Computers & Security最新文献

{"title":"Assessing the impact of packing on static machine learning-based malware detection and classification systems","authors":"Daniel Gibert ,&nbsp;Nikolaos Totosis ,&nbsp;Constantinos Patsakis ,&nbsp;Quan Le ,&nbsp;Giulio Zizzo","doi":"10.1016/j.cose.2025.104495","DOIUrl":"10.1016/j.cose.2025.104495","url":null,"abstract":"<div><div>The proliferation of malware, particularly through the use of packing, presents a significant challenge to static analysis and signature-based malware detection techniques. Applying packing to the original executable code renders extracting meaningful features and signatures challenging. To deal with the increasing amount of malware in the wild, researchers and anti-malware companies started harnessing machine learning capabilities with very promising results. However, little is known about the effects of packing on static machine learning-based malware detection and classification systems. This work addresses this gap by investigating the impact of packing on the performance of static machine learning-based models used for malware detection and classification, with a particular focus on those using visualization techniques. To this end, we present a comprehensive analysis of various packing techniques and their effects on the performance of machine learning-based detectors and classifiers. Our findings highlight the limitations of current static detection and classification systems and underscore the need to be proactive to effectively counteract the evolving tactics of malware authors.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104495"},"PeriodicalIF":4.8,"publicationDate":"2025-05-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143936579","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Detecting Cybercrime in Online Video Gaming","authors":"James Higgs,&nbsp;Stephen Flowerday","doi":"10.1016/j.cose.2025.104528","DOIUrl":"10.1016/j.cose.2025.104528","url":null,"abstract":"<div><div>Cybercrime is often assumed to be limited to more mature economic sectors. Yet, cybercrime is known to migrate to less tightly regulated domains—including online video gaming. Account compromise and virtual asset theft is a challenge that confronts the entire online video gaming industry. Increasingly, video game companies are required to promptly identify malicious online activity and take prompt remedial action. This paper conducts a social network analysis of 358,054 Roblox users that participated in the Roblox virtual asset marketplace over a 12-month period. Results from a multiple logistic regression analysis provide video game companies with actionable findings that can be leveraged during the implementation of organizational security controls, including policy, governance mechanism and system design decisions. Key findings reveal that the prosocial nature of online gamers’ friendship circles play a central role in determining the likelihood that accounts are banned for malicious account activity. Third-party trading website usage, posting trade advertisements as part of a social engineering exploit, and the age of user accounts constitute further risk factors that should be accounted for when managing customer risk. To complement the regression analysis, five classifiers were trained with social network-derived features. Cross-validated results show that network-derived features have strong discriminative power and should form part of a defense-in-depth approach to combatting cybercrime in online video gaming.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104528"},"PeriodicalIF":4.8,"publicationDate":"2025-05-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143924467","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Antivirus applied to Google Chrome's extension malware","authors":"Gabriela Leite Pereira,&nbsp;Leonardo Silvino Brito,&nbsp;Sidney Marlon Lopes de Lima","doi":"10.1016/j.cose.2025.104465","DOIUrl":"10.1016/j.cose.2025.104465","url":null,"abstract":"<div><h3>Background and Objective</h3><div>Despite the massive use of antivirus on personal computers, malicious applications are on the rise. Nowadays, modern malware uses browser extensions rather than portable files. A three-month study found that Chrome users downloaded malicious extensions 33 million times. Some of these extensions received more than ten million installs. These malicious extensions captured keystrokes, including passwords, and screenshots.</div></div><div><h3>Methods</h3><div>This work aims to create antivirus software to detect malicious Google Chrome extensions (CRX). Our engine runs the CRX suspicious sample to infect a monitored Windows OS in a controlled environment. In total, our antivirus monitors and considers 1098 actions that the suspicious CRX file can perform when executed. The audited behaviors serve as input neurons for author neural networks. The aim is to recognize the pattern of malicious add-ons and separate them from benign ones. Instead of deep networks, authorial networks are of low computational complexity. Due to the excellent results in different areas, there is a common belief that deep learning can always provide the best results. In fact, this consideration is false. To prove the theory, the author's antivirus uses shallow morphological neural networks.