Computers & Security: Latest Articles

Otupy: A flexible, portable, and extensible framework for remote control of security functions
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104597. Pub Date: 2025-08-21. DOI: 10.1016/j.cose.2025.104597
Matteo Repetto
Abstract: The growing proliferation of heterogeneous security functions ensures diversity, robustness, and adaptivity in addressing cyber-threats, but also poses management and integration challenges. OpenC2 defines a vendor- and application-agnostic abstract language for remote command and control of cyber-defense technologies. Its architecture supports multiple encoding and transfer options, but this might complicate its implementation and usage.
This paper describes Otupy, a flexible and extensible implementation of the OpenC2 language specification. Otupy defines an Application Programming Interface (API) that allows programmers to focus on the control and business logic of security functions, rather than the communication syntax, protocol, and encoding. The design of Otupy leverages an abstract data notation, an inheritance model, and meta-serialization to simplify the development of extensions for specific profiles of security functions, as well as additional encoding and transfer protocols. We evaluate the correctness of our implementation by validating its output against both a syntax schema and external good and bad samples provided by a third party. Our analysis points out unclear and ambiguous aspects of OpenC2 that deserve further attention by its technical committee.
Citations: 0

A fine-grained message clustering method based on message representation and identifier fingerprints
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104631. Pub Date: 2025-08-20. DOI: 10.1016/j.cose.2025.104631
Degang Li, Xi Chen, Mingliang Zhu, Qingjun Yuan, Chunxiang Gu
Abstract: Protocol reverse engineering is a critical technique for analyzing private protocols and unknown protocols. Message clustering is a foundational element of protocol reverse engineering, playing a key role in traffic classification and format inference. In this paper, we propose a fine-grained unknown message clustering method, termed FG-MCRF. FG-MCRF extracts deep representation vectors from the raw message data by constructing a representation network with low information loss and constructs high-purity message clusters based on representation vectors. The FG-MCRF method constructs high-precision global message fingerprints for each message cluster based on message length identifiers, operation identifiers, and counter identifiers. Subsequently, FG-MCRF constructs a message relationship graph based on these global message fingerprints and determines the final message type using the relationship graph. We also introduce the fine-grained multi-protocol dataset (FgMPD) to evaluate the clustering performance of our method. The experimental results demonstrate that the FG-MCRF methodology achieves superior clustering performance on the FgMPD dataset, outperforming other baseline methods. The clustering purity, Adjusted Rand Index (ARI), completeness, and accuracy of FG-MCRF in the fine-grained message clustering task are 0.9961, 0.9897, 0.9837, and 0.9899, respectively, representing improvements of 3.2%, 10.5%, 10.9% and 8.7% compared to state-of-the-art (SOTA) baseline methods. These results indicate that the FG-MCRF method possesses robust generalization capacity and extensibility, facilitating fine-grained message clustering.
Citations: 0

Business email compromise: A systematic review of understanding, detection, and challenges
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104630. Pub Date: 2025-08-20. DOI: 10.1016/j.cose.2025.104630
Amirah Almutairi, BooJoong Kang, Nawfal Alhashimy
Abstract: Business Email Compromise (BEC) is a widespread fraud targeting businesses and individuals to obtain financial benefits and gain access to highly sensitive data. BEC fraud significantly impacts almost all organizations worldwide, resulting in substantial losses. Despite its prevalence, there is a shortage of research on understanding and protecting against this fraud. Consequently, this paper aims to survey existing BEC detection techniques. It first provides an overview of the methods and strategies used by attackers in BEC schemes. It also reviews existing BEC detection and prevention techniques, including both technical and non-technical solutions. The strengths of each technique are objectively discussed, and their limitations are critically analyzed. Finally, this study offers a thorough set of current challenges in BEC detection and outlines future research directions, providing valuable guidance for improving security measures against BEC fraud.
Citations: 0

VERTFuzz: Version transformer-driven fuzzing for complex file parsers
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104641. Pub Date: 2025-08-20. DOI: 10.1016/j.cose.2025.104641
Zhaoyu Wen, Zhiqiang Wang, Biao Liu
Abstract: Fuzzing test technology has seen significant growth in recent years and has evolved into an important tool for more thoroughly and efficiently identifying programme vulnerabilities and defects. However, fuzzing test for complex format files remains challenging. Most fuzz testers require extensive expert knowledge and heavily rely on manually constructed format models, or struggle to accurately identify complex structural relationships, resulting in numerous invalid test variants. In this paper, we propose a metadata-based mutation technique that leverages deep learning models to identify metadata location information and incorporate it into specific mutations, enabling rapid identification of file structures. We also utilise the Version Transformer model to filter out valid test cases from the queue, effectively addressing the issue of sparse defect space in input, making the mutated test cases more effective. Experimental results show that VERTFuzz has identified 32 unique errors across ten different programs, including four complex file formats. On average, VERTFuzz discovered 29% more paths and 14.54% more code blocks than AFL++.
Citations: 0

