Computers & Security: Latest Publications
FELACS: Federated learning with adaptive client selection for IoT DDoS attack detection
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-27, DOI: 10.1016/j.cose.2025.104642
Mulualem Bitew Anley, Pasquale Coscia, Angelo Genovese, Vincenzo Piuri

Abstract: Distributed denial-of-service (DDoS) attacks pose a significant threat to network security by overwhelming systems with malicious traffic, leading to service disruptions and potential data breaches. The traditional centralized machine learning (ML) methods for detecting DDoS attacks in Internet of Things (IoT) environments raise privacy and security concerns due to their collection and distribution of data to a central entity that may not be trusted to perform model training. Federated learning (FL) offers a privacy-preserving solution that enables distributed collaboration by training a model only on local clients, without data exchanges, where the central entity only performs global model aggregation. However, the current practice of random client selection, combined with the statistical heterogeneity of client data and the device heterogeneity encountered in IoT environments, requires many training rounds to reach optimal accuracy, increasing the imposed computational overhead. To address these challenges, we propose a multiobjective optimization-based FL with adaptive client selection (FELACS) approach that maximizes client importance scores while satisfying resource, performance, and data diversity constraints. Experiments are carried out on the CIC-IDS2018, CIC-DDoS2019, BoT-IoT, and CIC-IoT2023 datasets, demonstrating that FELACS improves upon the accuracy of the existing approaches while exhibiting increased convergence speed when training a model in an FL scenario, hence reducing the number of communication rounds required to achieve the target accuracy, making it highly effective for performing IoT-based DDoS attack detection in FL scenarios.

Computers & Security, Volume 158, Article 104642. Journal Article. Not open access.
Citations: 0
How informative are cybersecurity risk disclosures? Empirical analysis of firms targeted by ransomware
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-25, DOI: 10.1016/j.cose.2025.104626
Matthew Adams, Tyler Moore

Abstract: Public companies face escalating requirements to disclose cybersecurity risks and damages in regulatory filings. In theory, such disclosures should equip investors with the knowledge required to make informed decisions, while also encouraging firms to adopt more robust strategies for managing cybersecurity risks. In practice, discussions are often embedded in disparate locations of long documents full of legalese, which hinders systematic examination. This paper examines the regulatory filings of 61 firms that experienced ransomware incidents between 2018 and 2021. We describe a process whereby 7681 cyber-related statements were extracted from 314 10-K filings between 2018 and 2023, then categorized using an iterative process inspired by grounded theory. We then perform quantitative and qualitative analysis of the statements, examining how firms discuss cybersecurity before and after experiencing an incident.

Computers & Security, Volume 159, Article 104626. Journal Article. Not open access.
Citations: 0
Distance-based feature selection using Benford's law for malware detection
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-22, DOI: 10.1016/j.cose.2025.104625
Pedro Fernandes, Séamus Ó Ciardhuáin, Mário Antunes

Abstract: Detecting malware in computer networks and data streams from Android devices remains a critical challenge for cybersecurity researchers. While machine learning and deep learning techniques have shown promising results, these approaches often require large volumes of labelled data, offer limited interpretability, and struggle to adapt to sophisticated threats such as zero-day attacks. Moreover, their high computational requirements restrict their applicability in resource-constrained environments.

This research proposes an innovative approach that advances the state of the art by offering practical solutions for dynamic and data-limited security scenarios. By integrating natural statistical laws, particularly Benford's law, with dissimilarity functions, a lightweight, fast, and scalable model is developed that eliminates the need for extensive training and large labelled datasets while improving resilience to data imbalance and scalability for large-scale cybersecurity applications.

Although Benford's law has demonstrated potential in anomaly detection, its effectiveness is limited by the difficulty of selecting relevant features. To overcome this, the study combines Benford's law with several distance functions, including Median Absolute Deviation, Kullback–Leibler divergence, Euclidean distance, and Pearson correlation, enabling statistically grounded feature selection. Additional metrics, such as the Kolmogorov test, Jensen–Shannon divergence, and Z statistics, were used for model validation.

This approach quantifies discrepancies between expected and observed distributions, addressing classic feature selection challenges like redundancy and imbalance. Validated on both balanced and unbalanced datasets, the model achieved strong results: 88.30% accuracy and 85.08% F1-score in the balanced set, 92.75% accuracy and 95.29% F1-score in the unbalanced set. The integration of Benford's law with distance functions significantly reduced false positives and negatives.

Compared to traditional Machine Learning methods, which typically require extensive training and large datasets to achieve F1 scores between 92% and 99%, the proposed approach delivers competitive performance while enhancing computational efficiency, robustness, and interpretability. This balance makes it a practical and scalable alternative for real-time or resource-constrained cybersecurity environments.

Computers & Security, Volume 158, Article 104625. Journal Article. Not open access.
Citations: 0
Otupy: A flexible, portable, and extensible framework for remote control of security functions
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-21, DOI: 10.1016/j.cose.2025.104597
Matteo Repetto

Abstract: The growing proliferation of heterogeneous security functions ensures diversity, robustness, and adaptivity in addressing cyber-threats, but also poses management and integration challenges. OpenC2 defines a vendor- and application-agnostic abstract language for remote command and control of cyber-defense technologies. Its architecture supports multiple encoding and transfer options, but this might complicate its implementation and usage.

