Computers & Security: Latest Articles

A malware traffic detection method based on Victim-Attacker interaction patterns
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104487. Pub Date: 2025-04-08. DOI: 10.1016/j.cose.2025.104487
Yanze Qu, Hailong Ma, Chaofan Zheng, Yiming Jiang, Wenbo Wang
Abstract: The widespread adoption of encryption protocols has provided benefits for personal privacy, while also offering cover for the command and control (C&C) communication of malware such as Trojans, presenting significant challenges to existing network monitoring systems. Existing methods exhibit limited capacity to discern threats across network flows, while neglecting the prevalent packet loss phenomenon in real-world network environments. This paper proposes a malware traffic detection method based on the interaction patterns between compromised hosts and C&C servers. With a novel detection unit called channel unit representing interaction patterns, compared to existing methods, our proposed method is capable of discerning threats across network flows and is more resilient to packet loss. Evaluation experiments show that our method has superior detection performance in both binary and multi-class classification scenarios, achieving accuracy rates of 99.84 % and 96.08 % respectively. In terms of packet loss tolerance, compared with existing methods, our method exhibits the minimal performance degradation under a 20 % packet loss rate, maintaining a multi-classification accuracy of 99.63 % and a binary classification accuracy of 95.72 %.
Citations: 0
Securing IoT devices in edge computing through reinforcement learning
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104474. Pub Date: 2025-04-08. DOI: 10.1016/j.cose.2025.104474
Anit Kumar, Dhanpratap Singh
Abstract: The exponentially increasing demand for IoT devices with the expectation of maximum fulfillment of the user needs to bring the integration of the Edger server on the premise of the IoT devices. The small size but the need for complex computation and high-end software requires the amount of additional hardware setup that can never be possible with the absence of an Edge server. Since the Edger server continuously gathers the data from the IoT device for further computation and permanent storage in either local storage or a cloud server, it attracts intruders to try to steal sensitive data of the IoT devices from the Edge server. With the presence of many artificial intelligence tools, an intruder can make serious attacks on the Edger server by breaking its security boundaries. Any individual autonomous entity like a robot, satellite, or self-driving vehicle has a set of interconnected IoT devices (sensors) to form a network, which needs to be so flexible that any new IoT device can easily be integrated into this network without any major difficulties. None of the organizations has ever adopted non-scalable IoT networks. To counter such security challenges, we propose a scalable, robust, and reliable Novel Reinforcement Learning approach having a proper task scheduling mechanism that is powered by using the epsilon-greedy search Q-learning method. The novelty of our proposed method is its high performance which allows the agent to take actions at the time only when it finds a noticeable drop in the network performance in terms of packet delivery ratio, average throughput, and end-to-end delay hyperparameters. Experiments carried out by us along with simulation and real datasets, prove that our proposed security method provides outstanding results as compared to other security approaches discussed in this paper and can counter malicious attacks efficiently. Once our security model gets trained with a threshold amount of times, then after this threshold time, we observe that no benign data packets are lost even with the presence of any external threats and always provide stable communication to the end users. The proposed novel reinforcement learning method is more consistent, resilient, scalable, and accurate than other similar machine learning-based security methods and always has a false positive rate of <2 %.
Citations: 0
Investigating the Impact of Label-flipping Attacks against Federated Learning for Collaborative Intrusion Detection
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 156, Article 104462. Pub Date: 2025-04-08. DOI: 10.1016/j.cose.2025.104462
Léo Lavaur, Yann Busnel, Fabien Autrel
Abstract: The recent advances in Federated Learning (FL) and its promise of privacy-preserving information sharing have led to a renewed interest in the development of collaborative models for Intrusion Detection Systems (IDSs). However, its distributed nature makes FL vulnerable to malicious contributions from its participants, including data poisoning attacks. Label-flipping attacks — where the labels of a subset of the training data are flipped — have been overlooked in the context of IDSs that leverage FL primitives. This work contributes to closing this gap by providing a systematic and comprehensive overview of the impact of label-flipping attacks on Federated Intrusion Detection Systems (FIDSs). We show that the effects of such attacks can range from severe to highly mitigated, depending on hyperparameters and dataset characteristics, and that their mitigation is non-trivial in heterogeneous settings. We discuss these findings in the context of existing literature and propose recommendations for the evaluation of FIDSs. Finally, we provide a methodology and tools to extend our findings to other models and datasets, thus enabling the comparable evaluation of existing and future countermeasures.
