Computers & Security最新文献

{"title":"Deep learning-based prediction of reflection attacks using NetFlow data","authors":"Edward Chuah ,&nbsp;Arshad Jhumka ,&nbsp;Aladdin Ayesh","doi":"10.1016/j.cose.2025.104527","DOIUrl":"10.1016/j.cose.2025.104527","url":null,"abstract":"<div><div>Large networks provide tremendous support for the deployment of networked services with fast response times by deploying a large number of servers and high-speed routers. While several techniques exist to detect network attacks, predicting future attacks can help to enhance the security of the network. Reflection attacks are known to be one of the most common causes of service disruption in large networks. A reflection attack is a special type of Distributed Denial-of-Service (DDoS) attack that hides the identity of the attacker and floods the network with a large volume of malicious traffic by using reflectors. Modern networks generate a large volume of NetFlow data, and analyzing this data is an advocated basis for identifying reflection attacks. A comprehensive analysis of 3.1 billion NetFlow records obtained from a large enterprise network is conducted, and reflection attacks on the Domain Name Service (DNS) and NetBIOS servers are identified in the NetFlow data. As far as it is known, there is no work that evaluated Temporal Convolution Network (TCN), Recurrent Neural Network (RNN) and Long Short Term Memory (LSTM) deep learning (DL) models to predict reflection attacks in a large network. Thus, the aim of this paper is to determine if TCN, RNN and LSTM can predict reflection attacks using NetFlow data. This paper proposes an approach to predict reflection attacks and evaluates TCN, RNN and LSTM on real NetFlow data. The results from this study show that: (a) RNN and LSTM predicted DNS server reflection attacks with the highest coefficient-of-determination (<span><math><msup><mrow><mi>R</mi></mrow><mrow><mn>2</mn></mrow></msup></math></span>) value that ranged from 0.39 to 0.992 on different dates, (b) RNN, LSTM and TCN predicted NetBIOS server reflection attacks with the highest value of <span><math><msup><mrow><mi>R</mi></mrow><mrow><mn>2</mn></mrow></msup></math></span> that ranged from 0.749 to 0.999 on different dates, (c) the percentage of packets generated by DNS server reflection attacks ranged from 0.001% to 18%, (d) the percentage of packets generated by NetBIOS server reflection attacks ranged from 0.2% to 16%, (e) the percentage of source and destination devices associated with DNS server reflection attacks ranged from 0.0006% to 0.022% and (f) the percentage of source and destination devices associated with NetBIOS server reflection attacks ranged from 0.071% to 34%. The outcomes are: (a) RNN and LSTM predicted DNS server reflection attacks with high accuracy on 12 dates, (b) RNN, LSTM and TCN predicted NetBIOS server reflection attacks with high accuracy on 14 dates, (c) RNN, LSTM and TCN predicted DNS server reflection attacks with low accuracy on 2 dates, (d) the traffic generated by DNS and NetBIOS servers reflection attacks did not overwhelm the network, and (e) a small number of source and destination devices are associated with these reflection attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104527"},"PeriodicalIF":4.8,"publicationDate":"2025-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144089608","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"PMkR: Privacy-preserving multi-keyword top-k reachability query","authors":"Ting Xu,&nbsp;Xinrui Ge,&nbsp;Changheng Shao","doi":"10.1016/j.cose.2025.104525","DOIUrl":"10.1016/j.cose.2025.104525","url":null,"abstract":"<div><div>Privacy-preserving reachability query can determine whether one vertex is reachable from another vertex, which is applied in many domains. Due to the growing size of graphs, more and more users upload blinded graphs to the cloud, which can reduce the computation and storage burden for users. While privacy-preserving reachability query schemes have been proposed, they do not consider the keyword information in vertices. In this paper, we propose a privacy-preserving multi-keyword top-<span><math><mi>k</mi></math></span> reachability query scheme (PM<span><math><mi>k</mi></math></span>R), which can find <span><math><mi>k</mi></math></span> vertices nearest to the source vertex, and containing the given keywords. In order to achieve the multi-keyword reachability query, we build the secure indexes based on the 2-hop labeling and the balanced binary tree. The 2-hop labeling index can help quickly determine whether two vertices are reachable and the distance between them. We convert the inclusion relationship between vertices and keywords into vectors, and store in the tree index. We use the secure Euclidean distance calculation to protect data privacy, which can judge whether the vertices contain the query keywords by secure inner product computation. To avoid the cloud learning the correspondence between vertices in the tree index and 2-hop index, we perform two-layer blinding on the vertices. The security analysis and extensive experiments on real-world datasets show that our scheme is secure and efficient.