{"title":"The Security Awareness Adventure: A serious game for security awareness training utilizing a state transition system and a probabilistic model","authors":"Tong Li, Fangqi Dong, Chaoqun Wen","doi":"10.1016/j.cose.2025.104500","DOIUrl":"10.1016/j.cose.2025.104500","url":null,"abstract":"<div><div>Social engineering attacks target people who lack awareness of security. These attacks have become increasingly threatening to modern software systems, which rely heavily on human interactions. Recent studies propose to conduct serious game-based security training against such threats. However, it is challenging to simulate real-world scenarios in serious games, making the training less effective. In this paper, we introduce Security Awareness Adventure, a novel social engineering serious game that allows participants to play the role of attackers and realistically experience the social engineering attack process from the attacker’s perspective. Our game works with state transition models to realistically simulate stakeholder interactions within specific scenarios and to capture stakeholders’ alternative behaviors using a branching system. To evaluate our game’s effectiveness, we conducted an experiment with 41 participants and a real social engineering security scenario. 
The experimental results show that our game can effectively improve the learner’s security awareness.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104500"},"PeriodicalIF":4.8,"publicationDate":"2025-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143891630","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Industrial internet of things fortify: multi-domain feature learning framework with deepdetectnet++ for improved intrusion detection","authors":"Kuldeep Singh","doi":"10.1016/j.cose.2025.104506","DOIUrl":"10.1016/j.cose.2025.104506","url":null,"abstract":"<div><div>The Internet of Things (IoT) connects more devices that have low user intervention requirements and can converse with each other. Intelligent Transportation (IoT) is a fast-growing field in computer science, but it's also vulnerable to various types of assaults due to the increasingly dangerous nature of the Internet. To secure IoT networks, the DeepDetectNet++ framework is proposed to identify and detect intrusions in IIoT systems and strengthen the IIoT system's security. The need for this research is informed by the fact that Intelligent Transportation IoT systems are becoming more exposed to complex cyberattacks that endanger the core functions of the systems. The goal is to design and implement a new generation intrusion detection system, DeepDetectNet++, that combines hybrid optimization and improved deep learning algorithms to increase the accuracy, sensitivity, and effectiveness of IIoT attack identification and categorization. Two IIoT datasets are used and they are preprocessed using outliers detection and missing values handling techniques. Moreover, the feature extraction phase extracts temporal features, flow-based features, and frequency domain features. A hybrid optimization strategy such as the Hybrid Pelican and Dragonfly Optimization (HPDF) technique is employed in the feature selection to identify the most discriminative features. Finally, a DeepDetectNet++ model is proposed to improve SKA-ResNet's model and Spatiotemporal Self-Attention (STSA)-Based LSTNet component to enhance the detection and classification performance of the developed model. 
The experimental results of the designed technique are validated with existing models and the developed model gained an accuracy of 98.3%, sensitivity of 97.75%, and F-measure of 98.3%. The developed model detects and classifies IIoT attacks accurately and with high efficiency.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104506"},"PeriodicalIF":4.8,"publicationDate":"2025-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143936431","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Covert penetrations: Analyzing and defending SCADA systems from stealth and Hijacking attacks","authors":"Syed Wali , Yasir Ali Farrukh , Irfan Khan , John A. Hamilton","doi":"10.1016/j.cose.2025.104449","DOIUrl":"10.1016/j.cose.2025.104449","url":null,"abstract":"<div><div>SCADA (Supervisory Control and Data Acquisition) systems are critical for managing industrial processes, including energy production, manufacturing, and transportation. However, their reliance on protocols such as Modbus, which lack inherent security features, exposes them to sophisticated cyber threats. This paper explores vulnerabilities in the Modbus protocol to design advanced SCADA-specific attack scenarios—SCADA Hijacking and SCADA Blackout. These covert attacks exploit protocol weaknesses to manipulate process parameters or halt operations while evading detection by intrusion detection systems (IDS) and human operators, representing a significant escalation in the sophistication of cyber threats. To counter these threats, we propose a novel machine learning-based defense mechanism that incorporates heterogeneous graph embeddings, combining multimodal network data such as flow-level and packet-level features. The proposed attacks and defense mechanism were rigorously evaluated using precision, recall, F1 score, accuracy and false positive rate as key metrics, demonstrating the stealthiness of the attacks and the robustness of the defense. 
