{"title":"μGAN: A mutation-based cost optimal adversarial malware generation approach against evolving Android malware variants","authors":"Xiaojian Liu , Zilin Qin , Kehong Liu","doi":"10.1016/j.cose.2025.104695","DOIUrl":"10.1016/j.cose.2025.104695","url":null,"abstract":"<div><div>Malware <em>detection</em> and <em>evasion</em> constitute a pair of opponents locked in a relentless competitive game—to bypass stringent detection mechanisms, Android malware has evolved a variety of sophisticated evasion techniques, been continuously spawning new malware variants, which poses an ongoing challenge for Android defense systems to efficiently detect these evolving threats. To tackle this problem, adversarial training offers a promising approach to improving the resilience of detection systems against newly emerging malware variants. However, in the setting of Android malware detection, adversarial training still faces a critical challenge—how to craft <em>valid</em> and <em>meaningful</em> adversarial samples. This paper proposes a mutation-based adversarial malware generation approach, which attempts to introduce proper perturbations to the seed samples in order to enable them to successfully evade detection. To seek for such perturbations, we formulate the problem of crafting adversarial malware as a constrained combinatorial optimization problem—adversarial samples should evade detection while consuming minimal crafting efforts. For this problem, we devise a solution strategy, referred to as <span><math><mi>μ</mi></math></span>GAN, which combines strengths of the Generative Adversarial Networks and the Simulated Annealing algorithm, to screen the optimal adversarial samples. Furthermore, we retrain an enhanced malware classifier by augmenting the dataset with the generated adversarial malware samples to improve the performance of detection against new malware variants. 
Extensive experimental evaluation shows that, introducing perturbations into malware can significantly promote the ability of malware to evade security detection; the enhanced malware detector retrained using our approach demonstrates superior performance over other state-of-the-art classifiers.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104695"},"PeriodicalIF":5.4,"publicationDate":"2025-10-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268195","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Intra-section code cave injection for adversarial evasion attacks on windows PE malware file","authors":"Kshitiz Aryal , Maanak Gupta , Mahmoud Abdelsalam , Moustafa Saleh","doi":"10.1016/j.cose.2025.104690","DOIUrl":"10.1016/j.cose.2025.104690","url":null,"abstract":"<div><div>Windows malware is predominantly available in cyberspace and is a prime target for deliberate adversarial evasion attacks. Although researchers have investigated the adversarial malware attack problem, a multitude of important questions remain unanswered, including (a) Are the existing techniques to inject adversarial perturbations in Windows Portable Executable (PE) malware files effective enough for evasion purposes?; (b) Does the attack process preserve the original behavior of malware?; (c) Are there unexplored approaches/locations that can be used to carry out adversarial evasion attacks on Windows PE malware?; and (d) What are the optimal locations and sizes of adversarial perturbations required to evade an ML-based malware detector without significant structural change in the PE file? To answer some of these questions, this work proposes a novel approach that injects a code cave within the section (i.e., intra-section) of Windows PE malware files to make space for adversarial perturbations. Additionally, a code loader is injected into the PE file, which reverses the effects of adversarial malware during execution, preserving the malware’s functionality and executability. To understand the effectiveness of our approach, we inject adversarial perturbations inside the <span>.text</span>, <span>.data</span> and <span>.rdata</span> sections, generated using the gradient descent and Fast Gradient Sign Method (FGSM) to target the two popular CNN-based malware detectors, MalConv and MalConv2. 
Our experimental analysis yielded impressive results, achieving an evasion rate of 92.31% with gradient descent and 96.26% with FGSM when targeting MalConv, as compared to the evasion rate of 16.17% for append attacks. Similarly, in the case of an attack against MalConv2, our approach achieves a remarkable maximum evasion rate of 97.93% with gradient descent and 94.34% with FGSM, significantly surpassing the 4.01% and 54.75% evasion rates observed with append attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104690"},"PeriodicalIF":5.4,"publicationDate":"2025-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268166","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"GJALLARHORN: A framework for vulnerability detection via electromagnetic side-channel analysis in embedded systems","authors":"Jorge Barredo , Maialen Eceiza , Jose Luis Flores , Mikel Iturbe","doi":"10.1016/j.cose.2025.104692","DOIUrl":"10.1016/j.cose.2025.104692","url":null,"abstract":"<div><div>The proliferation of embedded systems within the Internet of Things (IoT) has heightened the difficulty of detecting vulnerabilities due to their inherent resource constraints. This paper introduces GJALLARHORN, a framework extending electromagnetic side-channel analysis (EM SCA) for early-stage vulnerability detection in embedded systems. Unlike conventional methods requiring code access or imposing computational overhead, GJALLARHORN non-invasively analyses EM emissions to identify anomalous patterns indicating potential security vulnerabilities. By observing hardware-level manifestations of software execution, GJALLARHORN complements software-level analysis, revealing vulnerabilities that might otherwise remain undetected. The framework adapts to device complexity, enabling categorisation of up to 16 distinct vulnerability types, including buffer overflows, memory leaks, and arithmetic errors. Evaluations on both low-end (STM NUCLEO-144) and high-end (Raspberry Pi 3B) architectures demonstrate GJALLARHORN’s effectiveness, achieving a recall of 95.94% and <span><math><msub><mrow><mi>F</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> score of 96.39% on the low-end system, and 73.33% recall with 84.61% <span><math><msub><mrow><mi>F</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> score on the high-end system. Our results reveal that memory-related vulnerabilities produce more distinguishable EM signatures than arithmetic errors, offering valuable insights for externally detecting vulnerabilities. 
