Computers & Security最新文献

{"title":"VeracOS: An operating system extension for the veracity of files","authors":"Naser AlDuaij","doi":"10.1016/j.cose.2025.104565","DOIUrl":"10.1016/j.cose.2025.104565","url":null,"abstract":"<div><div>As generative artificial intelligence has improved, there is a growing trend of generating false media for spreading misinformation, driving propaganda, and theft through enhanced social engineering. This creates a global concern, leading to a heavy demand for verification and fact-checking of information. Existing solutions aim at educating users or using artificial intelligence to fact-check and detect false documents or media. While these methods provide a measure for combating misinformation, many of these existing methods are inaccurate. Methods such as deepfake detection for videos are an uphill battle as deepfake generation keeps improving and newer methods are created to subvert deepfake detection techniques. VeracOS is introduced and presented as an operating system modification that is easily deployed, can certify files that are created, and ensures that any user can automatically check the authenticity of files across any existing application or platform. VeracOS invents a unique algorithm for certifying and verifying files. VeracOS aims to revolutionize the war against misinformation and exploitation of fake content by introducing several key features: VeracOS allows users or corporations to easily and automatically certify their media. Unlike existing solutions, VeracOS avoids intensive computations, specialized hardware, and private data sharing. VeracOS also allows any user to automatically be notified if the file they are viewing is verified to be authentic. VeracOS does not require the modification of existing applications nor does it require the sharing of private information such as what files or media are being viewed by a user. These key features provide a highly portable and easily deployed system for users of any operating system, including Internet of Things devices and mobile operating systems. Using media files such as images and videos as exemplary file types and using Android as an exemplary operating system, a VeracOS prototype was implemented to allow any user to automatically certify or verify their media files. The results show that VeracOS is easy to use and can be easily run on smartphones without the need for specialized systems, applications, or hardware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104565"},"PeriodicalIF":4.8,"publicationDate":"2025-07-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144623503","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Ransomware dynamics: Mitigating personal data exfiltration through the SCIRAS lens","authors":"David Cevallos-Salas,&nbsp;José Estrada-Jiménez,&nbsp;Danny S. Guamán,&nbsp;Luis Urquiza-Aguiar","doi":"10.1016/j.cose.2025.104583","DOIUrl":"10.1016/j.cose.2025.104583","url":null,"abstract":"<div><div>Ransomware’s capability to exfiltrate personal data is one of the most significant threats to privacy today. Its growing complexity and resistance to static analysis have driven research efforts to implement security controls on endpoints using dynamic analysis. However, the <em>critical security threshold</em> that these endpoint controls must overcome to effectively mitigate personal data exfiltration and stop ransomware propagation once an infection has begun in communication networks remains unclear. This paper addresses this issue by analyzing the <em>Susceptible–Carriers–Infected–Recovered–Attacked–Susceptible</em> (SCIRAS) epidemiological model in the context of a critical ransomware attack, with limited network and administrative security, that defines the critical scenario to be overcome. Unlike previous studies, this research first estimates a <em>critical execution rate</em> by studying the behavior of LockBit, Ryuk, and TeslaCrypt ransomware families and simulating CL0P MOVEit and Conti attacks in a controlled environment. To reflect more realistic conditions, we introduce a <em>critical dynamic infection rate</em> based on the <em>critical execution rate</em>, several attack vectors of modern ransomware, and the effect of limited network security. Using this baseline, a proposed triple extortion SCIRAS model is simulated and analyzed under its estimated parameters’ critical values to solve for each ransomware family the optimization problem of finding the <em>critical security threshold</em> required for endpoint controls to reach the <em>Kermack and McKendrick’s non-epidemic status</em> with the minimum feasible basic reproduction number. Our results demonstrate that a <em>critical security threshold</em> of at least 0.961 might contain modern ransomware exceeding the thresholds reported in previous simulations of SCIRAS and other models. Furthermore, we introduce a novel deep-learning-based framework called RansomSentinel, validated on the RanSAP120GB, RanSAP250GB, and RanSMAP datasets, which outperforms traditional machine learning classifiers and surpasses the estimated <em>critical security threshold</em> of each analyzed ransomware family.