By exposing critical vulnerabilities and presenting an advanced intrusion detection framework, this research establishes a foundation for strengthening SCADA systems against evolving cyber threats, ensuring the security and reliability of industrial control systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104449"},"PeriodicalIF":4.8,"publicationDate":"2025-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143878652","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A decision-making framework for user authentication using keystroke dynamics","authors":"Viktor Medvedev, Arnoldas Budžys, Olga Kurasova","doi":"10.1016/j.cose.2025.104494","DOIUrl":"10.1016/j.cose.2025.104494","url":null,"abstract":"<div><div>Increasingly sophisticated cyber attacks threaten critical infrastructures, requiring more trusted user authentication mechanisms. In this work, we propose a deep learning-based user authentication framework that combines keystroke dynamics with Siamese neural networks to differentiate legitimate users from impostors. A key challenge in this area is the variability in password lengths, which leads to different feature sizes and complicates model training. Our approach uses interpolation-based data fusion strategies to standardize the number of keystroke features, ensuring consistency across different datasets and password lengths. Through experiments on the fused CMU and KeyRecs datasets, we have evaluated the effectiveness of the proposed decision-making framework with adaptive threshold strategies. The threshold strategy determines how the final decision boundary is set with respect to the user’s baseline typing behavior. We empirically evaluated the framework on fused data, achieving an equal error rate as low as 0.11–0.12, indicating strong efficacy in detecting insider threats. 
We show how the obtained Siamese neural network with triplet loss function can be used to distinguish genuine users from impostors even under different input conditions, contributing to more robust and scalable intrusion detection systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104494"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869441","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SAFE-IDS: A privacy-preserving framework for overcoming non-IID challenges in federated intrusion detection","authors":"Alimov Abdulboriy Abdulkhay ugli , Ji Sun Shin","doi":"10.1016/j.cose.2025.104492","DOIUrl":"10.1016/j.cose.2025.104492","url":null,"abstract":"<div><div>Federated learning has advanced intrusion detection systems (IDS) by enabling collaborative model training without requiring direct data sharing. This approach allows multiple institutions to contribute to and benefit from a shared model, enhancing detection capabilities. Despite these advances, the security of model updates remains a significant concern, as malicious actors may reverse-engineer the underlying data from these updates. Additionally, existing federated learning techniques struggle with non-IID (non-Independent and Identically Distributed) data distributions and are vulnerable to inference attacks on model updates. For example, methods like <span>SignSGD</span>, while providing some privacy benefits through gradient sign manipulation, suffer from accuracy degradation, especially when dealing with non-IID data. Similarly, <span>FedAvg</span>, while effective in handling non-IID data, is prone to privacy breaches as it transmits full model updates, potentially revealing sensitive information. To address these challenges, we propose <span>SAFE-IDS</span>, a novel framework combining gradient sign-based aggregation with the <span>zSignFedAvg</span> optimizer. Unlike <span>SignSGD</span>, it incorporates a unified learning rate and weighted loss function to mitigate accuracy loss in non-IID settings. Additionally, while <span>FedAvg</span> shares full model updates, <span>SAFE-IDS</span> only shares gradient signs, enhancing privacy. The integration of <span>zSignFedAvg</span> balances privacy and convergence speed, accelerating convergence and improving robustness, particularly for class imbalance. 
Notably, <span>SAFE-IDS</span> is the first federated network intrusion detection system that effectively maintains privacy while adeptly managing non-IID data. Our empirical evaluation demonstrates that <span>SAFE-IDS</span> achieves an impressive accuracy of up to 99.74% across various IDS datasets and a varying number of clients, proving its effectiveness in both securing client data and maintaining high model performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104492"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143876533","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Securing the Internet of Robotic Things (IoRT) against DDoS Attacks: A Federated Learning with Differential Privacy Clustering Approach","authors":"Matilda Nkoom , Sena G. Hounsinou , Garth V. Crosby","doi":"10.1016/j.cose.2025.104493","DOIUrl":"10.1016/j.cose.2025.104493","url":null,"abstract":"<div><div>The exponential growth of Internet of Robotic Things (IoRT) systems has increased the vulnerability to Distributed Denial of Service (DDoS) attacks. Centralized intrusion detection approaches collect sensitive data from distributed robotic devices, raising privacy concerns. While federated learning (FL) offers collaborative threat detection, it faces challenges due to the heterogeneous nature of the data collected from the diverse IoRT devices and privacy vulnerability. This paper proposes a DDoS detection framework for IoRT systems that addresses both challenges through: (1) applying the Differential Privacy (DP) mechanism to the quantile values shared by clients with the central server, protecting statistical information while enabling effective clustering, and (2) implementing privacy-preserving k-means clustering based on these DP quantile values to group devices with similar data distributions. Using the CICIoT2023 data set and PyTorch framework, we evaluate three models and compare performance between clustered and non-clustered FL approaches. The results from our simulated environment demonstrate that our clustered approach improves performance across all models when compared to our baseline model: CNN accuracy increased from 98.10% to 98.99%, LSTM showed improvement from 95.38% to 98.00%, and GRU accuracy increased from 96.50% to 98.50%. 