By enabling detection during development, GJALLARHORN helps mitigate risks before deployment, potentially reducing the economic impact of security incidents in IoT infrastructure.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104692"},"PeriodicalIF":5.4,"publicationDate":"2025-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268165","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Robust set partitioning strategy for malicious information detection in large-scale Internet of Things","authors":"Yuhan Suo , Runqi Chai , Kaiyuan Chen , Senchun Chai , Wannian Liang , Yuanqing Xia","doi":"10.1016/j.cose.2025.104688","DOIUrl":"10.1016/j.cose.2025.104688","url":null,"abstract":"<div><div>With the rapid development of the Internet of Things (IoT), the risks of data tampering and malicious information injection have intensified, making efficient threat detection in large-scale distributed sensor networks a pressing challenge. To address the decline in malicious information detection efficiency as network scale expands, this paper investigates a robust set partitioning strategy and, on this basis, develops a distributed attack detection framework with theoretical guarantees. Specifically, we introduce a gain mutual influence metric to characterize the inter-subset interference arising during gain updates, thereby revealing the fundamental reason for the performance gap between distributed and centralized algorithms. Building on this insight, the set partitioning strategy based on Grassmann distance is proposed, which significantly reduces the computational cost of gain updates while maintaining detection performance, and ensures that the distributed setting under subset partitioning preserves the same theoretical performance bound as the baseline algorithm. Unlike conventional clustering methods, the proposed set partitioning strategy leverages the intrinsic observational features of sensors for robust partitioning, thereby enhancing resilience to noise and interference. 
Simulation results demonstrate that the proposed method limits the performance gap between distributed and centralized detection to no more than 1.648%, while the computational cost decreases at an order of <span><math><mrow><mi>O</mi><mrow><mo>(</mo><mn>1</mn><mo>/</mo><mi>m</mi><mo>)</mo></mrow></mrow></math></span> with the number of subsets <span><math><mi>m</mi></math></span>. Therefore, the proposed algorithm effectively reduces computational overhead while preserving detection accuracy, offering a practical low-cost and highly reliable security detection solution for edge nodes in large-scale IoT systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104688"},"PeriodicalIF":5.4,"publicationDate":"2025-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145320848","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"From cyber security incident management to cyber security crisis management in the European Union","authors":"Jukka Ruohonen , Kalle Rindell , Simone Busetti","doi":"10.1016/j.cose.2025.104689","DOIUrl":"10.1016/j.cose.2025.104689","url":null,"abstract":"<div><div>Incident management is a classical topic in cyber security. Recently, the European Union (EU) has started to consider also the relation between cyber security incidents and cyber security crises. These considerations and preparations, including those specified in the EU’s new cyber security laws, constitute the paper’s topic. According to an analysis of the laws and associated policy documents, (i) cyber security crises are equated in the EU to large-scale cyber security incidents that either exceed a handling capacity of a single member state or affect at least two member states. For this and other purposes, (ii) the new laws substantially increase mandatory reporting about cyber security incidents, including but not limited to the large-scale incidents. Despite the laws and new governance bodies established by them, however, (iii) the working of actual cyber security crisis management remains unclear particularly at the EU-level. 