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104583"},"PeriodicalIF":4.8,"publicationDate":"2025-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144655704","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"MIRDETECTOR: Applying malicious intent representation for enhanced APT anomaly detection","authors":"Hongmei Li ,&nbsp;Tiantian Zhu ,&nbsp;Jie Ying ,&nbsp;Tieming Chen ,&nbsp;Mingqi Lv ,&nbsp;Jian-Ping Mei ,&nbsp;Zhengqiu Weng ,&nbsp;Lili Shi","doi":"10.1016/j.cose.2025.104588","DOIUrl":"10.1016/j.cose.2025.104588","url":null,"abstract":"<div><div>Advanced Persistent Threats (APTs) infiltrate target systems covertly, exhibiting behavior that is difficult to detect using conventional detection methods. Posing significant risks to enterprise security. Data provenance technology is widely used in attack detection to counter these threats. Among the different types of Provenance-based Intrusion Detection Systems (PIDSes), anomaly-based PIDSes are gaining increasing attention due to their ability to counter zero-day vulnerabilities without relying on attack knowledge. The detection mechanism of anomaly-based PIDSes is based on modeling the system’s normal behavior patterns (structural/attribute features) to detect deviations in behavior. However, existing anomaly-based PIDSes are prone to a significant number of false positives due to benign data fluctuations, limiting their effectiveness against complex APT attacks. To address this, we propose MIRDETECTOR, a novel anomaly detection system for APT attacks. The core idea of MIRDETECTOR is that a node is considered malicious not only due to changes in its structural/attribute features but also because it exhibits a certain inclination toward malicious intent. Building on this idea, MIRDETECTOR models nodes from three dimensions: structural features, attribute features, and malicious intent representation. By employing lightweight models for training and detection, it effectively reduces the false positives and achieves efficient real-time detection. We have thoroughly evaluated MIRDETECTOR on several public datasets and compared it with state-of-the-art anomaly detection systems. The results demonstrate that MIRDETECTOR achieves excellent detection accuracy and recall. Compared to the baseline detection system, MIRDETECTOR has increased the node-level detection accuracy by up to 99% and the recall rate by up to 68%. This significantly mitigates the high false positives in traditional PIDSes that rely solely on structural/attribute features. MIRDetector demonstrates remarkable accuracy and efficiency in identifying complex threats. Its deployment will effectively mitigate the risks posed by APTs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104588"},"PeriodicalIF":4.8,"publicationDate":"2025-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144605476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CSFuzzer: A grey-box fuzzer for network protocol using context-aware state feedback","authors":"Xiangpu Song ,&nbsp;Yingpei Zeng ,&nbsp;Jianliang Wu ,&nbsp;Hao Li ,&nbsp;Chaoshun Zuo ,&nbsp;Qingchuan Zhao ,&nbsp;Shanqing Guo","doi":"10.1016/j.cose.2025.104581","DOIUrl":"10.1016/j.cose.2025.104581","url":null,"abstract":"<div><div>Code coverage-guided fuzzers have achieved great success in discovering vulnerabilities, but since code coverage does not adequately describe protocol states, they are not effective enough for protocol fuzzing. Although there has been some work introducing state feedback to guide state exploration in protocol fuzzing, they ignore the complexity of protocol state space, e.g., state variables have different categories and are diverse in data type and number, facing the challenges of inaccurate state variable identification and low fuzzing efficiency.</div><div>In this paper, we propose a novel context-aware state-guided fuzzing approach, CSFuzzer, to address the above challenges. CSFuzzer first divides the state variables into two categories, i.e., protocol-state variables and sub-state variables based on the context of the states, and automatically identifies and distinguishes these two categories of state variables from code. Then, CSFuzzer uses a new state coverage metric named <em>context-aware state transition coverage</em> to more efficiently guide fuzzing. We have implemented a prototype of CSFuzzer and evaluated it on 12 open-source protocol programs. Our experiments show that CSFuzzer outperforms the existing state-of-the-art fuzzers in terms of code and state coverage as well as fuzzing efficiency. CSFuzzer successfully discovered 10 zero-day vulnerabilities, which have been confirmed by the stakeholders and assigned 9 CVEs/CNVDs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104581"},"PeriodicalIF":4.8,"publicationDate":"2025-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144605472","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Impact assessment of third-party library vulnerabilities through vulnerability reachability analysis","authors":"Zhizhuang Jia,&nbsp;Chao Yang,&nbsp;Pengbin Feng,&nbsp;Xiaoyun Zhao,&nbsp;Xinghua Li,&nbsp;Jianfeng Ma","doi":"10.1016/j.cose.2025.104546","DOIUrl":"10.1016/j.cose.2025.104546","url":null,"abstract":"<div><div>Modern software development increasingly relies on third-party libraries (TPLs) to accelerate development, yet this practice introduces security risks when vulnerabilities emerge in dependencies. When a new TPL vulnerability is disclosed, project maintainers must assess whether their projects are affected, a process that demands considerable developer effort. Vulnerability reachability analysis automates this process by evaluating whether a client program’s control flow can reach the vulnerable TPL function. Despite the numerous advantages, however, existing vulnerability reachability analysis fail to account for the impact of path constraints, leading to false alarms by incorrectly identifying unreachable vulnerable functions as reachable. In this paper, we propose CPVRA, a novel impact assessment framework designed to reduce false alarms by incorporating a satisfiability assessment of path constraints into the analysis process. We evaluated CPVRA using a benchmark dataset comprising 201 test cases derived from 6 widely used TPLs and 24 dependent client programs. The results show that CPVRA reduced false alarms by 40.9% compared to Dep-scan and by 39.5% compared to standard vulnerability reachability analysis. Additionally, CPVRA demonstrated high computational efficiency, with an average analysis time of 15.3 s per client program.