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104525"},"PeriodicalIF":4.8,"publicationDate":"2025-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144105799","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Decision tree based invariants for intrusion detection in industrial control system","authors":"Abdul Samiah ,&nbsp;Muhammad Azmi Umer ,&nbsp;Shama Siddiqui","doi":"10.1016/j.cose.2025.104511","DOIUrl":"10.1016/j.cose.2025.104511","url":null,"abstract":"<div><div>The proliferation of interconnected Industrial Control Systems (ICS) and their connectivity with internet is expanding the attack surface, making them vulnerable to cyber-threats such as ransomware, malware, and targeted attacks. A cyber-attack launched on a critical infrastructure (CI), such as a water treatment plant, chemical plants or power grid could lead to anomalous behavior. Due to dynamic nature and variety of attributes in cyber data, the detection and prevention of these anomalous behavior is still an open challenge. Cyber physical systems (CPS) includes both the information technology (IT) and operational technology (OT) data. The detection of anomalous behavior is possible using both the IT and the OT data. The study conducted here has used the OT data. A supervised machine learning technique based on decision trees was used to mine the invariants from the OT data. The proposed approach was also compared with the Association Rule Mining (ARM) for generating invariants. The entire study was conducted in the context of scaled down version of water distribution plant (WaDi). The validation of generated invariants was performed using the operational plant and also using the physics of the plant.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104511"},"PeriodicalIF":4.8,"publicationDate":"2025-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144069689","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Network intrusion datasets: A survey, limitations, and recommendations","authors":"Patrik Goldschmidt ,&nbsp;Daniela Chudá","doi":"10.1016/j.cose.2025.104510","DOIUrl":"10.1016/j.cose.2025.104510","url":null,"abstract":"<div><div>Data-driven cyberthreat detection has become a crucial defense technique in modern cybersecurity. Network defense, supported by Network Intrusion Detection Systems (NIDSs), has also increasingly adopted data-driven approaches, leading to greater reliance on data. Despite the importance of data, its scarcity has long been recognized as a major obstacle in NIDS research. In response, the community has published many new datasets recently. However, many of them remain largely unknown and unanalyzed, leaving researchers uncertain about their suitability for specific use cases.</div><div>In this paper, we aim to address this knowledge gap by performing a systematic literature review (SLR) of 89 public datasets for NIDS research. Each dataset is comparatively analyzed across 13 key properties, and its potential applications are outlined. Beyond the review, we also discuss domain-specific challenges and common data limitations to facilitate a critical view on data quality. To aid in data selection, we conduct a dataset popularity analysis in contemporary state-of-the-art NIDS research. Furthermore, the paper presents best practices for dataset selection, generation, and usage. By providing a comprehensive overview of the domain and its data, this work aims to guide future research toward improving data quality and the robustness of NIDS solutions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104510"},"PeriodicalIF":4.8,"publicationDate":"2025-05-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144105797","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Who are querying for me? Measuring the dependency and centralization in recursive resolution","authors":"Meng Luo ,&nbsp;Qiuyun Wang ,&nbsp;Jianrong Zhang ,&nbsp;Cheng Yu ,&nbsp;Kai Zhou ,&nbsp;Baojiang Cui ,&nbsp;Zhengwei Jiang","doi":"10.1016/j.cose.2025.104501","DOIUrl":"10.1016/j.cose.2025.104501","url":null,"abstract":"<div><div>In the DNS resolution, a recursive resolver receives requests from clients and queries the authoritative name servers to resolve domain names. In real networks, some recursive resolvers work as the ingress resolvers, which receive client requests but rely on egress resolvers to communicate with authoritative name servers. This dependency on egress resolvers introduces two issues. First, the failure of egress resolvers can delay or disrupt the resolution of ingress resolvers. Second, dependency centralization constrains the DNS system to a limited number of resolvers and organizations, exposing the system to higher risks of availability issues and cascading failures. Understanding the dependencies and centralization of recursive resolvers is essential for comprehending the DNS ecosystem.</div><div>In this work, we investigate the recursive resolution implemented by open resolvers in IPv4 address space to quantify their dependencies. We propose a set of approaches to identify egress resolvers and third-party providers on which open resolvers depend, and we analyze the degree of dependency centralization from multiple perspectives. Our measurements reveal that open resolvers in the wild exhibit widespread and highly concentrated dependencies. Specifically, more than 1.7 million open resolvers depend on about 147,000 egress resolvers. 