Zhiming Chu , Guyue Li , Qingchun Meng , Haobo Li , Yuwei Zeng
{"title":"Privacy-preserving WiFi sensing in WSNs via CSI obfuscation","authors":"Zhiming Chu , Guyue Li , Qingchun Meng , Haobo Li , Yuwei Zeng","doi":"10.1016/j.cose.2025.104594","DOIUrl":"10.1016/j.cose.2025.104594","url":null,"abstract":"<div><div>WiFi’s inherent openness introduces significant privacy risks from unauthorized sensing, driving considerable research efforts to mitigate these threats. However, the latest spatial obfuscation schemes like repeater-based signal forwarding and beamforming control ones have limitations in recovering legitimate sensing and maintaining communication performance respectively. To address these challenges, this paper presents a privacy-preserving WiFi sensing framework, which supports shielding unauthorized sensing while allowing normal communication and legitimate sensing. It uses a dynamic channel obfuscation technique at the transmitter side, which filters the whole frame including the Long Training Sequence (LTS) to perturb Channel State Information (CSI) while ensuring receiver equalization decoding for communication performance. Moreover, a deep network-based de-obfuscation approach is employed to support legitimate sensing. This approach models the nonlinear relationship between obfuscation response and tap coefficients to accurately predict the original CSI, addressing issues like deviations due to hardware defects and phase unavailability due to transceiver separation. The proposed framework has been rigorously tested in real-world scenarios, whose effectiveness is evaluated through indoor localization experiments conducted on the Software Defined Radio (SDR) platform. The results indicate that the framework can diminish eavesdroppers’ sensing performance to below 50%, while maintaining legitimate sensing performance above 90%. This work advances dual-functional WiFi systems by establishing the hardware-compatible architecture that fundamentally resolves the privacy-utility conflict through three key innovations: (1) formalized CSI obfuscation with provable communication preservation, (2) physics-informed nonlinear deobfuscation network architecture, and (3) comprehensive validation from PHY-layer security to application-layer functionality based on hardware implementation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104594"},"PeriodicalIF":4.8,"publicationDate":"2025-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144672403","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Allan Nganga , Joel Scanlan , Margareta Lützhöft , Steven Mallam
{"title":"Cyber risk communication during vessel incident management: A case study","authors":"Allan Nganga , Joel Scanlan , Margareta Lützhöft , Steven Mallam","doi":"10.1016/j.cose.2025.104607","DOIUrl":"10.1016/j.cose.2025.104607","url":null,"abstract":"<div><div>The maritime cyber risk management guidelines developed by the International Maritime Organisation (IMO) highlight communication as a key aspect of the risk management process. This research sought to build upon previous studies highlighting incident communication as a critical part of the ship-to-SOC cyber incident management process. This research adopted a single case study-mixed methods design (CS-MM) featuring a primary case study that includes a nested mixed methods approach. The site for the case study was an M-SOC. The first phase of the case study involved interviews with 5 M-SOC personnel. For the second phase, an exploratory sequential design was applied. The quantitative data collection involved a survey with 10 vessel Information Technology (IT) and Operational Technology (OT) professionals, with 3 follow-up interviews conducted for the qualitative data collection stage. Our findings highlighted how a cyber incident dashboard and alert report complement each other in creating a shared recognised cyber picture (sRCP) between all the vessel incident management stakeholders. The sRCP, therefore, becomes the actionable element of the communication. The case study also sheds light on practical design considerations for enhancing the cyber situation awareness (CSA) of vessel cyber incident dashboards. Specifically, survey results revealed that highlighting the cyber risk of non-response to a security warning was the highest-ranked contextual information. Additionally, detection of potentially suspicious activity emerged as the risk finding that vessel IT teams highlighted as having the highest notification priority. Finally, the top alert grouping approaches were by warning type and by priority.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104607"},"PeriodicalIF":4.8,"publicationDate":"2025-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144696675","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Weiping Wang , Chenyu Wang , Hong Song , Kai Chen , Shigeng Zhang
