Computers & Security最新文献_第10页

Kernel-level hidden rootkit detection based on eBPF 基于eBPF的内核级隐藏rootkit检测

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-21 DOI: 10.1016/j.cose.2025.104582

Yun-Che Yu, Ci-Yi Hung, Li-Der Chou

{"title":"Kernel-level hidden rootkit detection based on eBPF","authors":"Yun-Che Yu, Ci-Yi Hung, Li-Der Chou","doi":"10.1016/j.cose.2025.104582","DOIUrl":"10.1016/j.cose.2025.104582","url":null,"abstract":"<div><div>With the rapid development of the Internet, entrusting data and services to cloud providers has become a prevailing trend among enterprises. However, this shift has also introduced new security threats, particularly the potential dangers posed by rootkits. Once these malicious software programs gain control of a system, they can conceal the activities of attackers. In particular, kernel-level rootkits are especially threatening and markedly difficult to detect. To counter kernel-level rootkit attacks, this study proposes a detection mechanism called the hidden kernel rootkit detector, specifically designed to detect hidden objects within Linux kernel-level rootkits. The mechanism utilizes the extended Berkeley Packet Filter technology and checks system calls during execution by comparing them with backed-up addresses to determine if they have been hijacked. If hijacking is detected, the system call is restored to its original address, and the attacker is removed from the system. Before a context switch occurs, the integrity of the process and module about to be executed is verified, and before a socket sends or receives messages, it is checked for existence within the system to defend against direct kernel object manipulation attacks. If system objects are found to have been tampered with, then they are restored to their original state, and the attacker is removed from the system.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104582"},"PeriodicalIF":4.8,"publicationDate":"2025-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144490122","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Wasserstein distance guided feature Tokenizer transformer domain adaptation for network intrusion detection Wasserstein距离引导特征标记器变压器域自适应网络入侵检测

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-21 DOI: 10.1016/j.cose.2025.104562

Hongpo Zhang, Zhaozhe Zhang, Haizhaoyang Huang, Hehe Yang

{"title":"Wasserstein distance guided feature Tokenizer transformer domain adaptation for network intrusion detection","authors":"Hongpo Zhang, Zhaozhe Zhang, Haizhaoyang Huang, Hehe Yang","doi":"10.1016/j.cose.2025.104562","DOIUrl":"10.1016/j.cose.2025.104562","url":null,"abstract":"<div><div>When deploying a machine learning-based network intrusion detection system in an environment with significantly different feature distribution from the training dataset, its performance is substantially degraded. This paper presents a domain adaptation approach (WDFT-DA) that utilizes Wasserstein Distance and Feature Tokenizer Transformer to address this issue. The proposed method employs Wasserstein distance to measure the dissimilarity between the source and target domains and mitigates it through adversarial training for achieving domain-invariant feature learning. Simultaneously, a feature token converter acts as a feature extractor to obtain domain-invariant representations of network traffic data with rich information content. This facilitates mapping of both source and target domain data into a shared domain-invariant space, promoting feature alignment and representation consistency. As a result, it enhances generalization capability and performance across the target domain. Experimental validation is conducted on diverse intrusion detection datasets, demonstrating that the proposed model outperforms existing domain adaptation methods by effectively training highly accurate intrusion detection classification models without relying on labeled data within the target domain.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104562"},"PeriodicalIF":4.8,"publicationDate":"2025-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144518063","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

NIOM-DGA: Nature-inspired optimised ML-based model for DGA detection NIOM-DGA：基于ml的DGA检测模型

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-21 DOI: 10.1016/j.cose.2025.104561

Daniel Jeremiah , Husnain Rafiq , Vinh Thong Ta , Muhammad Usman , Mohsin Raza , Muhammad Awais

引用次数: 0

PIXHELL: When pixels learn to scream PIXHELL：当像素学会尖叫时

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-21 DOI: 10.1016/j.cose.2025.104568

Mordechai Guri

引用次数: 0

Enhancing detection rates in intrusion detection systems using fuzzy integration and computational intelligence 利用模糊集成和计算智能提高入侵检测系统的检出率