</div></div><div><h3>Results</h3><div>Author antivirus is both accurate and efficient, based on neural networks. The authorial antivirus can combine high accuracy with reduced learning time. The antivirus achieved a 99.99 % success rate in detecting malware. It distinguished between benign CRX files and malware. Training takes an average of 0.60 s. The researchers investigate different initial conditions, learning functions and antivirus architectures.</div></div><div><h3>Conclusions</h3><div>Intelligent antiviruses can fix traditional antiviruses' flaws. They rely on a client's prior infection to act against new threats. Unlike this reactive approach, our antivirus detects harmful add-ons before the user triggers them. Unlike most traditional antiviruses, our antivirus works differently. It can detect the malicious intent of a suspicious add-on before the user clicks it. Our antivirus detects malware preventively rather than reactively. Our antivirus, also, is statistically superior to commercial and state-of-the-art antiviruses.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104465"},"PeriodicalIF":4.8,"publicationDate":"2025-05-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144071046","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Intrusion detection system for autonomous vehicles using sensor spatio-temporal information","authors":"Qingxin Liu,&nbsp;Guihe Qin,&nbsp;Yanhua Liang,&nbsp;Jiaru Song,&nbsp;Wanning Liu,&nbsp;Xue Zhou","doi":"10.1016/j.cose.2025.104502","DOIUrl":"10.1016/j.cose.2025.104502","url":null,"abstract":"<div><div>Connected Autonomous Vehicles (CAVs) have great potential to improve driving safety and comfort, but they still face cybersecurity risks. Intrusion Detection Systems (IDS) have now become the primary means of addressing this problem. There are two weaknesses in existing studies that consider sensor correlation. First, few studies focus on the degree of correlation between sensors. Second, existing studies usually focus only on anomaly detection and ignore the precise location of attack targets. In this paper, we propose a two-stage intrusion detection system based on in-vehicle sensors spatio-temporal information. The first stage is set as a behavior predictor, which uses historical data to predict current data. Where the spatial Multi-head Graph Attention (MGAT) layer considers the degree of correlation among sensors through the attention weights in the graph structure, and the temporal Multi-head Graph Attention layer models the dependence of data at different time points of a single sensor. In the second phase, the attack detector first detects anomalies based on the deviation between predicted and observed values, after which a threshold deviation ratio is introduced to locate the attacked sensor. Experimental results in real vehicle data sets show that the proposed system can efficiently detect multiple types of attacks with an average F1 score of 98.28%, which is at least 1.45% higher than the existing methods. In various single-sensor attack scenarios, the accuracy of identifying attack targets exceeds 97.00%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104502"},"PeriodicalIF":4.8,"publicationDate":"2025-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143898957","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Assessing the usefulness of Data Flow Diagrams for validating security threats","authors":"Winnie Bahati Mbaka ,&nbsp;Xinran Zhang ,&nbsp;Yunduo Wang ,&nbsp;Tong Li ,&nbsp;Fabio Massacci ,&nbsp;Katja Tuma","doi":"10.1016/j.cose.2025.104498","DOIUrl":"10.1016/j.cose.2025.104498","url":null,"abstract":"<div><h3>Context:</h3><div>Threat analysis is a pillar of security-by-design which plays an important role in the elicitation and refinement of security threats. In preparation for the analysis, a model of the system under analysis e.g., the Data Flow Diagram (DFD for short) is often created.</div></div><div><h3>Problem:</h3><div>Empirical measures of success are important for practitioners that are struggling to meet the current demands for expertise. But no previous work has investigated the role of these diagrams during the validation of identified security threats.</div></div><div><h3>Methods:</h3><div>This paper presents an experiment conducted with 98 students in two countries. We measured the impact of the DFD on the perceived and actual effectiveness of validating a list of identified security threats including both fabricated and actual threats.</div></div><div><h3>Results:</h3><div>In presence of sequence diagrams, the participants perceived DFDs as more useful. However, when exposed to both a DFD and a sequence diagram, DFDs had no significant impact on the participants’ ability to validate security threats.