Laurens Sion, Dimitri Van Landuyt, Kim Wuyts, Wouter Joosen
{"title":"Robust and reusable LINDDUN privacy threat knowledge","authors":"Laurens Sion, Dimitri Van Landuyt, Kim Wuyts, Wouter Joosen","doi":"10.1016/j.cose.2025.104419","DOIUrl":"10.1016/j.cose.2025.104419","url":null,"abstract":"<div><div>Privacy threat modeling is an intrinsically complex analysis task that requires expertise in sophisticated privacy threats, their harms and implications, as well as potential mitigations. To support both novices and experts in attaining a desired degree of rigor and completeness in their analysis, supporting materials such as privacy threat trees and threat examples are crucial as they consolidate and harmonize the complete spectrum of threat characteristics, and as such assist with the broader uptake of privacy threat modeling practices.</div><div>However, the existing knowledge structures, taxonomies, and trees used in privacy threat analysis prove to have limited use in practice. They are either too broad and generic, or too tightly coupled to a specific modeling approach (<span>dfd</span>s) or to a specific threat elicitation method (e.g., per-element). In addition, current privacy threat knowledge structures suffer from semantic ambiguity. Finally, existing structures are too rigid to support evolution, thus hindering the incorporation of emerging privacy threats.</div><div>This article introduces three contributions to address these shortcomings: (i) it defines the metamodel to express threat knowledge in the form of threat types, elicitation criteria, examples, and additional metadata; (ii) it discusses its application to the privacy threat knowledge of the <span>linddun</span> privacy threat modeling framework; and (iii) it introduces the automated knowledge management tools comprised of extraction logic that allows more flexible adoption in different privacy analysis approaches, and that fundamentally supports continuous evolution and refinement of this privacy threat knowledge. 
A major outcome is the updated <span>linddun</span> privacy threat knowledge which completely subsumes earlier versions and provides more rooted support for adoption, refinement, and continuous evolution.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104419"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143739073","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A comprehensive review of security vulnerabilities in heavy-duty vehicles: Comparative insights and current research gaps","authors":"Narges Rahimi , Beth-Anne Schuelke-Leech , Mitra Mirhassani","doi":"10.1016/j.cose.2025.104452","DOIUrl":"10.1016/j.cose.2025.104452","url":null,"abstract":"<div><div>The increasing connectivity and integration of advanced technologies in vehicular systems have amplified the need for robust cybersecurity measures, particularly in heavy-duty (HD) vehicles, which are crucial to commercial transportation. Despite their importance, HD vehicles have received less attention in cybersecurity research compared to light-duty (LD) vehicles, leaving critical vulnerabilities unaddressed. This paper aims to bridge this gap by conducting a thorough analysis of the unique security challenges faced by HD vehicles. By comparing HD vehicles with LD vehicles, we identify distinct and vulnerabilities in two key areas: intra-vehicle networks and external connections. The study includes a comprehensive literature review focused on the cybersecurity of heavy- and medium-duty vehicles, through which we identify prevalent threats and potential mitigation strategies. This analysis underscores the necessity for enhanced protocol security and advocates for a detailed examination of both intra-vehicle networks and external connections.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104452"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714571","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jinchuan Pei , Yuxiang Hu , Le Tian , Xinglong Pei , Zihao Wang
{"title":"Dynamic anomaly detection using In-band Network Telemetry and GCN for cloud–edge collaborative networks","authors":"Jinchuan Pei , Yuxiang Hu , Le Tian , Xinglong Pei , Zihao Wang","doi":"10.1016/j.cose.2025.104422","DOIUrl":"10.1016/j.cose.2025.104422","url":null,"abstract":"<div><div>In the intelligent era of the Internet of Everything, the cloud–edge collaborative network architecture solves the data storage and computing problems caused by the exponential growth of terminal data. However, at the same time, the network attack situation is becoming increasingly severe and the types of network anomalies are complex and diverse. The traffic characteristic information collected in traditional network security situation analysis is single and coarse in granularity, which makes it difficult to completely reflect the original traffic and network equipment status. Moreover, the collection of a large amount of fine-grained telemetry data generates substantial telemetry overhead, which hinders the efficient detection of network anomalies and malicious intrusions. To solve this problem, we propose a dynamic anomaly detection method using In-band Network Telemetry (INT) and GCN for cloud–edge collaborative networks, which flexibly and efficiently collects network state information to identify network anomalies and network intrusions. Firstly, we design an anomaly telemetry architecture for cloud–edge collaborative networks and use in-band network telemetry technology of programmable network to extract network characteristic information, and then use dynamic telemetry mechanism to extract network situation elements on demand, so as to quickly identify network anomalies by information entropy method in the edge layer. 
