Computers & Security最新文献

{"title":"Penterep: Comprehensive penetration testing with adaptable interactive checklists","authors":"Willi Lazarov ,&nbsp;Pavel Seda ,&nbsp;Zdenek Martinasek ,&nbsp;Roman Kummel","doi":"10.1016/j.cose.2025.104399","DOIUrl":"10.1016/j.cose.2025.104399","url":null,"abstract":"<div><div>In the contemporary landscape of cybersecurity, the importance of effective penetration testing is underscored by NIS2, emphasizing the need to assess and demonstrate cyber resilience. This paper introduces an innovative approach to penetration testing that employs interactive checklists, supporting both manual and automated tests, as demonstrated within the Penterep environment. These checklists, functioning as a quantifiable measure of test completeness, guide pentesters through methodological testing, addressing the inherent challenges of the security testing domain. While some may perceive a limitation in the dependency on predefined checklists, the results from a presented case study underscore the criticality of methodological testing. The study reveals that relying solely on fully automated tools would be inadequate to identify all vulnerabilities and flaws without the inclusion of manual tests. Our innovative approach complements established methodologies, such as PTES, OWASP, and NIST, providing crucial support to penetration testers and ensuring a comprehensive testing process. Implemented within the Penterep environment, our approach is designed with deployment flexibility (both on-premises and cloud-based), setting it apart through an overview comparison with existing tools aligned with state-of-the-art penetration testing approaches. This flexible and scalable approach effectively bridges the gap between manual and automated testing, meeting the increasing demands for effectiveness and adaptability in penetration testing.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104399"},"PeriodicalIF":4.8,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143643573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Systematic analysis of security advice on the topic of insider threats","authors":"Andrew Stewart,&nbsp;Christopher Hobbs","doi":"10.1016/j.cose.2025.104411","DOIUrl":"10.1016/j.cose.2025.104411","url":null,"abstract":"<div><div>Insider threats are an important and enduring security challenge. As a consequence, a number of organizations such as government agencies, research institutions, trade groups, and other parties have published documents containing advice on the topic of insider threats. Here, we provide an evaluation of such advice documents. We employ the relatively new SAcoding (security advice coding) methodology to perform a systematic analysis. This approach enables us both to assess the advice documents and to provide feedback on the use of SAcoding for a novel category (advice intended specifically for organizations), and for a novel topic (advice on the topic of insider threats). We find that 62.5% of 424 advice items extracted from six source documents are actionable, but the per-document proportion of actionable advice ranges substantially from 85.4% to just 35.1%. This finding suggests that organizations may incur opportunity costs by engaging with documents that offer little actionable advice. We also find that organizations may struggle to apply the published guidance, due to the high quantity of advice and the high portion of advice that requires specialist expertise. We use these and other findings to deliver a practical framework that provides guidance for the authors of advice documents, and for organizations seeking advice on the topic of insider threats. Additionally, we provide feedback on various aspects of the SAcoding method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104411"},"PeriodicalIF":4.8,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706519","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Investigating the experiences of providing cyber security support to small- and medium-sized enterprises","authors":"Neeshe Khan ,&nbsp;Steven Furnell ,&nbsp;Maria Bada ,&nbsp;Matthew Rand ,&nbsp;Jason R.C. Nurse","doi":"10.1016/j.cose.2025.104448","DOIUrl":"10.1016/j.cose.2025.104448","url":null,"abstract":"<div><div>Small- and Medium-Sized Enterprises or SMEs comprise of 99.9 % of all businesses in the UK and make a significant contribution the overall economy. In UK's path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: (1) understand the various types of support offered by providers; (2) topics for which support is sought and the circumstances that trigger the need for assistance; and (3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant's experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104448"},"PeriodicalIF":4.8,"publicationDate":"2025-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684107","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"SecRASP: Next generation web application security protection methodology and framework","authors":"Chenggang He ,&nbsp;Chris H.Q. Ding","doi":"10.1016/j.cose.2025.104445","DOIUrl":"10.1016/j.cose.2025.104445","url":null,"abstract":"<div><div>Currently, Web