{"title":"A novel proactive and dynamic cyber risk assessment methodology","authors":"Pavlos Cheimonidis, Konstantinos Rantos","doi":"10.1016/j.cose.2025.104439","DOIUrl":"10.1016/j.cose.2025.104439","url":null,"abstract":"<div><div>In today’s operational environment, organizations face numerous cybersecurity challenges and risks. This paper presents a novel risk assessment methodology designed to assess cyber risks in a proactive and dynamic manner. Our approach gathers information from both the organization’s internal environment and cybersecurity-related open sources. It then converts the collected qualitative data into numerical form by applying predefined mapping rules, including categorical assignments and frequency-based quantification. These numerical values are then integrated with other quantitative data using a probabilistic method. Subsequently, all this information is integrated into a Bayesian network model to dynamically estimate the probability of success of a cyber attack. This probability, combined with the impact assessments of the organization’s assets, is used to provide risk estimations. By incorporating the Exploit Prediction Scoring System, our model is capable of delivering not only dynamic but also proactive risk assessments. 
To validate the effectiveness of the proposed methodology, we present a use case that demonstrates its application in assessing risk within a SCADA environment.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104439"},"PeriodicalIF":4.8,"publicationDate":"2025-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684228","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Semantics-aware location privacy preserving: A differential privacy approach","authors":"Dikai Zou , Jun Tao , Zuyan Wang","doi":"10.1016/j.cose.2025.104402","DOIUrl":"10.1016/j.cose.2025.104402","url":null,"abstract":"<div><div>The protection of location privacy, as a highly sensitive characteristic of information, has been extensively analyzed and discussed for a significant period. Recently, exploiting the semantics of locations offers a new dimension to enhance privacy preservation by enabling more effective control over the information disclosed by users. Different from most prior research efforts, which regard location semantics as a category, in this paper, location semantics is the statistical information about the Points of Interest (PoIs) in the specific location’s vicinity, which can be represented as a multi-dimensional vector. Further, Semantic Indistinguishability (Sem-Ind), a more relaxed privacy guarantee for location privacy than Geo-Indistinguishability (Geo-Ind), is derived under the paradigm of differential privacy. Multiple location obfuscation mechanisms, which integrate linear programming and heuristic search, respectively, are proposed to reduce utility loss while ensuring Sem-Ind. Based on the defined utility and privacy metrics, these obfuscation mechanisms are empirically evaluated on the GeoLife dataset. Experimental results indicate that the existing Geo-Ind-based obfuscation mechanisms satisfy Sem-Ind at an excessive loss of utility. 
Furthermore, the linear programming-based approach is capable of discovering optimal obfuscation functions, whereas the heuristic algorithms are more efficient in obtaining acceptable utility results.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104402"},"PeriodicalIF":4.8,"publicationDate":"2025-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684123","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Enhancing maritime cyber situational awareness: A cybersecurity visualisation for non-experts","authors":"Dominic Too, Louise Axon, Ioannis Agrafiotis, Michael Goldsmith, Sadie Creese","doi":"10.1016/j.cose.2025.104433","DOIUrl":"10.1016/j.cose.2025.104433","url":null,"abstract":"<div><div>Cyber situational awareness is key to mitigating the impacts of cyber threats. However, maritime falls short of its comparative industries, with very little attention given to cyber threats despite the growing concern. In this paper, we explore the use of visualisations as a way to improve the situational awareness of non-experts onboard ships. We designed a visualisation tool with focus on systems that are accessible once onboard. In order to elicit requirements for our visualisations, we conducted semi-structured interviews with experts. We further created a synthetic dataset of attacks that target the systems of ships, which we used to assess the usability of our visualisation. In order to evaluate our visualisations, we conducted a user study with both expert and non-expert users. Our results show that non-expert participants were able to accurately and efficiently detect synthetic attacks targeting ships in an experimental setting, and they were able to use the visualisation to consider what the consequences of these attacks might be. 