AI algorithms under scrutiny: GDPR, DSA, AI Act and CRA as pillars for algorithmic security and privacy in the European Union
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104628. Pub Date: 2025-08-19. DOI: 10.1016/j.cose.2025.104628
Marta Beltrán
Abstract: The General Data Protection Regulation (GDPR), Digital Services Act (DSA), Artificial Intelligence Act (AI Act) and Cyber Resilience Act (CRA) are essential pillars for algorithmic security and privacy in the European Union. Each of these regulations addresses specific aspects of technology, such as personal data protection, trustworthy online services, safe AI systems, and secure digital products while fostering trust in algorithm-based systems. Together, they can establish a robust framework for ensuring the security and privacy of AI algorithms in the EU by addressing critical concerns through a risk-based approach. This paper proposes a multi-layered approach to algorithmic security and privacy, based on these four instruments, considering organisational risk, risks to rights and freedoms, systemic risks and risks to national security. An illustrative example demonstrates how the EU can establish a global standard for trustworthy innovation and the protection of fundamental rights by leveraging the direct and indirect synergies of these laws.
Citations: 0

OPMonitor: Continuously monitoring residual over-granted permissions in verified access control policies
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104623. Pub Date: 2025-08-18. DOI: 10.1016/j.cose.2025.104623
Xiao Wang, Yunchuan Guo, Zhe Sun, Mingjie Yu, Fenghua Li, Liang Fang
Abstract: Over-permissive access control policies, which grant users permissions beyond sysadmins’ intended scope, are a primary cause of data breaches. Although policy verification serves as a critical defense mechanism by formalizing design intentions into verification goals and validating policies' compliance with these goals, its effectiveness is bounded by sysadmins’ expertise and the comprehensiveness of predefined intentions. Consequently, over-granted permissions which fall outside the scope of verification goals often remain undetected. This paper introduces OPMonitor, a continuous monitoring tool that enables early detection of residual over-granted permissions overlooked by policy verification methods. OPMonitor operates by inferring a granting baseline from access logs, which serves as a reference model for identifying access violations in real time. To mitigate over-permissive results while ensuring correctness, we develop a two-phase framework based on approximate optimization for baseline inference. To facilitate real-time evaluation and incremental updates of the inferred baseline, we develop the locally abstract baseline tree, a tree structure that consolidates implicit authorization conditions to reduce the scale of states. Our experimental evaluation across 25 datasets, comprising both real-world and synthetic data, demonstrates the effectiveness of our approach. OPMonitor achieves a 1.5x higher detection rate for over-granted permissions compared to state-of-the-art solutions, while keeping the inference time under 30 s. Additionally, our locally abstract baseline tree enables microsecond-level evaluation and incremental updates that are 7x and 2x faster, respectively, than existing approaches.
Citations: 0

Integrating system calls and position-specific scoring for enhanced anomaly detection in Internet of Things environments
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104613. Pub Date: 2025-08-13. DOI: 10.1016/j.cose.2025.104613
Nouman Shamim, Muhammad Asim, Thar Baker, Zeeshan Pervez, Ali Ismail Awad, Albert Y. Zomaya
Abstract: Identifying attacks on Internet of Things (IoT) systems through anomaly detection is an effective approach and remains a crucial area of research. The core method involves collecting system-related data during normal operation to establish a baseline of typical behavior and then continuously monitoring for deviations from this baseline. Using system call sequences for anomaly detection is a well-established and important field. System call sequences effectively capture the behavior of a target system at a low level, allowing identification of any changes in this behavior; however, these approaches face several challenges, including high false-positive rates, the need for segmentation of long sequences, and the difficulty of detecting anomalies when the system call data comes from multiple processes. This work presents a novel anomaly-detection approach that uses a position-specific scoring mechanism to analyze the content and structural properties of system call sequences. The proposed approach addresses key challenges in this field, including fixed-length segmentation of system call sequences, predetermined anomaly-detection thresholds, the detection of anomalies in both single and multiple processes, and high false-positive rates. We extensively evaluated the proposed approach using system-call-specific public datasets (ADFA-LD and UNM) of a diverse nature. The performance of the proposed content-based, structure-based, and combined content- and structure-based anomaly-detection methods was evaluated using ten-fold cross-validation. The proposed anomaly-detection approach achieves an impressive detection rate of 1.0, along with exceptionally low false-positive rates of 0.001 and 0.017 when evaluated on the UNM and ADFA-LD datasets, respectively.
Citations: 0

