{"title":"Identifying communication sequence anomalies to detect DoS attacks against MQTT","authors":"Munmun Swain , Nikhil Tripathi , Kamalakanta Sethi","doi":"10.1016/j.cose.2025.104526","DOIUrl":"10.1016/j.cose.2025.104526","url":null,"abstract":"<div><div>Internet of Things (IoT) application layer protocols govern how applications running on IoT devices communicate and exchange data with each other. One popular IoT application layer protocol is the Message Queue Telemetry Transport (MQTT). It works on the publish–subscribe network model, allowing resource-constrained IoT devices to communicate with minimal bandwidth and computational power. Recently, a few works discussed DoS/DDoS attacks against the MQTT protocol, such as Basic CONNECT Flooding, Delay CONNECT Flooding, Invalid Subscription Flooding, CONNECT Flooding with WILL Payload and TCP SYN Flooding exploitation. However, the known defense approaches cannot detect all categories of DoS/DDoS attacks against MQTT. To bridge this research gap, we propose a detection approach in this paper that identifies anomalies in the MQTT communication sequence to detect anomalous requests. We test the proposed approach on a recent DoS/DDoS-MQTT-IoT dataset containing the traces of different DoS/DDoS attacks against the MQTT protocol. The experimental findings demonstrate that the approach can accurately detect malicious MQTT requests in real-time with slight overhead on computational resources.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104526"},"PeriodicalIF":4.8,"publicationDate":"2025-05-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144189298","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Prediction and graph visualization of cyber attacks using graph attention networks","authors":"Mucahit Soylu , Resul Das","doi":"10.1016/j.cose.2025.104534","DOIUrl":"10.1016/j.cose.2025.104534","url":null,"abstract":"<div><div>This study proposes a hybrid approach for visualizing cyberattacks by combining the deep learning-based GAT model with JavaScript-based graph visualization tools. The model processes large, heterogeneous data from the UNSW-NB15 dataset to generate dynamic and meaningful graphs. In the data cleaning phase, missing and erroneous data were removed, unnecessary columns were discarded, and the data was transformed into a format suitable for modeling. Then, the data was converted into homogeneous graphs, and heterogeneous structures were created for analysis using the GAT model. GAT prioritizes relationships between nodes in the graph with an attention mechanism, effectively detecting attack patterns. The analyzed data was then converted into interactive graphs using tools like SigmaJS, with attacks between the same nodes grouped to reduce graph complexity. Users can explore these dynamic graphs in detail, examine attack types, and track events over time. This approach significantly benefits cybersecurity professionals, allowing them to better understand, track, and develop defense strategies against cyberattacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104534"},"PeriodicalIF":4.8,"publicationDate":"2025-05-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144147183","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ADVANCED ATTACK MITIGATION IN IOT GATEWAY PROTOCOLS","authors":"K. Praveen Kumar , Dr. N. Suresh Kumar","doi":"10.1016/j.cose.2025.104539","DOIUrl":"10.1016/j.cose.2025.104539","url":null,"abstract":"<div><div>With the increasing number of users on the internet, numerous cyberattacks are becoming more and more common. Proper detection of these attacks by Intrusion Detection Systems (IDS) is extremely important, particularly for IoT networks. Deep learning methods have proved to be very promising for enhancing IDS performance. This paper presents an end-to-end system for attack detection and prevention in IoT networks with the use of data augmentation, preprocessing, feature extraction, and deep machine learning algorithms. The class imbalance is resolved using the Enhanced Synthetic Minority Over-Sampling Technique (ESMOTE), and preprocessing operations normalize and clean the data for improved model performance. Feature extraction involves statistical features and Shannon entropy-based features, which are fused and sent through a feature selection process. A new 2D-LICM hyper-chaotic map combined with Walrus Optimization (2D-LICMHy-CM_WO) is used to enhance feature selection through enhanced search diversity, convergence rate, and eliminating redundancy. The Dense Convolutional Spatial Attention-based Enhanced Bi-GRU (DCSAtten_EBi-GRU) effectively extracts attack pattern dependencies for precise detection, and an Enhanced Double Deep Q-Learning Network (DoubleDQN) offers dynamic adaptive real-time countermeasures. Experimental findings prove that the proposed solution can obtain a 99.6% detection accuracy with an F1-score of 0.98 and outperforms current IDS models in false positive rate and detection time.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104539"},"PeriodicalIF":4.8,"publicationDate":"2025-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144230695","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Enhancing encrypted traffic analysis via source APIs: A robust approach for malicious traffic detection","authors":"Wanshuang Lin , Chunhe Xia , Tianbo Wang , Mengyao Liu , Yang Li","doi":"10.1016/j.cose.2025.104529","DOIUrl":"10.1016/j.cose.2025.104529","url":null,"abstract":"<div><div>The widespread adoption of encryption protocols has increased the complexity of detecting malicious Android traffic. By randomizing payload content, encryption obscures semantically explicit features in network traffic, thereby concealing its behavioral intent. Although existing methods mitigate this issue by expanding feature sets or extracting spatiotemporal patterns, they do not fundamentally reconstruct the original payload semantics. In this paper, we propose RATD, a detection model that enhances