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104498"},"PeriodicalIF":4.8,"publicationDate":"2025-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143924465","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"The human factor: Addressing computing risks for critical national infrastructure towards 2040","authors":"Charles Weir ,&nbsp;Cecilia Loureiro-Koechlin ,&nbsp;Lucy Hunt ,&nbsp;Louise Dennis","doi":"10.1016/j.cose.2025.104524","DOIUrl":"10.1016/j.cose.2025.104524","url":null,"abstract":"<div><div>The authors conducted a UK-based future study employing the Delphi method to explore the impact of emerging computing technologies on Critical National Infrastructure (CNI). The study engaged 22 domain experts specializing in software, cybersecurity, and CNI, whose roles all include forecasting technological trends and challenges. The findings propose making Internet Services a CNI sector, and suggested the weightiest concern to be human-centric challenges around the recovery from software disasters and cyberattacks. Other major concerns also related to human factors, such as attacks via operators, and errors stemming from poorly designed human-computer interfaces. The suggested mitigation strategies therefore concentrate on human-centred approaches. Key recommendations include promoting human-focused cyber resilience, and using legislation, regulation and standards to help establish it in CNI organizations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104524"},"PeriodicalIF":4.8,"publicationDate":"2025-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144280460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"ARLHNIDS-IoT: An accurate and robust lightweight hybrid-NIDS for IoT network security","authors":"Arpita Srivastava,&nbsp;Ditipriya Sinha","doi":"10.1016/j.cose.2025.104515","DOIUrl":"10.1016/j.cose.2025.104515","url":null,"abstract":"&lt;div&gt;&lt;div&gt;The rapid growth of IoT networks has heightened vulnerabilities in IoT devices, making them targets for sophisticated attackers. These vulnerabilities compromise sensitive user data and disrupt services for legitimate users. Therefore, securing IoT devices is a crucial research area to protect against cyber-attacks and fully realize the benefits of IoT technologies. Various solutions have already been proposed, including firewalls, antivirus software, and intrusion detection systems (IDS). Firewalls and antivirus software provide only some level of security by filtering known threats and blocking unauthorized access; they primarily rely on predefined rules and filter the packet according to rules without monitoring its behavior in the network. The firewall functions in either inline mode or transparent mode at the network boundary. In contrast, IDS offers more comprehensive protection by continuously monitoring network traffic and system activities, employing both signature-based and anomaly-based detection techniques to identify previously unseen threats (or zero-day attacks). It typically functions in monitoring mode rather than inline with the traffic flow. However, designing an effective IDS for IoT environments presents significant challenges. The limited computational resources of IoT devices make it difficult to process high-dimensional IDS datasets efficiently. On the other hand, dataset imbalance is another major hurdle (as it hinders the accurate identification of intrusive activities, leading to biased detection performance) in the design of efficient intrusion detection systems. To address these challenges, this paper proposes a novel hybrid network intrusion detection system that integrates advanced oversampling, feature selection techniques, and intelligent detection models to enhance the attack detection accuracy and reduce the processing time of intrusion detection in IoT networks. Firstly, the imbalanced IDS dataset is balanced with the help of the modified generative adversarial minority oversampling (GAMO) and fuzzy C-means clustering techniques. In the proposed framework, the existing GAMO model is modified by integrating the attention mechanism to focus on significant patterns in the network traffic and achieve efficacious performance. Hyperparameters of the fuzzy C-means clustering algorithm are optimized using the OPTUNA technique. Secondly, feature selection is performed using the modified Grey Wolf Optimization (GWO) technique by integrating the correlation coefficient in the initialization stage and introducing a novel objective function. This modified feature selection approach reduces the resource constraint and is compatible with IoT networks. Signature-based IDS (SIDS) is designed using the majority voting classifier to detect known attacks. The voting classifier ensembles seven tree-based models, which are optimized using the OPTUNA technique. On the other hand, anomaly-based IDS (AIDS) is proposed, which ","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104515"},"PeriodicalIF":4.8,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143928643","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Multi-dimensional assessment for Android application security based on users’ evaluation","authors":"Guang Shi ,&nbsp;Tao Li ,&nbsp;Qinghe Zhou ,&nbsp;Menglin Liu ,&nbsp;Yuan Feng","doi":"10.1016/j.cose.2025.104499","DOIUrl":"10.1016/j.cose.2025.104499","url":null,"abstract":"<div><div>With the increasing Android applications, the problem of malicious behavior in Android applications is growing. Some applications are hostile in their design, and some collect excessive information in use and behave in a user-unexpected way. Existing application’s security detection methods include static and dynamic analysis, with limitations such as single detection methods, poorly integrated detection, and failure to consider user expectations. Therefore, based on the behavior of the Android application, this paper proposes a comprehensive mobile applications detection mechanism combining static