Computers & Security: Latest Publications
A comprehensive bluetooth security audit framework for IoT devices
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-23 DOI: 10.1016/j.cose.2026.104840
L. Kavisankar, Naziya Aslam, Ajay Vemuri, Gadde Jahnavi, Uha Saranya Lavu, Nitesh Kumar Shah, S. Venkatesan

Abstract: Nowadays, individuals and organizations largely use Bluetooth-enabled Internet of Things (IoT) devices for various needs, including critical services. However, some devices bring risk, since they are less secure due to outdated firmware, poor pairing methods, and ineffective service setup. Hence, there is a need for a method to identify such less secure devices in order to make the application and environment secure. Considering these requirements, this paper proposes a comprehensive Bluetooth security audit framework that effectively checks for security issues in Bluetooth-enabled devices. The framework identifies the device's key information, such as the device's operating system type and version, and checks for any known vulnerabilities by mapping them to the Common Vulnerabilities and Exposures (CVEs). The framework also checks whether communication between devices is encrypted or not, determines the distance to the target device by measuring response time, and performs active penetration tests such as Denial of Service (DoS) attacks, Bluejacking, and trust deception. In addition, we implemented a firmware identification module in the audit framework to identify version-specific security vulnerabilities that are often overlooked by regular vulnerability scanners. Our audit results revealed that older Android phones with Bluetooth are relatively easy to hack. The framework's performance evaluation across multiple Bluetooth-enabled IoT devices demonstrates its scalability and practicality in real-world scenarios. The comparison of the proposed framework with existing tools and techniques shows that our proposed framework has greater coverage and is more effective in finding vulnerabilities.

Computers & Security, Volume 164, Article 104840. Journal Article.
Citations: 0
Defending against BLE-based covert channels in crowdsourced location networks
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-22 DOI: 10.1016/j.cose.2026.104835
Hosam Alamleh, Alessandro Cantelli-Forti

Abstract: Crowdsourced location networks turn billions of consumer devices into a global sensor grid for locating lost items, but the same reach enables two systemic abuses: (i) location tracking via beacons that masquerade as "lost tags," and (ii) data exfiltration by embedding short secrets in Bluetooth Low Energy (BLE) advertisements that are relayed forward without inspection. Using Apple's Find My as a case study, we show that covert beacons reliably reach the cloud and then the attacker within minutes due to relay density. We also find that basic single-layer countermeasures such as packet dropping, TCP ACK/RST injection, fixed-delay insertion, or traffic flooding fail under realistic operational conditions. We contribute the first end-to-end experimental evaluation of deployable mitigations that require no vendor changes. Our defense-in-depth design combines: endpoint controls that correlate OS location-service access with immediate BLE advertising and enforce per-process advertising limits; a hybrid perimeter detector that correlates on-host BLE advertisement counts with outbound traffic to crowd-location backends; and physical controls for high-security areas, including exclusion zones of 35 m indoors and 200 m outdoors (line of sight), optionally supported by selective, low-duty RF jamming. For the longer term, we outline protocol changes that vendors can adopt, such as basic beacon admission control and authentication, shorter helper-retention timers, and helper-side quotas. While evaluated on Find My, these findings generalize to crowdsourced location systems built under similar design assumptions.

Computers & Security, Volume 164, Article 104835. Journal Article.
Citations: 0
From attack trees to timed stochastic games: A novel intrusion response approach
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-22 DOI: 10.1016/j.cose.2026.104834
Tommaso Caiazzi, Stefano Iannucci, Valerio Marini, Matteo Foschi, Riccardo Torlone

