Computers & Security最新文献

{"title":"RADIANT: Reactive Autoencoder Defense for Industrial Adversarial Network Threats","authors":"Irfan Khan,&nbsp;Syed Wali,&nbsp;Yasir Ali Farrukh","doi":"10.1016/j.cose.2025.104403","DOIUrl":"10.1016/j.cose.2025.104403","url":null,"abstract":"<div><div>Machine learning-based Intrusion Detection Systems (IDS) have significantly enhanced operational efficiency in Industrial Control Systems (ICS), but they face a growing threat from Adversarial Machine Learning (AML) attacks. These attacks exploit vulnerabilities in IDS, leading to delayed threat detection, infrastructure compromise, financial losses, and service disruptions. Traditional approaches, such as adversarial retraining, are not only resource-intensive but also suffer from limited generalization, as they rely on training models with specific adversarial samples. Given the constantly evolving nature of adversarial attacks, it is impractical to train on all possible attack variations, leaving systems vulnerable to new and unforeseen threats. To address these limitations, this paper introduces Reactive Autoencoder Defense for Industrial Adversarial Network Threats (RADIANT), a novel IDS that mitigates adversarial threats without relying on retraining. By reconstructing input data and analyzing three distinct reconstruction errors, RADIANT effectively reduces the impact of adversarial perturbations. To evaluate RADIANT’s performance, we used a comprehensive assessment framework that compared it against state-of-the-art defenses and undefended baseline classifiers on real-world ICS data. The evaluation included advanced adversarial attacks, such as HopSkipJump and Zeroth-Order Optimization (ZOO), conducted under gray-box conditions. During ZOO attacks, RADIANT achieved an F1 score of 85.9%, significantly outperforming the baseline classifier’s 17.1% and demonstrating its robustness against adversarial threats. Similarly, under HopSkipJump attacks, RADIANT maintained a strong F1 score of 91.4%, far exceeding the baseline’s 20.5%. Additionally, when compared to state-of-the-art proactive defenses based on adversarial training, RADIANT consistently delivered a superior balance of precision, recall, and overall robustness, all without the need for adversarial retraining. These results highlight RADIANT’s practicality and effectiveness, offering reliable protection for ICS while addressing the increasing sophistication of AML attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104403"},"PeriodicalIF":4.8,"publicationDate":"2025-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143600772","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"APIARY: An API-based automatic rule generator for yara to enhance malware detection","authors":"Antonio Coscia,&nbsp;Roberto Lorusso,&nbsp;Antonio Maci,&nbsp;Giuseppe Urbano","doi":"10.1016/j.cose.2025.104397","DOIUrl":"10.1016/j.cose.2025.104397","url":null,"abstract":"<div><div>Cyber threats, primarily malware, have increased with rapid technological advancements in various fields. This growing complexity requires sophisticated and automated malware detection tools because traditional methods cannot keep up with the sheer volume of threats and their evolution. Detection mechanisms that are resilient against evolved malware behaviors, which are typically described by application programming interface (API) functions, are essential for real-time system protection. This paper presents APIARY, an innovative API-based Automatic Rule generator for the YARA tool, designed to enhance malware identification through customized signatures based on peculiar API-based patterns. It discovers distinctive APIs that distinguish malware from goodware, regardless of input data coming from dynamic and static analyses of Windows-like executable files. The algorithm assigns relevance scores to each variable and discards less significant features to identify critical malware indicators. In addition, the generation process optimizes the identified malware model categories to increase the detection rate while minimizing the number of rules produced. The experimental results obtained on nine datasets sourced from the literature demonstrate the potential of APIARY to automatically produce highly effective YARA rules in a short time. Moreover, the rules generated outperform those obtained using alternative state-of-the-art algorithms in terms of detection performance. Lastly, unlike competitors, the proposed procedure does not rely on additional malware analysis data, such as network connection attempts or API parameters, achieving a more streamlined and efficient detection process.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104397"},"PeriodicalIF":4.8,"publicationDate":"2025-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143579830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Ripple2Detect: A semantic similarity learning based framework for insider threat multi-step evidence detection","authors":"Hongle Liu,&nbsp;Ming Liu,&nbsp;Lansheng Han,&nbsp;Haili Sun,&nbsp;Cai Fu","doi":"10.1016/j.cose.2025.104387","DOIUrl":"10.1016/j.cose.2025.104387","url":null,"abstract":"<div><div>Insider threat attacks occur when individuals misuse their access to an organization’s systems, data, or networks. These attacks, including Advanced Persistent Threats (APT), Pivoting, and Lateral Movement, often involve prolonged timelines and similar sensitive actions. Given the complexity of these attacks, current internal threat detection methods have their shortcomings.