Computers & Security: Latest Publications

A cloud-assisted anonymous and privacy-preserving authentication scheme for internet of medical things
IF 5.4, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-25, DOI: 10.1016/j.cose.2025.104614
Volume 157, Article 104614 (Semantic Scholar paper id 144766610)
Authors: Ping Guo, Shuilong Xu, Wenfeng Liang
Abstract: With the rapid advancement of the Internet of Medical Things (IoMT) and the increasing adoption of cloud computing, the storage and processing of medical data have become significantly more efficient. However, in cloud-assisted IoMT environments, data is exposed to risks due to open networks and semi-trusted cloud service providers, potentially compromising sensitive information. Ensuring data security is paramount; yet, existing authentication protocols often exhibit limitations, such as high computational overhead and security vulnerabilities. In this paper, we propose a cloud-assisted authentication scheme designed to ensure secure privacy protection for physiological data within the open network environment of IoMT, while accommodating the resource-constrained nature of sensor nodes. Our innovative remote anonymous authentication scheme leverages Elliptic Curve Cryptography to facilitate secure mutual authentication over insecure channels. During the authentication phase, the cloud server cannot ascertain the user's true identity, allowing patients to access services anonymously. To enhance security, we employ proxy re-encryption techniques, enabling users to decrypt the cloud server's encrypted shared intermediate ciphertexts securely. Comprehensive security and privacy analyses, along with performance evaluations, demonstrate that the proposed scheme offers superior cost-effectiveness, enhanced privacy protection, and improved execution efficiency compared to existing solutions.
Citations: 0
Attack structure matters: Causality-preserving metrics for Provenance-based Intrusion Detection Systems
IF 5.4, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-23, DOI: 10.1016/j.cose.2025.104578
Volume 157, Article 104578 (Semantic Scholar paper id 144757107)
Authors: Manuel Suarez-Roman, Juan Tapiador
Abstract: Provenance-based Intrusion Detection Systems (PIDS) detect attacks and reconstruct attack scenarios by analyzing provenance graphs. These graphs, constructed from events captured by system logs and security sensors, model the causal relationships between operations performed by system entities. In PIDS research, evaluations typically rely on standard metrics such as precision and recall, computed at the graph level. To assess the accuracy of reconstructed attack graphs, researchers often use proxy metrics at the node level, as computing similarity between provenance graphs remains an open problem. In this paper, we address this problem by introducing SDTED (Structure and Depth Preserving Tree Edit Distance), a variant of the recently proposed Generalized Weisfeiler–Lehman Graph Kernel, adapted to capture the distinctive properties of provenance graphs. Using a dataset of attack scenarios from the DARPA Engagements program, we show that SDTED accurately measures similarity between provenance graphs in cases where node-level metrics yield suboptimal results. Moreover, SDTED is capable of detecting changes in causal relationships between provenance graphs, an essential property for robust evaluation of PIDS proposals. We open source our implementation of SDTED to support reproducibility and encourage adoption within the research community.
Citations: 0
Power of union: Federated honey password vaults against differential attack
IF 5.4, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-23, DOI: 10.1016/j.cose.2025.104592
Volume 157, Article 104592 (Semantic Scholar paper id 144725007)
Authors: Peng Xu, Tingting Rao, Wei Wang, Zhaojun Lu, Kaitai Liang
Abstract: The honey password vault is a promising method for managing user passwords and mitigating password-guessing attacks by creating plausible-looking decoy password vaults. Recently, various methods, such as Chatterjee-PCFG (IEEE S&P’15), Golla-Markov (ACM CCS’16), and Cheng-IUV (USENIX Security’21), have been proposed to construct the cornerstone of honey password vaults, known as the distribution transforming encoder (DTE). These innovations significantly enhance the security and functionality of each kind of DTE. However, our findings indicate that when users employ multiple honey password vaults of distinct DTEs to manage their passwords, a passive attacker can easily compromise user passwords by exploiting differences among those DTEs. Consequently, we propose the differential attack targeting existing honey password vaults. The extensive experimental results confirm the effectiveness of this attack, distinguishing real from decoy password vaults with accuracy from 99.13% to 100.00%. In response, we design a novel, collaborative approach to train DTE, called federated DTE model, and construct a secure honey password vault. This strategy markedly bolsters security, reducing the differential attack’s distinguishing accuracy to approximately 52.41%, nearing the ideal threshold of 50.00%. Our findings emphasize the need for collaborative strategies to maintain password security to combat advanced cyber threats.