Expert evaluations further suggest the visualisation has merit as a training tool for raising awareness among maritime employees.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104433"},"PeriodicalIF":4.8,"publicationDate":"2025-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706518","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Enhancing intrusion detection in containerized services: Assessing machine learning models and an advanced representation for system call data","authors":"Iury Araujo , Marco Vieira","doi":"10.1016/j.cose.2025.104438","DOIUrl":"10.1016/j.cose.2025.104438","url":null,"abstract":"<div><div>Security is one of the most critical requirements for modern digital systems. As the paradigm shifts from attempting to develop <em>fully</em> secure systems to designing resilient strategies that detect, respond to, and recover from attacks, Intrusion Detection Systems (IDS) become indispensable. However, developing robust IDS that address sophisticated attacks, especially in scenarios such as Cloud services, IoT, edge computing, and microservices, remains a significant challenge. Among these, containerized services present unique security challenges due to their architecture, deployment methods, and reliance on shared resources. On the other hand, Machine Learning (ML) offers promising, but not yet fully understood, solutions to enable automated, scalable, and adaptive intrusion detection mechanisms. In this paper, we study the applicability of an ML-based approach to enhance intrusion detection in containerized services by training and testing various ML algorithms on system call data, a commonly used data type in intrusion detection. Furthermore, we propose a novel graph-based representation for system calls that preserves critical relationships and contextual information between system calls. With this improved representation, we achieve enhancements in intrusion detection performance, including an increase in detection rates by at least 193% for the tested vulnerabilities while maintaining false alarms at a safer threshold, below a mean of 0.4%. To maximize attack identification while minimizing false alarms, we also incorporate a post-processing phase using a sliding window technique. 
This work not only addresses the challenges of securing containerized environments but also provides a robust framework for leveraging machine learning to build next-generation IDS.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104438"},"PeriodicalIF":4.8,"publicationDate":"2025-03-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143696232","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Performance analysis of dynamic ABAC systems using a queuing theoretic framework","authors":"Gaurav Madkaikar , Karthikeya S.M. Yelisetty , Shamik Sural , Jaideep Vaidya , Vijayalakshmi Atluri","doi":"10.1016/j.cose.2025.104432","DOIUrl":"10.1016/j.cose.2025.104432","url":null,"abstract":"<div><div>A policy comprised of a set of rules forms the backbone of Attribute-based Access Control (ABAC) systems. Every incoming request is checked against such a policy and if at least one rule grants the access, it is allowed. Else, access is denied. The initial ABAC policy could be hand crafted by the security administrator or mined from a given set of authorizations using a policy engineering technique. In dynamic ABAC systems, over a period of time, additional authorizations may have to be granted or some removed as per situational changes. These changes are maintained in an auxiliary list. For access resolution, both the policy as well as the auxiliary list are considered before taking a decision. Since such a list can grow indefinitely and checking it adversely affects access resolution efficiency, periodic policy rebuilding must be done by combining the existing policy and the auxiliary list. However, regenerating the ABAC policy requires re-running computationally expensive policy mining algorithms. Further, access mediation has to be put on hold while this step is being carried out, resulting in periods of unavailability of the system. In this paper, we study the intricate problem of balancing access request resolution, accommodating dynamic authorization updates, and ABAC policy rebuilding. We employ a queuing theoretic approach where the access mediation process is modeled as an M/G/1 queue with vacation or limited service. While the server is primarily involved in resolving access requests, it occasionally goes on vacation to rebuild the ABAC policy. 