Our evaluation demonstrates that privacy-preserving clustering effectively mitigates the challenges of heterogeneous data in FL while maintaining privacy guarantees.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104493"},"PeriodicalIF":4.8,"publicationDate":"2025-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869439","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Accountable, Scalable and DoS-resilient Secure Vehicular Communication","authors":"Hongyu Jin, Panos Papadimitratos","doi":"10.1016/j.cose.2025.104469","DOIUrl":"10.1016/j.cose.2025.104469","url":null,"abstract":"<div><div>Standardized Vehicular Communication (VC), mainly Cooperative Awareness Messages (CAMs) and Decentralized Environmental Notification Messages (DENMs), is paramount to vehicle safety, carrying vehicle status information and reports of traffic/road-related events respectively. Broadcasted CAMs and DENMs are pseudonymously authenticated for security and privacy protection, with each node needing to have all incoming messages validated within an expiration deadline. This creates an asymmetry that can be easily exploited by external adversaries to launch a clogging Denial of Service (DoS) attack: each forged VC message forces all neighboring nodes to cryptographically validate it; at increasing rates, easy to generate forged messages gradually exhaust processing resources and severely degrade or deny timely validation of benign CAMs/DENMs. The result can be catastrophic when awareness of neighbor vehicle positions or critical reports are missed. We address this problem making the standardized VC pseudonymous authentication <em>DoS-resilient</em>. We propose efficient cryptographic constructs, which we term message verification <em>facilitators</em>, to prioritize processing resources for verification of potentially valid messages among bogus messages and verify multiple messages based on one signature verification. Any message acceptance is strictly based on public-key based message authentication/verification for <em>accountability</em>, i.e., <em>non-repudiation</em> is not sacrificed, unlike symmetric key based approaches. 
This further enables drastic <em>misbehavior detection</em>, also exploiting the newly introduced facilitators, based on probabilistic signature verification and cross-checking over multiple facilitators verifying the same message; while maintaining verification latency low even when under attack, trading off modest communication overhead. Our facilitators can also be used for efficient discovery and verification of <em>DENM</em> or any <em>event-driven message</em>, including <em>misbehavior evidence</em> used for our scheme. Even when vehicles are saturated by adversaries mounting a clogging DoS attack, transmitting high-rate bogus CAMs/DENMs, our scheme achieves an average <span><math><mrow><mn>50</mn><mspace></mspace><mi>m</mi><mi>s</mi></mrow></math></span> verification delay with message expiration ratio less than 1% - a huge improvement over the current standard that verifies every message signature in a First-Come First-Served (FCFS) manner and suffers from having 50% to nearly 100% of the received benign messages expiring.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104469"},"PeriodicalIF":4.8,"publicationDate":"2025-04-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143878651","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"HScheduler: An execution history-based seed scheduling strategy for hardware fuzzing","authors":"Zihui Guo , Yin Lv , Ningning Cui , Liwei Chen , Gang Shi","doi":"10.1016/j.cose.2025.104479","DOIUrl":"10.1016/j.cose.2025.104479","url":null,"abstract":"<div><div>The recent emergence of hardware fuzzing has introduced significant advancements in hardware verification. However, the lack of an efficient seed (input for fuzzing) scheduling mechanism severely affects its performance. In this paper, we propose HScheduler, a novel seed scheduling strategy based on seed execution history. First, HScheduler prioritizes seeds based on the historical coverage points, ensuring that more promising seeds are executed first. Second, it analyzes seed mutation history to guide subsequent mutations, reducing the occurrence of ineffective mutations. Our evaluation demonstrates that HScheduler significantly improves the overall efficiency of hardware fuzzers. We implemented this design on both the state-of-the-art general-purpose hardware fuzzer RFUZZ and the processor-specific fuzzer DifuzzRTL. Experimental results demonstrate that, when fuzzing various real-world hardware designs, our approach achieves up to a <span><math><mrow><mn>41</mn><mo>.</mo><mn>4</mn><mo>×</mo></mrow></math></span> speed improvement (with an average improvement of <span><math><mrow><mn>7</mn><mo>.</mo><mn>4</mn><mo>×</mo></mrow></math></span>) over RFUZZ, while HScheduler significantly reduces ineffective mutations during fuzzing. Additionally, it boosts coverage speed by 5.6<span><math><mo>×</mo></math></span> in DifuzzRTL, with a notable increase in final coverage, detecting over 1.4 times more mismatch seeds (potential bugs). 