Citations: 0
Metaverse security and privacy research: A systematic review
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-21, DOI: 10.1016/j.cose.2025.104602
Volume 157, Article 104602 (Semantic Scholar paper id 144702574)
Authors: Argianto Rahartomo, Leonel Merino, Mohammad Ghafari
Abstract: The rapid growth of metaverse technologies, including virtual worlds, augmented reality, and lifelogging, has accelerated their adoption across diverse domains. This rise exposes users to significant new security and privacy challenges due to sociotechnical complexity, pervasive connectivity, and extensive user data collection in immersive environments. We present a systematic review of the literature published between 2013 and 2024, offering a comprehensive analysis of how the research community has addressed metaverse-related security and privacy issues over the past decade. We organize the studies by method and examine the security and privacy properties, immersive components, and evaluation strategies. Our investigation reveals a sharp increase in research activity in the last five years, a strong focus on practical and user-centered approaches, and a predominant use of benchmarking, human experimentation, and qualitative methods. Authentication and unobservability are the most frequently studied properties. However, critical gaps remain in areas such as policy compliance, accessibility, interoperability, and back-end infrastructure security. We emphasize the intertwined technical complexity and human factors of the metaverse and call for integrated, interdisciplinary approaches to securing inclusive and trustworthy immersive environments.
Citations: 0
Location privacy protection method based on social network platform
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-21, DOI: 10.1016/j.cose.2025.104611
Volume 157, Article 104611 (Semantic Scholar paper id 144713777)
Authors: Haohua Qing, Roliana Ibrahim, Hui Wen Nies
Abstract: In recent years, rapid advancements in wireless communication and positioning technologies have made location-based services (LBS) common and highly convenient in daily life, from navigation to social networking applications. However, this convenience often comes at the expense of user privacy, raising significant security concerns regarding unauthorized access and misuse of location data. This research addresses the dual nature of LBS by highlighting the critical need for robust and practical privacy mechanisms to safeguard sensitive geolocation data. Specifically, this paper proposes a novel privacy-preserving method leveraging Application Programming Interface (API) hijacking technology integrated into social network platforms. Through intercepting and perturbing location-based API calls, the method enhances privacy protection with minimal disruption to the user experience. Simulation experiments utilizing over 10,000 real-world QQ check-in records demonstrate that injecting random noise (ranging from 0.0001°–0.01°, approximately 11 m–1.1 km) significantly increases median location error from approximately 11 m to over 1 km, while introducing negligible latency overhead of only 15±3 milliseconds. This favorable trade-off confirms the method’s practical effectiveness in achieving a balance between privacy enhancement and service utility. Furthermore, this study critically reviews existing location privacy solutions, identifies their limitations, and introduces API hijacking as an innovative perspective for location privacy protection on popular social media platforms.
Citations: 0
Hybrid framework of differential privacy and secure multi-party computation for privacy-preserving entity resolution
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-19, DOI: 10.1016/j.cose.2025.104603
Volume 157, Article 104603 (Semantic Scholar paper id 144713235)
Authors: Maxwell Dorgbefu Jnr, Yaw Marfo Missah, Najim Ussiph, Gaddafi Abdul-Salaam, Oliver Kornyo, Joseph Mawulorm Mensah
Abstract: The exponential improvement and precision in hardware design, coupled with sophisticated software systems, are the basis of unprecedented rates of data generation and storage. However, extracting actionable knowledge, formulating impactful policies, and making insightful decisions from these massive datasets rely on data integration with entity resolution as its core task. Despite significant advances in entity resolution methods, the risk of data breaches, matching accuracy, utility and scalability remain critical challenges to the data science research community. This study introduces a novel hybrid framework of differential privacy (DP) and secure multi-party computation (SMPC) for privacy-preserving entity resolution (PPER), thereby addressing critical data utility and confidentiality challenges. We rigorously evaluated the framework using the Febrl4 and North Carolina Voter Registration (NCVR) datasets across three supervised machine learning models (Logistic Regression, SVM, Naïve Bayes), through adaptive ε-allocation (0.1 to 5.0), demonstrating the crucial privacy-utility trade-off. Our findings reveal that the framework maintains high linkage utility, with F1-scores consistently above 0.81 even under stringent privacy budgets (ε=0.1), and achieving over 0.90 at moderate ε values, notably with support vector machine exhibiting robust performance. This research provides empirical evidence and theoretical guarantees for developing highly practical and ethically compliant PPER solutions, offering clear guidance for balancing data utility with privacy requirements across diverse application domains.