We study the effect of queue discipline on several performance parameters like request arrival rate, access resolution time, vacation duration and interval between vacations. Results of an extensive set of experiments provide a direction toward efficient implementation of dynamic ABAC systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104432"},"PeriodicalIF":4.8,"publicationDate":"2025-03-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706516","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DPO-Face: Differential privacy obfuscation for facial sensitive regions","authors":"Yuling Luo, Tinghua Hu, Xue Ouyang, Junxiu Liu, Qiang Fu, Sheng Qin, Zhen Min, Xiaoguang Lin","doi":"10.1016/j.cose.2025.104434","DOIUrl":"10.1016/j.cose.2025.104434","url":null,"abstract":"<div><div>User-sensitive face images captured by widely used image-collection devices are frequently shared on social media. If these images are misused, they may pose a serious threat to users’ privacy. To ensure both privacy-preserving and image usability, this work introduces a Differential Privacy Obfuscation method of Face images (DPO-Face), which addresses the current limitations in balancing privacy and recognition accuracy. DPO-Face effectively balances privacy preservation and recognition accuracy to meet practical application demands. First, sensitive and non-sensitive regions of the image are accurately identified and located using an improved hybrid convolutional neural network by DPO-Face. Subsequently, face parsing technology is employed to precisely segment the input face image into multiple internal and external facial components. Moreover, precisely adjusted noise is introduced to the internal facial component regions using a differential privacy mechanism to disturb them, effectively protecting the privacy information of these regions while leaving the non-sensitive external components unchanged. Finally, the privacy-protected image is transmitted to the face detection and recognition module to evaluate the effectiveness of the privacy protection, such as maintaining high face detection and recognition accuracy. Experimental results demonstrate that DPO-Face meets <span><math><mi>ɛ</mi></math></span>-local differential privacy requirements, achieving recognition rates of 91%–96% and a maximum privacy protection success rate of 0.9720. 
This method allows the privacy level to be precisely adjusted, preventing privacy leaks to honest but curious third-party servers, thus achieving a balance between privacy-preserving and usability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104434"},"PeriodicalIF":4.8,"publicationDate":"2025-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Frontline responders: Rethinking indicators of compromise for industrial control system security","authors":"Mohammed Asiri , Arjun Arunasalam , Neetesh Saxena , Z. Berkay Celik","doi":"10.1016/j.cose.2025.104421","DOIUrl":"10.1016/j.cose.2025.104421","url":null,"abstract":"<div><div>Industrial Control Systems (ICSs), widely employed in many critical infrastructure sectors that manage and control physical processes (e.g., energy, water, transportation), face heightened security risks due to increased digitization and connectivity. Monitoring Indicators of Compromise (IoCs), observable signs of intrusion, such as unusual network activity or unauthorized system changes, are crucial for early detection and response to malicious activities, including data breaches and insider threats. While IoCs have been extensively studied in traditional Information Technology (IT), their effectiveness and suitability for the unique challenges of ICS environments, which directly control physical processes, remain unclear. Moreover, the influence of human factors (e.g., sociotechnical factors, usability) on the utilization and interpretation of IoCs for attack prevention in ICSs is not well understood.</div><div>To address this gap, we conducted two studies involving 52 ICS security professionals. In an IoC Applicability study (n=32), we explore the relevance of existing IoCs within ICS environments and investigate factors contributing to potential ambiguities in their interpretation. We examine the perceived value, effort required for the collection, and volatility of various data sources used for IoC identification. Participants in the IoC Applicability Study emphasized the significant role of human factors in recognizing and interpreting IoCs for threat mitigation within ICS ecosystems. 
Based on this insight, we conducted a Socio-technical Factors in Recognition and Detection study (n=20) to investigate the impact of human factors on threat detection and explore the sociotechnical factors that influence the effective utilization of IoCs. Our results show significant discrepancies between conventional IT-based IoCs and their applicability to ICS environments, along with various socio-technical challenges (e.g., alert overload and desensitization). Our study provides pointers to rethinking the specific operational, technological, and human aspects of IoCs within the ICS context. Our findings provide insights for the development of ICS-specific IoC to enable security analysts to better respond to potential threats in industrial environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104421"},"PeriodicalIF":4.8,"publicationDate":"2025-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143746476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Wavelet-based CSI reconstruction for improved wireless security through channel reciprocity","authors":"Nora Basha , Bechir Hamdaoui","doi":"10.1016/j.cose.2025.104423","DOIUrl":"10.1016/j.cose.2025.104423","url":null,"abstract":"<div><div>The reciprocity of channel state information (CSI) collected by two devices communicating over a wireless channel has been leveraged to provide security solutions to resource-limited IoT devices. Despite the extensive research that has been done on this topic, much of the focus has been on theoretical and simulation analysis. However, these security solutions face key implementation challenges, mostly pertaining to limitations of IoT hardware and variations of channel conditions, limiting their practical adoption. To address this research gap, we revisit the channel reciprocity assumption from an experimental standpoint using resource-constrained devices. Our experimental study reveals a significant degradation in channel reciprocity for low-cost devices due to the varying channel conditions. Through experimental investigations, we first identify key practical causes for the degraded channel reciprocity. We then propose a new wavelet-based CSI reconstruction technique using wavelet coherence and time-lagged cross-correlation to construct CSI data that are consistent between the two participating devices, resulting in significant improvement in channel reciprocity. Additionally, we propose a secret-key generation scheme that exploits the wavelet-based CSI reconstruction, yielding significant increase in the key generation rates. 