With these policy research results, the paper advances the domain of cyber security incident management research by elaborating how European law perceives cyber security crises and their relation to cyber security incidents, paving the way for many relevant further research topics with practical relevance, whether theoretical, conceptual, or empirical.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104689"},"PeriodicalIF":5.4,"publicationDate":"2025-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145267702","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Design of a high-stability QPUF and QRNG circuit based on CCNOT gate","authors":"Yuanfeng Xie, Hanqing Luo, Aoxue Ding","doi":"10.1016/j.cose.2025.104694","DOIUrl":"10.1016/j.cose.2025.104694","url":null,"abstract":"<div><div>Quantum computing, with its powerful computational capabilities, is expected to become a secure paradigm for solving complex problems. However, existing cloud-based quantum computing systems are reliant on cloud service providers for scheduling, making it impossible to directly verify the results produced by quantum hardware. This introduces significant security risks, such as scenarios where a third-party provider allocates quantum computers with suboptimal hardware performance or attackers redirect execution on the hardware to steal critical keys. Current solutions face issues with limited authentication dimensions and poor stability of physical fingerprints. This study proposes a highly stable Quantum Physical Unclonable Function (QPUF) and Quantum Random Number Generator (QRNG) based on quantum superposition and entanglement. First, a circuit model is created using the Hadamard and R<sub>Y</sub> gate to generate tunable equal-amplitude superposition states, encoding the measurement probabilities. Dynamic Majority Voting (DMV) is then applied to improve the stability of the QPUF response, which can serve as an effective ID for cloud-executed devices. Next, the CCNOT gate is used to entangle multiple qubits, producing a QRNG with high worst-case entropy, which can be utilized as a high-performance random number generator for computations. Finally, experiments conducted on IBM's quantum hardware demonstrate that the stability of the proposed QPUF in the new unified architecture is 100%, representing a 4.16% improvement over similar models. 
The worst-case entropy of the QRNG is 0.974, fully validating the effectiveness of the proposed architecture in countering attacks that attempt to tamper with cloud-based quantum computing hardware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104694"},"PeriodicalIF":5.4,"publicationDate":"2025-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145267703","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The hidden complexities of Android TPL detection: An empirical analysis of techniques, challenges, and effectiveness","authors":"Lige Zhan , Jiang Ming , Jianming Fu , Guojun Peng , Letian Sha , Lili Lan","doi":"10.1016/j.cose.2025.104672","DOIUrl":"10.1016/j.cose.2025.104672","url":null,"abstract":"<div><div>Third-party libraries (TPLs) play a crucial role in Android application (app) development and have become an indispensable part of the Android ecosystem. However, TPLs also introduce potential security risks, as they may propagate 1-day vulnerabilities or even malicious code into apps. Moreover, certain downstream tasks, such as app clone detection, license violation identification and patch presence test, require accurate TPL detection as a prerequisite. Consequently, TPL detection has gained increasing importance over the past decade in improving maintainability and enhancing security within the software supply chain. To ensure robustness against external factors and precise vulnerability identification, modern library detection tools, in addition to recognizing TPL variety, must be resilient to code obfuscation and optimization, and must also be capable of accurately identifying library versions. Although recent studies have reported progress in addressing these issues, none have conducted a comprehensive evaluation to determine whether the proposed methods effectively overcome these challenges. Furthermore, critical aspects such as tool performance on real-world apps, as well as the generalizability of existing approaches, are frequently overlooked in current research.</div><div>To gain deeper insights into TPL detection research, we conducted a comprehensive empirical analysis of state-of-the-art approaches in this domain. 
This study begins by summarizing the common technologies used at each stage of the TPL detection process, followed by an analysis of the prevalence of code obfuscation and optimization in real-world apps to identify key external factors that hinder effective library detection. Next, we evaluate the performance of cutting-edge tools on multiple ground-truth datasets to validate our findings. Specifically, we systematically analyze the methodologies employed by these tools, assessing their capabilities in TPL variety detection, version identification, resilience to common obfuscation and optimization techniques, and the underlying causes of their failures. Finally, we assessed the generalizability of these tools by comparing their performance across diverse datasets and validating them with real-world data. Our findings confirm that obfuscation and optimization are indeed prevalent in real-world scenarios. However, the code transformations introduced by these techniques often exceed the scope of scenarios considered in prior TPL detection studies. We also observe that even the most advanced detection features struggle to accurately differentiate between library versions. In addition to errors caused by obfuscation and optimization, overly simplistic library features can further contribute to false positives. Moreover, while most tools perform well on their own curated datasets and show reduced performance on external datasets, their effectiveness in real-world scenarios does not exhibit a substantial disparity. 
Ove","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104672"},"PeriodicalIF":5.4,"publicationDate":"2025-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268167","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DynamicFuzz: Confidence-based directed greybox fuzzing for programs with unreliable call graphs","authors":"Hao Jiang, Kang Wang, Yujie Yang, Shan Zhong, Shuai Zhang, Chengjie Liu, Xiarun Chen, Weiping Wen","doi":"10.1016/j.cose.2025.104691","DOIUrl":"10.1016/j.cose.2025.104691","url":null,"abstract":"<div><div>Directed greybox fuzzing (DGF) is a security testing technique designed to test specific targets. Current DGF techniques face challenges due to the dynamic nature of indirect calls. The main challenges include mitigating the influence of indirect call omissions and misjudgments on seed guidance and guiding fuzzing on unreliable function call graphs.</div><div>This paper introduces DynamicFuzz, a novel dynamic guidance mechanism that uses the confidence of indirect calls to update the call graph and adjust path priorities during fuzzing. Our key insight is that functions connected by indirect calls tend to form function islands in the call graph. These islands help focus fuzzing on critical areas, improving both guidance efficiency and control over complex program structures. DynamicFuzz also incorporates two depth metrics – function depth and island depth – to better estimate the importance of each path. Based on this, DynamicFuzz employs four guiding strategies: the Target Function Selection Strategy, the Function Island Prioritization Strategy, the High-Confidence Path Prioritization Strategy, and the Deep Indirect Call Prioritization Strategy. These strategies allow DynamicFuzz to guide fuzzing effectively even when the call graph is unreliable. We evaluate DynamicFuzz on 17 benchmarks from three test suites. 