According to the identified network anomaly information, we deeply telemetry the abnormal position and design a novel Graph Convolutional Network (GCN) that aggregates anomaly information named AGCN in the cloud layer, and analyze whether there is malicious intrusion by combining spatiotemporal dimensions, so that network administrators can accurately grasp the network security situation and discover malicious intrusion in time. The experimental results show that the proposed method can quickly identify network anomalies and detect network intrusions, which can quickly converge while saving telemetry overhead, and the detection accuracy of network intrusions can reach 98.69%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104422"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714572","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi
{"title":"Threat hunting for adversary impact inhibiting system recovery","authors":"Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi","doi":"10.1016/j.cose.2025.104464","DOIUrl":"10.1016/j.cose.2025.104464","url":null,"abstract":"<div><div>The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. 
The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104464"},"PeriodicalIF":4.8,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143785007","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chaitanya Joshi , Sergeja Slapničar , Jinming Yang , Ryan K.L. Ko
{"title":"Contrasting the optimal resource allocation to cybersecurity controls and cyber insurance using prospect theory versus expected utility theory","authors":"Chaitanya Joshi , Sergeja Slapničar , Jinming Yang , Ryan K.L. Ko","doi":"10.1016/j.cose.2025.104450","DOIUrl":"10.1016/j.cose.2025.104450","url":null,"abstract":"<div><div>Protecting against cyber-threats is essential for every organization and can be achieved by investing in cybersecurity controls and purchasing cyber insurance. These two alternatives are interlinked, as insurance premiums can be reduced by investing more in cybersecurity controls. However, cyber insurance remains under-utilized, a puzzle that Expected Utility Theory (EUT) cannot explain. In this paper, we analyze how decision-makers allocate resources between cybersecurity controls and cyber insurance, comparing optimal allocation under Prospect Theory (PT) to that under EUT. We propose a new functional form of risk curves to model the relationship between investment in cybersecurity controls and cyber risk, demonstrating how a bespoke risk curve can be fitted for an organization. We derive the optimal allocation strategy of resources to cybersecurity controls and cyber insurance under EUT and PT paradigms. Using mathematical results and numerical examples, we identify specific behavioral considerations in PT that lead to different resource allocations compared to EUT. We show that decision-makers aligned with EUT are generally indifferent to purchasing insurance, whereas those aligned with PT favor full insurance coverage; otherwise, they invest more in self-protection. 
Our results indicate that, in addition to a challenging cybersecurity environment and the nature of insurance coverage, behavioral aspects (diminished sensitivity to losses and probability weights) play a key role in determining the optimal level of investment in cybersecurity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104450"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143746525","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Detection of on-manifold adversarial attacks via latent space transformation","authors":"Mohmmad Al-Fawa’reh , Jumana Abu-khalaf , Naeem Janjua , Patryk Szewczyk","doi":"10.1016/j.cose.2025.104431","DOIUrl":"10.1016/j.cose.2025.104431","url":null,"abstract":"<div><div>Out-of-distribution (OOD) generalization is critical for reliable intrusion detection systems (IDS), yet current methods often falter against stealthy, on-manifold adversarial attacks that mimic ID data. To solve this challenge, we propose a semi-supervised approach that applies an invertible transformation to the latent space and leverages changes in differential entropy to detect OOD samples. Experiments on the KDD99 and X-IIoTID datasets demonstrate that our approach outperforms state-of-the-art defenses, providing enhanced robustness and generalizability for IDS.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104431"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706517","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Aissa Ben Yahya, Hicham El Akhal, El Mehdi Ismaili Alaoui, Abdelbaki El Belrhiti El Alaoui
{"title":"Bayes-based word weighting for enhanced vulnerability classification in critical infrastructure systems","authors":"Aissa Ben Yahya, Hicham El Akhal, El Mehdi Ismaili Alaoui, Abdelbaki El Belrhiti El Alaoui","doi":"10.1016/j.cose.2025.104451","DOIUrl":"10.1016/j.cose.2025.104451","url":null,"abstract":"<div><div>The increasing number of vulnerabilities in embedded devices poses a significant threat to the critical infrastructure security where these devices are used. While deep learning approaches have advanced software vulnerability classification, they exhibit critical limitations regarding word weighting. Conventional methods like term frequency–inverse document frequency (TF–IDF) prioritize global term distributions but overlook intra-class distinctions. While improved variants of this technique have been proposed, they often fail to consider that a word’s importance can vary across categories and struggle to prioritize rare but distinctive words adequately. Additionally, high inter-class semantic overlap and terminological ambiguity in vulnerability descriptions hinder model performance by failing to separate intra-class keywords from background noise. To address these gaps, we propose a novel vulnerability classification and word vector weighting approach based on Bayes' theorem. Our method dynamically adjusts term relevance by calculating posterior probabilities of word-category associations, emphasizing rare tokens with high intra-class specificity. We validate the approach on four test datasets derived from databases such as the National Vulnerability Database (NVD) and the Chinese vulnerability database (CNNVD). Rigorous ablation and comparative studies demonstrate that Bayes-based word weighting outperformed other methods by achieving a performance of 97.63% accuracy, and 97.60% F1-score on the most challenging test data. 
