Zhang , Shangze Li , Juncheng Lu , Wang Yang","doi":"10.1016/j.cose.2025.104441","DOIUrl":"10.1016/j.cose.2025.104441","url":null,"abstract":"<div><div>PowerShell is frequently utilized by attackers in the realm of Windows system security, particularly in cyberattack activities such as information stealing, vulnerability exploitation, and password cracking. To evade detection, attackers often employ code obfuscation techniques on their scripts. Current detection solutions face challenges due to limited deobfuscation methods and a predominant focus on identifying static and local features. This limitation hinders the ability to capture fine-grained code features and long-distance semantic relationships, resulting in reduced robustness and accuracy. To address these issues, this paper presents a novel malicious script detection method, Power-ASTNN, which integrates deobfuscation and a tree neural network. Initially, the method utilizes AMSI memory dump to deobfuscate PowerShell scripts, yielding fully deobfuscated samples. Subsequently, a subtree splitting algorithm tailored for abstract syntax trees extracts fine-grained code features from subtree fragments. Finally, a two-layer neural network model encodes representations based on subtree node semantics and sequence semantics, effectively capturing the semantic characteristics of the code. Experimental results demonstrate the effectiveness of Power-ASTNN, achieving an accuracy of 98.87% on a self built dataset collected from multiple publicly available sources, while maintaining a low false negative rate and a high area under the curve (AUC) value exceeding 0.995. Furthermore, Power-ASTNN demonstrates superior detection performance against adversarial samples compared with existing detection models.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104441"},"PeriodicalIF":4.8,"publicationDate":"2025-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684124","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DecoyPot: A large language model-driven web API honeypot for realistic attacker engagement","authors":"Anıl Sezgin , Aytuğ Boyacı","doi":"10.1016/j.cose.2025.104458","DOIUrl":"10.1016/j.cose.2025.104458","url":null,"abstract":"<div><div>As cyberattacks get more sophisticated, security systems must learn to detect and deceive them. DecoyPot, a honeypot Web Application Programming Interface (API) that generates legitimate API responses, is introduced in this paper. DecoyPot's command extractor module carefully analyzes API requests to create prompt-response pairs that improve a Retrieval-Augmented Generation based (RAG) large language model (LLM). DecoyPot can instantly adjust its answers to mimic API activity in a contextually correct and convincing manner to attackers. To assess system efficacy, we used a two-phase similarity analysis. Initial queries were matched with prompt-response pairs to ensure contextually suitable responses. Second, similarity measures were used to compare generated responses to reference responses, producing an average score of 0.9780. The high score shows that the system can create API-like responses, boosting its utility. DecoyPot engaged opponents and learned their Tactics, Techniques and Procedures (TTPs). The study shows that honeypot cybersecurity effectiveness must be improved by merging AI-driven response creation with enhanced deception technologies. DecoyPot effectively adapts to incoming queries and generates API-like responses, delivering actionable cyber threat intelligence and enhancing proactive defense strategies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104458"},"PeriodicalIF":4.8,"publicationDate":"2025-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Robust intrusion detection based on personalized federated learning for IoT environment","authors":"Shimin Sun , Le Zhou , Ze Wang , Li Han","doi":"10.1016/j.cose.2025.104442","DOIUrl":"10.1016/j.cose.2025.104442","url":null,"abstract":"<div><div>In the dynamic and complex realm of the Internet of Things (IoT) and artificial intelligence (AI), it is a significant challenge to design a network intrusion detection system that balances accuracy, efficiency, and data privacy. Federated learning offers a solution by enabling the sharing of high-quality attack samples to enhance local models’ intrusion detection capabilities without compromising local data privacy. However, most existing research on federated learning for intrusion detection assumes homogeneity among local models, which can reduce detection accuracy in real-world scenarios where local datasets are often non-independent and identically distributed (Non-IID). The Non-IID characteristic, marked by varied distributional properties and correlations, impacts model convergence and stability. To address this challenge, we propose a personalized federated cross learning framework (pFedCross) for intrusion detection, to manage imbalanced and heterogeneous data distributions. First, we present a collaborative model cross aggregation algorithm for personalized local model update, to solve the problem that one global model cannot always accommodate all the incompatible convergence directions of local models. Then, we introduce a gradient approximation <span><math><mi>α</mi></math></span>-fairness algorithm for global model generation to achieve a well-generalization. Finally, the experiments show that pFedCross outperforms baseline methods in improving model accuracy and reducing loss, highlighting its promise for enhancing IoT security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104442"},"PeriodicalIF":4.8,"publicationDate":"2025-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684122","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}