Compared to AFLGo, AFL, and FairFuzz, it reaches target locations 5.64<span><math><mo>×</mo></math></span> , 3.01<span><math><mo>×</mo></math></span> , and 2.89<span><math><mo>×</mo></math></span> faster, and detects target crashes 69.8<span><math><mo>×</mo></math></span> , 48.37<span><math><mo>×</mo></math></span> , and 161.20<span><math><mo>×</mo></math></span> faster, respectively. Additionally, DynamicFuzz discovered 8 CVEs from the real world.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104691"},"PeriodicalIF":5.4,"publicationDate":"2025-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145221382","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Robust continuous authentication via multi-channel photoplethysmography signals: A wearable wristband solution for uncontrolled environments","authors":"Weiguang Wang, Xiao Zhang, Jinlian Du, Wenbing Zhao","doi":"10.1016/j.cose.2025.104686","DOIUrl":"10.1016/j.cose.2025.104686","url":null,"abstract":"<div><div>The increasing prevalence of wearable devices has intensified security demands for robust continuous authentication (CA) systems to safeguard privacy and data integrity. Conventional one-time authentication methods fail to adapt to dynamic user behavior and environmental variations, leaving systems vulnerable to session hijacking and context-aware attacks. CA addresses these vulnerabilities by persistently monitoring biometric traits, thereby enabling adaptive security policies that balance usability and threat mitigation. Photoplethysmography (PPG) signals are uniquely suited for CA due to their non-invasive acquisition, temporal continuity, and anti-spoofing resilience. However, existing PPG-based CA systems rely on datasets collected under controlled conditions, lacking generalizability to real-world dynamics and sufficient security against multi-layer attacks. To tackle these, we propose a secure and robust CA framework leveraging multi-channel PPG signals from wearable wristbands. We first construct a multi-behavioral PPG dataset from 40 participants with 4-channel signals (dual green, red, and infrared light) under diverse activities. Then we design a multi-stage adaptive filtering pipeline that combines cascaded filters with Independent Component Analysis (ICA), effectively suppressing motion artifacts to improve signal quality. An end-to-end security scheme is integrated to ensure security and privacy of PPG data. Finally, we develop a hybrid Inception-LSTM network for authentication. 
Experimental results demonstrate a mean authentication accuracy of 94.89%, outperforming conventional single-channel baselines by 23.28% and exhibiting enhanced robustness against signal distortions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104686"},"PeriodicalIF":5.4,"publicationDate":"2025-09-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268170","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Semi-supervised traceability analysis of investigative scanners of darknet traffic","authors":"Kayumov Abduaziz , Chansu Han , Ji Sun Shin","doi":"10.1016/j.cose.2025.104681","DOIUrl":"10.1016/j.cose.2025.104681","url":null,"abstract":"<div><div>Darknet, an unused IP address space on the Internet, has led to significant research advances in the analyses of global scanning activities, predictions of incoming cyber threats, and the classification of scanning patterns in unsolicited network traffic. However, most darknet traffic research has focused on classification methods that rely on supervised learning, or on unsupervised methods that require further expert effort. To study the applicability of semi-supervision for darknet traffic analysis, we propose a semi-supervised framework that efficiently clusters and classifies scanner behaviors based on existing knowledge for the traceability analysis of investigative scanners on the darknet. The framework utilizes a word embedding model to represent similarly behaving scanners in close proximity in the vector space, followed by a semi-supervised clustering step that incorporates partial labels of known scanners. We validate the framework by combining two publicly available darknet traffic datasets: CAIDA, providing labeled data for semi-supervision, and NICT, that offers a larger set of unlabeled data for analysis. Experimental results demonstrated that integrating semi-supervised learning into darknet traffic analysis improves the interpretability of diverse scanning behaviors and enhances scalability, offering a three-fold speedup in overall runtime compared to the existing sliding window approach. By reducing reliance on fully labeled datasets, the framework facilitates large-scale threat intelligence while allowing for the smooth integration of ever-growing domain knowledge pertaining to darknet traffic. 
Future research can further refine the model by incorporating additional classes of darknet scanners and expanding the applicability of the model to real-time darknet traffic analysis.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104681"},"PeriodicalIF":5.4,"publicationDate":"2025-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145268196","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}