{"title":"iQUIC: An intelligent framework for defending QUIC connection ID-based DoS attack using advantage actor–critic RL","authors":"Debasmita Dey, Nirnay Ghosh","doi":"10.1016/j.cose.2025.104463","DOIUrl":"10.1016/j.cose.2025.104463","url":null,"abstract":"<div><div>QUIC (Quick UDP Internet Connections) is a relatively recent transport layer protocol that Google deployed and implemented for the first time in 2012. The key aspect of this protocol is that it is faster than TCP, more secure than UDP, and more efficient regarding resource usage. It has been adopted by some Internet-based applications, viz., YouTube, Gmail, etc. Recent advancements in 5G/6G communication technology have enabled the integration of QUIC with many real-time applications. One of the drawbacks in the design of the QUIC protocol is its vulnerability against attacks related to connection ID, and a recent attack of this type is the <em>retire connection ID stuffing attack</em>. This attack leads to a denial of service (DoS) condition, thus hindering network operations and services. Few preventive solutions have been proposed, but they focus on closing the connection after detecting an attack scenario, which results in service disruption. In this paper, we attempted to render flexibility to this rigid security defense mechanism situation by proposing <em>iQUIC</em>, an intelligent framework to configure a network condition monitoring QUIC server. The framework inputs the network data to a local <em>Advantage Actor–Critic (A2C) Reinforcement Learning (RL)</em> engine to support decision-making regarding accepting/rejecting a request from a client or issuing a warning signal to it. The framework also enables the server to stochastically suspend connections with the client(s) following an <span><math><mi>ϵ</mi></math></span>-greedy approach after a predefined observation window. 
To replicate a real-world QUIC-enabled network, we devised a small QUIC network consisting of two clients and a server and generated substantial QUIC traffic by implementing a U-Net-based GAN (Generative Adversarial Network) model from scratch. A simulation-based performance evaluation demonstrates that the QUIC server powered by the actor–critic RL learns to make optimal decisions with time.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104463"},"PeriodicalIF":4.8,"publicationDate":"2025-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143869442","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy preservation techniques through data lifecycle: A comprehensive literature survey","authors":"Sheema Madhusudhanan, Arun Cyril Jose","doi":"10.1016/j.cose.2025.104473","DOIUrl":"10.1016/j.cose.2025.104473","url":null,"abstract":"<div><div>With the increasing user data volume, safeguarding sensitive information has become more critical than ever. This survey reviews privacy-preserving techniques and models designed to protect Personally Identifiable Information (PII) and other sensitive data. Privacy is essential at every data lifecycle stage, including data collection, storage, processing, sharing and transmission, retention and deletion, and access control. We discuss the challenges associated with each stage and highlight relevant research work. The survey concludes with a discussion of ongoing challenges and potential research directions in data privacy preservation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104473"},"PeriodicalIF":4.8,"publicationDate":"2025-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143851396","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring capacitive swipe gesture for user authentication using a new large dataset","authors":"Kiran K.C., Md Shafaeat Hossain, Carl Haberfeld","doi":"10.1016/j.cose.2025.104475","DOIUrl":"10.1016/j.cose.2025.104475","url":null,"abstract":"<div><div>We investigate the viability of the capacitive swipe gesture as a biometric modality. While the regular swipe gesture and the capacitive image have been widely explored in biometric literature, the capacitive swipe gesture is fairly new in this line of research. To our knowledge, only one recent study has explored the capacitive swipe gesture, and demonstrated its promise. However, that study is limited by a number of factors, such as using a very small data set in the experiments, collecting data in a single session, allowing the same impostor in both training and testing phases of authentication models, etc. In our paper, we address all these limitations, and rigorously explore the capacitive swipe gesture by creating a new large data set. Additionally, we develop a new technique to preprocess capacitive swipe gesture data, and demonstrate its effectiveness by comparing with existing techniques. A large set of experiments with four machine learning classifiers and two swipe directions prove that the capacitive swipe gesture can be effectively used for user authentication in smartphones.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104475"},"PeriodicalIF":4.8,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143843562","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DFirmSan: A lightweight dynamic memory sanitizer for Linux-based firmware","authors":"Shanquan Yang , Yansong Gao , Boyu Kuang , Yixuan Yang , Anmin Fu","doi":"10.1016/j.cose.2025.104467","DOIUrl":"10.1016/j.cose.2025.104467","url":null,"abstract":"<div><div>Vulnerabilities in Linux-based firmware present a significant risk to IoT security, with memory-related issues being especially hidden and dangerous. Despite substantial efforts to uncover firmware vulnerabilities through fuzzing, these methods are often ineffective in detecting memory vulnerabilities. To address this issue, prior research introduces sanitizers integrated into fuzzers. However, applying existing sanitizers to Linux-based firmware poses three significant challenges: First, embedded Linux systems lack robust memory protection and operate under tight performance constraints, making it difficult to detect “silent memory corruption”. Second, most binary sanitizers focus on executables, such as the main program (the core backend service programs handling requests), and fail to effectively monitor dynamically loaded libraries, which are often assumed to be trustworthy. Third, sanitizers that rely on global memory monitoring techniques, such as shadow memory or redzone, introduce substantial performance overhead. These mechanisms significantly slow down resource-constrained firmware, rendering fuzz testing impractical for IoT devices. This paper introduces DFirmSan, a lightweight dynamic memory sanitizer for Linux-based firmware. DFirmSan addresses key challenges in detecting memory vulnerabilities through a two-step process. First, the pre-analysis phase identifies service programs and vendor-customized libraries, analyzing them for sensitive function calls and key parameters. 