applications are encountering unprecedented security threats from various types of attacks, such as SQL injection, XSS cross-site scripting attacks, Webshell attacks, and increasingly prominent 0-day security vulnerabilities and other serious threats, the security of Web applications is directly related to the normal order of society and national security and other important aspects. However, the current Web application security protection methods and tools are easy to bypassed by security attacks, have high false positives, and are cumbersome to configure, are unable to protect efficiently against the growing application demands and the increasingly complicated malicious attacks. In this regard, the SecRASP high-performance application security protection method and framework based on RASP are proposed to solve the current Web application security protection problems such as low accuracy, inability to quickly block 0-day security holes, and serious impact on the performance of Web applications and other \"choke points\". Experimental results show that in terms of security attack protection accuracy, SecRASP's security protection accuracy reaches 100 %, while Baidu OpenRASP's security protection accuracy is only 77.60 %; in terms of the impact on the performance of the protected application, SecRASP's impact on the performance of the application is minimal, compared to the OpenRASP in the CPU utilization rate, memory utilization rate, the performance of the protected application is reduced by 5.2 %.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104445"},"PeriodicalIF":4.8,"publicationDate":"2025-03-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143642683","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"LowPTor: A lightweight method for detecting extremely low-proportion darknet traffic","authors":"Qiang Zhang,&nbsp;Cheng Huang,&nbsp;Jiaxuan Han,&nbsp;Shuyi Jiang,&nbsp;Jiayong Liu","doi":"10.1016/j.cose.2025.104420","DOIUrl":"10.1016/j.cose.2025.104420","url":null,"abstract":"<div><div>The darknet’s accessibility has increased significantly in recent years, making it more susceptible to exploitation by cybercriminals. The darknet’s inherent characteristics of high concealment, strong anonymity, and resistance to tracing have created a fertile ground for illicit activities, which are becoming increasingly prevalent. Deep learning models’ complex computations in high-dimensional feature spaces result in significant computational overhead and prolonged inference times, hindering their deployment in backbone networks where real-time detection is crucial. Dealing these challenges requires innovative solutions for efficient traffic sampling, feature engineering, model simplification, memory optimization and inference acceleration. Therefore, this paper introduces a collaborative filtering algorithm, an extensible channel-wise feature group, and a lightweight detection algorithm, designed to optimize performance through operator fusion and channel alignment. The proposed algorithm combines the advantages of lightweight CNNs (Convolutional Neural Networks), leverages GPU (Graphics Processing Unit) parallelism, and reduces memory allocation overhead, resulting in a CUDA (Compute Unified Device Architecture) core-optimized neural network model that achieves significant inference speedup. We utilize extensible channel-wise feature group derived from short traffic packet sequences to improve detection accuracy. Our approach targets the detection and prevention of illicit darknet traffic during the connection phase, rather than interfering with data transmission. By integrating rule-based filtering with small flow sampling within collaborative filtering, we facilitate early detection while maintaining minimal complexity overhead. To the best of our knowledge, the methodology proposed in this paper is the first to be designed based on operator fusion and channel alignment strategies, specifically aimed at detecting extremely low-proportion darknet traffic within backbone networks. Our approach synthesizes three extremely low-proportion darknet traffic datasets, utilizing the self-built, CIC-Darknet2020, and TCUB datasets as Tor sources. Notably, our approach achieves a 45.79% reduction in actual inference time compared to current state-of-the-art (SOTA) method, while maintaining SOTA detection accuracy. Furthermore, our method exhibits the capability to filter out up to 91.26% (with a minimum of 78.01%) of the packets to be processed, without compromising any flows.