{"title":"ProvGOutLiner: A lightweight anomaly detection method based on process behavior features within provenance graphs","authors":"Weiping Wang , Chenyu Wang , Hong Song , Kai Chen , Shigeng Zhang","doi":"10.1016/j.cose.2025.104589","DOIUrl":"10.1016/j.cose.2025.104589","url":null,"abstract":"<div><div>The Provenance Graph is an effective tool for host-based intrusion detection. It uses directed graph to represent interactions between system entities and is widely used to capture and analyze system activities. Provenance graph-based anomaly detection methods aim to identify potential security threats in host environments. Compared to traditional intrusion detection techniques, provenance graph-based methods are more effective at detecting stealthy attacks. However, existing learning-based methods often rely on large amounts of labeled data. These methods have high computational costs and lack interpretability. This makes it difficult to clearly identify specific attack behaviors. To address these issues, we propose ProvGOutLiner: A lightweight and unsupervised anomaly detection method for provenance graphs. This method is based on process behavior characteristics. We analyze common attack behaviors in detail and find that the outgoing edge types and counts from processes in the provenance graph exhibit distinctive behavior patterns. Based on this observation, we introduce a Process Behavior Tree. This tree generates feature vectors for process behaviors by statistically analyzing the types and counts of outgoing edges from its nodes. We then apply a clustering algorithm to detect anomalous behaviors in an unsupervised manner. The construction of the Process Behavior Tree and feature extraction do not require complex models, which enables lightweight detection. We evaluate our method on the DARPA public dataset. The results show that ProvGOutLiner significantly reduces computational overhead while accurately identifying malicious process activities. ProvGOutLiner achieves a recall rate of 99%, a precision rate of 96%, and our method significantly reduces computation time.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104589"},"PeriodicalIF":4.8,"publicationDate":"2025-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144672402","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Gizem Kayisoglu , Emre Duzenli , Pelin Bolat , Aleksei Bondarenko
{"title":"Exploring cyber security threats and security models in cross-border paperless maritime trade system","authors":"Gizem Kayisoglu , Emre Duzenli , Pelin Bolat , Aleksei Bondarenko","doi":"10.1016/j.cose.2025.104604","DOIUrl":"10.1016/j.cose.2025.104604","url":null,"abstract":"<div><div>Cross-border paperless trade is the digital exchange of trade-related information and documents between countries, eliminating the need for physical paper, thereby streamlining and speeding up international trade processes. Adopting paperless systems in cross-border trade offers numerous benefits, including increased efficiency, cost savings, and faster processing times for private companies or public bodies, including governments, suppliers, logistics providers, customs, regulatory agencies, sellers and buyers. However, this transition also introduces a range of cybersecurity challenges. This paper investigates the cyber security threats and security models pertinent to paperless cross-border trade systems. In this study, the types of cyber threats and current security measures are explored, and an enhanced cyber security model for paperless cross-border maritime trade systems is proposed based on ISO/IEC 27,001 Information Security Management System and NIST SP 800–53 Security and Privacy Controls for Information Systems and Organizations to mitigate potential cyber risks. It is concluded that to adopt effective cybersecurity strategies, identifying assets in cross-border paperless trade systems is required. Assets encompass data, infrastructure, applications, and personnel in these systems. For the robust cyber security model in the cross-border paperless trade systems, traditional security measures, such as firewalls, encryption, or multi-factor authentication, are required to be integrated with emerging security technologies, such as zero trust architecture, artificial intelligence, or blockchain technologies and security framework including layered security approach, real-time threat detection and response, secure data exchange protocols, policy development, stakeholder collaboration and training and awareness programs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104604"},"PeriodicalIF":4.8,"publicationDate":"2025-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144662180","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shengrui Lin , Shaowei Xu , Binjie He , Hongyan Liu , Dezhang Kong , Xiang Chen , Dong Zhang , Chunming Wu , Ming Li , Xuan Liu , Yuqin Wu , Muhammad Khurram Khan
{"title":"NDIF: A distributed framework for efficient in-network neural network inference","authors":"Shengrui Lin , Shaowei Xu , Binjie He , Hongyan Liu , Dezhang Kong , Xiang Chen , Dong Zhang , Chunming Wu , Ming Li , Xuan Liu , Yuqin Wu , Muhammad Khurram Khan","doi":"10.1016/j.cose.2025.104593","DOIUrl":"10.1016/j.cose.2025.104593","url":null,"abstract":"<div><div>In-network machine learning is a promising technology that offloads machine learning models onto programmable data planes to enable intelligent decision-making by programmable devices. Such advancement empowers security applications (e.g., intrusion detection) to adapt to dynamic network changes in real time and make rational decisions. Existing research deploys neural network models in a distributed way on programmable data planes, with the aim of performing real-time inference using network-wide compute resources. However, existing research primarily focuses on model implementations, with little attention paid to the negative impact on the efficiency and robustness of in-network applications introduced by the inference process. We propose NDIF, a framework for performing in-network neural network inference in a distributed manner. NDIF enables in-network inference on arbitrary programmable devices, with each device autonomously managing its inference workload based on available resources. Moreover, new inference schemes can be easily deployed by writing entries into programmable devices to adapt to network changes. These benefits improve the efficiency and stability of the in-network inference process, thereby enhancing the efficiency and robustness of in-network applications built based on neural network models. The experiments on the use cases of anomaly detection and packet classification demonstrate that NDIF outperforms previous inference frameworks across various quality of service (QoS) metrics while maintaining a reasonable cost.