Abstract: Most dynamic Intrusion Response Systems (IRSs) use models to characterize the attack patterns and the dynamics of the protected system. They are typically based on some mathematical framework and require a low-level modeling activity that is often difficult and error-prone, even for the experienced end-user. Furthermore, most of the model-based approaches proposed so far do not structurally include the notion of time, which is necessary to model non-instantaneous defense and attack actions. In this paper, we introduce a novel methodology for the automatic generation of IRSs based on Timed Competitive Stochastic Games from augmented Attack-Defense Trees (ADT), a formalism that is commonly used to represent attack patterns and to build IRSs based on a static mapping between attack and response. We formally and empirically prove that: (i) using a static mapping between attack and response, or selecting the action with the immediate minimum cost to counter the attack without long-term planning, leads to an underestimation of the defense cost; (ii) the total defense cost of a defense policy obtained with an IRS based on the proposed methodology is lower than or equal to the defense cost that can be obtained with an IRS based on static mapping; (iii) not considering time leads to an underestimation of the defense cost. We then perform experiments showing the scalability of the proposed approach in terms of planning time and memory usage.

Computers & Security, Volume 164, Article 104834. Journal Article.
Citations: 0
A survey of internet censorship and its measurement: Methodology, trends, and challenges
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2025-10-29 DOI: 10.1016/j.cose.2025.104732
Steffen Wendzel, Simon Volpert, Sebastian Zillien, Julia Lenz, Philip Rünz, Luca Caviglione

Abstract: Internet censorship limits the access of nodes residing within a specific network environment to the public Internet, and vice versa. During the last decade, techniques for conducting Internet censorship have been developed further. Consequently, methodology for measuring Internet censorship has been improved as well.

In this paper, we first provide a survey of network-level Internet censorship techniques. Second, we survey censorship measurement methodology. We further cover the censorship of circumvention tools and its measurement, as well as available datasets. In cases where it is beneficial, we bridge the terminology and taxonomy of Internet censorship with related domains, namely traffic obfuscation and information hiding. We further extend the technical perspective with recent trends and challenges, including human aspects of Internet censorship.

Computers & Security, Volume 164, Article 104732. Journal Article.
Citations: 0
Modern web application security in practice: National-scale measurement and managerial insights from Türkiye
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-31 DOI: 10.1016/j.cose.2026.104847
Aydın Erden

Abstract: This research evaluates the gap between web application security best practices and their actual implementation within organizations in Türkiye. A sequential explanatory mixed-methods design used national quantitative mapping to inform a positive deviance case study explaining superior security performance. First, a total of 2463 of the most visited domains in the .tr top-level domain space were evaluated via the Mozilla Observatory tool. The evaluation resulted in an average score of 27.19, with 53% of tested domains receiving a failing 'F' grade. Most often, important security-related elements such as Content Security Policy headers were either non-existent or misconfigured.

Subsequently, a qualitative case study was conducted on a leading organization that had received an 'A+' security grade. Interviews with the organization's Chief Security Officer identified that the organization views regulatory requirements as opportunities to improve their internal processes rather than as burdens. The success of the organization was directly related to having a strong security culture, active senior management engagement, and the incorporation of security into their software development processes.

The frameworks that were utilized in the analysis include Institutional Theory, Resource-Based View, and the Technology-Organization-Environment Framework, to provide a conceptual model of how external influences, internal resources/capabilities, and managerial perceptions/direction combined to achieve superior security results. The results of the study identify the need for increased adoption of both technical solutions and organizational and cultural practices to enhance web application security.

Computers & Security, Volume 164, Article 104847. Journal Article.
Citations: 0
Behavioral interaction identification between safety and security features in safety-critical systems
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-02-01 DOI: 10.1016/j.cose.2026.104846
Priyadarshini, Simon Greiner, Maike Massierer, Oum-El-Kheir Aktouf

Abstract: Due to the shift towards assisted and autonomous driving systems, more safety and security standards are introduced to ensure software quality and reliability. This leads to an increasing number of safety and security features being integrated into these systems, which introduces the challenge of feature interactions. Feature interactions amongst safety and security features are often detected during system integration tests and require fixes that are costly and time-consuming.