In the second step, dynamic memory corruption detection, DFirmSan leverages this information to perform targeted dynamic boundary checks during runtime, focusing on detecting memory flaws, particularly silent corruptions. To minimize overhead, DFirmSan focuses on selectively monitoring sensitive function parameters influenced by untrusted data, rather than tracking all memory variables. It further reduces false positives by dynamically adjusting parameter boundaries. We evaluate DFirmSan on 18 real-world firmware samples. By integrating DFirmSan, two advanced fuzzers detect 117 and 25 additional known CVEs, respectively. Besides, it helps uncover 4 CNVD zero-day vulnerabilities. Despite this enhanced capability, the impact on fuzzing speed remains minimal, with reductions of only 16.43% and 2.69%, well within acceptable limits. Moreover, DFirmSan maintains an impressively low false positive rate of under 0.35% for detecting memory corruption, further underscoring its practicality in real-world firmware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104467"},"PeriodicalIF":4.8,"publicationDate":"2025-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143828564","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"IR-IDS: A network intrusion detection method based on causal feature selection and explainable model optimization","authors":"Yazhuo Gao , Lin Yang , Ran Zhu , Yixuan Wu , Feng Yang , Yining Cao","doi":"10.1016/j.cose.2025.104496","DOIUrl":"10.1016/j.cose.2025.104496","url":null,"abstract":"<div><div>With the rapid advancement of computer network technologies, the complexity of cybersecurity issues has grown significantly. Intrusion Detection Systems (IDS), serving as the first line of defense against network attacks, are vital components in ensuring network security. However, traditional IDS often struggle to balance the robustness of detection capabilities with the interpretability of the model. To address these challenges, this paper proposes an interpretable and robust intrusion detection method (IR-IDS). The proposed approach begins by efficiently and accurately selecting the optimal feature subset for predicting the target variable, using a causal effect-based conditional testing method and a Markov blanket search algorithm. Subsequently, it enhances the decision tree algorithm using Shapley values, enabling fine-grained classification of attacks. Finally, by integrating Kolmogorov–Arnold Networks (KAN) and Conditional Variational Autoencoders (CVAE), the method further improves the detection of unknown attacks. Experimental results demonstrate that the proposed method outperforms existing techniques on five datasets, including CIC-IDS2017, CSE-CIC-IDS2018, CIC-DDoS2019, CIC-UNSW-NB15 and CIC-IoT-IDAD-2024, with multi-class accuracies of 98.83 %, 99.37 %, 99.57 %, 99.52 % and 97.11 %, respectively. 
From the results, it can be seen that this method not only ensures the interpretability of the model but also improves the accuracy and robustness of intrusion detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104496"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143833983","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Industrial control system intrusion detection method based on belief rule base with gradient descent","authors":"Jinyuan Li , Guangyu Qian , Wei He , Wei Zhang","doi":"10.1016/j.cose.2025.104488","DOIUrl":"10.1016/j.cose.2025.104488","url":null,"abstract":"<div><div>Intrusion detection is important for maintaining the smooth operation of industrial control systems (ICSs). The belief rule base (BRB), as a hybrid information-driven model, has been widely used in various fields because of its high accuracy and good interpretability. However, when facing intrusion detection problems in ICSs with high-dimensional features, excessive rules often arise, leading to slow model inference and optimization due to the large number of rules. Therefore, this paper proposes an interval structure belief rule base with mini-batch gradient descent optimization (IBRB-MBGD) for ICS intrusion detection. First, to address the issue of rule explosion caused by high-dimensional features, a new modeling approach is proposed that uses reference intervals instead of single values, and the rule generation mode is changed from conjunction to disjunction, further improving the model inference method and effectively solving the combination rule explosion. Second, the large amount of historical data slows down the model optimization process; thus, an optimization method based on minibatch gradient descent is proposed to quickly optimize the parameters in the BRB. 
