{"title":"FTOA-RP: A ‘group’-based flow entry replacement policy probing and flow table overflow attack method","authors":"Jinlong Wang, Yunhe Cui, Rongfei He, Yi Chen, Chun Guo, Guowei Shen","doi":"10.1016/j.cose.2025.104629","abstract":"As a new network architecture, Software-Defined Networking (SDN) introduces potential risks, such as configuration probing of switches and flow table overflow attacks. The existing flow entry replacement probing methods may not accurately probe the replacement policies due to network jitter and packet loss. Meanwhile, existing flow table overflow attacks ignore the fact that the flow entry replacement policy will evict the malicious flow entries during the attack. As evicted flow entries are not reinstalled promptly, the attack’s effect is reduced. To address the above issues, FTOA-RP, a new two-phase flow entry replacement policy probing method, and a new flow table overflow attack method considering the flow entry replacement policy are proposed. To overcome the decrease in replacement policy probing accuracy caused by network jitter and packet loss, FTOA-RP probes the replacement policy using a group of probing packets. In particular, FTOA-RP designs TPRPP, a probing algorithm that consists of a forward/backward eviction detection phase and a forward eviction fine-grained detection phase to probe the flow entry replacement policies. TPRPP designs a specially structured packet group, which consists of multiple subgroups, each containing several probing packets. By sending probing packets in groups, TPRPP effectively mitigates the negative effects of network jitter and packet loss. To address the issue that the effectiveness of existing flow table overflow attacks is reduced by the flow entry replacement policy, FTOA-RP designs a flow table overflow attack method that considers the impact of flow entry replacement. More specifically, FTOA-RP designs two attack packet-sending algorithms. The first one is SAP-FLR, which is used to launch a flow table overflow attack under FIFO and LRU. The second one is SAP-LF, used to launch a flow table overflow attack under LFU. During the attack phase, SAP-FLR and SAP-LF adjust the sending order of attack packets based on the replacement policies to ensure the timely reinstallation of evicted flow entries. The evaluation results show that FTOA-RP outperforms the existing attack methods in terms of the probing accuracy, probing cost, and the ability to maintain malicious flow entries during the attack.","journal":{"name":"Computers & Security","volume":"159","pages":"Article 104629"},"PeriodicalIF":5.4,"publicationDate":"2025-09-06","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
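The abstract above turns on two points: a switch's flow table evicts entries under FIFO, LRU or LFU, and a prober can tell the policies apart by watching which entry a new flow pushes out, provided jitter and packet loss do not corrupt the reading. The following example is added for this listing and is not the authors' TPRPP or FTOA-RP code. It models a three-entry flow table under each policy, replays a constructed packet sequence after which one new flow evicts a different entry under each policy, and then classifies the policy by majority vote over repeated trials, with a constructed corruption schedule standing in for jitter and loss. The class and function names, the probe sequence and the noise model are all assumptions of the example.

```python
"""Toy model of a switch flow table under FIFO, LRU and LFU eviction, and a
probe that tells the policies apart from which entry a new flow evicts.
Constructed illustration for this listing; not the TPRPP/FTOA-RP code."""
from collections import Counter, OrderedDict
from typing import List, Optional

POLICIES = ("FIFO", "LRU", "LFU")


class FlowTable:
    """Fixed-capacity flow table; entries map flow id -> packets matched."""

    def __init__(self, capacity: int, policy: str) -> None:
        if policy not in POLICIES:
            raise ValueError(f"unknown replacement policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        # iteration order = insertion order (FIFO, LFU) or recency order (LRU)
        self.entries = OrderedDict()
        self.evicted: List[str] = []

    def packet_in(self, flow: str) -> bool:
        """Handle one packet. Returns True on a table hit; on a miss the controller
        installs an entry for the flow, evicting one first if the table is full."""
        if flow in self.entries:
            self.entries[flow] += 1
            if self.policy == "LRU":
                self.entries.move_to_end(flow)  # most recently used moves to the back
            return True
        if len(self.entries) >= self.capacity:
            self._evict()
        self.entries[flow] = 1
        return False

    def _evict(self) -> None:
        if self.policy == "LFU":
            # fewest packets matched; min() keeps the oldest entry on ties
            victim = min(self.entries, key=self.entries.__getitem__)
        else:
            # front of the OrderedDict: oldest install (FIFO) or least recently used (LRU)
            victim = next(iter(self.entries))
        del self.entries[victim]
        self.evicted.append(victim)


# Constructed probe sequence for a 3-entry table. After it, installing a new flow
# evicts a different entry under each policy:
#   FIFO -> "a" (oldest install), LRU -> "b" (last matched before "c" was installed),
#   LFU  -> "c" (matched once, while "a" and "b" were matched twice).
PROBE_SEQUENCE = ["a", "b", "b", "c", "a"]
VICTIM_TO_POLICY = {"a": "FIFO", "b": "LRU", "c": "LFU"}


def run_trial(policy: str) -> str:
    """Replay the probe sequence on a fresh table, then force exactly one eviction."""
    table = FlowTable(capacity=3, policy=policy)
    for flow in PROBE_SEQUENCE:
        table.packet_in(flow)
    table.packet_in("x")  # new flow into a full table: one entry is evicted
    return table.evicted[-1]


def observe(true_victim: str, corrupted: bool) -> str:
    """Constructed channel model: a clean reading reports the evicted flow; a
    reading corrupted by jitter or loss reports some other flow instead."""
    if not corrupted:
        return true_victim
    return next(f for f in VICTIM_TO_POLICY if f != true_victim)


def probe_single(policy: str, corrupted: bool = False) -> Optional[str]:
    """One probe subgroup: a single reading decides the policy."""
    return VICTIM_TO_POLICY.get(observe(run_trial(policy), corrupted))


def probe_group(policy: str, corruption: List[bool]) -> Optional[str]:
    """Group probing: one trial per subgroup, majority vote over the readings.
    corruption[i] says whether subgroup i's reading is corrupted."""
    votes: Counter = Counter()
    for corrupted in corruption:
        label = VICTIM_TO_POLICY.get(observe(run_trial(policy), corrupted))
        if label is not None:
            votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


if __name__ == "__main__":
    schedule = [i % 4 == 0 for i in range(12)]  # every fourth reading corrupted
    for policy in POLICIES:
        print(policy, "single:", probe_single(policy, corrupted=True),
              "group:", probe_group(policy, schedule))
```

In a real SDN the prober cannot read the table; it infers a miss from the extra controller round trip, and that miss also reinstalls the entry, which is why a single corrupted reading misclassifies the policy and why the trial is repeated across subgroups before voting.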
{"title":"Understanding smartphone security behavior through the core constructs of protection motivation theory: A comparative study of iOS and Android users","authors":"Tuğçe Karayel, Metin Saygılı","doi":"10.1016/j.cose.2025.104652","abstract":"This study investigates the factors influencing smartphone users’ security behavior intentions through the lens of Protection Motivation Theory (PMT). Utilizing structural equation modeling (PLS-SEM), the research analyzes both a general sample and subgroups based on mobile operating systems (iOS and Android) to explore potential platform-based differences. The findings reveal that threat appraisal components, particularly perceived vulnerability, have a significant impact on users’ intentions to engage in mobile security behaviors. Similarly, coping appraisal components, including response efficacy and self-efficacy, are found to be strong predictors of behavioral intention. Interestingly, response cost shows a significant effect only among iOS users, suggesting that perceived burden varies by platform. These results highlight the importance of both cognitive evaluations and contextual factors such as operating systems in shaping users’ cybersecurity motivations. The study contributes to the literature by providing nuanced insights into the predictive power of PMT and offering empirical evidence of user segmentation in mobile security behavior.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104652"},"PeriodicalIF":5.4,"publicationDate":"2025-09-03","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"EnhanceCTI: Enhanced semantic filtering and feature extraction framework for industry-specific cyber threat intelligence","authors":"Sheng-Shan Chen, Tun-Wen Pai, Chin-Yu Sun","doi":"10.1016/j.cose.2025.104649","abstract":"The rapid digitization of various industries has created an urgent need for robust cyber threat intelligence (CTI) systems. Organizations are increasingly developing cyber threat intelligence platforms (TIPs) to gather open-source intelligence (OSINT) and transform it into actionable defenses against information security breaches. However, the overwhelming volume and complexity of OSINT data, often including false or misleading information, pose significant challenges for effective CTI analysis. This study introduces EnhanceCTI, a novel system designed to improve the quality and industry-specific applicability of threat intelligence. EnhanceCTI employs an enhanced DistilBERT-based (distilled Bidirectional Encoder Representations from Transformers) semantic filtering method to filter intelligence data and determine its alignment with industry-specific data extracted from TIPs. This filtering is applied across eight major industries: healthcare, finance, government, technology, education, telecommunications, critical infrastructure, and a miscellaneous “others” category. Additionally, EnhanceCTI leverages high-credibility CTI features, integrating them with SentenceBERT to create a merging judgment model. This model determines whether a given piece of intelligence should be merged with existing data or stored independently, thereby ensuring relevance and minimizing redundancy. Finally, a dedicated platform was developed, providing cybersecurity analysts with tools to rapidly assess both intelligence quality and the accuracy of industry-specific classification models. Experimental results demonstrate EnhanceCTI’s effectiveness, achieving an F1-score of 0.99 for intelligence identification and a 0.89 cosine Pearson correlation for SentenceBERT. A random forest algorithm, trained on 750 manually annotated samples, achieved an F1-score of 0.97 on the merging judgment model. These findings highlight EnhanceCTI’s ability to accurately identify threats, offering a valuable, industry-tailored solution for institutions facing the growing challenges of cybersecurity in the modern digital landscape.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104649"},"PeriodicalIF":5.4,"publicationDate":"2025-09-01","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"In-vehicle device data tampering detection: Accurate identification based on correlation calculation and data relationship","authors":"Zigang Chen, Hongwei Zhang, Qinyu Mu, Danlong Li, Haihua Zhu","doi":"10.1016/j.cose.2025.104648","abstract":"The rapid advancement of intelligent connected vehicles (ICVs), driven by the integration of AI and 5G, has intensified the need for reliable accident forensics. We present a novel correlation analysis-based method for detecting tampered vehicle electronic data, addressing critical security vulnerabilities in current systems. Our approach establishes multivariate relationship clusters from in-vehicle data characteristics, performs dimensionality reduction, and computes anomaly scores through tail probability analysis. The experimental results demonstrate that the proposed method exhibits superior detection performance compared to existing approaches for random injection attacks, targeted tampering attacks, and outlier attacks.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104648"},"PeriodicalIF":5.4,"publicationDate":"2025-08-30","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"Cordon: Enhancing security through kernel-level control in containerized computing environments","authors":"Qiqing Deng, Zhen Xu, Qihui Zhou, Yan Zhang","doi":"10.1016/j.cose.2025.104644","abstract":"Containers have become a foundational technology across a variety of computing environments, enabling an era of agility, efficiency, and scalability due to their inherent advantages. Simultaneously, containers confront escalating security threats, with vulnerabilities being exploited to compromise host machines and broaden attack impacts. Existing security mechanisms predominantly rely on host-based mandatory access control, which contradicts the autonomy and flexibility requirements of dynamic and scalable containerized computing environments. This paper introduces Cordon, a novel framework aimed at providing autonomous and flexible control management within the context of containerized computing, effectively addressing the limitations of existing security mechanisms. Cordon is designed to counter common attack vectors in containerized environments by implementing file access control, capability management, and system call interception, thereby enabling comprehensive container-aware security enforcement at the kernel level. Furthermore, Cordon supports multi-container management, enabling the application of security policies across various dimensions of container resources, a feature that allows for the batch security management of containers of the same type, such as multiple container instances deployed under the same Kubernetes deployment. We develop a prototype implementation of Cordon and evaluate its effectiveness, generality, and performance overhead. Our evaluation demonstrates that Cordon effectively blocks various container attacks while maintaining acceptable overhead.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104644"},"PeriodicalIF":5.4,"publicationDate":"2025-08-30","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"Attack smarter: Attention-driven fine-grained webpage fingerprinting attacks","authors":"Yali Yuan, Weiyi Zou, Guang Cheng","doi":"10.1016/j.cose.2025.104643","abstract":"Website Fingerprinting (WF) attacks aim to infer which websites a user is visiting by analyzing traffic patterns, thereby compromising user anonymity. Although this technique has been demonstrated to be effective in controlled experimental environments, it remains largely limited to small-scale scenarios, typically restricted to recognizing website homepages. In practical settings, however, users frequently access multiple subpages in rapid succession, often before previous content fully loads. WebPage Fingerprinting (WPF) generalizes the WF framework to large-scale environments by modeling subpages of the same site as distinct classes. These pages often share similar page elements, resulting in lower inter-class variance in traffic features. Furthermore, we consider multi-tab browsing scenarios, in which a single trace encompasses multiple categories of webpages. This leads to overlapping traffic segments, and similar features may appear in different positions within the traffic, thereby increasing the difficulty of classification. To address these challenges, we propose an attention-driven fine-grained WPF attack, named ADWPF. Specifically, during the training phase, we apply targeted augmentation to salient regions of the traffic based on attention maps, including attention cropping and attention masking. ADWPF then extracts low-dimensional features from both the original and augmented traffic and applies self-attention modules to capture the global contextual patterns of the trace. Finally, to handle the multi-tab scenario, we employ residual attention to generate class-specific representations of webpages occurring at different temporal positions. Extensive experiments demonstrate that the proposed method consistently surpasses state-of-the-art baselines across datasets of different scales. Notably, under a challenging setting involving 1,000 monitored webpages, our model achieved a 50.54% mAP and 63.85% Recall@5.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104643"},"PeriodicalIF":5.4,"publicationDate":"2025-08-28","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"FELACS: Federated learning with adaptive client selection for IoT DDoS attack detection","authors":"Mulualem Bitew Anley, Pasquale Coscia, Angelo Genovese, Vincenzo Piuri","doi":"10.1016/j.cose.2025.104642","abstract":"Distributed denial-of-service (DDoS) attacks pose a significant threat to network security by overwhelming systems with malicious traffic, leading to service disruptions and potential data breaches. Traditional centralized machine learning (ML) methods for detecting DDoS attacks in Internet of Things (IoT) environments raise privacy and security concerns because they collect and distribute data to a central entity that may not be trusted to perform model training. Federated learning (FL) offers a privacy-preserving solution that enables distributed collaboration by training a model only on local clients, without data exchanges, where the central entity only performs global model aggregation. However, the current practice of random client selection, combined with the statistical heterogeneity of client data and the device heterogeneity encountered in IoT environments, requires many training rounds to reach optimal accuracy, increasing the imposed computational overhead. To address these challenges, we propose a multiobjective optimization-based FL with adaptive client selection (FELACS) approach that maximizes client importance scores while satisfying resource, performance, and data diversity constraints. Experiments on the CIC-IDS2018, CIC-DDoS2019, BoT-IoT, and CIC-IoT2023 datasets demonstrate that FELACS improves upon the accuracy of existing approaches while converging faster in an FL scenario, reducing the number of communication rounds required to reach the target accuracy and making it highly effective for IoT-based DDoS attack detection in FL settings.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104642"},"PeriodicalIF":5.4,"publicationDate":"2025-08-27","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"How informative are cybersecurity risk disclosures? Empirical analysis of firms targeted by ransomware","authors":"Matthew Adams, Tyler Moore","doi":"10.1016/j.cose.2025.104626","abstract":"Public companies face escalating requirements to disclose cybersecurity risks and damages in regulatory filings. In theory, such disclosures should equip investors with the knowledge required to make informed decisions, while also encouraging firms to adopt more robust strategies for managing cybersecurity risks. In practice, discussions are often embedded in disparate locations of long documents full of legalese, which hinders systematic examination. This paper examines the regulatory filings of 61 firms that experienced ransomware incidents between 2018 and 2021. We describe a process whereby 7681 cyber-related statements were extracted from 314 10-K filings between 2018 and 2023, then categorized using an iterative process inspired by grounded theory. We then perform quantitative and qualitative analysis of the statements, examining how firms discuss cybersecurity before and after experiencing an incident.","journal":{"name":"Computers & Security","volume":"159","pages":"Article 104626"},"PeriodicalIF":5.4,"publicationDate":"2025-08-25","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"A flexible ISO 27701-based framework for assessing cybersecurity maturity: a proposition and a case application","authors":"Fábio Dias Carneiro, Izabela Simon Rampasso, Sidney Luiz de Matos Mello, Tiago F.A.C. Sigahi, Hernán Lespay, Rosley Anholon","doi":"10.1016/j.cose.2025.104645","abstract":"This study aims to propose a framework for assessing the cybersecurity management level of organizations, based on ISO 27701. To illustrate the proposed framework, and considering the relevance of cybersecurity for Higher Education Institutions (HEIs), an analysis of the reality of Federal HEIs in Brazil is conducted. To develop the proposed framework, the standard ISO 27701 was used to structure a questionnaire. The proposed data analysis combines Hierarchical Cluster Analysis (HCA), frequency analysis, and Fuzzy TOPSIS. The case application considered experts in information security of Federal HEIs in Brazil. The proposed framework presents eight steps: definition of the application focus, analysis of the variables and scale proposed, questionnaire structuring, ethics committee submission, data gathering, HCA, frequency analysis, and Fuzzy TOPSIS. Regarding the case application, aspects related to internal auditing, asset management, and human resources training and analysis were the most critical. This study presents a comprehensive framework for guiding information security assessment in organizations. The proposed framework presents the necessary flexibility to be adjusted according to the requirements of practitioners and researchers. It can be used by companies and the government to assess their current reality and evaluate the impact of changes performed. Researchers can integrate the proposed framework into an Artificial Intelligence mechanism for risk prediction in organizations. The findings from the case application evidence the contributions of this framework to assess the reality of any kind of institution and highlight the insights that can be obtained from its analysis.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104645"},"PeriodicalIF":5.4,"publicationDate":"2025-08-23","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
{"title":"Distance-based feature selection using Benford’s law for malware detection","authors":"Pedro Fernandes, Séamus Ó Ciardhuáin, Mário Antunes","doi":"10.1016/j.cose.2025.104625","abstract":"Detecting malware in computer networks and data streams from Android devices remains a critical challenge for cybersecurity researchers. While machine learning and deep learning techniques have shown promising results, these approaches often require large volumes of labelled data, offer limited interpretability, and struggle to adapt to sophisticated threats such as zero-day attacks. Moreover, their high computational requirements restrict their applicability in resource-constrained environments.\n\nThis research proposes an innovative approach that advances the state of the art by offering practical solutions for dynamic and data-limited security scenarios. By integrating natural statistical laws, particularly Benford’s law, with dissimilarity functions, a lightweight, fast, and scalable model is developed that eliminates the need for extensive training and large labelled datasets while improving resilience to data imbalance and scalability for large-scale cybersecurity applications.\n\nAlthough Benford’s law has demonstrated potential in anomaly detection, its effectiveness is limited by the difficulty of selecting relevant features. To overcome this, the study combines Benford’s law with several distance functions, including Median Absolute Deviation, Kullback–Leibler divergence, Euclidean distance, and Pearson correlation, enabling statistically grounded feature selection. Additional metrics, such as the Kolmogorov test, Jensen–Shannon divergence, and Z statistics, were used for model validation.\n\nThis approach quantifies discrepancies between expected and observed distributions, addressing classic feature selection challenges like redundancy and imbalance. Validated on both balanced and unbalanced datasets, the model achieved strong results: 88.30% accuracy and 85.08% F1-score on the balanced set, and 92.75% accuracy and 95.29% F1-score on the unbalanced set. The integration of Benford’s law with distance functions significantly reduced false positives and negatives.\n\nCompared to traditional Machine Learning methods, which typically require extensive training and large datasets to achieve F1 scores between 92% and 99%, the proposed approach delivers competitive performance while enhancing computational efficiency, robustness, and interpretability. This balance makes it a practical and scalable alternative for real-time or resource-constrained cybersecurity environments.","journal":{"name":"Computers & Security","volume":"158","pages":"Article 104625"},"PeriodicalIF":5.4,"publicationDate":"2025-08-22","publicationTypes":"Journal Article","isOpenAccess":false,"RegionNum":2,"RegionCategory":"Computer Science"}
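The abstract above scores features by how far their leading-digit distribution sits from Benford's law under several distance functions (Median Absolute Deviation, Kullback–Leibler divergence, Euclidean distance, Pearson correlation). The following example is added for this listing and is not the authors' model: it computes the first-digit distribution of each numeric feature, compares it with the Benford expectation P(d) = log10(1 + 1/d) under each of the four measures, and ranks the features by conformance. The three sample features are synthetic, the function and metric names are the example's own, and the deviation measure is the median (as the abstract words it) rather than the mean used in some Benford tests.

```python
"""Benford first-digit conformance of numeric features under several distance
functions, used to rank features. Constructed illustration for this listing;
not the authors' model, and the sample features are synthetic."""
import math
from typing import Dict, List, Sequence

DIGITS = range(1, 10)
# Benford's law: expected proportion of leading digit d is log10(1 + 1/d)
BENFORD: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in DIGITS}
Dist = Dict[int, float]


def first_digit(x: float) -> int:
    """Leading significant digit of x; 0 for zero or non-finite values, which are skipped."""
    if x == 0 or not math.isfinite(x):
        return 0
    return int(f"{abs(x):.15e}"[0])


def digit_distribution(values: Sequence[float]) -> Dist:
    """Observed first-digit proportions of one feature."""
    counts = {d: 0 for d in DIGITS}
    total = 0
    for v in values:
        d = first_digit(v)
        if d:
            counts[d] += 1
            total += 1
    if total == 0:
        raise ValueError("feature has no nonzero finite values")
    return {d: counts[d] / total for d in DIGITS}


def euclidean(p: Dist, q: Dist) -> float:
    return math.sqrt(sum((p[d] - q[d]) ** 2 for d in DIGITS))


def kl_divergence(p: Dist, q: Dist, eps: float = 1e-12) -> float:
    """KL(p || q); eps keeps digits with zero observed mass from producing log(0)."""
    return sum(p[d] * math.log((p[d] + eps) / (q[d] + eps)) for d in DIGITS)


def median_abs_deviation(p: Dist, q: Dist) -> float:
    """Median over the nine digits of |observed - expected| proportion."""
    devs = sorted(abs(p[d] - q[d]) for d in DIGITS)
    return devs[len(devs) // 2]


def pearson(p: Dist, q: Dist) -> float:
    """Pearson correlation between the observed and expected digit proportions."""
    xs = [p[d] for d in DIGITS]
    ys = [q[d] for d in DIGITS]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


# metric name -> (function, True if a larger value means closer to Benford)
METRICS = {
    "euclidean": (euclidean, False),
    "kl": (kl_divergence, False),
    "mad": (median_abs_deviation, False),
    "pearson": (pearson, True),
}


def score_feature(values: Sequence[float], metric: str) -> float:
    fn, _ = METRICS[metric]
    return fn(digit_distribution(values), BENFORD)


def rank_features(features: Dict[str, Sequence[float]], metric: str) -> List[str]:
    """Feature names ordered from most to least Benford-conforming under `metric`."""
    _, larger_is_closer = METRICS[metric]
    scores = {name: score_feature(vals, metric) for name, vals in features.items()}
    return sorted(scores, key=scores.__getitem__, reverse=larger_is_closer)


# Constructed sample features (synthetic, not malware data):
SAMPLE_FEATURES: Dict[str, List[float]] = {
    # mantissa 10**u with u equidistributed in [0, 1): leading digits follow Benford
    "benford_like": [10 ** ((i * 0.6180339887) % 1) * 10 ** (i % 4) for i in range(300)],
    # a flat range 100..399: leading digits are only 1, 2 and 3
    "uniform": [100.0 + i for i in range(300)],
    # a constant feature: every value starts with 5
    "constant": [5.0] * 300,
}

if __name__ == "__main__":
    for metric in METRICS:
        print(metric, rank_features(SAMPLE_FEATURES, metric))
```

All four measures agree on the ordering of the three synthetic features; on real data they need not, which is the point of combining several dissimilarity functions before selecting features.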