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-18 DOI: 10.1016/j.cose.2025.104577

Hannah Jessie Rani R , Amit Barve , Ashwini Malviya , Vivek Ranjan , Rubal Jeet , Nilesh Bhosle

{"title":"Enhancing detection rates in intrusion detection systems using fuzzy integration and computational intelligence","authors":"Hannah Jessie Rani R , Amit Barve , Ashwini Malviya , Vivek Ranjan , Rubal Jeet , Nilesh Bhosle","doi":"10.1016/j.cose.2025.104577","DOIUrl":"10.1016/j.cose.2025.104577","url":null,"abstract":"<div><div>Intrusion Detection Systems (IDS) show a major part in computer cyber defense by detecting and reacting to unauthorized activities. These systems monitor network and system activity, evaluating developments to identify possible security breaches. Enhancing Detection Rates in IDS includes optimizing algorithms, employing Machine Learning (ML) approaches, and employing intrusion detection to enhance the system's functionality to find novel vulnerabilities immediately. Continuous improvement in detection capabilities is essential for adapting to evolving challenges from cyberspace and maintaining resilience of the online infrastructure. To enhance the detection rates, data preprocessing like min-max normalization, followed by t-distributed Stochastic Neighbor Embedding (t-SNE) feature extraction technique to capture most discriminative attributes for attack classifications. The established Genetic Fuzzy Systems (GFS) throughout paired learning framework for detecting input attack. The model enhances accuracy for unusual attack occurrences by better distinguishing between normal activity and distinct attack categories. To proposed Generative Adversarial Network (GAN) as a classifier for enhancing detection rates. This research explores the performance of the proposed GFS-GAN model on two prominent intrusion detection datasets are the TII-SSRC-23 for dataset 1 and NSL-KDD for dataset 2. The suggested GFS-GAN model demonstrated exceptional performance on the TII-SSRC-23 dataset, achieving 99.23 % accuracy. The GFS-GAN model also performed well on the NSL-KDD dataset, with an accuracy of 99.13 %, The findings illustrate GANs' capabilities to progress the efficacy and durability of IDS, resulting in effective protection against complicated cyber-attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104577"},"PeriodicalIF":4.8,"publicationDate":"2025-06-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144490115","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Security of cyber-physical Additive Manufacturing supply chain: Survey, attack taxonomy and solutions 网络物理增材制造供应链的安全性：调查、攻击分类和解决方案

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-17 DOI: 10.1016/j.cose.2025.104557

Mahender Kumar, Gregory Epiphaniou, Carsten Maple

{"title":"Security of cyber-physical Additive Manufacturing supply chain: Survey, attack taxonomy and solutions","authors":"Mahender Kumar, Gregory Epiphaniou, Carsten Maple","doi":"10.1016/j.cose.2025.104557","DOIUrl":"10.1016/j.cose.2025.104557","url":null,"abstract":"<div><div>Additive Manufacturing (AM) is transforming industries by enabling rapid prototyping and customised production. However, as AM processes become increasingly digitised and interconnected, they introduce significant cybersecurity vulnerabilities, including intellectual property theft, design manipulation, and counterfeit production. This paper offers a comprehensive analysis of cyber and cyber–physical threats within the AM supply chain, addressing a critical research gap that has largely focused on isolated security aspects. Building upon existing taxonomies, we expand cybersecurity frameworks to incorporate emerging AM-specific threats. We propose a structured attack taxonomy that categorises threats by attacker goals, targets, and methods, supported by real-world case studies. The paper emphasises the need for robust cybersecurity measures to protect intellectual property, ensure production integrity, and strengthen supply chain security. Finally, we present mitigation strategies to counter these threats, laying the foundation for future research and best practices to secure AM ecosystems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104557"},"PeriodicalIF":4.8,"publicationDate":"2025-06-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144312823","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Informal control responses to information security policy violations: A factorial survey on insurance employees’ moral licensing of insider threats 对违反信息安全政策的非正式控制反应：保险员工对内部威胁的道德许可的析因调查