Citations: 0
Anomalous identity recognition model based on vehicle driving characteristic verification in typical scenarios
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104476. Pub Date: 2025-04-05. DOI: 10.1016/j.cose.2025.104476
Xing Chen, Jingsheng Wang, Song Yan, Zuyin Wang
Abstract: Vehicle-to-everything (V2X) enables the exchange and sharing of information between vehicles and the outside world, which improves driving safety, reduces traffic congestion, and enhances traffic efficiency. However, this information exchange and transmission of massive data also exposes many attack surfaces, which may result in security incidents such as vehicle theft, information leakage, and driving failure. Traditional methods to ensure traffic information interaction through information security have limitations. This paper proposes an innovative model for anomalous identity recognition based on vehicle driving characteristic verification. The model aims to ensure consistency among the speed data from different sources, types of transmission data, and perception data obtained by sensors. The model is based on a multi-class support vector machine (multi-class SVM) to identify vehicle behavior and a bidirectional gated recurrent unit (BiGRU) neural network to predict vehicle speed. A credible calculation method was designed to calculate the error between the predicted speed and the actual collected speed in the car-following and lane-changing scenarios. The Next Generation Simulation dataset was used to train and test the models. The experimental results showed that the overall recognition accuracy of the multi-class SVM model was 95.50 %, the predicted precision with an order of magnitude of cm/s was achieved by the BiGRU model, and the overall recognition accuracy of the model was >90 %. The public key infrastructure (PKI) scheme is currently the mainstream scheme of information security in the Internet of Vehicles. This paper analyzes the feasibility of the proposed anomalous identity recognition model applied in the PKI framework, which can effectively identify anomalous vehicle identities by discriminating the vehicle speed and effectively ensure the security between a vehicle and the external network communication (4G/5G/V2X).
Citations: 0
Towards targeted and universal adversarial attacks against network traffic classification
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104470. Pub Date: 2025-04-03. DOI: 10.1016/j.cose.2025.104470
Ruiyang Ding, Lei Sun, Zhiyi Ding, Weifei Zang, Leyu Dai
Abstract: With the continuous advancement of technology, deep learning has become the mainstream method in the field of network traffic classification, demonstrating excellent classification performance. However, due to the inherent vulnerability of deep learning models, they also face the threat of adversarial attacks. Currently, adversarial attack techniques for network traffic classification only remain at the level of untargeted attacks, and most of them are attack methods based on specific perturbation. These methods have high time overhead, high sample dependency, and are unable to perform targeted attacks on target categories, which poses significant limitations in practical applications. To this end, this article proposes a targeted and universal adversarial attack method against network traffic classification. It iteratively trains to minimize the distance between network traffic and the target category feature domain, thereby generating the universal perturbation vector for the target category. This maximizes the prediction probability of the model output target category, allowing the classifier to incorrectly predict any non-target category network traffic as the specified target category. Meanwhile, this article uses dynamic masking and modular operations to generate adversarial network traffic, ensuring the data reversibility and transferability of network traffic packets during adversarial attacks. Finally, this article selected three standard network traffic datasets with different classification tasks, CICIoT2023, ISCX2016, and USTC-TFC2016, as well as four mainstream network traffic classification models such as LeNet5, for experiments, and built the adversarial attack testing platform in the real network environment. The results show that the proposed method effectively implements targeted and universal adversarial attacks against network traffic classification on three datasets and four classification models, with the average attack success rate of over 56 % and the single attack time of 1–3 ms, greatly improving the application scope and practical value of adversarial attack techniques in the field of network traffic classification.
Citations: 0
LTL-based runtime verification framework for cyber-attack anomaly prediction in cyber–physical systems
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104455. Pub Date: 2025-04-03. DOI: 10.1016/j.cose.2025.104455
Ayodeji James Akande, Zhe Hou, Ernest Foo, Qinyi Li
Abstract: An anomaly is any unexpected or abnormal behaviour, event, or data pattern within a network of physical and computational components caused by data errors, cyber-attacks, hardware failures, or other unforeseen events. Anomaly detection analyses events after they occur, while anomaly prediction forecasts them before they manifest. The increasing complexity of Cyber-Physical Systems (CPS) presents challenges in fault management and vulnerability to advanced attacks, highlighting the need for early intervention through anomaly prediction. Existing anomaly prediction methods often fail due to a lack of formal guarantees required for safety-critical applications. In this paper, we introduce our anomaly prediction framework which merges the advantages of data analytics and the derivation of Linear Temporal Logic (LTL) formulas. LTL-based runtime monitoring and checking is a well-established technique efficient for tackling challenges in real-time and promptly. The framework processes historical data, clusters them to extract predictive patterns, and forms data sequences that represent these trends. These sequences are fed into an LTL learning algorithm to produce a formula that represents the pattern. This formula functions as a security property programmed into a runtime checker to verify system correctness and predict the possibility of anomalies. We evaluated our framework using three datasets collected from a cyber-physical system testbed and the experimental findings demonstrate a minimum accuracy of 90% in predicting anomalies.