Points of the local optimal privacy utility tradeoff
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104622. Pub Date: 2025-08-13. DOI: 10.1016/j.cose.2025.104622
Zhenyu Chen, Lin Yao, Haibo Hu, Guowei Wu
Abstract: With the increasing prevalence of data sharing and publishing, striking a balance between data privacy and data utility, known as the privacy utility tradeoff problem, has emerged as a core challenge. Recent studies treat this tradeoff as an optimization process within the privacy protection process for a certain privacy protection mechanism. However, the ability to achieve an optimal tradeoff is inherently constrained by the chosen privacy protection mechanism. In this paper, we provide a new perspective by conceptualizing the privacy utility tradeoff as a series of distinct “tradeoff points,” where the inference privacy and inference utility serve as the components to represent a tradeoff point. To identify local optimal tradeoff points, we first select those that maximize utility for a given level of privacy. Then, we discard those points that do not ensure optimal privacy for the corresponding utility. Simulations on four real-world datasets using three state-of-the-art methods demonstrate that existing tradeoff solutions are limited by their underlying privacy mechanisms, while our solution helps integrate local optimal tradeoff points into the design of privacy protection mechanisms.
Citations: 0

Tool or Toy: Are SCA tools ready for challenging scenarios?
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 158, Article 104624. Pub Date: 2025-08-09. DOI: 10.1016/j.cose.2025.104624
Congyan Shu, Wentao Chen, Guisheng Fan, Huiqun Yu, Zijie Huang, Yuguo Liang
Abstract: The widespread adoption of open-source software (OSS) has introduced new security challenges to the software supply chain. While existing studies confirm the basic capabilities of Software Composition Analysis (SCA) tools, such as vulnerability detection and dependency resolution, they often focus on single ecosystems or detection aspects. This limited scope overlooks real-world complexities, including multi-language ecosystems, source and binary dependencies, and adversarial threats. Without a comprehensive evaluation, SCA tools may perform well in controlled settings but struggle in more complex scenarios. To address this gap, this study proposes an evaluation framework centered on the core functionalities of SCA tools: dependency detection, vulnerability identification, and license inspection. It covers three key dimensions including multi-language ecosystems compatibility, build forms, and attack defense. Using standardized datasets and quantitative metrics, such as precision, recall, F1-score and standard deviation, we evaluate four representative SCA tools, including both open-source and commercial options. Results reveal significant limitations in binary dependencies, language coverage, and license consistency. SCA tools also face challenges in balancing precision, coverage and robustness. The study highlights systemic shortcomings in current SCA tools, revealing that many perform like limited-use toys under real-world conditions. It offers data-driven recommendations to guide the evolution of these tools into practical, reliable solutions for supply chain security governance.
Citations: 0

SoK: An empirical investigation of malware techniques in advanced persistent threat attacks
IF 5.4, Zone 2, Computer Science
Computers & Security, Vol. 157, Article 104618. Pub Date: 2025-08-09. DOI: 10.1016/j.cose.2025.104618
Md Rayhanur Rahman, Setu Kumar Basak, Rezvan Mahdavi Hezaveh, Laurie Williams
Abstract:
Context: Adversaries launch advanced persistent threat (APT) attacks, where adversaries design their attack for a specific target and aim to remain undetected for a prolonged time. The attackers deploy a plethora of techniques for delivering and operating multiple malware in manual or automated manners. Cybersecurity vendors publish technical reports, known as cyberthreat intelligence reports, on past APT attacks, a rich information source on malware techniques. To defend organizations, prevalent techniques observed across malware in APT attacks and their association need to be identified.
Objective: The goal of this research is to aid cybersecurity practitioners in defending against APT attacks by analyzing malware techniques documented in cyberthreat intelligence reports.
Methodology: We construct a curated set of 798 cyberthreat intelligence reports and then analyze the reported malware techniques using MITRE ATT&CK, a well-known terminology of cyberattack techniques, cybercriminal groups, and campaigns in APT attacks. We analyze the frequency and trend of techniques, followed by a qualitative analysis. Next, we perform association rule mining to identify co-occurring techniques, followed by a qualitative analysis.
Findings: We identify that obtaining information on the operating and network system of the victim environment is the most prevalent technique and appears in the highest number of co-occurring pairs. We identify that spear-phishing is the most prevalent way of initial infection. We also identify three prevalent misuses of system functionalities: Macros in Office documents, the Registry in Windows, and the Task scheduler. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified association among malware techniques.
Citations: 0