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-16 DOI: 10.1016/j.cose.2025.104575

Steffi Haag , Nils Siegfried , Nane Winkler

{"title":"Informal control responses to information security policy violations: A factorial survey on insurance employees’ moral licensing of insider threats","authors":"Steffi Haag , Nils Siegfried , Nane Winkler","doi":"10.1016/j.cose.2025.104575","DOIUrl":"10.1016/j.cose.2025.104575","url":null,"abstract":"<div><div>Most organizations implement information security policies (ISPs) to protect their data and systems. However, these policies are only effective if employees follow them—including reporting or discouraging violations by others. Beyond formal control mechanisms, informal controls play a crucial role in shaping employees’ responses to ISP violations. These informal controls can either reduce security risks by discouraging misconduct or, conversely, reinforce insider threats by signaling approval of violations. Despite their importance, little is known about how informal controls develop and function.</div><div>This study investigates key factors influencing employees’ informal control responses to non-malicious ISP violations, focusing on moral licensing—the tendency to permit rule-breaking based on a violator’s past behavior or status. Using a factorial survey of 1024 insurance sector employees and analyzing 4607 vignette-based observations through multilevel structural equation modeling, we find that employees are more likely to tolerate ISP violations when the violator has a history of compliance, possesses high task competence, holds a higher hierarchical status, or when the violation appears to benefit the team.</div><div>By emphasizing the human factor in information security, this study reveals how cognitive biases in informal controls can weaken ISP compliance and increase insider threats. The findings provide actionable recommendations for security managers, including strategies to align ISPs with organizational goals, engage influential employees, and enhance security training. Strengthening informal controls can help create a more secure and compliant workplace.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104575"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144490121","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity STPA-Cyber：海上网络安全半自动化网络风险评估框架

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-16 DOI: 10.1016/j.cose.2025.104559

Awais Yousaf , Sean Gunawan , Sunil Basnet , Victor Bolbot , Jianying Zhou , Osiris A. Valdez Banda

{"title":"STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity","authors":"Awais Yousaf , Sean Gunawan , Sunil Basnet , Victor Bolbot , Jianying Zhou , Osiris A. Valdez Banda","doi":"10.1016/j.cose.2025.104559","DOIUrl":"10.1016/j.cose.2025.104559","url":null,"abstract":"<div><div>Cybersecurity incidents in the maritime sector are growing in number and the requirement of cyber risk management onboard ships is an inescapable reality today. Multiple cyber risk assessment frameworks exist today but they are all cumbersome to be applied in today’s state-of-the-art modern maritime systems. Most of the frameworks require experts’ involvement, their precious time and cognitive efforts. The application of these frameworks are also prone to human biases. Moreover, due to the rapid evolution of malicious actors and the inclusion of state-of-the-art toolsets in their arsenal, the completeness of the coverage of the cyber risk analysis for modern maritime systems is also open to questions. In response to these emerging challenges and threat landscape, a modified system theoretic process analysis for cybersecurity is proposed that not only inspects the control actions from a controller but also investigates the incoming feedback signals from the controlled process. The rationale behind the two-way cyber risk analysis within a system, i.e., for a control action as well as for a feedback signal, is that the attackers can target both the links within a feedback loop with comparable likelihood and impact, which could result in gruesome consequences. This work also contributes by semi-automating the labor intensive steps of the cyber risk assessment that results in significant reduction of involvement of experts, cognitive efforts, time requirement and human biases. Lastly, semi-automated generation of security causal scenarios in this work also contributes to the completeness of the cyber risk assessment process because human involvement and manual efforts required in the cyber risk assessment of a cyber–physical system could result in incomplete analysis due to the limitations in human comprehension. Hence, considerable reductions in time, cognitive efforts, human involvement and human biases are achieved in this work.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104559"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144312822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A fast hardware Trojan detection method with parallel clustering for large-scale gate-level netlists 基于并行聚类的大规模门级网络快速硬件木马检测方法

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-16 DOI: 10.1016/j.cose.2025.104570