analysis, dynamic analysis, and users’ subjective expectations. This paper introduces permission relevancy in static detection to enhance the fine grain of permission-based static detection. Moreover, the historical confidence in dynamic analysis quantitates the applications’ behavior characteristics, and the low efficiency is compensated. Static analysis can guide the dynamic analysis and improve the accuracy and coverage rate. We introduce subjective expectations to private objects and a comprehensive monitoring mechanism during the assessment process. An experiment based on real-world Android applications is carried out to validate the scheme in this paper. According to the Android application test analysis, the proposed mechanism can quantitate and assess the software security based on different users’ degrees of privacy concerns. The experiments demonstrate that our proposed system achieves a recognition rate of 97.27% for identifying malicious behaviors in test application. The proposed mechanism is more accurate than only static analysis, more efficient than only dynamic analysis, and the degree of danger can be adjusted according to the user’s subjective expectations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104499"},"PeriodicalIF":4.8,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143924466","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Feature selection method for network intrusion based on hybrid meta-heuristic dynamic optimization algorithm","authors":"XingYu Gong,&nbsp;Yi Yang,&nbsp;Yi Zhang,&nbsp;Na Li,&nbsp;Yu Guan,&nbsp;RongKun Jiang","doi":"10.1016/j.cose.2025.104512","DOIUrl":"10.1016/j.cose.2025.104512","url":null,"abstract":"<div><div>As network attacks become increasingly frequent, ensuring the effectiveness of network intrusion detection systems remains critical to network security. Hybrid metaheuristic-based feature selection methods suffer from poor initial population quality, slow convergence speed, and a tendency to fall into local optimality when processing high-dimensional data. These issues reduce the efficiency and accuracy of network intrusion detection. To address these challenges, a hybrid metaheuristic feature selection method, HMDOA, is proposed. This method enhances detection efficiency and accuracy by optimizing the feature selection process. In the population initialization stage, an enhanced population generation mechanism is introduced to increase the diversity of initial solutions in the feature space distribution and improve the quality of selected feature subsets. During the feature evaluation stage, an adaptive weighting parameter is introduced to accelerate convergence and enhance feature selection efficiency. Additionally, dynamic search mechanisms are integrated using a dynamic strategy to prevent local optimization effectively. Three public network intrusion detection datasets—NSL-KDD, CIC_MalMem_2022, and RT_IOT2022—are used to evaluate the performance of the HMDOA method. Its performance is then compared with six other metaheuristic algorithms. Experimental results indicate that the HMDOA method achieves higher feature selection efficiency, faster convergence speed, and higher-quality solutions. The HMDOA method significantly improves the effect of network traffic feature selection, but the robustness of the algorithm under the background of noise and data anomalies needs to be further explored in the future.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104512"},"PeriodicalIF":4.8,"publicationDate":"2025-04-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143902371","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Privacy-preserving spatiotemporal trajectory generalization publishing scheme with differential privacy","authors":"Yutong Niu ,&nbsp;Jian Zhang ,&nbsp;Zhangguo Tang ,&nbsp;Hao Yan ,&nbsp;Min Zhu ,&nbsp;Huanzhou Li","doi":"10.1016/j.cose.2025.104514","DOIUrl":"10.1016/j.cose.2025.104514","url":null,"abstract":"<div><div>With the development of IoT and mobile sensing devices, trajectory data has an increasingly high research value. However, unauthorized data mining and analyzing will result in privacy violations. Therefore, the key issue is how to maintain user privacy while publishing usable data. To address the above problem, we propose a spatiotemporal trajectory data generalization publishing scheme with differential privacy (STG-DP), which consists of two components: trajectory processing and trajectory publishing. In trajectory processing, to improve data utility, a density-based trajectory clustering framework (DTC) is proposed, integrating two clustering algorithms to compare the impact of synthetic and real cluster centers on experimental results. In terms of trajectory publishing, an adaptive noise perturbation mechanism based on the staircase mechanism is proposed to enhance the degree of privacy protection. We theoretically prove that STG-DP satisfies the definition of differential privacy and experimentally verify it on a real dataset. The experiments demonstrate that STG-DP provides greater data utility and privacy protection than existing studies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104514"},"PeriodicalIF":4.8,"publicationDate":"2025-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143898961","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}