</div><div>Firstly, internal threat attacks typically involve multiple sequences of malicious operations, making it challenging to capture the entire attack process using a single model. Secondly, current research often overlooks the interconnections between user behavior sequences, failing to differentiate between malicious intentions, actions, and outcomes. This neglect may lead to forensic inaccuracies and the misattribution of benign activities as attacks, potentially causing erroneous responses. Furthermore, existing internal threat detection methods fail to mine relevant attack evidence from known sensitive behaviors to thoroughly analyze the attack mechanisms.</div><div>To address these challenges, we propose Ripple2Detect, a multi-step evidence detection framework for insider threat detection. First, Ripple2Detect builds an evidence sequence library by decomposing known attack behaviors into sequences and constructing a knowledge graph to measure their correlations. Next, we train a semantic similarity model based on the BERT architecture, tailored for operation sequences, to improve the detection of attack evidence. To overcome data imbalance, we introduce a contrastive learning loss to better distinguish between attack and non-attack behaviors. Finally, a preference propagation mechanism is used to predict attack behaviors within the knowledge graph.</div><div>We conduct experiments on Cert-r4.2 and Cert-r5.2 benchmark datasets, comparing our model with state-of-the-art approaches. The results suggest that our model can identify malicious sequences with 0.96 F1 score and achieve an attack identification F1 score of up to 0.99. The source code can be obtained from <span><span>https://github.com/L3LeTrigger-F/Ripple2Detect_code</span><svg><path></path></svg></span></div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104387"},"PeriodicalIF":4.8,"publicationDate":"2025-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143643570","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Malicious behavior identification using Dual Attention Based dense bi-directional gated recurrent network in the cloud computing environment","authors":"Nandita Goyal ,&nbsp;Kanika Taneja ,&nbsp;Shivani Agarwal ,&nbsp;Harsh Khatter","doi":"10.1016/j.cose.2025.104418","DOIUrl":"10.1016/j.cose.2025.104418","url":null,"abstract":"<div><div>The rapid expansion of novel computing technologies has driven organizations to collaborate through cloud-based platforms, making robust security frameworks to ensure integrity, security, and accessibility. This paper proposes a deep learning approach to enhance malicious behaviour detection in cloud environments. Initially, the input data undergoes pre-processing using Min-Max Normalization, Missing Value Imputation, and Data Reduction to eliminate noise and inconsistencies. Feature selection is performed using the Improved Cheetah Optimization (ICO) algorithm. Finally, a Dual Attention-Based Dense Bi-Directional Gated Recurrent Unit (DA-Dense-BiGRU) is then employed to detect and classify malicious activity. The proposed approach is evaluated on five distinct datasets, achieving good accuracy rates of 99.35 %, 99.5 %, 99.4 %, 99.2 %, and 98.8 %. These results indicate the model's ability to detect harmful activities and improve security monitoring in cloud computing environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104418"},"PeriodicalIF":4.8,"publicationDate":"2025-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143643571","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Evaluation of cyber security risk pillars for a digital, innovative, and sustainable model utilizing a novel fuzzy hybrid optimization","authors":"Mehmet Erdem,&nbsp;Akın Özdemir","doi":"10.1016/j.cose.2025.104394","DOIUrl":"10.1016/j.cose.2025.104394","url":null,"abstract":"<div><div>Cyber security, digitization, and information technologies may contribute to sustainable smart cities, digital businesses, and economies. So, in this paper, a digital, innovative, and sustainable business economy model is introduced with cyber security and risk indicators to evaluate the performances of digital economies when developing a novel fuzzy hybrid framework. To the best of our knowledge, the proposed fuzzy hybrid framework is not explored in the literature. The main contributions of this paper are presented as follows. First of all, the eight main criteria and forty-three sub-criteria are specified based on the experts’ notions and published reports. Then, a Fermatean fuzzy sets-based analytical hierarchy process (FFSAHP) is proposed to obtain weights of the main criteria and sub-criteria. Based on FFSAHP results, economics, risks, and innovation &amp; digitization are the top three crucial criteria. Next, a fuzzy slacks-based data envelopment analysis (FSDEA) is introduced to measure the efficiencies of digital economies. Twenty-two out of thirty economies are efficient based on FSDEA results. Further, the FSDEA-embedded TOPSIS (technique for order performance by similarity to ideal solution) technique is developed to rank the efficient digital economies. Denmark, Switzerland, and Luxembourg have the three highest scores from FSDEA-embedded TOPSIS results as efficient digital economies. Finally, comparison studies and managerial and theoretical recommendations are presented for policymakers, including sustainable development goals and cyber security risk management.