Citations: 0
ATHITD: Attention-based temporal heterogeneous graph neural network for insider threat detection
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-19, DOI: 10.1016/j.cose.2025.104587
Volume 157, Article 104587 (Semantic Scholar paper id 144702573)
Authors: Yinhao Qi, Chuyi Yan, Zehui Wang, Chen Zhang, Song Liu, Zhigang Lu, Bo Jiang
Abstract: Insider threats can lead to data leakage and system crashes within an organization, seriously compromising the security of information systems. Most existing detection methods focus on analyzing user behavior sequences or constructing user relationship networks based on behavior feature similarities between users to uncover malicious insiders. However, these methods ignore the association between users and entities (e.g., files, processes, PCs, websites, and removable devices) and the evolution of user behavior patterns over time. This paper proposes an attention-based temporal heterogeneous graph neural network for insider threat detection (ATHITD) to address these issues. Firstly, ATHITD constructs sequences of temporal heterogeneous graphs from various logs based on the specified time window to depict the evolving and complex relationships between users and entities. Secondly, it introduces temporal neighbors for target nodes within each time window to describe short-term temporal dependencies. Temporal neighbors are nodes identical to the target nodes that appeared in the previous time windows. It then employs the attention mechanism to learn the spatial heterogeneity of target nodes and the short-term feature evolution from temporal neighbors to target nodes. Additionally, it uses the self-attention mechanism in Transformer to learn the long-term feature evolution of user nodes across various time windows. Furthermore, ATHITD can focus on the time windows in which malicious activities occur, helping security personnel analyze potential malicious activities in the highlighted time windows. Extensive experiments on the public datasets CERT and LANL demonstrate that the long- and short-term spatio-temporal node embeddings learned by ATHITD can be effectively used to identify malicious insiders. ATHITD achieves F1 scores of 0.96 and 0.97 on the CERT and LANL datasets, respectively, outperforming existing state-of-the-art methods.
Citations: 0
Privacy-preserving WiFi sensing in WSNs via CSI obfuscation
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-18, DOI: 10.1016/j.cose.2025.104594
Volume 157, Article 104594 (Semantic Scholar paper id 144672403)
Authors: Zhiming Chu, Guyue Li, Qingchun Meng, Haobo Li, Yuwei Zeng
Abstract: WiFi’s inherent openness introduces significant privacy risks from unauthorized sensing, driving considerable research efforts to mitigate these threats. However, the latest spatial obfuscation schemes like repeater-based signal forwarding and beamforming control ones have limitations in recovering legitimate sensing and maintaining communication performance respectively. To address these challenges, this paper presents a privacy-preserving WiFi sensing framework, which supports shielding unauthorized sensing while allowing normal communication and legitimate sensing. It uses a dynamic channel obfuscation technique at the transmitter side, which filters the whole frame including the Long Training Sequence (LTS) to perturb Channel State Information (CSI) while ensuring receiver equalization decoding for communication performance. Moreover, a deep network-based de-obfuscation approach is employed to support legitimate sensing. This approach models the nonlinear relationship between obfuscation response and tap coefficients to accurately predict the original CSI, addressing issues like deviations due to hardware defects and phase unavailability due to transceiver separation. The proposed framework has been rigorously tested in real-world scenarios, whose effectiveness is evaluated through indoor localization experiments conducted on the Software Defined Radio (SDR) platform. The results indicate that the framework can diminish eavesdroppers’ sensing performance to below 50%, while maintaining legitimate sensing performance above 90%. This work advances dual-functional WiFi systems by establishing the hardware-compatible architecture that fundamentally resolves the privacy-utility conflict through three key innovations: (1) formalized CSI obfuscation with provable communication preservation, (2) physics-informed nonlinear deobfuscation network architecture, and (3) comprehensive validation from PHY-layer security to application-layer functionality based on hardware implementation.
