{"title":"DomainDynamics: Advancing lifecycle-based risk assessment of domain names","authors":"Daiki Chiba, Hiroki Nakano, Takashi Koide","doi":"10.1016/j.cose.2025.104366","DOIUrl":"10.1016/j.cose.2025.104366","url":null,"abstract":"<div><div>The persistent threat of malicious domains in cybersecurity necessitates robust detection systems. Traditional machine learning approaches often struggle to accurately assess domain name risks due to their static analysis methods and lack of consideration for temporal changes in domain attributes. To address these limitations, we developed DomainDynamics, a novel system that evaluates domain name risks by analyzing their lifecycle phases. This study provides a comprehensive evaluation and refinement of the DomainDynamics framework. The system creates temporal profiles for domains and assesses their attributes at various stages, enabling informed, time-sensitive risk assessments. Our initial evaluation, involving over 85,000 malicious domains, achieved an 82.58% detection rate with a low 0.41% false positive rate. We expanded our research to include benchmarking against commercial services, feature significance analysis using interpretable AI techniques, and detailed case studies. This investigation not only validates the effectiveness of DomainDynamics but also reveals temporal indicators of malicious intent. Our findings demonstrate the advantages of lifecycle-based analysis over static methodologies, providing valuable insights for practical cybersecurity applications.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104366"},"PeriodicalIF":4.8,"publicationDate":"2025-02-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143487847","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cancelable iris template based on slicing","authors":"Qianrong Zheng, Jianwen Xiang, Changtian Song, Rivalino Matias, Rui Hao, Songsong Liao, Xuemin Zhang, Meng Zhao, Dongdong Zhao","doi":"10.1016/j.cose.2025.104381","DOIUrl":"10.1016/j.cose.2025.104381","url":null,"abstract":"<div><div>With the widespread adoption of iris authentication technology and its use in different applications, the potential risks associated with iris template leakage have become a major concern. Hence, a secure template protection scheme becomes an important requirement for biometric systems. However, most of the current template protection schemes based on cancelable templates fail to strike a balance between security and performance. To address this challenge, we propose a method called cancelable iris template based on slicing (Iris-Slice). The scheme generates segments by segmenting the original iris data to a specific length, and subsequently compares these segments with their opposite sequences and retains the smaller segments. Next, the retained segments are randomly expanded, where the expanded sequences are half the inverse of the original iris data. Ultimately, the expanded sequences are saved in a collection for iris data protection. Experimental results on well-known iris datasets (CASIA-IrisV3-Interval, CASIA-IrisV4-Lamp, MMU-V1, IITD) show that the accuracy of the Iris-Slice method decreases only slightly, by 0.63%. We also analyze the irreversibility, revocability, and unlinkability of our proposed scheme, both theoretically and experimentally. The results show that our scheme satisfies all these requirements with high performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104381"},"PeriodicalIF":4.8,"publicationDate":"2025-02-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143474680","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An effective SQL injection detection model using LSTM for imbalanced datasets","authors":"Kholood Salah Fathi, Sherif Barakat, Amira Rezk","doi":"10.1016/j.cose.2025.104391","DOIUrl":"10.1016/j.cose.2025.104391","url":null,"abstract":"<div><div>The rise of web application attacks, increasingly frequent and complex, presents a significant cybersecurity challenge. This rise is driven by the vast data available on the internet, attracting cybercriminals. Among these attacks, Structured Query Language Injection (SQLI) remains particularly pervasive and dangerous, threatening the security and integrity of critical databases. This enduring threat has encouraged extensive research to develop strategies for detecting SQLI attacks with high accuracy and low latency. This paper introduces two advanced models for SQLI detection using a Long Short-Term Memory (LSTM) neural network as a deep learning model and other traditional Machine Learning classifiers. A key challenge addressed in this study is data imbalance, a common issue in cybersecurity datasets where malicious instances are vastly outnumbered by benign ones. This imbalance can bias Machine Learning models toward the majority class. To counter this, the research employs a variety of data preprocessing techniques that significantly enhance model performance. Experimental results indicate significant improvements in performance metrics due to preprocessing. However, the standout finding is the superior performance of the proposed deep learning model, specifically the LSTM neural network. Without relying on resampling techniques, the LSTM model demonstrates exceptional accuracy in detecting SQLI attacks, outperforming the enhanced Machine Learning model. It is worth noting that the proposed LSTM model's performance is tested on three different datasets to ensure its robustness and ability to adapt to varying environments. It achieves a perfect 100 % precision, recall, and F1-score. Its accuracy consistently ranged from 99.7 % to 99.8 % across all three datasets, with a remarkably low classification error of 0.002. These results highlight the LSTM model's robustness and effectiveness in addressing SQLI detection challenges, making it a powerful tool for enhancing cybersecurity defenses.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104391"},"PeriodicalIF":4.8,"publicationDate":"2025-02-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143511887","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MOSDroid: Obfuscation-resilient android malware detection using multisets of encoded opcode sequences","authors":"Yogesh Kumar Sharma, Deepak Singh Tomar, R.K Pateriya, Shweta Bhandari","doi":"10.1016/j.cose.2025.104379","DOIUrl":"10.1016/j.cose.2025.104379","url":null,"abstract":"<div><div>The rapid proliferation of Android devices has made them a prime target for malware developers, necessitating sophisticated detection techniques. Obfuscation poses a significant challenge in Android malware detection due to the platform’s unique characteristics and the widespread use of obfuscation techniques by malware developers. This work proposes a static Android malware detection approach that is resilient to obfuscation. The method involves extracting method-level opcode sequences and segmenting them into strings, representing methods as Multisets of Encoded Opcode Sequences (MOS). The next step is to encode the Android Application Package (APK) as a set of multisets based on the principle of multiset equality. This encoding provides a detailed method representation and efficient APK comparison that optimizes the proposed approach, enhancing detection accuracy and efficiency. The proposed approach employs a strategy for generating a reduced feature subset through filtering and feature selection processes. This further improves efficiency, enhances model performance, prevents overfitting, simplifies interpretation, and optimizes computational resources. The dataset used to evaluate MOSDroid’s performance included Data-MD, a collection of 15,356 Android apps sourced from AndroZoo, and Data-MOS, comprising 10,500 Android apps collected from the AndroZoo and Drebin benchmarks. Additionally, 25,990 obfuscated samples derived from these datasets were analysed to assess the impact of obfuscation and the approach's resilience to it. Experimental results demonstrate that the proposed approach is potent and resilient to obfuscation in malware detection, achieving an accuracy of 98.41% and an AUC of 99.45%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104379"},"PeriodicalIF":4.8,"publicationDate":"2025-02-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143463649","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Secure bi-attribute index: Batch membership tests over the non-sensitive attribute","authors":"Yue Fu, Qingqing Ye, Rong Du, Haibo Hu","doi":"10.1016/j.cose.2025.104369","DOIUrl":"10.1016/j.cose.2025.104369","url":null,"abstract":"<div><div>Secure index techniques enable keyword searches on encrypted univariate data, but they struggle with bi-attribute data common in AI and data mining applications. Traditional approaches suffer from inefficiencies during prefix queries due to duplicate trapdoor generation. Although plaintext processing of one non-sensitive attribute can boost performance, it may also introduce privacy risks from inter-attribute correlation and potential inference attacks. This paper presents a secure bi-attribute indexing solution, illustrated with a case study on searchable encryption for time-series data. We introduce two variants of matrix Bloom filters tailored for different workloads and implement a concept of bounded privacy loss via noise infusion from the randomized response technique. The outcome adheres to local differential privacy principles, offering a provable privacy guarantee for sensitive attribute items.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104369"},"PeriodicalIF":4.8,"publicationDate":"2025-02-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143444999","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
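The two ingredients named in the abstract above, a matrix Bloom filter keyed on the plaintext non-sensitive attribute and randomized-response noise that bounds the privacy loss of the sensitive attribute, as an added illustrative example. This is not the authors' construction or code: the choice of hour-of-day as the non-sensitive row key, SHA-256 with an index prefix as the hash family, the sample events and the filter parameters are all assumptions made for the demonstration.

```python
# Added illustrative example, not code from the paper: a matrix Bloom filter
# keyed on a plaintext non-sensitive attribute (assumed here: hour of day),
# whose rows index the sensitive attribute, with Warner randomized-response
# noise so the published bits satisfy local differential privacy.
import hashlib
import math
import random
from typing import List, Optional


def flip_probability(epsilon: float) -> float:
    """Randomized response on one bit: flip it with this probability.
    The keep/flip ratio is e^epsilon, so each published bit is epsilon-LDP."""
    return 1.0 / (1.0 + math.exp(epsilon))


class MatrixBloomFilter:
    """rows x m_bits matrix: row index = non-sensitive attribute value,
    each row = a Bloom filter over the sensitive attribute (k hash positions)."""

    def __init__(self, rows: int, m_bits: int, k_hashes: int, seed: int = 0) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = [[0] * m_bits for _ in range(rows)]
        self.rng = random.Random(seed)  # seeded only so the demo is reproducible

    def positions(self, item: str) -> List[int]:
        """The k hash positions of an item, i.e. the single trapdoor a client
        needs. Assumption: SHA-256 with an index prefix as the hash family."""
        return [
            int.from_bytes(hashlib.sha256(f"{i}:{item}".encode()).digest()[:8], "big") % self.m
            for i in range(self.k)
        ]

    def insert(self, row: int, item: str) -> None:
        for pos in self.positions(item):
            self.bits[row][pos] = 1

    def randomize(self, epsilon: float) -> None:
        """Perturb every bit once, before the matrix leaves the data owner.
        An item sets at most k bits, so by basic composition its presence in a
        row is protected with k * epsilon; the row index stays in plaintext."""
        p_flip = flip_probability(epsilon)
        for row in self.bits:
            for j in range(self.m):
                if self.rng.random() < p_flip:
                    row[j] ^= 1

    def batch_contains(self, item: str, rows: range) -> List[int]:
        """Batch membership test over a range of the non-sensitive attribute:
        hash once, then probe every row with the same positions, instead of
        generating one trapdoor per row as a univariate index would."""
        pos = self.positions(item)
        return [r for r in rows if all(self.bits[r][p] for p in pos)]


# Constructed sample data: (hour of day, sensor id) observations.
SAMPLE_EVENTS = [
    (8, "sensor-17"), (9, "sensor-17"), (9, "sensor-42"),
    (10, "sensor-17"), (13, "sensor-42"), (22, "sensor-99"),
]


def build_filter(epsilon: Optional[float] = None) -> MatrixBloomFilter:
    mbf = MatrixBloomFilter(rows=24, m_bits=256, k_hashes=3)
    for hour, sensor in SAMPLE_EVENTS:
        mbf.insert(hour, sensor)
    if epsilon is not None:
        mbf.randomize(epsilon)
    return mbf


def hours_seen(item: str, epsilon: Optional[float] = None) -> List[int]:
    """Prefix-style query: which hours from 08 to 12 saw this sensor?"""
    return build_filter(epsilon).batch_contains(item, range(8, 13))


if __name__ == "__main__":
    print("exact:", hours_seen("sensor-17"))
    print("epsilon = ln 3 (25% of bits flipped):", hours_seen("sensor-17", math.log(3)))
```

The row key (hour) is never hashed or noised, which is exactly what makes the batch probe cheap, and exactly why the sensitive column needs the randomized response: an observer of the published matrix sees which hours are populated, but each bit of a row is individually deniable with likelihood ratio at most e^epsilon. Smaller epsilon flips more bits, so query answers over the noised matrix gain both false positives and false negatives and have to be read statistically rather than as exact membership.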
{"title":"Empowered Cyber–Physical Systems security using both network and physical data","authors":"Roberto Canonico, Giovanni Esposito, Annalisa Navarro, Simon Pietro Romano, Giancarlo Sperlì, Andrea Vignali","doi":"10.1016/j.cose.2025.104382","DOIUrl":"10.1016/j.cose.2025.104382","url":null,"abstract":"<div><div>The protection of Cyber–Physical Systems (CPSs) from cybersecurity threats is essential to ensure the resilience and safety of critical infrastructures. Anomaly detection approaches for CPSs proposed in the literature use either network data or data from sensors/actuators as inputs, often failing to detect attacks that affect only specific components. In this paper, we propose a novel two-stage framework for threat detection in CPSs. This framework integrates anomaly detection models that operate on both network and physical data, leveraging a decision fusion technique to combine their outputs into a coherent decision. To assess the effectiveness of the framework, we employ an unlabeled release of a real-world dataset, integrating network traffic with sensor/actuator data. Additionally, we offer explicit labeling rules to ensure reproducibility. The results demonstrate that our approach substantially improves CPS security, efficiently identifying subtle attacks that can evade traditional methods relying on a single data source. In particular, we show that integrating both physical and network data improves the F1 score by approximately 10% compared to using just network data, and by nearly 30% compared to using just physical data.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104382"},"PeriodicalIF":4.8,"publicationDate":"2025-02-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143463680","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MADONNA: Browser-based malicious domain detection using Optimized Neural Network by leveraging AI and feature analysis","authors":"Janaka Senanayake, Sampath Rajapaksha, Naoto Yanai, Harsha Kalutarage, Chika Komiya","doi":"10.1016/j.cose.2025.104371","DOIUrl":"10.1016/j.cose.2025.104371","url":null,"abstract":"<div><div>Detecting malicious domains is a critical aspect of cybersecurity, with recent advancements leveraging Artificial Intelligence (AI) to enhance accuracy and speed. However, existing browser-based solutions often struggle to achieve both high accuracy and efficient throughput. In this paper, we present MADONNA, a novel browser-based malicious domain detector that exceeds the current state-of-the-art in both accuracy and throughput. MADONNA utilizes feature selection through correlation analysis and model optimization techniques, including pruning and quantization, to significantly enhance detection speed without compromising accuracy. Our approach employs a Shallow Neural Network (SNN) architecture, outperforming Large Language Models (LLMs) and state-of-the-art methods by improving accuracy by 6% (reaching 0.94) and F1-score by 4% (reaching 0.92). We further integrated MADONNA into a Google Chrome extension, demonstrating its practical application with a real-time domain detection accuracy of 94% and an average inference time of 0.87 s. These results highlight MADONNA’s effectiveness in balancing speed and accuracy, providing a scalable, real-world solution for malicious domain detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104371"},"PeriodicalIF":4.8,"publicationDate":"2025-02-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143463650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The efficiency of ICT suppliers' product security incident response teams in reducing the risk of exploitation of vulnerabilities in the wild","authors":"Vladimir Radunović, Mladen Veinović, Aleksandar Jevremović","doi":"10.1016/j.cose.2025.104388","DOIUrl":"10.1016/j.cose.2025.104388","url":null,"abstract":"<div><div>Exploitation of vulnerabilities in digital products is among the key components of cyberattacks. Suppliers of digital products use different security-by-design practices, such as a product security incident response team (PSIRT), to respond to discovered vulnerabilities and minimise the cybersecurity risk. However, the efficiency of such practices, including PSIRT, remains underexplored.</div><div>This paper evaluates the efficiency of PSIRT in reducing the risk of exploitation of vulnerabilities 'in the wild' (i.e. their active use in real-world cyberattacks) using a customised model based on a randomised matched case-control design with data from authoritative public sources. Results show that PSIRT reduces the likelihood of exploitation by 17 % (absolute risk reduction). Additionally, factors like the availability of a proof of concept for vulnerability exploitation, the type of the supplier's industry, and the open-source nature of its products influence the risk, altering the absolute risk reduction by 10 %, 3.6 % and 2.2 % respectively.</div><div>The study confirms PSIRT as a good practice that cybersecurity practitioners – particularly large suppliers and suppliers to critical infrastructure – should consider in order to reduce the risk of vulnerability exploitation in the wild. It recommends coupling PSIRT with other security-by-design practices to maximise risk reduction. The proposed model allows researchers and practitioners to assess the efficiency of similar practices in reducing the risk of vulnerability exploitation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104388"},"PeriodicalIF":4.8,"publicationDate":"2025-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143453265","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Enhancing in-process isolation for robust defense against information disclosure attacks","authors":"Hongjoo Jin, Sumin Yang, Haehyun Cho, Dong Hoon Lee","doi":"10.1016/j.cose.2025.104370","DOIUrl":"10.1016/j.cose.2025.104370","url":null,"abstract":"<div><div>Memory corruption attacks continue to be a critical issue in system security, as defenders and adversaries constantly compete to develop new means to protect or exploit vulnerabilities. To safeguard against these malicious attacks, researchers have developed various methods, such as Address Space Layout Randomization (ASLR) and stack canaries, to protect sensitive data in memory. One method in this category is stack isolation, which relocates sensitive objects in the stack to a dedicated “safe region” to enhance security. However, attackers have devised sophisticated methods, like the Allocation Oracle, to locate these safe regions, thereby undermining the protection this technique can provide. In response to these threats, we propose Satellite, a novel method that securely defends against memory corruption and information disclosure attacks by effectively protecting the safe region. Satellite ensures that return addresses stored in the safe region are safeguarded from typical vulnerabilities like buffer overflows. Moreover, our method counters information disclosure attacks, as it continuously modifies the memory layout at runtime, thus making it difficult for attackers to pinpoint the safe region. Satellite also works within the LLVM compiler framework and can, therefore, seamlessly support general C/C++ programs. To address potential compatibility issues, we develop supplementary libraries that enhance the flexibility of compiler instrumentation, and we evaluate the performance and effectiveness of Satellite with benchmark programs such as SPEC CPU2006 and SPEC CPU2017. We also test the impact of our proposed method on real-world applications, including the Nginx web server and the ProFTPD FTP server. Our results demonstrate that Satellite imposes a performance overhead of less than 1%, making it an efficient and effective solution for enhancing stack memory safety.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104370"},"PeriodicalIF":4.8,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143453043","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"HC-NIDS: Historical contextual information based network intrusion detection system in Internet of Things","authors":"Zijie Chen, Hailin Zou, Tao Hu, Xun Yuan, Xiaofen Fang, Yuanyuan Pan, Jianqing Li","doi":"10.1016/j.cose.2025.104367","DOIUrl":"10.1016/j.cose.2025.104367","url":null,"abstract":"<div><div>In the context of the burgeoning Internet of Things (IoT), the security of interconnected devices is of paramount importance. Nevertheless, the dynamic nature of IoT networks and the limited volume of labeled data present significant difficulties for traditional network security technologies. This paper introduces HC-NIDS, a Historical Contextual Traffic Based Network Intrusion Detection System, which addresses these challenges by leveraging contextual information from historical traffic. In HC-NIDS, we propose a novel feature representation technique based on the structure of Graph Neural Networks (GNNs), called Signal Channel Correlation Fusion Representation. This technique is designed to extract compelling features from complex historical traffic in a dynamic manner. Subsequently, the incorporation of extracted historical and current traffic features enhances the efficacy and resilience of HC-NIDS against evolving network threats. A series of comprehensive experiments on four public datasets has validated the effectiveness of HC-NIDS, demonstrating its superior performance even when utilizing disparate volumes of labeled data. Notably, in multi-classification tasks, the detection outcomes remain markedly enhanced in comparison to the baselines even when employing a mere 2% of the original labeled training data. The study also investigates the impact of varying lengths of historical data and the functionality of different modules within HC-NIDS, confirming its adaptability and potential for practical application in securing IoT networks. The findings highlight the critical role of historical traffic information in enhancing the accuracy of network intrusion detection, indicating a promising direction for future research in network security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104367"},"PeriodicalIF":4.8,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143429272","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}