{"title":"HoleMal: A lightweight IoT malware detection framework based on efficient host-level traffic processing","authors":"Ziqian Chen, Wei Xia, Zhen Li, Gang Xiong, Gaopeng Gou, Heng Zhang, Haikuo Li, Junchao Xiao","doi":"10.1016/j.cose.2025.104360","DOIUrl":"10.1016/j.cose.2025.104360","url":null,"abstract":"<div><div>With the spread of Internet of Things (IoT) devices, IoT security issues are becoming increasingly prominent. A large number of devices remain highly vulnerable to malware because of inadequate security management. Machine learning-based analysis of network traffic behavior has proven effective against this and is widely deployed in many settings. However, the efficiency of network feature extraction and online detection is severely constrained by the limited computing resources available on IoT devices. To address this, we propose HoleMal, a host-level framework for detecting malicious network behavior in resource-constrained environments. HoleMal provides a complete suite of host-level traffic monitoring, processing and detection components, aiming at the best achievable network protection for the least resource cost. During detection, HoleMal builds host-level traffic features from the device’s own perspective. It describes a device’s behavior along three dimensions, connection behavior, network activity and accessed services, for a total of 36 host-level features. Because these features do not depend on payloads, they are unaffected by traffic encryption. HoleMal further provides a cost-sensitive feature selector that quantifies the computational cost of each feature and incorporates that cost into the selection process. It identifies the host-level feature subset with the best detection capability at the lowest computational cost, giving a principled basis for building the detection model and further strengthening the efficiency advantage of HoleMal. We evaluate HoleMal on multiple datasets on a Raspberry Pi. The experimental results show that HoleMal delivers robust detection performance on all datasets and achieves significant efficiency improvements over fine-grained approaches.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104360"},"PeriodicalIF":4.8,"publicationDate":"2025-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143394688","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PDCleaner: A multi-view collaborative data compression method for provenance graph-based APT detection systems","authors":"Jiaobo Jin, Tiantian Zhu, Qixuan Yuan, Tieming Chen, Mingqi Lv, Chenbin Zheng, Jian-Ping Mei, Xiang Pan","doi":"10.1016/j.cose.2025.104359","DOIUrl":"10.1016/j.cose.2025.104359","url":null,"abstract":"<div><div>In recent years, advanced persistent threats (APTs) have occurred frequently and with increasing severity on a global scale. Provenance graph-based APT detection systems have proven highly effective, but the data compression methods they depend on struggle with massive data volumes: compression is uneven, generality is limited, and semantics are lost. To address these challenges, we propose PDCleaner, a multi-view collaborative data compression method designed to preserve the semantics of provenance graphs. It comprises three core strategies: a global semantics-driven event deletion strategy, a behavior-preserving entity aggregation strategy, and a similarity-based event chain merging strategy. Together these strategies compress data from three perspectives, events, entities and event chains, yielding concise and generalizable datasets suitable for model training and prediction. Experimental results show that the multi-view collaborative compression achieves a compression rate of 14.43X while keeping the average semantic loss at only 4.98%, substantially reducing data size while preserving provenance graph semantics. Furthermore, in a deep learning-based threat detection model, the method reduces training time by up to 20.22% and improves the F1 score by 0.051, providing a sound data foundation for efficient and accurate threat detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104359"},"PeriodicalIF":4.8,"publicationDate":"2025-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143387679","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
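The three compression views named in the abstract above (event deletion, entity aggregation, event chain merging), as an added example that is not the PDCleaner code: the audit log is constructed, and the concrete redundancy rules (when a repeated event carries no information, when two objects are behaviourally alike, when two chains have the same shape) are assumptions made here, chosen so that each stage removes a different kind of redundancy without dropping any raw event.

```python
"""Three-view compression of a provenance graph: redundant-event deletion,
behaviour-preserving entity aggregation and merging of similar event chains.
Added example in the spirit of PDCleaner, not the paper's code; the audit
log and the three redundancy rules are assumptions made here."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Event:
    ts: int
    subject: str    # process "name:pid"
    action: str     # read / write / accept ...
    obj: str        # file path or socket address
    obj_type: str   # "file" or "socket"
    count: int = 1  # raw events this record stands for

def build_log():
    """Constructed audit stream with one instance of each redundancy kind."""
    log = []
    ev = lambda s, a, o, t: log.append(Event(len(log) + 1, s, a, o, t))
    for _ in range(5):                               # same read, repeated
        ev("bash:1001", "read", "/etc/hosts", "file")
    for i in range(4):                               # temp files, same role
        ev("bash:1001", "write", f"/tmp/x{i}", "file")
    for pid in (2001, 2002, 2003):                   # workers, same chain
        ev(f"nginx:{pid}", "read", "/etc/nginx/nginx.conf", "file")
        ev(f"nginx:{pid}", "accept", "0.0.0.0:443", "socket")
        ev(f"nginx:{pid}", "write", "/var/log/nginx/access.log", "file")
    ev("vim:1003", "write", "/etc/hosts", "file")
    ev("bash:1001", "read", "/etc/hosts", "file")    # file changed: must stay
    return log

def delete_redundant_events(events):
    """Event view: fold a repeat of a kept (subject, action, object) event
    into it when it adds nothing: a read with no write to the object since,
    a write with nothing else touching the object in between."""
    kept, index, last_copy, last_write, last_touch = [], {}, {}, {}, {}
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.subject, e.action, e.obj)
        if e.action == "write":
            redundant = key in index and last_touch.get(e.obj) == last_copy[key]
        else:
            redundant = key in index and last_write.get(e.obj, 0) <= last_copy[key]
        if redundant:
            i = index[key]
            kept[i] = replace(kept[i], count=kept[i].count + e.count)
        else:
            index[key] = len(kept)
            kept.append(e)
        last_copy[key] = last_touch[e.obj] = e.ts
        if e.action == "write":
            last_write[e.obj] = e.ts
    return kept

def aggregate_entities(events):
    """Entity view: objects touched by exactly the same (subject, action)
    pairs are behaviourally alike; fold them into one group node, then
    let the event rule merge the now-identical events on the group."""
    signature = defaultdict(set)
    for e in events:
        signature[(e.obj_type, e.obj)].add((e.subject, e.action))
    groups = defaultdict(list)
    for (otype, obj), sig in signature.items():
        groups[(otype, frozenset(sig))].append(obj)
    rename, n = {}, 0
    for key in sorted(groups, key=lambda k: min(groups[k])):
        if len(groups[key]) > 1:
            n += 1
            rename.update({o: f"{key[0]}-group#{n}" for o in groups[key]})
    renamed = [replace(e, obj=rename.get(e.obj, e.obj)) for e in events]
    return delete_redundant_events(renamed), rename

def merge_event_chains(events):
    """Chain view: subjects whose whole event chain has the same shape
    (sequence of action/object pairs) collapse into one chain, counts summed."""
    chains = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        chains[e.subject].append(e)
    by_shape = defaultdict(list)
    for subj in sorted(chains):
        by_shape[tuple((e.action, e.obj) for e in chains[subj])].append(subj)
    merged = []
    for subjects in by_shape.values():
        rep = subjects[0]
        label = rep if len(subjects) == 1 else f"{rep}(+{len(subjects) - 1} alike)"
        for i, e in enumerate(chains[rep]):
            merged.append(replace(e, subject=label,
                                  count=sum(chains[s][i].count for s in subjects)))
    return sorted(merged, key=lambda x: x.ts)

def compress(raw):
    """Apply the three views in turn; return the graph and per-stage sizes."""
    after_events = delete_redundant_events(raw)
    after_entities, rename = aggregate_entities(after_events)
    final = merge_event_chains(after_entities)
    return final, {"raw": len(raw), "events": len(after_events),
                   "entities": len(after_entities), "final": len(final),
                   "objects_folded": len(rename), "ratio": len(raw) / len(final)}

if __name__ == "__main__":
    graph, stats = compress(build_log())
    print(stats, *graph, sep="\n")
```

The `count` field is the semantic-loss guard in this toy: the counts of the compressed graph always sum to the raw event total, and the read of `/etc/hosts` that follows vim's write survives because the object changed in between, which is the kind of ordering a provenance-based detector must not lose.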
{"title":"Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: A systematic literature review","authors":"Marcus Gerdin, Åke Grönlund, Ella Kolkowska","doi":"10.1016/j.cose.2025.104365","DOIUrl":"10.1016/j.cose.2025.104365","url":null,"abstract":"<div><div>The rich stream of research on employee non-/compliance with information security policies (ISPs) suffers from inconsistent results. Attempts to explain these inconsistencies have included the investigation of possible contextual moderating factors. Another promising, yet not systematically investigated, explanation concerns conceptual inconsistencies in variable definitions and in questionnaire measurement items.</div><div>Based on a systematic literature review covering 36 ISP non-/compliance articles that use Protection Motivation Theory (PMT) and/or the Theory of Planned Behavior (TPB), we found four major types of conceptual inconsistency and ambiguity within and across studies: (i) inconsistencies in variable definitions; (ii) inconsistencies between the measurement items of a variable; (iii) inconsistencies between variable definitions and measurement items; and (iv) unclearly or vaguely worded measurement items. The review contributes to the field by showing that the inconsistent results may be due not only to unknown contextual moderators but also to conceptual incongruences within and across studies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104365"},"PeriodicalIF":4.8,"publicationDate":"2025-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143421529","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Understanding the chief information security officer: Qualifications and responsibilities for cybersecurity leadership","authors":"Christopher A. Ramezan","doi":"10.1016/j.cose.2025.104363","DOIUrl":"10.1016/j.cose.2025.104363","url":null,"abstract":"<div><div>As cyberattacks on businesses and critical infrastructure grow in sophistication and frequency, the Chief Information Security Officer (CISO) has become a pivotal role in organizations, tasked with leading cybersecurity programs and reducing risks to organizational assets. Given the importance of the position, this study seeks to expand the sparse literature on the role of the CISO and to provide insights on current position requirements and responsibilities that can guide higher education cybersecurity management programs as well as aspiring cybersecurity leaders. To better understand this critical role, the study combines natural language processing methods with manual information extraction in an in-depth analysis of the responsibilities and requirements of the role across 250 CISO job postings listed in 27 nations. The analysis showed that nearly 99 % of positions required prior professional experience, with 10 years being the most common requirement. Employers highly valued bachelor's or master's degrees in STEM or business fields, vendor-neutral certifications such as the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM), strong communication skills, and knowledge of regulatory frameworks and cybersecurity standards. In contrast, technical expertise in cybersecurity platforms, programming skills, and security clearances were less frequently required, as were travel commitments. Current CISO responsibilities and requirements also emphasize the strategic and business-facing nature of the role, with the focus on strategic and management-level tasks rather than tactical, technical ones. Higher education programs seeking to train the next generation of cybersecurity leaders, as well as information technology, cybersecurity, or management professionals aspiring to a CISO position, should note the role requirements currently in demand by industry and the strategic and management-focused tasks commonly assigned to the role, and prepare accordingly.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104363"},"PeriodicalIF":4.8,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143372089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Evaluating the potential of quantum machine learning in cybersecurity: A case-study on PCA-based intrusion detection systems","authors":"Armando Bellante , Tommaso Fioravanti , Michele Carminati , Stefano Zanero , Alessandro Luongo","doi":"10.1016/j.cose.2025.104341","DOIUrl":"10.1016/j.cose.2025.104341","url":null,"abstract":"<div><div>Quantum computing promises to revolutionize our understanding of the limits of computation, and its implications for cryptography have long been evident. Today, cryptographers are actively devising post-quantum solutions to counter the threats posed by quantum-enabled adversaries, while quantum scientists are designing quantum protocols to empower defenders. However, the broader impact of quantum computing and quantum machine learning (QML) on other cybersecurity domains remains largely unexplored. In this work, we investigate the potential impact of QML on cybersecurity applications of traditional ML. First, we explore the potential advantages of quantum computing in machine learning problems specifically related to cybersecurity. Then, we describe a methodology to quantify the future impact of fault-tolerant QML algorithms on real-world problems. As a case study, we apply our approach to standard methods and datasets in network intrusion detection, one of the most studied applications of machine learning in cybersecurity. Our results provide insight into the conditions under which a quantum advantage can be obtained and into the quantum hardware and software advances that would be needed.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104341"},"PeriodicalIF":4.8,"publicationDate":"2025-02-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143684126","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"HER-PT: An intelligent penetration testing framework with Hindsight Experience Replay","authors":"Mingda Li, Tiantian Zhu, Haoqi Yan, Tieming Chen, Mingqi Lv","doi":"10.1016/j.cose.2025.104357","DOIUrl":"10.1016/j.cose.2025.104357","url":null,"abstract":"<div><div>Penetration testing (PT) is an active method for evaluating the security of computer systems. As networks keep growing, the difficulty of penetration testing rises sharply, and it still relies heavily on expert experience. AI-based techniques such as Deep Reinforcement Learning (DRL) are therefore a promising way to automate penetration testing and reduce labor costs. However, in existing DRL-based PT work the attacker performs a large number of actions that yield little feedback, so it is hard to collect enough successful experiences and positive rewards: the sparse reward problem. In addition, existing work on automated penetration with the Metasploit Framework (MSF) in real environments mainly targets single-host scenarios and has not been extended to multi-host networks. In this paper we propose a new intelligent PT framework, <span>HER-PT</span>, that integrates Hindsight Experience Replay (HER) into DRL-based PT models in order to address the sparse reward problem and to apply penetration testing to real multi-host scenarios. We constructed several network scenarios, trained <span>HER-PT</span> agents in the network attack simulator NASim for autonomous penetration testing experiments, and tried different reinforcement learning optimization schemes. Experimental results show that <span>HER-PT</span> converges within 500 episodes in a medium-sized scenario of 16 hosts, about 50% faster than other models, and still maintains a success rate of 85.76% in a scenario whose topology changes with medium frequency. The results show that <span>HER-PT</span> effectively accelerates training and shortens the training period.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104357"},"PeriodicalIF":4.8,"publicationDate":"2025-02-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143349565","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
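The sparse-reward problem and the hindsight relabeling that the abstract above uses against it, as an added example that is not the HER-PT code and does not use the NASim simulator: the four-host network, the exploit model, the goal encoding (goal = host to compromise) and the tabular goal-conditioned Q-learner are assumptions made here. With a sparse reward, a random episode that never reaches the target host teaches nothing; HER replays the same episode with the hosts it did compromise substituted as goals, so those steps become rewarded transitions.

```python
"""Hindsight Experience Replay (HER) on a toy multi-host penetration task.
Added example in the spirit of HER-PT, not its code and not the NASim
simulator: the network, the exploit model, the goal encoding and the
tabular learner below are assumptions made here."""
import random
from collections import defaultdict

# Constructed network: which hosts can reach which, and which are exploitable.
EDGES = {"internet": ["web"], "web": ["app", "internet"],
         "app": ["db", "web"], "db": ["app"]}
VULNERABLE = {"web", "app", "db"}
ACTIONS = sorted(EDGES)            # action = host to attempt an exploit on
START = frozenset({"internet"})    # state = set of owned hosts


def exploit(owned, target):
    """Succeeds only if the target is vulnerable, not yet owned and reachable
    from an owned host; otherwise the state is unchanged (no feedback)."""
    reachable = any(target in EDGES[h] for h in owned)
    if target in VULNERABLE and target not in owned and reachable:
        return owned | {target}
    return owned


def reward(owned, goal):
    return 1.0 if goal in owned else 0.0   # sparse: 1 only when the goal falls


def rollout(goal, horizon, rng):
    """One random-policy episode as (state, action, reward, next_state, goal)."""
    owned, episode = START, []
    for _ in range(horizon):
        action = rng.choice(ACTIONS)
        nxt = exploit(owned, action)
        episode.append((owned, action, reward(nxt, goal), nxt, goal))
        owned = nxt
        if goal in owned:
            break
    return episode


def her_relabel(episode):
    """HER 'final' strategy: replay the episode once per host that was
    actually compromised, with that host substituted as the goal, cutting
    each replay at the step that achieved it. A failed run thus still yields
    transitions with reward 1, which is exactly what sparse rewards lack."""
    achieved = sorted(episode[-1][3] - START)
    extra = []
    for g in achieved:
        for s, a, _, s2, _ in episode:
            extra.append((s, a, reward(s2, g), s2, g))
            if g in s2:
                break
    return extra


def train(buffer, passes=50, alpha=0.5, gamma=0.9):
    """Goal-conditioned tabular Q-learning over a replay buffer."""
    q = defaultdict(float)
    for _ in range(passes):
        for s, a, r, s2, g in buffer:
            best_next = 0.0 if g in s2 else max(q[(s2, g, b)] for b in ACTIONS)
            q[(s, g, a)] += alpha * (r + gamma * best_next - q[(s, g, a)])
    return q


def greedy(q, state, goal):
    return max(ACTIONS, key=lambda a: q[(state, goal, a)])


if __name__ == "__main__":
    rng = random.Random(7)
    episodes = [rollout("db", 6, rng) for _ in range(200)]
    plain = [t for ep in episodes for t in ep]
    her = plain + [t for ep in episodes for t in her_relabel(ep)]
    for name, buf in (("plain", plain), ("plain+HER", her)):
        q = train(buf)
        print(f"{name}: {len(buf)} transitions, "
              f"{sum(1 for t in buf if t[2] > 0)} rewarded, "
              f"first move toward web: {greedy(q, START, 'web')}")
```

The relabeled transitions carry values back along the attack path (owning `web` is worth something because `app` is reachable from it), so the agent learns the pivot structure of the network from episodes that, under the original goal, were complete failures.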
{"title":"Semi-supervised deep-ELM for DDoS attack detection and mitigation using the OptimalLink model in IoT networks","authors":"K. Rajkumar, S. Mercy Shalinie","doi":"10.1016/j.cose.2025.104323","DOIUrl":"10.1016/j.cose.2025.104323","url":null,"abstract":"<div><div>Human-machine interaction is becoming smarter thanks to the Internet of Things. Internet of Things devices are made by many different manufacturers, which can lead to a lack of common security standards. Attackers exploit this, for example through unpatched vulnerabilities, to form botnets simply by compromising Internet of Things devices. Among the many kinds of security breach, distributed denial of service attacks are particularly troublesome: they fragment the network and deny end consumers a variety of services, for instance by consuming bandwidth, depleting server resources and ruining the end-user experience. As a result, in many Internet of Things use cases a distributed denial of service attack can be catastrophic. This paper addresses distributed denial of service attacks mounted by malicious Internet of Things systems. To detect and prevent such attacks, our security strategy adapts the software-defined networking paradigm: we propose a semi-supervised deep extreme learning machine technique for detection, using a new set of dataset features, together with an optimal link mitigation algorithm. The detection and mitigation methods are incorporated into the software-defined network controller, which is located in the Internet of Things and application layers. Compared with other solutions, our detection and mitigation strategy increases throughput and available bandwidth and decreases network load. We tested the semi-supervised deep extreme learning machine algorithm on an emulated topology and testbed and compared the outcomes with state-of-the-art solutions, improving the accuracy of distributed denial of service attack detection to 99.97 %.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104323"},"PeriodicalIF":4.8,"publicationDate":"2025-02-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143387680","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AGLFuzz: Automata-Guided Fuzzing for detecting logic errors in security protocol implementations","authors":"Dongliang Zhao, Jiaxing Guo, Chunxiang Gu, Yonghui Zheng, Xieli Zhang","doi":"10.1016/j.cose.2024.103979","DOIUrl":"10.1016/j.cose.2024.103979","url":null,"abstract":"<div><div>Security protocols are crucial for ensuring communication security and safeguarding data integrity in computer networks and distributed systems. The complexity of security protocol logic, coupled with implementation challenges, often results in protocol implementations that fail to satisfy their security requirements because of logical errors. Unlike memory-related bugs, logical errors do not exhibit fixed patterns or behaviors, which makes them especially challenging to detect. We therefore propose a logic error detection method based on black-box fuzzing. It takes protocol interaction behaviors as atomic propositions and uses linear temporal logic on finite traces (LTL<sub>f</sub>) to express the expected properties. Logical errors are identified by checking whether the abstract interaction sequence extracted from the fuzz data is accepted by the automaton corresponding to the LTL<sub>f</sub> property. Furthermore, we design an automata-guided fuzz testing algorithm that uses the state information of the automata to drive test sequence generation, thereby accelerating the search for errors. To support this method, a general-purpose black-box fuzz testing framework, AGLFuzz, has been implemented; it currently includes testing modules for TLS 1.3 and IPsec protocol implementations. Experimental evaluations on several widely used TLS 1.3 and IPsec implementations have uncovered multiple counterexamples that violate specific properties, as well as vulnerabilities that can crash the target. Notably, three of these vulnerabilities have been assigned CVE numbers, highlighting the effectiveness of the proposed method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 103979"},"PeriodicalIF":4.8,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143097074","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
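The checking step described in the abstract above (abstract the captured messages into atomic propositions, run the sequence through the automaton of an LTL<sub>f</sub> property, flag the trace if it is not accepted) and the automaton-state-guided choice of the next message, as an added example that is not the AGLFuzz code: the three TLS 1.3 properties, the hand-built automata for them, the message abstraction and the captured records are assumptions made here. The finite-trace semantics matters: a safety violation is caught at the offending message, while an "eventually" property can only be judged once the trace has ended.

```python
"""Checking abstract protocol traces against LTLf-style properties that
have been compiled (by hand) into finite automata, and using automaton
state to steer input choice. Added example in the spirit of AGLFuzz, not
its code: the three TLS 1.3 properties, their automata, the message
abstraction and the captured records are assumptions made here."""
from collections import deque


class Dfa:
    """Deterministic automaton over atomic propositions. Any (state, prop)
    pair missing from delta is a self-loop. Finite-trace semantics: a trace
    is accepted iff the state after its last event is accepting."""

    def __init__(self, name, init, accepting, delta):
        self.name, self.init = name, init
        self.accepting, self.delta = set(accepting), dict(delta)

    def step(self, state, prop):
        return self.delta.get((state, prop), state)

    def can_accept(self, state):
        """False when no accepting state is reachable any more (a dead end)."""
        seen, todo = {state}, deque([state])
        while todo:
            s = todo.popleft()
            if s in self.accepting:
                return True
            for (src, _), dst in self.delta.items():
                if src == s and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return False

    def run(self, trace):
        """(accepted, index): index of the event at which the property became
        unsatisfiable, len(trace) if only the end of the trace violates it,
        None when the trace is accepted."""
        s = self.init
        for i, prop in enumerate(trace):
            s = self.step(s, prop)
            if not self.can_accept(s):
                return False, i
        return (True, None) if s in self.accepting else (False, len(trace))


# Client-side view of a TLS 1.3 server under test; props are direction_type.
# (not recv_NewSessionTicket) W sent_Finished: RFC 8446 4.6.1 allows tickets
# only after the server has received the client's Finished.
P_TICKET = Dfa("ticket-after-client-finished", "pre", {"pre", "post"},
               {("pre", "sent_Finished"): "post",
                ("pre", "recv_NewSessionTicket"): "dead"})
# (not recv_ApplicationData) W recv_Finished: no server application data
# before the server's own Finished.
P_APPDATA = Dfa("appdata-after-server-finished", "pre", {"pre", "post"},
                {("pre", "recv_Finished"): "post",
                 ("pre", "recv_ApplicationData"): "dead"})
# F(recv_ServerHello or recv_Alert): a ClientHello must draw some reply
# before the trace ends (finite-trace 'eventually', judged at the end).
P_REPLY = Dfa("reply-to-clienthello", "wait", {"done"},
              {("wait", "recv_ServerHello"): "done",
               ("wait", "recv_Alert"): "done"})
PROPERTIES = (P_TICKET, P_APPDATA, P_REPLY)


def abstract(records):
    """Raw (direction, content_type, handshake_type) records -> propositions."""
    props = []
    for direction, content_type, body in records:
        who = "sent" if direction == "C->S" else "recv"
        props.append(f"{who}_{body if content_type == 'Handshake' else content_type}")
    return props


def check_trace(records):
    trace = abstract(records)
    return {p.name: p.run(trace) for p in PROPERTIES}


def guided_choice(dfa, state, visits, candidates):
    """Automaton-guided generation: send the message whose transition lands
    in the least-visited automaton state (explores new states first)."""
    return min(candidates,
               key=lambda prop: (visits.get(dfa.step(state, prop), 0),
                                 candidates.index(prop)))


# Constructed captures. HS is a normal server flight up to its Finished.
HS = [("C->S", "Handshake", "ClientHello"), ("S->C", "Handshake", "ServerHello"),
      ("S->C", "Handshake", "EncryptedExtensions"), ("S->C", "Handshake", "Certificate"),
      ("S->C", "Handshake", "CertificateVerify"), ("S->C", "Handshake", "Finished")]
GOOD = HS + [("C->S", "Handshake", "Finished"), ("S->C", "Handshake", "NewSessionTicket"),
             ("C->S", "ApplicationData", None), ("S->C", "ApplicationData", None)]
EARLY_TICKET = HS + [("S->C", "Handshake", "NewSessionTicket"), ("C->S", "Handshake", "Finished")]
EARLY_DATA = HS[:2] + [("S->C", "ApplicationData", None)]
SILENT = HS[:1]

if __name__ == "__main__":
    for name, rec in [("good", GOOD), ("early ticket", EARLY_TICKET),
                      ("early data", EARLY_DATA), ("silent", SILENT)]:
        print(name, check_trace(rec))
```

Because the abstraction keeps only message direction and type, the same property automata apply to any implementation under test, and a counterexample is reported as the prefix of the abstract trace up to the offending index rather than as a crash signature.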
{"title":"Design and implementation of a closed loop time delay feedback control (CLTD-FC) system for mitigating DDoS attacks","authors":"Kaijiao Huang, Lifei Wang, Faisal Mehmood, Jianxun Liu","doi":"10.1016/j.cose.2025.104353","DOIUrl":"10.1016/j.cose.2025.104353","url":null,"abstract":"<div><div>Denial of Service (DoS) attacks disrupt the availability and performance of networked systems by bombarding targeted hosts with malicious traffic, degrading their capacity or exhausting it entirely. In this paper we use a mathematical model that captures the dominant features of Distributed DoS (DDoS) attacks to explore an approach for countering their effects. We propose a closed loop time delay feedback control (CLTD-FC) system by designing an appropriate feedback controller. This infrastructure is then used to derive a control-theoretic mitigation strategy that effectively damps the queue dynamics of Internet routers during DDoS scenarios. Specifically, we show that the CLTD-FC scheme maintains and monitors queue stability while converging to the desired operating targets under sustained attack. The method is implemented in the network simulator NS2 to validate its effectiveness. Simulation results show that, compared with a drop-tail solution, the proposed CLTD-FC scheme improves QoS, ensures network fairness, and stabilizes and optimizes queue performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104353"},"PeriodicalIF":4.8,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149524","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
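The control-theoretic idea in the abstract above (a router queue under flood, a feedback controller that acts on a delayed measurement of the queue, compared against drop-tail), as an added example that is not the paper's model or its NS2 code: the fluid queue model, the traffic figures, the two-step feedback delay and the PI gains are assumptions made here. The third run shows why the delay matters: a proportional gain that would be fine with instantaneous feedback drives the delayed loop into a sustained oscillation.

```python
"""Fluid-model simulation of a router queue under a DDoS flood: drop-tail
against a closed-loop controller that drops arriving traffic based on a
delayed queue measurement. Added example in the spirit of the CLTD-FC
design, not the paper's model or its NS2 code; the queue model, traffic
numbers, feedback delay and controller gains are assumptions made here."""
from dataclasses import dataclass


@dataclass
class Link:
    capacity: float = 100.0   # packets served per step
    buffer: float = 500.0     # drop-tail limit, packets
    q_ref: float = 100.0      # occupancy the controller aims for


def offered_load(t, attack_start=50, legit=60.0, flood=140.0):
    """Constructed traffic: legitimate load below capacity, then a flood."""
    return legit + (flood if t >= attack_start else 0.0)


def simulate(link, steps, kp=0.0, ki=0.0, delay=2, load=offered_load):
    """Queue-length trajectory q[0..steps]. With kp = ki = 0 this is plain
    drop-tail. Otherwise a PI controller acting on the occupancy error
    measured `delay` steps ago sets the drop probability
    p = clip(kp*e(t-delay) + ki*sum(e), 0, 1); the integral is clamped so
    it cannot wind up while the link is idle and p is already 0."""
    q, integral = [0.0], 0.0
    for t in range(steps):
        err = q[max(t - delay, 0)] - link.q_ref
        if ki:
            integral = min(max(integral + err, 0.0), 1.0 / ki)
        p = min(max(kp * err + ki * integral, 0.0), 1.0)
        admitted = load(t) * (1.0 - p)
        q.append(min(max(q[t] + admitted - link.capacity, 0.0), link.buffer))
    return q


def steady_state(q, link, window=200):
    """Mean occupancy, peak-to-peak swing and implied queueing delay (in
    service periods) over the last `window` steps."""
    tail = q[-window:]
    mean_q = sum(tail) / len(tail)
    return {"mean_q": mean_q, "swing": max(tail) - min(tail),
            "delay": mean_q / link.capacity}


if __name__ == "__main__":
    link = Link()
    runs = {"drop-tail": {},
            "PI tuned for a 2-step delay": {"kp": 0.001, "ki": 0.00015},
            "P gain too high for the delay": {"kp": 0.006}}
    for name, gains in runs.items():
        print(f"{name:32s}", steady_state(simulate(link, 1000, **gains), link))
```

Under drop-tail the queue sits at the buffer limit for the whole attack, so every legitimate packet that does get through waits the maximum time; the tuned controller holds the queue at the reference with the same link throughput, which is the queue-stability and QoS gain the abstract refers to. Gains should be checked against the loop's delay: the characteristic polynomial of the linearised loop used here is z^4 - 2z^3 + z^2 + (K1 + K2)z - K1 with K1 = 200*kp and K2 = 200*ki, which is stable for the tuned pair and not for kp = 0.006, ki = 0.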
{"title":"Safeguarding connected autonomous vehicle communication: Protocols, intra- and inter-vehicular attacks and defenses","authors":"Mohammed Aledhari , Rehma Razzak , Mohamed Rahouti , Abbas Yazdinejad , Reza M. Parizi , Basheer Qolomany , Mohsen Guizani , Junaid Qadir , Ala Al-Fuqaha","doi":"10.1016/j.cose.2025.104352","DOIUrl":"10.1016/j.cose.2025.104352","url":null,"abstract":"<div><div>Advances in autonomous driving technology, coupled with growing interest from automotive manufacturers and technology companies, point to rising adoption of Connected Autonomous Vehicles (CAVs) in the near future. Despite some evidence of higher accident rates for AVs, these incidents tend to result in less severe injuries than those involving traditional vehicles, owing to cooperative safety measures. However, the increased complexity of CAV systems exposes them to significant security vulnerabilities that can compromise their performance and the integrity of their communications. This paper presents a detailed analysis of existing security frameworks and protocols, focusing on intra- and inter-vehicle communication. We systematically evaluate how well these frameworks address known vulnerabilities and propose a set of best practices for strengthening CAV communication security. The paper also provides a comprehensive taxonomy of attack vectors in CAV ecosystems and suggests future research directions for designing more robust security mechanisms. Our key contributions are a new classification system for CAV security threats, a proposal of practical security protocols, and use cases that show how these protocols can be integrated into real-world CAV applications. These insights are crucial for advancing secure CAV adoption and for the safe integration of autonomous vehicles into intelligent transportation systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104352"},"PeriodicalIF":4.8,"publicationDate":"2025-01-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143229251","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}