Citations: 0
Cyber risk communication during vessel incident management: A case study
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-18, DOI: 10.1016/j.cose.2025.104607
Volume 157, Article 104607 (Semantic Scholar paper id 144696675)
Authors: Allan Nganga, Joel Scanlan, Margareta Lützhöft, Steven Mallam
Abstract: The maritime cyber risk management guidelines developed by the International Maritime Organisation (IMO) highlight communication as a key aspect of the risk management process. This research sought to build upon previous studies highlighting incident communication as a critical part of the ship-to-SOC cyber incident management process. This research adopted a single case study-mixed methods design (CS-MM) featuring a primary case study that includes a nested mixed methods approach. The site for the case study was an M-SOC. The first phase of the case study involved interviews with 5 M-SOC personnel. For the second phase, an exploratory sequential design was applied. The quantitative data collection involved a survey with 10 vessel Information Technology (IT) and Operational Technology (OT) professionals, with 3 follow-up interviews conducted for the qualitative data collection stage. Our findings highlighted how a cyber incident dashboard and alert report complement each other in creating a shared recognised cyber picture (sRCP) between all the vessel incident management stakeholders. The sRCP, therefore, becomes the actionable element of the communication. The case study also sheds light on practical design considerations for enhancing the cyber situation awareness (CSA) of vessel cyber incident dashboards. Specifically, survey results revealed that highlighting the cyber risk of non-response to a security warning was the highest-ranked contextual information. Additionally, detection of potentially suspicious activity emerged as the risk finding that vessel IT teams highlighted as having the highest notification priority. Finally, the top alert grouping approaches were by warning type and by priority.
Citations: 0
ProvGOutLiner: A lightweight anomaly detection method based on process behavior features within provenance graphs
IF 4.8, Zone 2, Computer Science
Computers & Security, Pub Date: 2025-07-16, DOI: 10.1016/j.cose.2025.104589
Volume 157, Article 104589 (Semantic Scholar paper id 144672402)
Authors: Weiping Wang, Chenyu Wang, Hong Song, Kai Chen, Shigeng Zhang
Abstract: The Provenance Graph is an effective tool for host-based intrusion detection. It uses a directed graph to represent interactions between system entities and is widely used to capture and analyze system activities. Provenance graph-based anomaly detection methods aim to identify potential security threats in host environments. Compared to traditional intrusion detection techniques, provenance graph-based methods are more effective at detecting stealthy attacks. However, existing learning-based methods often rely on large amounts of labeled data. These methods have high computational costs and lack interpretability. This makes it difficult to clearly identify specific attack behaviors. To address these issues, we propose ProvGOutLiner: a lightweight and unsupervised anomaly detection method for provenance graphs. This method is based on process behavior characteristics. We analyze common attack behaviors in detail and find that the outgoing edge types and counts from processes in the provenance graph exhibit distinctive behavior patterns. Based on this observation, we introduce a Process Behavior Tree. This tree generates feature vectors for process behaviors by statistically analyzing the types and counts of outgoing edges from its nodes. We then apply a clustering algorithm to detect anomalous behaviors in an unsupervised manner. The construction of the Process Behavior Tree and feature extraction do not require complex models, which enables lightweight detection. We evaluate our method on the DARPA public dataset. The results show that ProvGOutLiner significantly reduces computational overhead while accurately identifying malicious process activities. ProvGOutLiner achieves a recall rate of 99% and a precision rate of 96%, and our method significantly reduces computation time.
Citations: 0
Contact: info@booksci.cn. Book学术 provides a free academic resource search service so that scholars in China and abroad can retrieve Chinese and English literature, and is committed to offering the most convenient and high-quality service experience. Copyright © 2023 布克学术 All rights reserved.