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104593"},"PeriodicalIF":4.8,"publicationDate":"2025-07-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144696651","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"VeracOS: An operating system extension for the veracity of files","authors":"Naser AlDuaij","doi":"10.1016/j.cose.2025.104565","DOIUrl":"10.1016/j.cose.2025.104565","url":null,"abstract":"<div><div>As generative artificial intelligence has improved, there is a growing trend of generating false media for spreading misinformation, driving propaganda, and theft through enhanced social engineering. This creates a global concern, leading to a heavy demand for verification and fact-checking of information. Existing solutions aim at educating users or using artificial intelligence to fact-check and detect false documents or media. While these methods provide a measure for combating misinformation, many of these existing methods are inaccurate. Methods such as deepfake detection for videos are an uphill battle as deepfake generation keeps improving and newer methods are created to subvert deepfake detection techniques. VeracOS is introduced and presented as an operating system modification that is easily deployed, can certify files that are created, and ensures that any user can automatically check the authenticity of files across any existing application or platform. VeracOS invents a unique algorithm for certifying and verifying files. VeracOS aims to revolutionize the war against misinformation and exploitation of fake content by introducing several key features: VeracOS allows users or corporations to easily and automatically certify their media. Unlike existing solutions, VeracOS avoids intensive computations, specialized hardware, and private data sharing. VeracOS also allows any user to automatically be notified if the file they are viewing is verified to be authentic. VeracOS does not require the modification of existing applications nor does it require the sharing of private information such as what files or media are being viewed by a user. These key features provide a highly portable and easily deployed system for users of any operating system, including Internet of Things devices and mobile operating systems. Using media files such as images and videos as exemplary file types and using Android as an exemplary operating system, a VeracOS prototype was implemented to allow any user to automatically certify or verify their media files. The results show that VeracOS is easy to use and can be easily run on smartphones without the need for specialized systems, applications, or hardware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104565"},"PeriodicalIF":4.8,"publicationDate":"2025-07-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144623503","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
David Cevallos-Salas, José Estrada-Jiménez, Danny S. Guamán, Luis Urquiza-Aguiar
{"title":"Ransomware dynamics: Mitigating personal data exfiltration through the SCIRAS lens","authors":"David Cevallos-Salas, José Estrada-Jiménez, Danny S. Guamán, Luis Urquiza-Aguiar","doi":"10.1016/j.cose.2025.104583","DOIUrl":"10.1016/j.cose.2025.104583","url":null,"abstract":"<div><div>Ransomware’s capability to exfiltrate personal data is one of the most significant threats to privacy today. Its growing complexity and resistance to static analysis have driven research efforts to implement security controls on endpoints using dynamic analysis. However, the <em>critical security threshold</em> that these endpoint controls must overcome to effectively mitigate personal data exfiltration and stop ransomware propagation once an infection has begun in communication networks remains unclear. This paper addresses this issue by analyzing the <em>Susceptible–Carriers–Infected–Recovered–Attacked–Susceptible</em> (SCIRAS) epidemiological model in the context of a critical ransomware attack, with limited network and administrative security, that defines the critical scenario to be overcome. Unlike previous studies, this research first estimates a <em>critical execution rate</em> by studying the behavior of LockBit, Ryuk, and TeslaCrypt ransomware families and simulating CL0P MOVEit and Conti attacks in a controlled environment. To reflect more realistic conditions, we introduce a <em>critical dynamic infection rate</em> based on the <em>critical execution rate</em>, several attack vectors of modern ransomware, and the effect of limited network security. Using this baseline, a proposed triple extortion SCIRAS model is simulated and analyzed under its estimated parameters’ critical values to solve for each ransomware family the optimization problem of finding the <em>critical security threshold</em> required for endpoint controls to reach the <em>Kermack and McKendrick’s non-epidemic status</em> with the minimum feasible basic reproduction number. Our results demonstrate that a <em>critical security threshold</em> of at least 0.961 might contain modern ransomware exceeding the thresholds reported in previous simulations of SCIRAS and other models. Furthermore, we introduce a novel deep-learning-based framework called RansomSentinel, validated on the RanSAP120GB, RanSAP250GB, and RanSMAP datasets, which outperforms traditional machine learning classifiers and surpasses the estimated <em>critical security threshold</em> of each analyzed ransomware family.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104583"},"PeriodicalIF":4.8,"publicationDate":"2025-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144655704","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Hongmei Li , Tiantian Zhu , Jie Ying , Tieming Chen , Mingqi Lv , Jian-Ping Mei , Zhengqiu Weng , Lili Shi