We propose the method X-I-FASST to identify interactions amongst safety and security features during the software architectural design phase of a system. In addition, we present a comparison study of three feature interaction identification methods, i.e. the Vogelsang method, the FIISS method, and the X-I-FASST method. The study compares these methods to assess how suitable they are in identifying behavioral interactions between safety and security features modeled in UML-based software architecture models. We perform this study by applying the methods on the UML software architecture model of a real-world driver assistance system. The results show that while two methods effectively detect direct interactions, only one excels in identifying complex indirect interactions. Moreover, we observed that the model quality has a significant impact on the interesting feature interactions found by each method.

Computers & Security, Volume 164, Article 104846. Journal Article.
Citations: 0
SHAPE: An APT detection framework fusing semantic understanding and heterogeneous modeling
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-22 DOI: 10.1016/j.cose.2026.104841
Xiaodan Huang, Guosheng Zhao, Jian Wang, Kaiwen Lou, Zixuan Wan

Abstract: With the increasing complexity of threats in cyberspace, Advanced Persistent Threats (APT) in Industrial Internet of Things (IIoT) environments exhibit stronger, hidden, and persistent characteristics. Existing APT detection methods underutilize node semantic attribute information and lack adaptive modeling capabilities for heterogeneous data, limiting the effectiveness of malicious intent detection. To address this, a framework for detecting APT attacks based on Semantic Heterogeneous Autoencoders with Pre-trained language model Embeddings (SHAPE) is proposed. SHAPE integrates the deep semantic features of nodes extracted by large language models with heterogeneous autoencoders tailored to specific node types, enabling the effective modeling of normal behavior patterns across various node types. Significant deviations of nodes from the semantic-level normal baseline are captured by quantifying the reconstruction error, thereby facilitating the detection of APT attacks. Experimental evaluation on the CICAPT-IIoT (2024) dataset demonstrates that SHAPE significantly outperforms all baseline models, improving the overall node AUC by approximately 5.8% relative to the best baseline; notably, for key node types, the AUC improves by 48.2%. These results validate the effectiveness of the semantic-heterogeneous joint analysis framework. This framework innovatively integrates deep semantic understanding of nodes with adaptive modeling of heterogeneous data, providing a novel paradigm for advanced threat hunting in complex network environments.

Computers & Security, Volume 164, Article 104841. Journal Article.
Citations: 0
DeRed: Enhancing third-party library detection in binaries via deceptive reuse mitigation
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-05-01 Epub Date: 2026-01-31 DOI: 10.1016/j.cose.2026.104844
Shengjia Chang, Shouguo Yang, Xiao Deng, Qi Meng, Dan Wang, Bin Wang, Baojiang Cui, Shaocong Feng, Haoran Yu

Abstract: Third-Party Libraries (TPLs) are widely adopted to accelerate software development by offering reusable components. However, TPL reuse also introduces significant security risks, particularly due to the propagation of vulnerabilities. To address this, TPL detection techniques have been proposed, primarily based on syntactic and semantic feature matching. Despite their effectiveness, these methods overlook the directionality of code reuse, often leading to false positive vulnerability reports.

To overcome this limitation, this paper introduces the concept of deceptive reuse (a misleading reuse relationship between recipient software that share common TPL code) and proposes a novel approach, DeRed, to enhance TPL detection by distinguishing between real reuse and deceptive reuse. DeRed exploits key differences between donor code areas (TPL) and recipient code areas (software) in terms of function call graph centrality and connectivity to exported functions. It further introduces algorithms to quantify these differences for accurate reuse classification. Additionally, to achieve efficient and scalable homologous code matching, DeRed integrates a Markov matrix and MobileNet for function matching, combined with Graph Convolutional Networks operating on Attributed Function Call Graphs for area alignment. Experimental results demonstrate that DeRed effectively distinguishes between real and deceptive reuse, significantly outperforming existing TPL detection methods. Furthermore, its core components exhibit strong robustness across different architectures and compiler optimization levels. A real-world case study comparing DeRed with the commercial Software Composition Analysis tool, BinaryAI, demonstrates that DeRed outperforms BinaryAI in mitigating deceptive reuse, thereby significantly reducing false positives during vulnerability detection. The source code is available at https://github.com/kitsch0x97/dered-artifacts.