This paper describes Otupy, a flexible and extensible implementation of the OpenC2 language specification. Otupy defines an Application Programming Interface (API) that allows programmers to focus on the control and business logic of security functions, rather than the communication syntax, protocol, and encoding. The design of Otupy leverages an abstract data notation, an inheritance model, and meta-serialization to simplify the development of extensions for specific profiles of security functions, as well as additional encoding and transfer protocols. We evaluate the correctness of our implementation by validating its output against both a syntax schema and external good and bad samples provided by a third party. Our analysis points out unclear and ambiguous aspects of OpenC2 that deserve further attention by its technical committee.

Computers & Security, Volume 158, Article 104597. Journal Article. Not open access.
Citations: 0
A fine-grained message clustering method based on message representation and identifier fingerprints
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-20, DOI: 10.1016/j.cose.2025.104631
Degang Li, Xi Chen, Mingliang Zhu, Qingjun Yuan, Chunxiang Gu

Abstract: Protocol reverse engineering is a critical technique for analyzing private protocols and unknown protocols. Message clustering is a foundational element of protocol reverse engineering, playing a key role in traffic classification and format inference. In this paper, we propose a fine-grained unknown message clustering method, termed FG-MCRF. FG-MCRF extracts deep representation vectors from the raw message data by constructing a representation network with low information loss and constructs high-purity message clusters based on representation vectors. The FG-MCRF method constructs high-precision global message fingerprints for each message cluster based on message length identifiers, operation identifiers, and counter identifiers. Subsequently, FG-MCRF constructs a message relationship graph based on these global message fingerprints and determines the final message type using the relationship graph. We also introduce the fine-grained multi-protocol dataset (FgMPD) to evaluate the clustering performance of our method. The experimental results demonstrate that the FG-MCRF methodology achieves superior clustering performance on the FgMPD dataset, outperforming other baseline methods. The clustering purity, Adjusted Rand Index (ARI), completeness, and accuracy of FG-MCRF in the fine-grained message clustering task are 0.9961, 0.9897, 0.9837, and 0.9899, respectively, representing improvements of 3.2%, 10.5%, 10.9% and 8.7% compared to state-of-the-art (SOTA) baseline methods. These results indicate that the FG-MCRF method possesses robust generalization capacity and extensibility, facilitating fine-grained message clustering.

Computers & Security, Volume 158, Article 104631. Journal Article. Not open access.
Citations: 0
AI algorithms under scrutiny: GDPR, DSA, AI Act and CRA as pillars for algorithmic security and privacy in the European Union
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-19, DOI: 10.1016/j.cose.2025.104628
Marta Beltrán

Abstract: The General Data Protection Regulation (GDPR), Digital Services Act (DSA), Artificial Intelligence Act (AI Act) and Cyber Resilience Act (CRA) are essential pillars for algorithmic security and privacy in the European Union. Each of these regulations addresses specific aspects of technology, such as personal data protection, trustworthy online services, safe AI systems, and secure digital products, while fostering trust in algorithm-based systems. Together, they can establish a robust framework for ensuring the security and privacy of AI algorithms in the EU by addressing critical concerns through a risk-based approach. This paper proposes a multi-layered approach to algorithmic security and privacy, based on these four instruments, considering organisational risk, risks to rights and freedoms, systemic risks and risks to national security. An illustrative example demonstrates how the EU can establish a global standard for trustworthy innovation and the protection of fundamental rights by leveraging the direct and indirect synergies of these laws.

Computers & Security, Volume 158, Article 104628. Journal Article. Not open access.
Citations: 0
Integrating system calls and position-specific scoring for enhanced anomaly detection in Internet of Things environments
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-13, DOI: 10.1016/j.cose.2025.104613
Nouman Shamim, Muhammad Asim, Thar Baker, Zeeshan Pervez, Ali Ismail Awad, Albert Y. Zomaya

Abstract: Identifying attacks on Internet of Things (IoT) systems through anomaly detection is an effective approach and remains a crucial area of research. The core method involves collecting system-related data during normal operation to establish a baseline of typical behavior and then continuously monitoring for deviations from this baseline. Using system call sequences for anomaly detection is a well-established and important field. System call sequences effectively capture the behavior of a target system at a low level, allowing identification of any changes in this behavior; however, these approaches face several challenges, including high false-positive rates, the need for segmentation of long sequences, and the difficulty of detecting anomalies when the system call data comes from multiple processes. This work presents a novel anomaly-detection approach that uses a position-specific scoring mechanism to analyze the content and structural properties of system call sequences. The proposed approach addresses key challenges in this field, including fixed-length segmentation of system call sequences, predetermined anomaly-detection thresholds, the detection of anomalies in both single and multiple processes, and high false-positive rates. We extensively evaluated the proposed approach using system-call-specific public datasets (ADFA-LD and UNM) of a diverse nature. The performance of the proposed content-based, structure-based, and combined content- and structure-based anomaly-detection methods was evaluated using ten-fold cross-validation. The proposed anomaly-detection approach achieves an impressive detection rate of 1.0, along with exceptionally low false-positive rates of 0.001 and 0.017 when evaluated on the UNM and ADFA-LD datasets, respectively.