{"title":"MIRDETECTOR: Applying malicious intent representation for enhanced APT anomaly detection","authors":"Hongmei Li , Tiantian Zhu , Jie Ying , Tieming Chen , Mingqi Lv , Jian-Ping Mei , Zhengqiu Weng , Lili Shi","doi":"10.1016/j.cose.2025.104588","DOIUrl":"10.1016/j.cose.2025.104588","url":null,"abstract":"<div><div>Advanced Persistent Threats (APTs) infiltrate target systems covertly, exhibiting behavior that is difficult to detect using conventional detection methods. Posing significant risks to enterprise security. Data provenance technology is widely used in attack detection to counter these threats. Among the different types of Provenance-based Intrusion Detection Systems (PIDSes), anomaly-based PIDSes are gaining increasing attention due to their ability to counter zero-day vulnerabilities without relying on attack knowledge. The detection mechanism of anomaly-based PIDSes is based on modeling the system’s normal behavior patterns (structural/attribute features) to detect deviations in behavior. However, existing anomaly-based PIDSes are prone to a significant number of false positives due to benign data fluctuations, limiting their effectiveness against complex APT attacks. To address this, we propose MIRDETECTOR, a novel anomaly detection system for APT attacks. The core idea of MIRDETECTOR is that a node is considered malicious not only due to changes in its structural/attribute features but also because it exhibits a certain inclination toward malicious intent. Building on this idea, MIRDETECTOR models nodes from three dimensions: structural features, attribute features, and malicious intent representation. By employing lightweight models for training and detection, it effectively reduces the false positives and achieves efficient real-time detection. We have thoroughly evaluated MIRDETECTOR on several public datasets and compared it with state-of-the-art anomaly detection systems. The results demonstrate that MIRDETECTOR achieves excellent detection accuracy and recall. Compared to the baseline detection system, MIRDETECTOR has increased the node-level detection accuracy by up to 99% and the recall rate by up to 68%. This significantly mitigates the high false positives in traditional PIDSes that rely solely on structural/attribute features. MIRDetector demonstrates remarkable accuracy and efficiency in identifying complex threats. Its deployment will effectively mitigate the risks posed by APTs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104588"},"PeriodicalIF":4.8,"publicationDate":"2025-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144605476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Xiangpu Song , Yingpei Zeng , Jianliang Wu , Hao Li , Chaoshun Zuo , Qingchuan Zhao , Shanqing Guo
{"title":"CSFuzzer: A grey-box fuzzer for network protocol using context-aware state feedback","authors":"Xiangpu Song , Yingpei Zeng , Jianliang Wu , Hao Li , Chaoshun Zuo , Qingchuan Zhao , Shanqing Guo","doi":"10.1016/j.cose.2025.104581","DOIUrl":"10.1016/j.cose.2025.104581","url":null,"abstract":"<div><div>Code coverage-guided fuzzers have achieved great success in discovering vulnerabilities, but since code coverage does not adequately describe protocol states, they are not effective enough for protocol fuzzing. Although there has been some work introducing state feedback to guide state exploration in protocol fuzzing, they ignore the complexity of protocol state space, e.g., state variables have different categories and are diverse in data type and number, facing the challenges of inaccurate state variable identification and low fuzzing efficiency.</div><div>In this paper, we propose a novel context-aware state-guided fuzzing approach, CSFuzzer, to address the above challenges. CSFuzzer first divides the state variables into two categories, i.e., protocol-state variables and sub-state variables based on the context of the states, and automatically identifies and distinguishes these two categories of state variables from code. Then, CSFuzzer uses a new state coverage metric named <em>context-aware state transition coverage</em> to more efficiently guide fuzzing. We have implemented a prototype of CSFuzzer and evaluated it on 12 open-source protocol programs. Our experiments show that CSFuzzer outperforms the existing state-of-the-art fuzzers in terms of code and state coverage as well as fuzzing efficiency. CSFuzzer successfully discovered 10 zero-day vulnerabilities, which have been confirmed by the stakeholders and assigned 9 CVEs/CNVDs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104581"},"PeriodicalIF":4.8,"publicationDate":"2025-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144605472","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}