Computers & Security, Volume 164, Article 104844. Journal Article.
Citations: 0
Cybersecurity optimization in supply chains under propagated cyberattacks
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-04-01 Epub Date: 2026-01-05 DOI: 10.1016/j.cose.2025.104820
Tadeusz Sawik

Abstract: A novel mixed integer nonlinear programming model is developed for cybersecurity optimization in the supply chain exposed to combined direct and propagated cyberattacks. Given a limited budget for cybersecurity investments and a set of available security controls, the problem objective is to select for each node a subset of controls to minimize the breach probability of the most vulnerable attack path to a target node. Using a network transformation, Taylor series approximation of the natural logarithm and applying duality theory, the nonlinear model is replaced by a mixed integer linear program. The results of computational experiments are provided, and approximated and exact solutions are compared. This study's contribution and novelty lie in the explicit equalization of cybersecurity vulnerabilities in supply chains under combined cyberattacks, using the developed linearization techniques. The findings indicate that for the minimax objective function, cybersecurity vulnerabilities of all nodes can be significantly reduced and equalized, and that the Taylor approximation of the nonlinear formula for the combined direct and propagated breach probability is very accurate. The proposed approach proves to be computationally efficient for cybersecurity optimization in large-scale multi-tier supply chain networks.

Computers & Security, Volume 163, Article 104820. Journal Article.
Citations: 0
The modern cybersecurity analyst: An international position analysis
IF 5.4, CAS Zone 2, Computer Science
Computers & Security Pub Date: 2026-04-01 Epub Date: 2026-01-02 DOI: 10.1016/j.cose.2026.104825
Christopher A Ramezan, Mohammad J. Ahmad, Ludwig Christian Schaupp, Frank W. Hatten, Michael A. Starling

Abstract: The cybersecurity analyst is one of the most common positions within the cybersecurity domain and forms the backbone of many organizations' cybersecurity operations. Despite its importance, the position remains broad in scope and inconsistently defined across industry, with variability in titles, qualifications, and responsibilities. To provide a better understanding of the role, this study provides a global, position-level examination of the cybersecurity analyst through an empirical analysis of 725 job postings from 47 nations. Using a mixed-method approach, including manual coding, descriptive statistics, term frequency inverse document frequency (TF-IDF) analysis, named entity recognition (NER), and latent Dirichlet allocation (LDA), we explore the required qualifications, technical competencies, and operational responsibilities associated with the role. Results show that over 83% of positions required prior professional experience, while a higher education degree and possession of an industry certification were also highly desired, and were listed on 71% and 61% of positions, respectively. Surprisingly, soft communication skills and knowledge of industry standards and frameworks were highly desired and were a more frequent requirement than programming skills and knowledge of networking protocols, indicating a balanced demand for both technical proficiency and non-technical skills. Over 350 individual software tools and 123 different standards/frameworks were mentioned by employers, highlighting the diverse range of security tools and platforms used within industry. Job duties crossed several NICE Cybersecurity Workforce Framework categories, such as protection and defense, governance, incident response, and vulnerability management, highlighting the heterogeneous nature of the position. We also found several positions with unrealistic or mismatched requirements, including entry-level job postings requiring senior-level certifications, which can impede successful recruitment. Synthesizing these results, we further identify five recurring cybersecurity analyst job profiles that represent empirically derived types of analyst roles, offering a structured and actionable representation of how analyst responsibilities are configured in practice. Recommendations include aligning academic programs to industry certifications, combining technical and soft skill development, and increasing experiential learning opportunities to assist graduates with meeting position experience requirements. Employers are encouraged to ensure that position responsibilities are not overly broad, align position descriptions with operational requirements, and balance requirements with position expectations. Given the current wide diversity of the role, academia, industry, and professional organizations should focus on greater standardization of the role, which could streamline hiring, reduce barriers to entry, narrow the cyber skills gap, and better align educati

Computers & Security, Volume 163, Article 104825. Journal Article.
Citations: 0