Gaoyuan Pan, Huan Li, Jian Wang

{"title":"A fast hardware Trojan detection method with parallel clustering for large-scale gate-level netlists","authors":"Gaoyuan Pan, Huan Li, Jian Wang","doi":"10.1016/j.cose.2025.104570","DOIUrl":"10.1016/j.cose.2025.104570","url":null,"abstract":"<div><div>The growing complexity of hardware design makes third-party intellectual property (3PIP) a superior option. However, it poses security threats to the integrated circuit (IC) supply chain. An untrusted 3PIP may have been implanted with hardware Trojans (HTs), which are malicious modifications to ICs. To ensure the security of ICs, state-of-the-art HT detection techniques related to testability metrics have been recently researched. Nevertheless, the computation of testability values and clustering analysis may be time-consuming for large-scale gate-level netlists (GLNs). To address this issue, we propose a fast HT detection method based on a previously proposed modularity algorithm, incorporating parallel clustering for large-scale GLNs. D-flip-flops are utilized as the boundaries to divide the GLN into modules. Then, we use a self-designed tool to simultaneously compute testability values and static transition probabilities for each signal in each module. If the minimum static transition probability of signals within a module falls below a predefined threshold, the module is suspected to contain HTs and necessitates clustering analysis. Otherwise, it is considered safe and excluded from further analysis. Suspicious modules are then clustered in parallel to identify potential HT signals. Lastly, a secondary diagnosis is performed to minimize false positives in the clustering analysis results. For samples with up to approximately 10<sup>5</sup> signals from Trust-hub, the detection time is reduced by up to 60 % compared to our previous work, achieving a detection accuracy of 100 %, a signal diagnosis accuracy exceeding 93 %, and a false positive rate below 1 %.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104570"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144472241","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

MER-GCN: Reasoning about attacking group behaviors using industrial control system attack knowledge graphs MER-GCN：用工业控制系统攻击知识图推理攻击群体行为

IF 4.8 2区计算机科学

Computers & Security Pub Date : 2025-06-16 DOI: 10.1016/j.cose.2025.104558

Xiao Zhang , Yingxu Lai , Xinrui Dong , Xinyu Xu

{"title":"MER-GCN: Reasoning about attacking group behaviors using industrial control system attack knowledge graphs","authors":"Xiao Zhang , Yingxu Lai , Xinrui Dong , Xinyu Xu","doi":"10.1016/j.cose.2025.104558","DOIUrl":"10.1016/j.cose.2025.104558","url":null,"abstract":"<div><div>To enhance the ability of Intrusion Detection Systems (IDSs) to detect complex attacks on Industrial Control Systems (ICSs), we developed the ICS attack knowledge graph (ICS-Attack-KG). This graph focuses on learning the correlations across attack groups’ behaviors to enable cross-group threat intelligence sharing. Based on the knowledge learned, the graph can reason about potential attack behaviors more comprehensively and accurately, which is beneficial for IDS to update its rulebase and detect complex attacking behaviors. However, data sparsity caused by the difficulty in obtaining threat intelligence of advanced attack group, as well as the data complexity brought by learning correlations across attack groups’ behaviors, increases the difficulty of embedding and reasoning on a knowledge graph. To address these issues, we introduce a novel link prediction model named the Multi-Edge Relation Graph Convolutional Network (MER-GCN). This model overcomes the limitations of data sparsity by embedding global graph structure into relation vectors, enabling it to supply missing information through adjacent or related nodes. To better learn the correlations across attack groups’ behaviors, MER-GCN sets attack group as relations and involves three-dimensional convolutional computation and relational projections to capture pattern sharing and differences across relational subgraphs. Empirical evaluation results demonstrate that the model significantly improves the accuracy and completeness of reasoning about attack groups’ behaviors in ICS. On the ICS-Attack-KG dataset, the model achieves an 11.3% improvement in mean reverse rank (MRR) over the state-of-the-art MR-GCN model. Additionally, the model also improved by 6.8% on the widely recognized Reuters dataset, demonstrating the model’s good generalization ability on a common dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104558"},"PeriodicalIF":4.8,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144321048","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0