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104546"},"PeriodicalIF":4.8,"publicationDate":"2025-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144633983","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"ASIDS: Acoustic side-channel based intrusion detection system for industrial robotic arms","authors":"Kai Yang ,&nbsp;Yingjun Zhang ,&nbsp;Ting Li ,&nbsp;Limin Sun","doi":"10.1016/j.cose.2025.104586","DOIUrl":"10.1016/j.cose.2025.104586","url":null,"abstract":"<div><div>Industrial robotic arms play a vital role in manufacturing systems. However, they are susceptible to attackers executing malicious mechanical movements, thereby presenting significant threats to both industrial manufacturing and human safety. Existing techniques attempt to detect the abnormal signals within a manufacturing network to mitigate these attacks. However, these signals are unreliable since they might be deliberately tampered with by network attackers, including trajectory signals, and thus bypass anomaly detection. In this work, we propose ASIDS, a novel acoustic side-channel intrusion detection system to protect industrial robotic arms against data tampering attacks. We take advantage of an important insight that the acoustic side-channel signal emitted by an industrial robotic arm during a mechanical movement is unique, which could be used to reconstruct industrial robotic arms’ trajectory and detect abnormal movements. In particular, we extract the time-domain and frequency-domain features of the sounds emitted by the industrial robotic arm during a movement and reconstruct its trajectory by using a neural network. The data tampering attack can be detected by identifying the discrepancy between the reconstructed trajectory and the fake trajectory tampered with by the attackers through network traffic. To validate the performance of ASIDS, we have conducted real-world experiments on three industrial robotic arms, testing across more than 25,000 operational cycles. The experimental results indicate that ASIDS can accurately reconstruct trajectories and detect the attacks, achieving an average reconstruction error of 2.36% and an average detection rate of 95.9%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104586"},"PeriodicalIF":4.8,"publicationDate":"2025-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144655702","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"To insure or not to insure: How attackers exploit cyber-insurance via game theory","authors":"Zhen Li ,&nbsp;Qi Liao","doi":"10.1016/j.cose.2025.104585","DOIUrl":"10.1016/j.cose.2025.104585","url":null,"abstract":"<div><div>Cyber-insurance provides organizations with financial protection against losses from cyber incidents. As its adoption grows, organizations face the challenge of balancing investments in cybersecurity defense measures with the acquisition of cyber-insurance. This convergence presents opportunities but also introduces risks. The effects of cyber-insurance on the interplay between cybersecurity investment and attacker strategies remains poorly understood. In this paper, we systematically analyze an organization’s decision-making process regarding optimal cybersecurity investment and cyber-insurance, with a particular focus on the strategic behavior of attackers. Using economic and game-theoretic models, supported by simulation studies, our findings reveal that while cyber-insurance can mitigate financial losses, it may inadvertently weaken overall cybersecurity defenses. Furthermore, we demonstrate that cyber-attacks are not random events but calculated actions influenced by the attacker’s understanding of the organization’s insurance and defense posture. Attackers can exploit cyber-insurance by strategically launching targeted attacks to manipulate an organization’s reliance on insurance and disrupt its investment equilibrium. This manipulation can persist up to a critical threshold, beyond which escalating threats prompt organizations to strengthen their defenses. In this way, attackers effectively “play God,” strategically shaping an organization’s insurance and cybersecurity portfolio. To counter these risks, we propose actionable recommendations to prevent attackers from exploiting the cyber-insurance market, ensuring a more resilient and secure cybersecurity ecosystem.