90% of open resolvers are influenced by 8.41% of egress resolvers, and 36.82% of open resolvers rely on only one egress resolver to perform resolution. Egress resolvers from third-party providers can influence more than 44.40% of the open resolvers. Our work demonstrates that dependencies in recursive resolution are concentrated on a small number of egress resolvers and third-party providers, significantly reducing DNS redundancy and threatening system availability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104501"},"PeriodicalIF":4.8,"publicationDate":"2025-05-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144069692","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"VADP: Visitor-attribute-based adaptive differential privacy for IoMT data sharing","authors":"Shaobo Zhang ,&nbsp;Lujie Zhang ,&nbsp;Tao Peng ,&nbsp;Qin Liu ,&nbsp;Xiong Li","doi":"10.1016/j.cose.2025.104513","DOIUrl":"10.1016/j.cose.2025.104513","url":null,"abstract":"<div><div>The Internet of Medical Things (IoMT) improves medical services by collecting and sharing patient data, but it also increases the risk of sensitive privacy breaches. To mitigate the risks, existing methods based on personalized differential privacy add different noises to the query results of each data visitor. However, these methods require additional computation to assign a constant privacy budget for each visitor, leading to low sharing efficiency and data utility. To overcome these challenges, this paper proposes a visitor-attribute-based adaptive differential privacy (VADP) data-sharing scheme. The scheme first constructs a quantifiable hierarchical access structure to control visitors’ access to data attributes precisely, and adaptively determines the privacy level for each data attribute by quantifying the matching degree between the visitor attributes and the access structure. To enhance sharing efficiency, the scheme devises a lightweight privacy budget calculation matrix to compute privacy budgets efficiently, reducing computational overhead. Additionally, integrating the VIKOR method enables the scheme to balance data privacy and utility flexibly. Experiments show that regarding the data utility, the VADP scheme reduces the average query error by 39.4% compared with non-adaptive differential privacy methods. It also decreases computational overhead in the data-sharing phase by 40.3% compared to the state-of-the-art schemes.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104513"},"PeriodicalIF":4.8,"publicationDate":"2025-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144069690","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Threat detection in reconfigurable Cyber–Physical Systems through Spatio-Temporal Anomaly Detection using graph attention network","authors":"Roberto Canonico,&nbsp;Francesco Lista,&nbsp;Annalisa Navarro,&nbsp;Giancarlo Sperlí,&nbsp;Andrea Vignali","doi":"10.1016/j.cose.2025.104509","DOIUrl":"10.1016/j.cose.2025.104509","url":null,"abstract":"<div><div>Chronicles of the last few years show that industrial Cyber–Physical Systems are the target of dangerous cyber-attacks and face multiple threats. It is important to react as promptly as possible to such attacks and take proper countermeasures. Anomaly detection is a key activity in a Cyber–Physical System’s defense strategy. It involves analyzing sensor data, modeled as a Multivariate Time Series, to identify deviations from expected behavior, that may indicate potential cyber threats or attacks.</div><div>In this paper, we design a novel framework integrating spatial and temporal modules to unveil spatio-temporal dependencies within sensor data in Cyber–Physical Systems to detect possible intrusions. We propose a novel strategy based on time series correlation to build a graph minimizing the number of sensors’ connections to unveil spatial dependencies between multimodal time series. The prediction and reconstruction losses are then leveraged to detect anomalies. The proposed framework has been evaluated on a real-world Cyber–Physical System, on which we evaluated both the efficacy and efficiency with respect to different competing approaches. The experimental analysis shows that the proposed framework outperforms eight state-of-the-art ones by increasing the precision of 0.59% while reducing both the training time (21.05%) for each epoch and memory occupation (77.8%) with respect to the best competitor in the literature. These characteristics make it particularly suitable for industrial environments that need periodic reconfigurations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104509"},"PeriodicalIF":4.8,"publicationDate":"2025-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143941776","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Implementing and integrating security controls: A practitioners’ perspective","authors":"Maysa Sinan,&nbsp;Mojtaba Shahin,&nbsp;Iqbal Gondal","doi":"10.1016/j.cose.2025.104516","DOIUrl":"10.1016/j.cose.2025.104516","url":null,"abstract":"&lt;div&gt;&lt;h3&gt;Context:&lt;/h3&gt;&lt;div&gt;Security controls are indispensable in today’s technology-driven world for their essential role in protecting applications and systems in many organizations. They help to manage the organizational controls to ensure confidentiality, integrity and access to vital infrastructure and data (e.g., software applications, financial records, personal information, intellectual property, etc.) by ensuring that only authorized and trustworthy users have privileged access. Further, integrating security controls within the Software Development Lifecycle (SDLC) is imperative for detecting application deficiencies and preventing potential breaches that could result in financial losses and expose the systems to external and/or internal threats. They reduce the exploitation risk by identifying and patching vulnerabilities in applications and networks within the organization.