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104394"},"PeriodicalIF":4.8,"publicationDate":"2025-03-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143550057","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Hybrid framework for security evaluation in Internet of Vehicles","authors":"Nan Sun ,&nbsp;Wei Wang ,&nbsp;Kexin Liu ,&nbsp;Donghong Li ,&nbsp;Jinhu Lü","doi":"10.1016/j.cose.2025.104398","DOIUrl":"10.1016/j.cose.2025.104398","url":null,"abstract":"<div><div>Advancements in communication technology are driving the rapid evolution of the Internet of Vehicles (IoV) industry, paving the way for future connected vehicle ecosystems. Current vehicle cyber-security efforts primarily concentrate on vulnerabilities within the Controller Area Network (CAN) of existing automobiles. However, the anticipated proliferation of Internet of Vehicles (IoV) capabilities in the near future brings forth a new set of cyber-security challenges. Traditional IoV security analysis methods often focus on either data or dynamic models to assess malicious vehicle behavior, lacking a comprehensive, multidimensional security evaluation approach. In this paper, a novel IoV security analysis framework is proposed, integrating vehicle dynamics models with driving behavior and communication traffic data. The framework employs set-membership filtering algorithms and deep learning techniques to comprehensively assess vehicle status and detect a wide range of security threats, including ARP spoofing, flooding attacks, and speeding, while ensuring adaptability to diverse threat scenarios. Security scores are dynamically generated based on varying threat levels using an enhanced Dempster-Shafer theory, enabling robust threat evaluation. Although the proposed framework is designed for future IoV implementations, its effectiveness is validated through joint simulations conducted in CARLA and OMNeT++, demonstrating its potential to enhance both current and next-generation vehicle networks. Additionally, the proposed framework is designed to be modular, enabling seamless integration with existing connected vehicle security systems and ensuring its relevance for both current and future IoV networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104398"},"PeriodicalIF":4.8,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143528749","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Multi-strategy RIME optimization algorithm for feature selection of network intrusion detection","authors":"Lan Wang ,&nbsp;Jialing Xu ,&nbsp;Liyun Jia ,&nbsp;Tao Wang ,&nbsp;Yujie Xu ,&nbsp;Xingchen Liu","doi":"10.1016/j.cose.2025.104393","DOIUrl":"10.1016/j.cose.2025.104393","url":null,"abstract":"<div><div>Feature selection in network intrusion detection is an important research hotspot in network security. The performance of meta-heuristic algorithms, as one of the most effective methods for feature selection, will directly affect the solution to the problem. The RIME optimization algorithm, a novel meta-heuristic algorithm proposed in 2023 based on the physical phenomenon of rime, is suitable for intrusion detection feature selection due to its simplicity and efficiency. However, the standard RIME algorithm suffers from low convergence accuracy and a tendency to converge early, which severely limits its problem-solving ability. For this reason, this paper proposes an improved feature selection algorithm, the Multi-strategy RIME optimization algorithm (MRIME), which combines the chaotic local search strategy, an interaction mechanism, and an improved hard-rime puncture mechanism to enhance the performance of the standard RIME algorithm. The proposed MRIME algorithm has been validated through experiments on three publicly available intrusion detection datasets: UNSW-NB15, CIC-IDS-2017, and CICIoV2024. The experimental results demonstrate that MRIME outperforms existing feature selection algorithms, excelling in accuracy, precision, recall, F1 and runtime. Furthermore, MRIME has proven its adaptability to high-dimensional, low-dimensional, and large-scale datasets through scalability experiments on nine UCI datasets. These findings highlight the potential of MRIME for feature selection in intrusion detection systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104393"},"PeriodicalIF":4.8,"publicationDate":"2025-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143528751","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Analyzing anomalies in industrial networks: A data-driven approach to enhance security in manufacturing processes","authors":"Karel Kuchar,&nbsp;Radek Fujdiak","doi":"10.1016/j.cose.2025.104395","DOIUrl":"10.1016/j.cose.2025.104395","url":null,"abstract":"<div><div>Industrial networks are adapted to their specific requirements, especially in terms of industrial processes. To ensure sufficient