encrypted traffic representation by introducing semantics of source-APIs. This approach leverages the correlation between system API calls made prior to traffic transmission (referred to as source APIs) and the behavioral intent within encrypted traffic, thereby compensating for semantic loss. First, we construct API-traffic association samples by monitoring network connection APIs. Then, we transform the API sequences into graphs and apply a Graph Convolutional Network (GCN) to learn their structural and semantic representations. These features are fused with corresponding traffic features through a multi-source encoder module. Finally, to address the challenges of limited data availability in real-world deployment, we introduce a representation enhancement module to improve model’s robustness in scenarios with missing data. Experimental results show that RATD is significantly better than the state-of-the-art models across multiple datasets. In particular, in scenarios with missing API data, the accuracy of our model decreases by at most 2.9%, showing a stronger environmental adaptability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104529"},"PeriodicalIF":4.8,"publicationDate":"2025-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144134966","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DISTR: Detecting multi-stage IoT botnets through contextual traffic and causal analytics","authors":"Fanchao Meng, Jiaping Gui , Futai Zou, Yunbo Li, Yue Wu","doi":"10.1016/j.cose.2025.104531","DOIUrl":"10.1016/j.cose.2025.104531","url":null,"abstract":"<div><div>The proliferation of Internet of Things (IoT) devices has introduced more vulnerabilities that can be exploited by cyber attacks, such as botnets. It is imperative to detect these attacks to prevent significant damage. However, existing solutions fail to meet both the efficacy and interpretability goals demanded in the real world. By analyzing the traffic patterns of normal IoT networks and attack traffic, we observe that (1) IoT devices with similar traffic patterns exhibit clustering tendencies; (2) the attack starts with one IoT device as a foothold, then moves to other devices, which proceeds in a progressive manner. Based on these insights, we propose DISTR, a novel framework that detects and validates malicious activities on an IoT device by analyzing behaviors of other devices within the same cluster in the network, which improves the detection accuracy. In addition, by causally correlating anomalies, DISTR is able to reconstruct the progression of IoT botnets. Our evaluations on public datasets, along with those collected from real IoT devices, show that DISTR achieves the detection of IoT attacks accurately, on average with a precision and F1 score of 99.1% and 99.3%, respectively on various attack scenarios, outperforming the state-of-the-art solutions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104531"},"PeriodicalIF":4.8,"publicationDate":"2025-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144130964","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Retraction notice to “I Recognize you by Your Steps: Privacy Impact of Pedometer Data” [Computers & Security 124 (2022) 102994]","authors":"Aljoscha Dietrich , Kurunandan Jain , Georg Gutjahr , Bianca Steffes , Christoph Sorge","doi":"10.1016/j.cose.2025.104505","DOIUrl":"10.1016/j.cose.2025.104505","url":null,"abstract":"<div><div>This article has been retracted: please see Elsevier Policy on Article Withdrawal <span><span>https://www.elsevier.com/locate/withdrawalpolicy</span></span>.</div><div>This article has been retracted at the request of the Editor-in-Chief.</div><div>The authors found that there is a mistake in the code of the article, and the correction of this mistake leads to significant changes in the overall results, and it has therefore been decided to retract the article. The scientific community takes a very strong view on this matter and apologies are offered to readers of the journal that this was not detected during the submission process.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104505"},"PeriodicalIF":4.8,"publicationDate":"2025-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144184643","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A uniform assessment of host-based intrusion detection data sets","authors":"Kevin Bergner, Dieter Landes","doi":"10.1016/j.cose.2025.104503","DOIUrl":"10.1016/j.cose.2025.104503","url":null,"abstract":"<div><div>A crucial element for the evaluation of host-based intrusion detection systems is the selection of appropriate host data sets. Due to the variations in the characteristics used to describe the individual data sets, it can be challenging to compare and select suitable host data for this purpose. To assist researchers with this endeavor, we compiled 23 properties that can be used to uniformly assess data sets regarding their usefulness in evaluating HIDS. To emphasize the applicability of the properties, we applied them to 15 public host data sets, which were identified based on a systematic literature review. This work offers a baseline for the comparability of multiple host data sets used to evaluate host-based intrusion detection systems. Finally, we also provide recommendations to researchers for generating more comparable HIDS evaluation data in the future.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104503"},"PeriodicalIF":4.8,"publicationDate":"2025-05-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144189299","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ASIRDetector: Scheduling-driven, asynchronous execution to discover asynchronous improper releases bug in linux kernel","authors":"Jianzhou Zhao, Qiang Wei, Xingwei Li, Yunchao Wang, Xixing Li","doi":"10.1016/j.cose.2025.104530","DOIUrl":"10.1016/j.cose.2025.104530","url":null,"abstract":"<div><div>Asynchronous operations are the cornerstone of modern operating systems, enabling high-performance task scheduling and efficient resource management. However, if the asynchronous mechanism releases resources at incorrect times, it will pose significant security risks to the Linux kernel, such as high-risk vulnerabilities like use-after-free and null pointer dereferencing. Due to the indirect triggerability of asynchronous operations by users, existing methods for detecting kernel concurrency vulnerabilities are ineffective in identifying bugs arising from improper asynchronous resource releases.