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104420"},"PeriodicalIF":4.8,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143642693","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A novel symbolic model for analyzing Internet of Things protocols based on event logic","authors":"Zehuan Li ,&nbsp;Meihua Xiao ,&nbsp;Yangping Xu ,&nbsp;Fangping Chen ,&nbsp;Huaibin Shao ,&nbsp;Sufen Yan","doi":"10.1016/j.cose.2025.104440","DOIUrl":"10.1016/j.cose.2025.104440","url":null,"abstract":"<div><div>The unique characteristics of the Internet of Things (IoT) make IoT protocols more vulnerable to security risks compared to traditional security protocols. Formal methods are widely used to analyze and verify the security properties of IoT protocols, but existing methods often fail to address the special security mechanisms required in the complex IoT network environment. A novel symbolic model based on event logic is proposed to implement the comprehensive analysis of secure IoT protocols. The model enhances the description of message flow and match, while also extending the inference capabilities of equivalence and injectivity. Aiming at the pre-shared key, cookie, raw public key, and certificate authority in the IoT protocols, a proof system of the model is proposed to prove the security properties of these mechanisms. To improve efficiency, the match buffer reduction method is also presented to eliminate the redundant proof steps. Formal analysis and verification of protocols, including DTLS, SRTP, CoAP, and PUF, uncover several attacks that violate security properties. The results reveal that the proposed symbolic model is an effective method for the formal analysis and proof of IoT protocols.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104440"},"PeriodicalIF":4.8,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143683677","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Transformer-based knowledge distillation for explainable intrusion detection system","authors":"Nadiah AL-Nomasy ,&nbsp;Abdulelah Alamri ,&nbsp;Ahamed Aljuhani ,&nbsp;Prabhat Kumar","doi":"10.1016/j.cose.2025.104417","DOIUrl":"10.1016/j.cose.2025.104417","url":null,"abstract":"<div><div>The rapid expansion of IoT networks has increased the risk of cyber threats, making intrusion detection systems (IDS) critical for maintaining security. However, most of the existing IDS rely on computationally intensive deep learning architectures, rendering them unsuitable for IoT environments with limited resources. Additionally, existing IDS approaches, including those using Knowledge Distillation (KD), often fail to capture the complex temporal dependencies and contextual relationships inherent in IoT traffic, which limits their ability to detect complex multi-stage attacks. Furthermore, these models frequently lack transparency, hindering effective decision-making by security experts. To address these gaps, we propose DistillGuard, a novel IDS framework designed specifically for IoT networks. The proposed framework employs a Transformer-based teacher model, which utilizes a hybrid attention mechanism combining multi-head self-attention (MHSA) and cross-attention layers to effectively capture both temporal and contextual patterns in network traffic. The framework further incorporates a Selective Gradient-Based Knowledge Distillation (SG-KD) process to transfer critical knowledge from the teacher model to a lightweight student model, optimizing performance while reducing computational costs. In addition, ‘DistillGuard’ integrates gradient contribution heatmaps, layer-wise contribution, and gradient selection impact analysis to provide detailed explanability, enabling security experts to understand which layers contribute to the detection of attacks. Experimental results demonstrate that ‘DistillGuard’ achieves superior detection accuracy and efficiency compared to existing state-of-the-art IDS models.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104417"},"PeriodicalIF":4.8,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143643572","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Surf-Snooping: USB crosstalk leakage attacks on wireless charging","authors":"Yue Hou ,&nbsp;Xinyan Zhou ,&nbsp;Huakang Xia ,&nbsp;Jian Wang ,&nbsp;Haiming Chen","doi":"10.1016/j.cose.2025.104412","DOIUrl":"10.1016/j.cose.2025.104412","url":null,"abstract":"<div><div>Various mobile devices such as smartphones, tablets, and computers have been increasingly incorporated with wireless charging technology. Nevertheless, this widespread adoption of wireless chargers has raised substantial concerns regarding privacy and security. The Universal Serial Bus (USB), serving as the primary power supply port, is widely acknowledged as a significant source of privacy vulnerabilities. This article introduces Surf-Snooping, a side-channel attack that is aimed at exploiting vulnerabilities in wireless charging systems. Through monitoring the voltage fluctuations of a nearby USB charging port, an attacker can eavesdrop on the detailed activities and operations that are happening during smartphone charging (e.g., PIN code and text input), even without engaging in data communication. With a trained model, Surf-Snooping exhibits a 100% accuracy on device model identification, while the activity recognition accuracy can reach up to 86.7%, 89.9%, and 81.7% for password recognition, application identification, and keystroke inference, respectively. It is noteworthy that Surf-Snooping achieves accuracies of 92.3%, 98%, and 94.5% for the three types of activity categorization when the phone is fully charged. We also validate the privacy leakage risk of Surf-Snooping with different scenarios, and our work reveals an inherent flaw in the current implementation of wireless charging systems. It provides enhanced obfuscation and stability, requires no physical interference with the charging infrastructure, and remains effective throughout the entire charging cycle.