Computers & Security, Volume 158, Article 104613. Journal Article. Not open access.
Citations: 0
Points of the local optimal privacy utility tradeoff
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-13, DOI: 10.1016/j.cose.2025.104622
Zhenyu Chen, Lin Yao, Haibo Hu, Guowei Wu

Abstract: With the increasing prevalence of data sharing and publishing, striking a balance between data privacy and data utility, known as the privacy utility tradeoff problem, has emerged as a core challenge. Recent studies treat this tradeoff as an optimization process within the privacy protection process for a certain privacy protection mechanism. However, the ability to achieve an optimal tradeoff is inherently constrained by the chosen privacy protection mechanism. In this paper, we provide a new perspective by conceptualizing the privacy utility tradeoff as a series of distinct "tradeoff points," where the inference privacy and inference utility serve as the components that represent a tradeoff point. To identify local optimal tradeoff points, we first select those that maximize utility for a given level of privacy. Then, we discard those points that do not ensure optimal privacy for the corresponding utility. Simulations on four real-world datasets using three state-of-the-art methods demonstrate that existing tradeoff solutions are limited by their underlying privacy mechanisms, while our solution helps integrate local optimal tradeoff points into the design of privacy protection mechanisms.

Computers & Security, Volume 158, Article 104622. Journal Article. Not open access.
Citations: 0
Tool or Toy: Are SCA tools ready for challenging scenarios?
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-09, DOI: 10.1016/j.cose.2025.104624
Congyan Shu, Wentao Chen, Guisheng Fan, Huiqun Yu, Zijie Huang, Yuguo Liang

Abstract: The widespread adoption of open-source software (OSS) has introduced new security challenges to the software supply chain. While existing studies confirm the basic capabilities of Software Composition Analysis (SCA) tools, such as vulnerability detection and dependency resolution, they often focus on single ecosystems or single detection aspects. This limited scope overlooks real-world complexities, including multi-language ecosystems, source and binary dependencies, and adversarial threats. Without a comprehensive evaluation, SCA tools may perform well in controlled settings but struggle in more complex scenarios. To address this gap, this study proposes an evaluation framework centered on the core functionalities of SCA tools: dependency detection, vulnerability identification, and license inspection. It covers three key dimensions: multi-language ecosystem compatibility, build forms, and attack defense. Using standardized datasets and quantitative metrics, such as precision, recall, F1-score and standard deviation, we evaluate four representative SCA tools, including both open-source and commercial options. Results reveal significant limitations in binary dependencies, language coverage, and license consistency. SCA tools also face challenges in balancing precision, coverage and robustness. The study highlights systemic shortcomings in current SCA tools, revealing that many perform like limited-use toys under real-world conditions. It offers data-driven recommendations to guide the evolution of these tools into practical, reliable solutions for supply chain security governance.

Computers & Security, Volume 158, Article 104624. Journal Article. Not open access.
Citations: 0
SoK: An empirical investigation of malware techniques in advanced persistent threat attacks
IF 5.4 · Zone 2 · Computer Science
Computers & Security, Pub Date: 2025-08-09, DOI: 10.1016/j.cose.2025.104618
Md Rayhanur Rahman, Setu Kumar Basak, Rezvan Mahdavi Hezaveh, Laurie Williams

Abstract:

Context: Adversaries launch advanced persistent threat (APT) attacks, where adversaries design their attack for a specific target and aim to remain undetected for a prolonged time. The attackers deploy a plethora of techniques for delivering and operating multiple malware in manual or automated manners. Cybersecurity vendors publish technical reports, known as cyberthreat intelligence reports, on past APT attacks, a rich information source on malware techniques. To defend organizations, prevalent techniques observed across malware in APT attacks and their association need to be identified.

Objective: The goal of this research is to aid cybersecurity practitioners in defending against APT attacks by analyzing malware techniques documented in cyberthreat intelligence reports.

Methodology: We construct a curated set of 798 cyberthreat intelligence reports and then analyze the reported malware techniques using MITRE ATT&CK, a well-known terminology of cyberattack techniques, cybercriminal groups, and campaigns in APT attacks. We analyze the frequency and trend of techniques, followed by a qualitative analysis. Next, we perform association rule mining to identify co-occurring techniques, followed by a qualitative analysis.

Findings: We identify that obtaining information on the operating and network system of the victim environment is the most prevalent technique and appears in the highest number of co-occurring pairs. We identify that spear-phishing is the most prevalent way of initial infection. We also identify three prevalent misuses of system functionalities: Macros in Office documents, the Registry in Windows, and the Task scheduler. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified association among malware techniques.

Computers & Security, Volume 157, Article 104618. Journal Article. Not open access.
Citations: 0