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104585"},"PeriodicalIF":4.8,"publicationDate":"2025-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144597016","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Feature attention assisted convolutional stacked sparse auto-encoder model for intrusion detection in network function virtualization environment","authors":"Gajanan Nanaji Tikhe,&nbsp;Pushpinder Singh Patheja","doi":"10.1016/j.cose.2025.104595","DOIUrl":"10.1016/j.cose.2025.104595","url":null,"abstract":"<div><div>Network function virtualization (NFV) in 5 G networks has recently received much attention. However, it generates numerous challenges while providing security in emerging technologies such as information, education, biotechnology, etc. NFV exploration has concentrated on intrusion detection because detecting an intrusion is necessary due to the wastage of resources and security threats. Therefore, an intrusion detection system called Feature Attention assisted Convolutional Stacked Sparse Auto-encoder (FA_CS²ANet) Model for Intrusion Detection in the NFV Environment has been proposed. To detect intrusions in the NFV network, the input data is first collected from a publicly available dataset, and then pre-processing is performed to remove the unwanted data using min-max normalization, standardization and missing value replacement. Next, feature selection is done to reduce the dimensionality issues using Chaotic Osprey Optimization (COO). After selecting the necessary features, the intrusions in NFVs are identified by using the deep learning-based FA_CS²ANet model, which is a combination of the Convolutional Neural Network (CNN) and Stacked Sparse Auto-encoder (SSAE) model. The simulation is completed using Python programming, and the results demonstrate that the suggested method outperforms existing methods with an accuracy of 93.12%. The intrusions are discovered, and the suggested method’s performance metrics for accuracy, precision, recall, and F-score are assessed.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104595"},"PeriodicalIF":4.8,"publicationDate":"2025-07-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144662185","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Detecting DBMS bugs with context-sensitive instantiation and multi-plan execution","authors":"Jiaqi Li ,&nbsp;Ke Wang ,&nbsp;Yaoguang Chen ,&nbsp;Yajin Zhou ,&nbsp;Lei Wu ,&nbsp;Jiashui Wang","doi":"10.1016/j.cose.2025.104564","DOIUrl":"10.1016/j.cose.2025.104564","url":null,"abstract":"<div><div>DBMS (Database Management System) bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of crash-related bugs and logic bugs in DBMSs, and aims at solving the two innate challenges, including how to generate semantically correct SQL queries in a test case, and how to propose effective oracles to capture logic bugs. To this end, our system proposes two key techniques. The first key technique is called context-sensitive instantiation, which can obtain all static semantic requirements to guide query generation. The second key technique is called multi-plan execution, which can effectively capture logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of the default optimal one, and compares the results. A logic bug is detected if a difference is found among the execution results of the executed query plans. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs, including SQLite, PostgreSQL, and MySQL. Our system successfully detected 54 previously unknown bugs, including 41 crash-related bugs and 13 logic bugs. The comparison between our system with the state-of-the-art systems shows that our system outperforms them in terms of the number of generated semantically valid SQL queries, the explored code paths during testing, and the detected bugs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104564"},"PeriodicalIF":4.8,"publicationDate":"2025-07-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144655705","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Physical-layer identity-authentication mechanism for network time synchronisation using network and precision time protocols","authors":"Ting He","doi":"10.1016/j.cose.2025.104590","DOIUrl":"10.1016/j.cose.2025.104590","url":null,"abstract":"<div><div>Time-spoofing attacks, especially those using time-source spoofing, pose a serious threat to network time synchronisation. Such attacks can be suppressed by authenticating received time-synchronisation messages at the receiving terminal. Current identity-authentication mechanisms under the network time protocol (NTP) and precision time protocol (PTP) are based on cryptography and network-security technologies and have inherent limitations. This study proposes a novel physical-layer identity-authentication mechanism based on a general physical-layer security-architecture for network time synchronisation and a special system-infrastructure model. In this approach, legitimate messages and transmission paths are endowed with unique characteristics, thus the legitimate time source is uniquely identified. The receiving terminal can determine whether the received signal characteristics and transmission path are consistent with the preset conditions, and thus whether the signal comes from a legitimate time source. Simulation results show that under zero-false-alarm conditions, the proposed physical-layer identity-authentication mechanism successfully suppresses all illegitimate messages in channels containing additive white Gaussian noise and in Rayleigh fading channels. Moreover, this mechanism covers all operational modes of NTP/PTP, achieving a reasonable trade-off between security performance and computational complexity. It can thus significantly improve NTP/PTP resistance to time-source spoofing.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104590"},"PeriodicalIF":4.8,"publicationDate":"2025-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144605410","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}