Finally, experiments were conducted on natural gas pipeline system and water storage tank system intrusion detection data, and the detection rate reached >90 %, verifying the effectiveness of the model.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104488"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143828563","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Updating Windows malware detectors: Balancing robustness and regression against adversarial EXEmples","authors":"Matous Kozak , Luca Demetrio , Dmitrijs Trizna , Fabio Roli","doi":"10.1016/j.cose.2025.104466","DOIUrl":"10.1016/j.cose.2025.104466","url":null,"abstract":"<div><div>Adversarial EXEmples are carefully-perturbed programs tailored to evade machine learning Windows malware detectors, with an ongoing effort to develop robust models able to address detection effectiveness. However, even if robust models can prevent the majority of EXEmples, to maintain predictive power over time, models are fine-tuned to newer threats, leading either to partial updates or time-consuming retraining from scratch. Thus, even if the robustness against adversarial EXEmples is higher, the new models might suffer a regression in performance by misclassifying threats that were previously correctly detected. For these reasons, we study the trade-off between accuracy and regression when updating Windows malware detectors by proposing EXE-scanner, a plugin that can be chained to existing detectors to promptly stop EXEmples without causing regression. We empirically show that previously proposed hardening techniques suffer a regression of accuracy when updating non-robust models, exacerbating the gap when considering low false positives regimes and temporal drifts affecting data. Also, through EXE-scanner we gain evidence on the detectability of adversarial EXEmples, showcasing the presence of artifacts left inside while creating them. Due to its design, EXE-scanner can be chained to any classifier to obtain the best performance without the need for costly retraining. 
To foster reproducibility, we openly release the source code, along with the dataset of adversarial EXEmples based on state-of-the-art perturbation algorithms.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104466"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143843561","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Can individual differences in cognitive capacity predict cybersecurity performance?","authors":"Kelly A Cole , Alexander L. Francis , Marcus K Rogers , Joe Balazs","doi":"10.1016/j.cose.2025.104497","DOIUrl":"10.1016/j.cose.2025.104497","url":null,"abstract":"<div><div>Cyber defense analysts work in highly demanding environments, making numerous critical decisions on the basis of complex information presented at a rapid rate. Individual differences in cognitive capacity may contribute significantly to cyber performance success but researchers have yet to definitively determine what cognitive functions play the most significant role in cybersecurity performance. To further understand the role of individual differences in attention and cognition that affect cyber performance in the cybersecurity domain, this exploratory study involved collecting measures of cognitive performance from 19 experienced cybersecurity analysts using three well-established measures designed for individual differences research. The individual differences were compared with behavioral performance (accuracy and response time) in a simulated incident detection system identified as ecologically valid in cybersecurity research. Results showed a significant relationship between incident detection performance and multiple cognitive variables. Specifically, analysts with higher working memory capacity performed more accurately and more quickly, while those that showed more evidence of distractibility performed less well. 
These findings suggest that easily obtained behavioral measures of attention control may be useful for: (a) identifying individuals who may be better suited to performing specific cognitive demands of incident detection tasks, and (b) informing system design to reduce demands on specific areas of cognitive processing to improve incident response decisions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104497"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143843563","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Protecting machine learning from poisoning attacks: A risk-based approach","authors":"Nicola Bena , Marco Anisetti , Ernesto Damiani , Chan Yeob Yeun , Claudio A. Ardagna","doi":"10.1016/j.cose.2025.104468","DOIUrl":"10.1016/j.cose.2025.104468","url":null,"abstract":"<div><div>The ever-increasing interest in and widespread diffusion of Machine Learning (ML)-based applications has driven a substantial amount of research into offensive and defensive ML. ML models can be attacked from different angles: poisoning attacks, the focus of this paper, inject maliciously crafted data points in the training set to modify the model behavior; adversarial attacks maliciously manipulate inference-time data points to fool the ML model and drive the prediction of the ML model according to the attacker’s objective. Ensemble-based techniques are among the most relevant defenses against poisoning attacks and replace the monolithic ML model with an ensemble of ML models trained on different (disjoint) subsets of the training set. They assign data points to the training sets of the models in the ensemble (routing) randomly or using a hash function, assuming that evenly distributing poisoned data points positively influences ML robustness. Our paper departs from this assumption and implements a risk-based ensemble technique where a risk management process is used to perform a smart routing of data points to the training sets. 
An extensive experimental evaluation demonstrates the effectiveness of the proposed approach in terms of its soundness, robustness, and performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104468"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143850079","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FLADEN: Federated Learning for Anomaly DEtection in IoT Networks","authors":"Fatma Hendaoui , Rahma Meddeb , Lamia Trabelsi , Ahlem Ferchichi , Rawia Ahmed","doi":"10.1016/j.cose.2025.104446","DOIUrl":"10.1016/j.cose.2025.104446","url":null,"abstract":"<div><div>Sensitive applications are strict in terms of data privacy. In this context, intrusion detection systems cannot access the data and analyze it to discover attack signatures. As a result, it is necessary to analyze data locally without disclosing it to a third party. Machine learning models can achieve this task. This paper proposes a machine-learning framework for intrusion detection on IoT networks. The proposed framework enables participating entities to analyze their data more efficiently and privately. A new real-world dataset is generated using online threat intelligence sources. FLADEN updates the federated learning library to optimize processing time with an accuracy of 99.85%. The proposed framework was applied to machine learning models and shows a precision of 99.89%, an F1 score of 99.93%, and a recall of 99.91%. This work presents implications for those researchers who may focus on large-scale anomaly detection with privacy preservation in IoT networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104446"},"PeriodicalIF":4.8,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143833984","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}