security in these networks, it is necessary to set and use security policies that complement government regulations, recommendations, and relevant security standards. This paper aims to provide an in-depth analysis of the anomalies occurring within the networks and propose a structure for collecting valuable data from the experimental site based on dividing anomalies into three main categories: security, operational, and service anomalies (and regular traffic recognition). We present a proof-of-concept solution/design aggregating data in industrial networks for advanced anomaly classification. Multiple data sources such as industrial communication, sensor data (additional sensors controlling device behavior), and HW status data are used as data sources. A total of three scenarios (using a physical testbed) were implemented, where we achieved an accuracy of 0.8541/0.9972 in advanced anomaly classification.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104395"},"PeriodicalIF":4.8,"publicationDate":"2025-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143550058","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"FC-Trans: Deep learning methods for network intrusion detection in big data environments","authors":"Yuedi Zhu ,&nbsp;Yong Wang ,&nbsp;Lin Zhou ,&nbsp;Yuan Xia","doi":"10.1016/j.cose.2025.104392","DOIUrl":"10.1016/j.cose.2025.104392","url":null,"abstract":"<div><div>With the continuous expansion of Internet traffic, effectively preventing network intrusions in such a vast data environment has become increasingly challenging. Existing intrusion detection systems (IDS) for different network attacks often struggle to identify unknown attacks or respond to them in real-time. In this article, we propose a novel hybrid deep learning model, FC-Trans, designed to enhance network intrusion monitoring. Our approach involves optimizing feature representation using the Feature Tokenizer method, leveraging CNNs to extract meaningful features from the data, and incorporating Transformer’s self-attentive mechanism and residual structure to capture long-term feature dependencies and mitigate gradient vanishing. To address the issue of imbalanced sample distribution, we utilize MultiF Loss as the training loss function for the multi-classification task, enabling the model to prioritize difficult-to-classify samples. We compare the performance of our method with other approaches on the UNSW-NB15 dataset, and the experimental results demonstrate significant improvements in both binary and multivariate classification tasks. The results verify the effectiveness of our proposed method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104392"},"PeriodicalIF":4.8,"publicationDate":"2025-02-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143636980","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Vulnerability defence using hybrid moving target defence in Internet of Things systems","authors":"Mohammed Tanvir Masud ,&nbsp;Marwa Keshk ,&nbsp;Nour Moustafa ,&nbsp;Benjamin Turnbull ,&nbsp;Willy Susilo","doi":"10.1016/j.cose.2025.104380","DOIUrl":"10.1016/j.cose.2025.104380","url":null,"abstract":"<div><div>Cyber threat actors are increasingly targeting networked assets and critical infrastructure, with the potential for major socioeconomic impacts. Moving target defence (MTD) is a cyber defence paradigm that creates constantly shifting attack surfaces (i.e., vulnerabilities). It intends to make it more difficult for cyber adversaries to exploit systems, thereby increasing costs and chances of detection. There is a lack of research into the efficiency of combined MTD techniques, especially regarding several types of security considerations like time, cost, and effort. This gap is particularly significant in the Internet of Things (IoT) context, where security problems arise from its heterogeneous architecture. Moreover, MTD may result in the overutilization of network and system resources to enhance cybersecurity. We present a Vulnerability Defence method to address this issue using the three-layer Temporal Hierarchical Attack Representation Model (3-layer-THARM). This approach overcomes this difficulty by evaluating the safety of aggregated network states, considering security metrics in each state and the accessibility of network nodes and edges. Using this model, we can recognize probable attack scenarios in the context of Internet of Things (IoT) systems, conduct a thorough security analysis of the IoT system using well-defined security metrics, and assess the effectiveness of various defence tactics. This feature inherently introduces an additional level of security for the system. Furthermore, this model showcases the ability to identify potential attack pathways and effectively mitigate the consequences of such attacks. Our analysis reveals a noteworthy trend: combining MTD techniques from different categories, such as shuffle and diversity, generally produces more favorable outcomes, including a lower probability of attack success, lower attack risk and higher attack cost.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104380"},"PeriodicalIF":4.8,"publicationDate":"2025-02-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143528862","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}