</div><div>In this paper, we present a method named ASIRDetector, which adopts a schedule-driven asynchronous execution control strategy to address the aforementioned challenges through a combination of static analysis and dynamic fuzz testing. Our method models the mainstream asynchronous mechanisms in the kernel and their entry points to ensure that dynamic fuzz testing is guided towards high-risk areas where such errors can be triggered. Additionally, we implement a deterministic thread control technique that precisely orchestrates the interleaving of asynchronous and regular instructions to maximize the detection of asynchronous concurrency errors.</div><div>We have developed a prototype of ASIRDetector, which successfully detected all 14 vulnerabilities in the test set, surpassing the performance of the current state-of-the-art methods. More notably, ASIRDetector discovered 15 unique bugs in Linux kernel version 6.9-rc7, highlighting its effectiveness in uncovering asynchronous improper release vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104530"},"PeriodicalIF":4.8,"publicationDate":"2025-05-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144147184","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Shadow information security practices in organizations: The role of information security transparency, overload, and psychological empowerment","authors":"Duy Dang-Pham , Nik Thompson , Atif Ahmad , Sean Maynard","doi":"10.1016/j.cose.2025.104538","DOIUrl":"10.1016/j.cose.2025.104538","url":null,"abstract":"<div><div>Employees are both the first line of defense in organizations and a significant source of vulnerability. Behavioral research in information security (InfoSec) has predominantly studied the compliance of employees with organizational directives. Less understood are ‘shadow security practices’ – a related category of behavior where employees adopt InfoSec workarounds, albeit to still comply with organizational security needs. We develop a model of the antecedents of employees’ intentions to engage in shadow security practices and empirically test our model through a sample of 433 office workers. Results of our structural equation modeling analysis reveal that both <em>InfoSec overload</em> and <em>psychological empowerment</em> increase intentions to adopt shadow security measures, whereas <em>perceived transparency of organizational InfoSec</em> (through InfoSec communication) reduces this intention. Furthermore, we find that these constructs are interrelated and that <em>InfoSec overload</em> can be increased by both <em>psychological empowerment</em> and <em>InfoSec transparency</em>. Our study develops the theoretical understanding of the important yet under-researched concept of shadow security and presents practical recommendations to effectively manage organizational InfoSec through these factors.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104538"},"PeriodicalIF":4.8,"publicationDate":"2025-05-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144139360","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CNN-AutoMIC: Combining convolutional neural network and autoencoder to learn non-linear features for KNN-based malware image classification","authors":"Simone Andriani , Stefano Galantucci , Andrea Iannacone , Antonio Maci , Giuseppe Pirlo","doi":"10.1016/j.cose.2025.104507","DOIUrl":"10.1016/j.cose.2025.104507","url":null,"abstract":"<div><div>Malware refers to malicious software or a component of software intended for malicious purposes. The manual analysis and detection of malicious software is challenging due to its complexity. Thus, several automated solutions have become popular for real-time malware detection. A spread-out approach consists of generating images from the samples bytecode and giving them to convolutional neural networks (CNNs), which are used either as classifiers or feature extractors for further classification algorithms. These systems perform extremely well when trained and tested on partitions of the same dataset. However, cross-dataset tests and malware detection verification on emerging real-world samples are required in the real-world context. This is a crucial challenge when probing the robustness of the systems and models. This paper proposes CNN-AutoMIC, a robust automated approach to extract features from malware images. CNN-AutoMIC employs a specific CNN architecture to extract features, followed by an autoencoder-based compressor that reduces features to two fundamental components. The two-dimensional projection of these components is the basis of the predictions performed by the K-nearest neighbors (K-NN) algorithm. Moreover, the observable placement of new samples on the obtained scatter plot makes it possible to explain why the AI-based system produced a certain prediction. It was benchmarked against several CNN-based models and a Vision Transformer. They were trained on the Malevis dataset and cross-dataset evaluated on four different real-world datasets. CNN-AutoMIC outperformed the competitors for each classification performance metric, while requiring a reasonable training and prediction time. In addition, it achieves a promising Akaike information criterion (AIC) score, indicating its efficiency in terms of model complexity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104507"},"PeriodicalIF":4.8,"publicationDate":"2025-05-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144105798","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}