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;h3&gt;Methods:&lt;/h3&gt;&lt;div&gt;To explore and get in-depth insights, a survey was conducted with 118 software practitioners to determine how they embed and handle security controls in software development environments. Our survey covers the four phases of the security controls lifecycle, including classifying, identifying, implementing, and validating security controls to understand the best practices and essential activities in each process.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;h3&gt;Results:&lt;/h3&gt;&lt;div&gt;The survey results indicated that most respondents recognized the critical importance of understanding security requirements prior to integrating appropriate security controls in each software release. We highlighted key factors that influence the selection and identification of security controls, including user group considerations, risk management practices, and organizational requirements. It appeared that security practitioners utilize a wide range of security controls that are broadly classified into six categories, where administrative and technical controls come first. With this emphasis and awareness, they could align their responses with practical and contextual factors driving effective security control implementation. Furthermore, the findings showed that most organizations rely on internal departments to implement and maintain security controls in conjunction with continuous security practices throughout the different phases of the SDLC. In contrast, only 36% of respondents utilize automated testing tools for monitoring, while 52% cite insufficient security training as a major obstacle.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;h3&gt;Conclusion:&lt;/h3&gt;&lt;div&gt;The survey highlighted the need to hire skillful security practitioners who possess a diverse range of cybersecurity skills, enabling them to govern security controls and handle troubleshooting with poise and professionalism, taking advantage of lessons learned in past experiences. The results also demonstrated the need for employing up-to-date tools and carrying out a list of best practices, to implement security controls and improve their effectiv","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104516"},"PeriodicalIF":4.8,"publicationDate":"2025-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143941777","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Light-weight slow-rate attack detection framework for resource-constrained Industrial Cyber–Physical Systems","authors":"Farzana Zahid ,&nbsp;Matthew M.Y. Kuo ,&nbsp;Roopak Sinha","doi":"10.1016/j.cose.2025.104508","DOIUrl":"10.1016/j.cose.2025.104508","url":null,"abstract":"<div><div><em>Industrial</em> Cyber–Physical Systems (ICPS) are heterogeneous computer systems interacting with physical processes in an industrial environment. The presence of numerous interconnected components poses significant security threats to ICPS. Slow-Rate Attacks (SRA), in which attackers attack a system constantly at low volumes, are difficult to detect for resource-constrained ICPS computers like programmable logic controllers (PLC). We propose an optimised light-weight active security framework for SRA detection based on Online Sequential Extreme Learning Machine (OSELM). We optimise the memory and space footprint of OSELM for deployment in resource-constrained ICPS. Additionally, a simple stratified k-fold cross training method improves the performance and accuracy of binary and multi-class SRA detection. Compared to existing methods, our technique requires less space and reduces attack detection time by at least 95%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104508"},"PeriodicalIF":4.8,"publicationDate":"2025-05-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144069691","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Corrigendum to “Threat hunting for adversary impact inhibiting system recovery” [Computers & Security, Volume 154, July 2025, 104464]","authors":"Naif Alsharabi ,&nbsp;Akashdeep Bhardwaj ,&nbsp;Abdulaziz Ayaba ,&nbsp;Amr Jadi","doi":"10.1016/j.cose.2025.104532","DOIUrl":"10.1016/j.cose.2025.104532","url":null,"abstract":"","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104532"},"PeriodicalIF":4.8,"publicationDate":"2025-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144184642","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}