Roberto J. Mejias , Joshua J. Greer , Gabrila C. Greer , Morgan M. Shepherd , Raul Y. Reyes
{"title":"A model for information security vulnerability awareness","authors":"Roberto J. Mejias , Joshua J. Greer , Gabrila C. Greer , Morgan M. Shepherd , Raul Y. Reyes","doi":"10.1016/j.cose.2024.104305","DOIUrl":"10.1016/j.cose.2024.104305","url":null,"abstract":"<div><div>As new and evolving technologies are rapidly adopted by organizations, often without the integration of cybersecurity safeguards, information systems have become increasingly vulnerable to a range of cyber threats. Our research suggests a multi-criteria approach in analyzing possible factors that influence an awareness of information security vulnerabilities. Drawing from prior cybersecurity and vulnerability assessment research, this empirical field study develops a research model to analyze possible determinants influencing information security vulnerability awareness. Three constructs were considered to explore their association with information security vulnerability awareness: vulnerability assessment, assessment of IS security controls, and knowledge of an organization's cyber threatscape. The data analyzed were obtained via a survey questionnaire instrument. Confirmatory factor analysis and structural equation modeling were used to validate the proposed research model. Results of this analysis indicate that these three constructs and their related indicator constructs are significantly correlated with an awareness of information security vulnerability. These results provide useful insights for organizations regarding their awareness of information security vulnerability in an increasingly evolving global cyber threatscape.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104305"},"PeriodicalIF":4.8,"publicationDate":"2025-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143148937","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Retraction notice to “TriCh-LKRepNet: A large kernel convolutional malicious code classification network for structure reparameterisation and triple-channel mapping” [Computers & Security 144 (2024) 103937]","authors":"Sicong Li , Jian Wang , Yafei Song , Shuo Wang","doi":"10.1016/j.cose.2024.104207","DOIUrl":"10.1016/j.cose.2024.104207","url":null,"abstract":"<div><div>This article has been retracted: please see Elsevier Policy on Article Withdrawal (<span><span>https://www.elsevier.com/locate/withdrawalpolicy</span></span>).</div><div>This article has been retracted at the request of the Author.</div><div>The corresponding author requested to modify the title of the article, as the authors thought the new name of the model applied in the research would be better aligned with the research focus and innovations in the article. Title modification is not allowed after the publication of the article. The authors insisted that it is crucial to modify the title and decided to retract the article. The journal has agreed that the authors may submit a new version of the manuscript to the journal for review and publication, if accepted by the Editor-in-Chief.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104207"},"PeriodicalIF":4.8,"publicationDate":"2024-12-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143143485","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cybersecurity serious games development: A systematic review","authors":"Chiu Yeong Ng, Mohammad Khatim Bin Hasan","doi":"10.1016/j.cose.2024.104307","DOIUrl":"10.1016/j.cose.2024.104307","url":null,"abstract":"<div><div>Cybercrime tactics evolve alongside technology, prompting researchers to enhance cybersecurity training for diverse internet users. Serious games have been developed as modern training methods over the years. However, despite all efforts, cybercrime cases continue to rise. This motivated the paper to conduct a comprehensive review of cybersecurity game development from 2014 to 2024, using PRISMA guidelines. The types of games covered include serious games, gamification and entertainment games. The scope of the games studied covers basic or general cybersecurity knowledge and specific fields such as ethical hacking and computer networking. A total of 53 papers were identified and analyzed in this study. The analysis results showed that most cybersecurity games were developed for users who already possessed prior knowledge of the topics delivered, though there were quite a number of games targeting general internet users. The majority of the games seemed to focus on technical aspects more than human aspects by training users on technology-related topics such as hacking, network architectures, and more. Game design suggestions and potential features were also discussed in this paper. Since game design aspects could help practitioners and researchers in the future when developing new games, the discussions in this paper could be beneficial in improving cybersecurity training efficacy and mitigating cybercrime risks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104307"},"PeriodicalIF":4.8,"publicationDate":"2024-12-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142419","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Unmasking the hidden credential leaks in password managers and VPN clients","authors":"Efstratios Chatzoglou , Vyron Kampourakis , Zisis Tsiatsikas , Georgios Karopoulos , Georgios Kambourakis","doi":"10.1016/j.cose.2024.104298","DOIUrl":"10.1016/j.cose.2024.104298","url":null,"abstract":"<div><div>With the rapid growth of software services and applications, the need to secure digital assets became paramount. The introduction of Password Manager (PM) and Virtual Private Network (VPN) software was established as a prerequisite toolkit to bolster the end-user arsenal. As a matter of fact, these types of artifacts have been around for at least 25 years in various flavors, including desktop and browser-based applications. This work assesses the ability of 12 desktop PM applications, 5 browsers with integrated PM, and 12 PMs in the form of browser plugins, along with 21 VPN client applications, to effectively protect the confidentiality of secret credentials. Our analysis focuses on the period during which an app is loaded into RAM. Despite the sensitive nature of these applications, our results show that across all scenarios the majority of PM applications store plaintext passwords in the system memory; more specifically, 75% (or 9 out of 12) of desktop PM applications, 100% (5 out of 5) of browser PMs and 75% (or 9 out of 12) of PM browser plugins leak such sensitive information. In addition, 33% (or 7 out of 21) of VPN applications leak user credentials. This practice of storing cleartext sensitive information in system memory is widely recognized as a weakness, having also been registered as CWE-316. At the time of writing, merely four vendors have recognized our exploits as vulnerabilities. Three of these vendors have assigned the relevant Common Vulnerabilities and Exposures (CVE) IDs, namely CVE-2023-23349, CVE-2024-9203, and CVE-2024-50570, whereas the fourth one will issue a CVE ID once it implements the relevant fixes. The remaining vendors have either chosen to disregard or downplay the severity of this issue.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104298"},"PeriodicalIF":4.8,"publicationDate":"2024-12-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142814","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
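The CWE-316 check the abstract describes (looking for a known credential in a running application's memory) can be reproduced with a few lines. The following is an added example, not the authors' tooling: it parses Linux `/proc/<pid>/maps`, reads each readable mapping through `/proc/<pid>/mem`, and reports where a known test credential occurs. The reader is injectable so the logic can be exercised on constructed data; the `__main__` block scans the scanner's own process (no privileges needed), so a hit on the search pattern itself is expected there. To audit a password manager or VPN client, point `scan_pid` at its PID with ptrace rights, once after unlocking the vault and again after locking it or logging out; a credential that survives the second scan is the finding the paper reports. Mapping names, addresses and the credential in the test data are constructed.

```python
"""Scan a process's mapped memory for a known secret (CWE-316 check).

Added example, not code from the paper. Assumes the Linux /proc layout.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
UNREADABLE = {"[vvar]", "[vsyscall]"}  # kernel-only mappings that fault on read


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(maps_text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into Region records."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions


def scan_regions(regions: List[Region], read: Callable[[int, int], bytes],
                 secret: bytes, chunk: int = 1 << 20) -> List[Tuple[int, str]]:
    """Return (address, mapping path) for each occurrence of `secret` in readable regions.

    `read(address, length)` returns the bytes at that virtual address or raises OSError.
    Reads are chunked and overlap by len(secret)-1 bytes so a match that straddles
    two chunks is still found; addresses are de-duplicated.
    """
    chunk = max(chunk, 2 * len(secret))
    overlap = len(secret) - 1
    hits, seen = [], set()
    for r in regions:
        if not r.perms.startswith("r") or r.path in UNREADABLE:
            continue
        pos = r.start
        while pos < r.end:
            length = min(chunk, r.end - pos)
            try:
                data = read(pos, length)
            except OSError:
                break  # mapping vanished or is not readable from this process
            idx = data.find(secret)
            while idx != -1:
                addr = pos + idx
                if addr not in seen:
                    seen.add(addr)
                    hits.append((addr, r.path))
                idx = data.find(secret, idx + 1)
            if pos + length >= r.end:
                break
            pos += length - overlap
    return hits


def scan_pid(pid: int, secret: bytes) -> List[Tuple[int, str]]:
    """Scan a live process; needs ptrace rights on the target (own process always works)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return scan_regions(regions, lambda addr, n: os.pread(fd, n, addr), secret)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed credential held in our own heap; the scan is expected to find it.
    secret = bytearray(b"Hunter2-Constructed-Test-Credential")
    try:
        for addr, path in scan_pid(os.getpid(), bytes(secret)):
            print(f"found at 0x{addr:x} in {path or '[anon]'}")
    except FileNotFoundError:
        print("no /proc on this platform; run on Linux")
```

Unreadable kernel mappings are skipped by name and by permission bits; everything else readable is scanned, since the paper's point is that decrypted credentials turn up in ordinary heap and stack pages, not in any special region.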
David Tayouri, Omri Sgan Cohen, Inbar Maimon, Dudu Mimran, Yuval Elovici, Asaf Shabtai
{"title":"CORAL: Container Online Risk Assessment with Logical attack graphs","authors":"David Tayouri, Omri Sgan Cohen, Inbar Maimon, Dudu Mimran, Yuval Elovici, Asaf Shabtai","doi":"10.1016/j.cose.2024.104296","DOIUrl":"10.1016/j.cose.2024.104296","url":null,"abstract":"<div><div>Container-based architectures, with their highly volatile runtime configurations, rapid code changes, and dependence on third-party code, have raised security concerns. The first step in establishing solid security footing in a production application is understanding its risk exposure profile. Attack graphs (AGs), which organize the topology and identified vulnerabilities into possible attack paths as part of a larger graph, help organizations assess and prioritize risks and establish a baseline for countermeasure planning and remediation. Although AGs are valuable, their use in the container environment, where the AG must be repeatedly rebuilt due to frequent data changes, is challenging. In this paper, we present a novel approach for efficiently building container-based AGs that meets the needs of highly dynamic, real-life applications. We propose CORAL, a framework for identifying attack paths between containers, which does not require rebuilding the graph each time the underlying architecture (code or topology) changes. CORAL accomplishes this by intelligently disregarding changes that should not trigger an AG build and reusing fragments of existing AGs. We propose a model to evaluate the attack paths’ risks and highlight the riskiest path in any AG. We evaluate CORAL’s performance in maintaining an up-to-date AG for an environment with many containers. Our proposed framework demonstrated excellent performance for large topologies: searching for similar topologies and reusing their AGs was two orders of magnitude faster than AG regeneration. We demonstrate how CORAL can assist in efficiently detecting lateral movement attacks in containerized environments using provenance graphs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104296"},"PeriodicalIF":4.8,"publicationDate":"2024-12-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142813","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yuancheng Xie, Zhaoxin Zhang, Ning Li, Haoyang Gao
{"title":"LeakFocus: Catching the perpetrator in routing leak event","authors":"Yuancheng Xie, Zhaoxin Zhang, Ning Li, Haoyang Gao","doi":"10.1016/j.cose.2024.104300","DOIUrl":"10.1016/j.cose.2024.104300","url":null,"abstract":"<div><div>Route leaks pose a significant threat to the Internet, yet traditional machine learning-based detection models often fail to accurately identify the responsible AS, hindering timely alerting. To address this, we introduce LeakFocus, a novel framework that precisely identifies routing leak perpetrators. By analyzing the impact of route leaks on neighboring ASes, we establish a correlation between the severity of impact and proximity to the perpetrator. Leveraging this insight, we collected and optimized a large ground truth dataset using BGPmon and custom filters, significantly enhancing detection accuracy. An IQR-based (interquartile range) feature filtering approach was then employed to select ten key features that effectively differentiate legitimate from illegitimate valley paths. LeakFocus integrates temporal convolutional neural networks (TCNs) and node feature aggregation algorithms for routing leak detection and perpetrator localization. Experimental results show that LeakFocus improves detection precision by over 16% and reduces false positive rates by more than 34% compared to state-of-the-art models. Furthermore, LeakFocus provides network operators with a probabilistic list of likely violators, speeding up response times. This framework offers significant practical value, facilitating faster localization and mitigation of routing leaks, and represents a notable advancement in managing the harmful effects of route leakage.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104300"},"PeriodicalIF":4.8,"publicationDate":"2024-12-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142812","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
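The "valley path" notion the abstract relies on is the valley-free rule for AS paths: a route may climb customer-to-provider links, cross at most one peer link, and then only descend provider-to-customer links. A leak is an AS that re-exports a route learned from a provider or peer to another provider or peer (the leak types of RFC 7908), and that AS is the perpetrator. The following is an added example, not LeakFocus code, and uses a constructed relationship table and AS numbers rather than inferred Internet data. It checks a path as seen from a route collector and names the ASes at which the valley occurs; unknown relationships are skipped rather than flagged, which is the conservative choice when the relationship inference is incomplete.

```python
"""Valley-free check and leaker localization for a BGP AS path.

Added example, not LeakFocus code. Topology and paths are constructed.
"""
from typing import Dict, List, Tuple

# Constructed relationships: ("p2c", provider, customer) or ("p2p", a, b).
CONSTRUCTED_RELS = [
    ("p2p", 100, 200),   # two transit networks peering
    ("p2c", 100, 300),   # AS300 is multihomed to AS100 and AS200
    ("p2c", 200, 300),
    ("p2c", 200, 400),   # AS400 is a customer of AS200 only
    ("p2c", 300, 500),   # AS500 is a customer of AS300
]


def build_rel_lookup(rels) -> Dict[Tuple[int, int], str]:
    """Map (a, b) -> role of a towards b: 'provider', 'customer' or 'peer'."""
    lookup: Dict[Tuple[int, int], str] = {}
    for kind, a, b in rels:
        if kind == "p2c":
            lookup[(a, b)] = "provider"
            lookup[(b, a)] = "customer"
        else:
            lookup[(a, b)] = lookup[(b, a)] = "peer"
    return lookup


def find_leakers(path: List[int], lookup: Dict[Tuple[int, int], str]) -> List[int]:
    """Return the ASes on `path` that exported a provider- or peer-learned route
    to another provider or peer.

    `path` is in collector order: path[0] is nearest the collector and path[-1]
    is the origin, so path[i] learned the route from path[i+1] and exported it
    to path[i-1]. Links whose relationship is unknown are skipped.
    """
    leakers = []
    for i in range(1, len(path) - 1):
        learned_from = lookup.get((path[i + 1], path[i]))  # upstream's role towards path[i]
        exported_to = lookup.get((path[i - 1], path[i]))   # downstream's role towards path[i]
        if learned_from in ("provider", "peer") and exported_to in ("provider", "peer"):
            leakers.append(path[i])
    return leakers


def is_valley_free(path: List[int], lookup: Dict[Tuple[int, int], str]) -> bool:
    """A path is valley-free exactly when no AS on it is a leaker."""
    return not find_leakers(path, lookup)


if __name__ == "__main__":
    rels = build_rel_lookup(CONSTRUCTED_RELS)
    # AS400 announces to its provider AS200; AS200 passes it to customer AS300;
    # AS300 then re-exports it to its other provider AS100: a classic hairpin leak.
    for p in ([100, 300, 200, 400], [100, 200, 400], [100, 300, 500]):
        print(p, "valley-free" if is_valley_free(p, rels) else f"leaked by {find_leakers(p, rels)}")
```

On real data the relationship table comes from an inference such as CAIDA's AS relationships, and many links remain unknown; that is why a rule check alone is noisy and why the paper turns to learned features over the impact on neighbouring ASes to rank candidate perpetrators.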
{"title":"RansoGuard: A RNN-based framework leveraging pre-attack sensitive APIs for early ransomware detection","authors":"Mingcan Cen, Frank Jiang, Robin Doss","doi":"10.1016/j.cose.2024.104293","DOIUrl":"10.1016/j.cose.2024.104293","url":null,"abstract":"<div><div>Ransomware has emerged as a significant security threat in cyberspace, inflicting severe economic losses and privacy breaches on individual users and organizations. Ransomware typically encrypts critical user files and demands a ransom for decryption. Traditional signature-based defense methods effectively identify known ransomware but perform poorly when confronting unknown zero-day attacks. Addressing this challenge, a ransomware detection framework called ‘RansoGuard’ is proposed. This framework aims to achieve timely identification and defense against ransomware by capturing and analyzing the sensitive Application Programming Interface (API) call behavior exhibited before the encryption attack is launched. A real-world ransomware sample dataset was constructed. The dynamic behavioral data during the pre-attack stage was analyzed, and natural language processing techniques were used to represent and extract key features from API call sequences. A Recurrent Neural Network (RNN) classifier was trained on these features to distinguish ransomware from benign software. Experimental results demonstrate that the RansoGuard framework exhibits outstanding early ransomware detection performance across different datasets, achieving a recall of 96.18% and an accuracy of 94.26%. Furthermore, it exhibits robustness in effectively countering zero-day attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104293"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142950","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jinfeng Chen , Hua Wu , Xiaohui Wang , Suyue Wang , Guang Cheng , Xiaoyan Hu
{"title":"IEA-DMS: An Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks","authors":"Jinfeng Chen , Hua Wu , Xiaohui Wang , Suyue Wang , Guang Cheng , Xiaoyan Hu","doi":"10.1016/j.cose.2024.104291","DOIUrl":"10.1016/j.cose.2024.104291","url":null,"abstract":"<div><div>Slow HTTP DoS (SHD) is a novel DoS attack that exploits HTTP/HTTPS. SHD often operates at the application layer with encryption and has long packet intervals due to its slow transmission rate, making it more concealed and difficult to detect. Therefore, traditional detection methods for high-speed DDoS are ineffective against SHD. Meanwhile, existing SHD detection approaches need many generic features or complex models, thus becoming less interpretable and more resource-intensive to meet real-time demands in high-speed networks. Moreover, most methods rely on bidirectional traffic, neglecting the prevalent issue of asymmetric routing in high-speed networks. To overcome these shortcomings, this paper proposes IEA-DMS, an Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks. We first analyze SHD mechanisms and construct a representative feature set based on its traffic characteristics to perform effectively under sampling and asymmetric routing. Then, to record the features quickly and accurately, we employ Slow HTTP DoS Sketch, provide a detailed error analysis and suggest appropriate parameters. Experiments using public datasets show that the proposed features are efficient and interpretable. Even with numerous unidirectional flows and a 1/64 sampling rate, IEA-DMS detects SHD accurately within 2 min with low memory usage. Besides, IEA-DMS’s processing performance reaches 13.1 Mpps and it can continuously process more than 100 days of traffic without clearing memory.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104291"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142986","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
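The abstract's two constraints, features that work on client-to-server packets only (asymmetric routing) and that stay interpretable, can be illustrated with a small detector. The following is an added example and is not the IEA-DMS feature set or its sketch: it derives four plainly readable per-client features from the unidirectional side of each flow (flow count, mean inter-packet gap, mean payload size, flow duration) and flags clients whose traffic looks like slow-header or slow-body HTTP DoS, which shows up as many long-lived connections each trickling tiny payloads at long intervals. The capture, addresses and thresholds are constructed for illustration; packet sampling is not modelled.

```python
"""Interpretable slow-HTTP-DoS features from client->server packets only.

Added example, not IEA-DMS code. Capture and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str       # client IP
    sport: int     # client port
    dst: str       # server IP
    payload: int   # TCP payload bytes


def client_features(pkts: List[Pkt]) -> Dict[str, dict]:
    """Per-client features using only the client->server direction of each flow."""
    flows = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        flows[(p.src, p.sport, p.dst)].append(p)
    acc = defaultdict(lambda: {"flows": 0, "gaps": [], "payloads": [], "durations": []})
    for (src, _, _), fp in flows.items():
        a = acc[src]
        a["flows"] += 1
        a["payloads"].extend(p.payload for p in fp)
        a["gaps"].extend(b.ts - x.ts for x, b in zip(fp, fp[1:]))  # inter-packet gaps within a flow
        a["durations"].append(fp[-1].ts - fp[0].ts)
    return {
        src: {
            "flows": a["flows"],
            "mean_gap_s": mean(a["gaps"]) if a["gaps"] else 0.0,
            "mean_payload": mean(a["payloads"]),
            "mean_duration_s": mean(a["durations"]),
        }
        for src, a in acc.items()
    }


def flag_slow_http(features: Dict[str, dict], min_flows: int = 20, min_gap_s: float = 5.0,
                   max_payload: int = 64, min_duration_s: float = 30.0) -> List[str]:
    """Clients with many long-lived flows of tiny, widely spaced payloads (illustrative thresholds)."""
    return sorted(src for src, f in features.items()
                  if f["flows"] >= min_flows and f["mean_gap_s"] >= min_gap_s
                  and f["mean_payload"] <= max_payload and f["mean_duration_s"] >= min_duration_s)


def constructed_capture() -> List[Pkt]:
    """Constructed client->server packets: one ordinary browser, one slow-header attacker."""
    pkts = []
    # Ordinary client: 3 short flows, a ~512 B request then a 200 B follow-up 0.2 s later.
    for i in range(3):
        t = 100.0 + i * 20
        pkts.append(Pkt(t, "198.51.100.7", 40000 + i, "203.0.113.10", 512))
        pkts.append(Pkt(t + 0.2, "198.51.100.7", 40000 + i, "203.0.113.10", 200))
    # Slow-header attacker: 50 flows, each sending an 8 B header fragment every 10 s for 2 min.
    for i in range(50):
        for k in range(13):
            pkts.append(Pkt(50.0 + k * 10, "192.0.2.66", 50000 + i, "203.0.113.10", 8))
    return pkts


if __name__ == "__main__":
    feats = client_features(constructed_capture())
    for src, f in feats.items():
        print(src, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", flag_slow_http(feats))
```

Because every feature is computed from one direction only, a sensor that sees just the inbound half of an asymmetrically routed flow still produces the same verdict; the trade-off, as the abstract notes, is that per-flow state like this must be replaced with a sketch before it can keep up with 13.1 Mpps.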
{"title":"A combined side-channel and transient execution attack scheme on RISC-V processors","authors":"Renhai Dong , Baojiang Cui , Yi Sun , Jun Yang","doi":"10.1016/j.cose.2024.104297","DOIUrl":"10.1016/j.cose.2024.104297","url":null,"abstract":"<div><div>The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.</div><div>In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation, which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52% accuracy. The scheme completes 1,000 attacks in less than 60 s, leaking about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported the flaws as CVE and CNNVD vulnerabilities, and both have been confirmed by the developers.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104297"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142951","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zhen Liu , Ruoyu Wang , Bitao Peng , Lingyu Qiu , Qingqing Gan , Changji Wang , Wenbin Zhang
{"title":"LDCDroid: Learning data drift characteristics for handling the model aging problem in Android malware detection","authors":"Zhen Liu , Ruoyu Wang , Bitao Peng , Lingyu Qiu , Qingqing Gan , Changji Wang , Wenbin Zhang","doi":"10.1016/j.cose.2024.104294","DOIUrl":"10.1016/j.cose.2024.104294","url":null,"abstract":"<div><div>The dynamic and evolving nature of malware applications can lead to deteriorating performance in malware detection models, a phenomenon known as the model aging problem. This issue compromises the model’s effectiveness in maintaining mobile security. Model retraining has proven effective in enhancing performance on previously unseen applications. However, the substantial need for annotated data remains a significant challenge in acquiring accurate ground truth for model retraining. Therefore, this paper introduces a new method to address the model aging problem in Android malware detection (AMD). To alleviate the burden of manual annotation, our approach incorporates pseudo-labeled data into the retraining process. Specifically, we introduce a novel method for evaluating the data drift scores of newly emerged samples by learning their data drift characteristics. These scores guide the usage of pseudo-labeled and true-labeled data for retraining the model. Our method significantly reduces the resources required for annotation while maintaining the efficacy of malware detection. In long-term datasets, we demonstrate the efficacy of our models through a series of experiments. Results indicate that our method enhances the F-score by approximately 26% in predicting unseen malware over a span of nine years.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104294"},"PeriodicalIF":4.8,"publicationDate":"2024-12-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142949","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}