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104412"},"PeriodicalIF":4.8,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143642682","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"LinTracer: An efficient tracking system for cyberattack chains fusing entity and event semantics","authors":"Tiantian Zhu ,&nbsp;Wenya He ,&nbsp;Tieming Chen ,&nbsp;Jiabo Zhang ,&nbsp;Mingqi Lv ,&nbsp;Hongmei Li ,&nbsp;Aohan Zheng ,&nbsp;Jie Zheng ,&nbsp;Mingjun Ma ,&nbsp;Xiangyang Zheng ,&nbsp;Zhengqiu Weng ,&nbsp;Shuying Wu","doi":"10.1016/j.cose.2025.104413","DOIUrl":"10.1016/j.cose.2025.104413","url":null,"abstract":"<div><div>With the rapid development of information technology, advanced persistent threat (APT) attacks are becoming increasingly prevalent. This form of attack is known for its persistence, diversity, and stealth, and it results in serious security threats and economic losses for various organizations and institutions. In the face of this threat, tracing the attack chain (i.e., attack investigation) is critical to understanding the attacker’s behavior, identifying attack methods and patterns, and taking appropriate defensive measures. However, the current APT attack investigation techniques suffer from insufficient audit log refinement, attack entrance location difficulties, and attack path tracking accuracy challenges. In this paper, we propose LinTracer, which is an efficient attack investigation system based on the ATT&amp;CK attack model for Linux systems that fuses entity and event semantics for cyber-attack chains. First, an auditing mechanism is used to stably collect the kernel data of the target operating system, and data compression techniques are used to refine the log data and reduce the overhead imposed by the attack investigation system. Second, a backward causal analysis is performed from the alarm point to construct a suspicious provenance graph. LinTracer extracts the features used to distinguish between attack events and benign events, calculates the feature scores of the events, and then uses the backward propagation algorithm to propagate the dependency scores backward from the alarm point to identify the attack entry points. Finally, entity semantic labels are designed based on the ATT&amp;CK framework to perform forward label propagation on the attack entry points, ultimately enabling an effective attack investigation. The experimental results derived from laboratory tests and DARPA Engagement (approximately 64 million auditing events obtained from real systems) show that LinTracer has good real-time performance and can accurately identify attack chains.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104413"},"PeriodicalIF":4.8,"publicationDate":"2025-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143609225","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Data-free fingerprinting technology for biometric classifiers","authors":"Ziting Ren ,&nbsp;Yucong Duan ,&nbsp;Qi Qi ,&nbsp;Lanhua Luo","doi":"10.1016/j.cose.2025.104386","DOIUrl":"10.1016/j.cose.2025.104386","url":null,"abstract":"<div><div>Deep neural networks (DNNs) for biometrics represent the intellectual property of model owners due to the extensive biometric data and significant computing resources required for training them. However, existing technologies for protecting the intellectual property of DNNs are primarily tailored for general tasks and often fail to account for the unique characteristics of DNNs for biometrics. Consequently, these technologies have limitations as they may increase data costs. This is because they typically require additional data samples to construct pairs that can be used for verifying intellectual property. Given the heightened privacy concerns and the challenging nature of acquiring authorized biometric data, addressing the issue of increased data costs is paramount in biometric model intellectual property protection technology. To address this challenge, we introduce MGIP (Multi-Generator Intellectual Property protection), a novel data-free fingerprinting framework specifically designed for biometric classifiers. Our key technology innovations include: (1) a collaborative multi-generator architecture that creates a variety of fingerprints without external data, (2) an adaptive threshold strategy that dynamically adjusts verification criteria, and (3) a robust fingerprint selection that ensures reliable ownership verification. In our empirical evaluation, we conduct an ablation study using three state-of-the-art technologies and six datasets, including three general datasets and three biometric datasets. Our comparative analysis demonstrates that MGIP consistently outperforms three state-of-the-art technologies in accurately identifying pirated models.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104386"},"PeriodicalIF":4.8,"publicationDate":"2025-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143600828","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}