Moreover, HScheduler introduces only a 0.63% performance overhead.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104479"},"PeriodicalIF":4.8,"publicationDate":"2025-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869440","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An evolutionary wrapper to support intrusion detection system configuration","authors":"Javier Maldonado , María Cristina Riff","doi":"10.1016/j.cose.2025.104478","DOIUrl":"10.1016/j.cose.2025.104478","url":null,"abstract":"<div><div>Detecting and classifying attacks is one of the building blocks of cybersecurity. This is a difficult task, as classification algorithms must deal with a profusion of data used to detect attacks which may be very time consuming. In this paper, an evolutionary approach is proposed to obtain information about a given set of features, as well as to select the best features as input for attack classification algorithms. With this approach, each individual represents an optimized set of features, such that a cybersecurity analyst can evaluate which features and how many of them are required to obtain a suitable metric to detect a specific attack. This set of features improves the quality of attack detection while also reducing the CPU time required for the classification itself. This approach is evaluated using well-known datasets and decision trees generated by C4.5 and Random Forest algorithms for the evaluation and classification. We compare our findings with state-of-the-art results, demonstrating promising advances. 
Additionally, the features information that can be obtained using this approach is reported, which is useful for making decisions for attack discrimination.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104478"},"PeriodicalIF":4.8,"publicationDate":"2025-04-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143863648","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Safety-security convergence: Automation of IEC 62443-3-2","authors":"Mike Da Silva , Stéphane Mocanu , Maxime Puys , Pierre-Henri Thevenon","doi":"10.1016/j.cose.2025.104477","DOIUrl":"10.1016/j.cose.2025.104477","url":null,"abstract":"<div><div>Industrial Control Systems (ICS) are designed to provide a service, such as power generation or water treatment, while protecting people, assets, and the environment against hazard. However, ICS now integrate Information Technology (IT) and are interconnected with the outside world such as the Internet, thereby exposing their infrastructures to cyberattacks. Cyberattacks have thus become new threats for industrial system operations and, more specifically, for their safety. To address the issue, this paper presents a comprehensive cybersecurity risk assessment for the safety of ICS. We apply our method to automate industrial cybersecurity risk assessment as specified in the recent (2020) IEC 62443-3-2 standard, which is widely used in the industrial cybersecurity domain. By automating parts of these risk assessment processes, we can reduce the error-prone manual efforts and increase the consistency of risk assessment. More specifically, the proposed risk assessment comprises three parts which, respectively: (1) identify the specific vulnerabilities of industrial control systems, (2) determine the attack scenarios that compromise the safety of the system and (3) assess whether the attack scenarios are tolerable by the organization’s policy. In the first part, we automated the entire threat modeling process of <em>Microsoft Threat Modeling Tool</em> by developing an automatable method for building the system model, in the form of a data flow diagram, from a standard XML file called PLCOpen. This automation of the Microsoft Threat Modeling Tool process enables us to automate vulnerability identification for industrial control systems. 
In the second part, we enhance a previous work that generates theoretical safety-compromising attack scenarios by building a complete attack scenario from system vulnerabilities to safety compromise. Finally, in the third part, we rank the attack scenarios using a specific risk matrix in order to determine which scenarios exceed the risk tolerable by the organization and therefore require additional controls.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104477"},"PeriodicalIF":4.8,"publicationDate":"2025-04-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143882122","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}