Finally, we propose a technique that exploits CSI temporal variations to enhance device authentication resiliency through effective detection of replay attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104423"},"PeriodicalIF":4.8,"publicationDate":"2025-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684125","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Penterep: Comprehensive penetration testing with adaptable interactive checklists","authors":"Willi Lazarov , Pavel Seda , Zdenek Martinasek , Roman Kummel","doi":"10.1016/j.cose.2025.104399","DOIUrl":"10.1016/j.cose.2025.104399","url":null,"abstract":"<div><div>In the contemporary landscape of cybersecurity, the importance of effective penetration testing is underscored by NIS2, emphasizing the need to assess and demonstrate cyber resilience. This paper introduces an innovative approach to penetration testing that employs interactive checklists, supporting both manual and automated tests, as demonstrated within the Penterep environment. These checklists, functioning as a quantifiable measure of test completeness, guide pentesters through methodological testing, addressing the inherent challenges of the security testing domain. While some may perceive a limitation in the dependency on predefined checklists, the results from a presented case study underscore the criticality of methodological testing. The study reveals that relying solely on fully automated tools would be inadequate to identify all vulnerabilities and flaws without the inclusion of manual tests. Our innovative approach complements established methodologies, such as PTES, OWASP, and NIST, providing crucial support to penetration testers and ensuring a comprehensive testing process. Implemented within the Penterep environment, our approach is designed with deployment flexibility (both on-premises and cloud-based), setting it apart through an overview comparison with existing tools aligned with state-of-the-art penetration testing approaches. 
This flexible and scalable approach effectively bridges the gap between manual and automated testing, meeting the increasing demands for effectiveness and adaptability in penetration testing.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104399"},"PeriodicalIF":4.8,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143643573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Systematic analysis of security advice on the topic of insider threats","authors":"Andrew Stewart, Christopher Hobbs","doi":"10.1016/j.cose.2025.104411","DOIUrl":"10.1016/j.cose.2025.104411","url":null,"abstract":"<div><div>Insider threats are an important and enduring security challenge. As a consequence, a number of organizations such as government agencies, research institutions, trade groups, and other parties have published documents containing advice on the topic of insider threats. Here, we provide an evaluation of such advice documents. We employ the relatively new SAcoding (security advice coding) methodology to perform a systematic analysis. This approach enables us both to assess the advice documents and to provide feedback on the use of SAcoding for a novel category (advice intended specifically for organizations), and for a novel topic (advice on the topic of insider threats). We find that 62.5% of 424 advice items extracted from six source documents are actionable, but the per-document proportion of actionable advice ranges substantially from 85.4% to just 35.1%. This finding suggests that organizations may incur opportunity costs by engaging with documents that offer little actionable advice. We also find that organizations may struggle to apply the published guidance, due to the high quantity of advice and the high portion of advice that requires specialist expertise. We use these and other findings to deliver a practical framework that provides guidance for the authors of advice documents, and for organizations seeking advice on the topic of insider threats. 
Additionally, we provide feedback on various aspects of the SAcoding method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104411"},"PeriodicalIF":4.8,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143706519","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}