All our models and code to produce our results are open-sourced.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104451"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143760089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Okba Ben Atia , Mustafa Al Samara , Ismail Bennis , Abdelhafid Abouaissa , Jaafar Gaber , Pascal Lorenz
{"title":"M3D-FL: Multi-layer Malicious Model Detection for Federated Learning in IoT networks","authors":"Okba Ben Atia , Mustafa Al Samara , Ismail Bennis , Abdelhafid Abouaissa , Jaafar Gaber , Pascal Lorenz","doi":"10.1016/j.cose.2025.104444","DOIUrl":"10.1016/j.cose.2025.104444","url":null,"abstract":"<div><div>Federated learning (FL) is an advanced technique in machine learning that ensures privacy while enabling multiple devices or clients to jointly train a model. Instead of sharing their private data, each device trains a local model on its own data and transmits only the model updates to a central server. However, FL systems face security threats such as poisoning attacks. The maliciously generated data can cause serious consequences on the global model. Also, it can be used to steal sensitive data or cause the model to make incorrect predictions. In this paper, we propose a new approach to enhance the detection of malicious clients against these attacks. Our novel approach is titled M3D-FL for Multi-layer Malicious Model Detection for Federated Learning in IoT networks. The first layer computes the malicious score of participating FL clients using the LOF algorithm, enabling their rejection from the FL aggregation process. Meanwhile, the second layer targets rejected clients and employs MAD outlier detection to permanently eliminate them from the FL process. Simulation results using the CIFAR10, MNIST, and Fashion-MNIST datasets showed that the M3D-FL approach outperforms other studied approaches from the literature regarding several performance metrics like the Accuracy Rate (ACC), Detection Rate (DR), Attack Success Rate (ASR), precision, and the CPU aggregation run-time. 
The M3D-FL approach is demonstrated to be a more effective and strict detection method of malicious models in FL.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104444"},"PeriodicalIF":4.8,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706520","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sanfeng Zhang , Shangze Li , Juncheng Lu , Wang Yang
{"title":"Power-ASTNN: A deobfuscation and AST neural network enabled effective detection method for malicious PowerShell Scripts","authors":"Sanfeng Zhang , Shangze Li , Juncheng Lu , Wang Yang","doi":"10.1016/j.cose.2025.104441","DOIUrl":"10.1016/j.cose.2025.104441","url":null,"abstract":"<div><div>PowerShell is frequently utilized by attackers in the realm of Windows system security, particularly in cyberattack activities such as information stealing, vulnerability exploitation, and password cracking. To evade detection, attackers often employ code obfuscation techniques on their scripts. Current detection solutions face challenges due to limited deobfuscation methods and a predominant focus on identifying static and local features. This limitation hinders the ability to capture fine-grained code features and long-distance semantic relationships, resulting in reduced robustness and accuracy. To address these issues, this paper presents a novel malicious script detection method, Power-ASTNN, which integrates deobfuscation and a tree neural network. Initially, the method utilizes AMSI memory dump to deobfuscate PowerShell scripts, yielding fully deobfuscated samples. Subsequently, a subtree splitting algorithm tailored for abstract syntax trees extracts fine-grained code features from subtree fragments. Finally, a two-layer neural network model encodes representations based on subtree node semantics and sequence semantics, effectively capturing the semantic characteristics of the code. Experimental results demonstrate the effectiveness of Power-ASTNN, achieving an accuracy of 98.87% on a self-built dataset collected from multiple publicly available sources, while maintaining a low false negative rate and a high area under the curve (AUC) value exceeding 0.995. 
Furthermore, Power-ASTNN demonstrates superior detection performance against adversarial samples compared with existing detection models.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104441"},"PeriodicalIF":4.8,"publicationDate":"2025-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684124","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DecoyPot: A large language model-driven web API honeypot for realistic attacker engagement","authors":"Anıl Sezgin , Aytuğ Boyacı","doi":"10.1016/j.cose.2025.104458","DOIUrl":"10.1016/j.cose.2025.104458","url":null,"abstract":"<div><div>As cyberattacks get more sophisticated, security systems must learn to detect and deceive them. DecoyPot, a honeypot Web Application Programming Interface (API) that generates legitimate API responses, is introduced in this paper. DecoyPot's command extractor module carefully analyzes API requests to create prompt-response pairs that improve a Retrieval-Augmented Generation based (RAG) large language model (LLM). DecoyPot can instantly adjust its answers to mimic API activity in a contextually correct and convincing manner to attackers. To assess system efficacy, we used a two-phase similarity analysis. Initial queries were matched with prompt-response pairs to ensure contextually suitable responses. Second, similarity measures were used to compare generated responses to reference responses, producing an average score of 0.9780. The high score shows that the system can create API-like responses, boosting its utility. DecoyPot engaged opponents and learned their Tactics, Techniques and Procedures (TTPs). The study shows that honeypot cybersecurity effectiveness must be improved by merging AI-driven response creation with enhanced deception technologies. 
DecoyPot effectively adapts to incoming queries and generates API-like responses, delivering actionable cyber threat intelligence and enhancing proactive defense strategies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104458"},"PeriodicalIF":4.8,"publicationDate":"2025-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143714573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}