Citations: 0
End-to-end anomaly detection of service function chain through multi-source data in cloud-native systems
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 155, Article 104461. Pub Date: 2025-04-03. DOI: 10.1016/j.cose.2025.104461
Xuefei Chen, Jinfeng Kou, Haiqiang Li, Yuqi Zhang, Junchao Ma, Chen Li, Bibo Tu
Abstract: Cloud native technology enables Network Functions Virtualization (NFV) to dynamically provide and deploy network services to meet specific requirements in Industrial Internet of Things (IIoTs). However, compared to traditional hardware solutions, Service Function Chains (SFCs) are more prone to faults in complex and dynamically changing cloud environments. Existing anomaly detection methods exhibit several shortcomings, including high overhead, low accuracy, and limited detection scope. To address these challenges and ensure service quality, we propose an end-to-end SFC anomaly detection architecture, cSFCAD. First, to overcome the limitations of detection range and single-function detection, the cSFCAD architecture integrates multi-source data from both the data plane and control plane, enabling the effective detection of various types of SFC anomalies. Second, to better capture the spatial relationships of Cloud-Native Network Functions (CNFs) within the SFC, we adopt an encoder based on the self-attention mechanism, which models the behaviour of CNFs and their interdependencies. Finally, to improve the stability of model in dynamic cloud environment, we use adversarial training in order to achieve self-conditioning for robust multi-modal feature extraction and enhanced stability. Additionally, through data reconstruction, we can precisely identify the key metrics contributing most to the anomalies. The difference between the input data and its reconstructed output helps in analysing the underlying causes of the anomalies. Extensive experimental research on two public datasets demonstrates that cSFCAD architecture outperforms existing anomaly detection algorithms.
Citations: 0
Leveraging Inter-Arrival Time for Efficient Threat Filtering: A Parsimonious Approach
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 154, Article 104471. Pub Date: 2025-04-03. DOI: 10.1016/j.cose.2025.104471
Onur Sahin, Suleyman Uludag
Abstract: In this study, we propose a streamlined approach to intrusion detection by leveraging the Interpacket Arrival Time (IAT) as a primary metric for identifying malicious network traffic. Our objective is to enhance the efficiency of intrusion detection systems by implementing a preliminary filtering layer that rapidly identifies easily detectable attacks, thereby reducing the computational load on more sophisticated, resource-intensive models. Using datasets such as CICIoT2023, CIC-IDS-2017, and UNSW-NB15, we conducted extensive experiments to validate the effectiveness of our approach. The study employed techniques like SMOTE to address dataset imbalances and Min-Max scaling to normalize the IAT feature, ensuring optimal performance of machine learning models. We evaluated models such as Random Forest, K-Nearest Neighbors, and Multilayer Perceptron, with a particular emphasis on their ability to generalize across various datasets. Our findings demonstrate that by focusing on a single, well-chosen feature like IAT, it is possible to achieve high detection accuracy while significantly reducing training and prediction times. This method not only improves the overall efficiency of intrusion detection systems but also suggests a practical solution for real-time applications where resource constraints are a critical concern.
Citations: 0
LR-STGCN: Detecting and mitigating low-rate DDoS attacks in SDN based on spatial–temporal graph neural network
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 154, Article 104460. Pub Date: 2025-04-02. DOI: 10.1016/j.cose.2025.104460
Jin Wang, Liping Wang
Abstract: Software Defined Network (SDN) is an emerging network architecture. The decoupled data plane and control plane provide programmability for efficient network management. As a new network architecture, SDN also faces the threat of Low-rate Distributed Denial of Service (LDDoS) attacks. However, the centralized control, forwarding separation, scalability, and programmability of SDN provide new ideas for the detection and defense of LDDoS attacks. In this paper, we perform feature extraction of LDDoS attack flows in terms of time–frequency distribution of LDDoS attack flows and quality of service (QoS) of TCP flows, and identify the victim switch and victim ports by using the hybrid GCN-GRU deep learning model and the double sliding window method. Finally, the location of the attacking host is determined based on the victim port, and defense measures are issued to the victim switch at the attack source through the OpenFlow protocol. The evaluation results indicate that the detection method deployed on SDN controllers has a high detection rate and low false positive rate for LDDoS attacks, and can detect and alleviate LDDoS attacks online and in real-time.
Citations: 0
Requirements framework for IoT device authentication using behavioral fingerprinting
IF 4.8, Zone 2, Computer Science
Computers & Security, Volume 154, Article 104459. Pub Date: 2025-03-31. DOI: 10.1016/j.cose.2025.104459
Ole Höfener, Qinghua Wang
Abstract: The Internet of Things (IoT) has more and more been integrated into our work and life. However, besides the benefits brought by the recent advancements, there is an increasing challenge for securing IoT devices and networks. A common security mechanism is authentication. However, IoT devices are often resource-constrained which make the use of state-of-the-art encryption technologies infeasible. Therefore, researchers are trying to develop lightweight authentication methods. A promising example of this is the use of behavioral device fingerprinting. Still, the remaining problem with this technology is that it is unclear which feature sets are most feasible to implement device fingerprinting schemes in practical systems. In short, the current research body lacks clearly defined requirements. To overcome this issue, this research aims to design a requirements framework for IoT authentication schemes using behavioral device fingerprinting. To do so, Design Science Research is used, incorporating a systematic literature review. In the end, a requirements framework for behavioral device fingerprinting authentication is presented. The proposed framework features 20 requirements in the four categories High-level IoT, Fingerprint sophistication, Machine learning sophistication, and Attack resistance. We have demonstrated the application of the requirements framework in this article. It is believed that the proposed framework will help researchers and practitioners to develop better IoT authentication solutions.
Citations: 0