Andrea Ponte , Dmitrijs Trizna , Luca Demetrio , Battista Biggio , Ivan Tesfai Ogbu , Fabio Roli
{"title":"SLIFER: Investigating performance and robustness of malware detection pipelines","authors":"Andrea Ponte , Dmitrijs Trizna , Luca Demetrio , Battista Biggio , Ivan Tesfai Ogbu , Fabio Roli","doi":"10.1016/j.cose.2024.104264","DOIUrl":"10.1016/j.cose.2024.104264","url":null,"abstract":"<div><div>As a result of decades of research, Windows malware detection is approached through a plethora of techniques. However, there is an ongoing mismatch between academia – which pursues an optimal performances in terms of detection rate and low false alarms – and the requirements of real-world scenarios. In particular, academia focuses on combining static and dynamic analysis within a single or ensemble of models, falling into several pitfalls like (i) firing dynamic analysis without considering the computational burden it requires; (ii) discarding impossible-to-analyze samples; and (iii) analyzing robustness against adversarial attacks without considering that malware detectors are complemented with more non-machine-learning components. Thus, in this paper we bridge these gaps, by investigating the properties of malware detectors built with multiple and different types of analysis. To do so, we develop SLIFER, a Windows malware detection pipeline sequentially leveraging both static and dynamic analysis, interrupting computations as soon as one module triggers an alarm, requiring dynamic analysis only when needed. Contrary to the state of the art, we investigate how to deal with samples that impede analyzes, showing how much they impact performances, concluding that it is better to flag them as legitimate to not drastically increase false alarms. Lastly, we perform a robustness evaluation of SLIFER. Counter-intuitively, the injection of new content is either blocked more by signatures than dynamic analysis, due to byte artifacts created by the attack, or it is able to avoid detection from signatures, as they rely on constraints on file size disrupted by attacks. 
As far as we know, we are the first to investigate the properties of sequential malware detectors, shedding light on their behavior in a real production environment.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104264"},"PeriodicalIF":4.8,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142731","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Rouhollah Ahmadian , Mehdi Ghatee , Johan Wahlström
{"title":"Enhancing user identification through batch averaging of independent window subsequences using smartphone and wearable data","authors":"Rouhollah Ahmadian , Mehdi Ghatee , Johan Wahlström","doi":"10.1016/j.cose.2024.104265","DOIUrl":"10.1016/j.cose.2024.104265","url":null,"abstract":"<div><div>Throughout daily life, individuals partake in various activities such as walking, sitting, and drinking, often in a random manner. These physical activities generally exhibit similar patterns across different people, posing a challenge for identifying users using smartphone and wearable data. To tackle this issue, we have developed a new model called Batch Averaging Probabilities (BAP). Our approach involves segmenting input sequences into separate windows, independently classifying each segment, and then averaging the probabilistic predictions to make the final decision. The BAP method introduces the concept of primary patterns, which are the smallest meaningful sequences. It effectively deals with the random order of primary patterns within mixed patterns. Our work includes theoretical evidence supporting the BAP method, showcasing its ability to minimize prediction variance and enhance model accuracy. Additionally, the model’s training algorithm employs a unique approach. Model selection and regularization are based on the averaged loss of segments, reducing overfitting and improving performance without the complexity associated with using an ensemble of neural network models. We evaluated the effectiveness of our proposed method using accelerometer and gyroscope data from diverse user activity datasets including UIFW, WISM, HOP, CLD, RSSI, DI, DB2 and HAR, demonstrating significant performance improvements over state-of-the-art models. 
Specifically, our approach outperforms DB2 by 1.08%, HAR by 7.67%, and DI by 14.76% in terms of accuracy.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104265"},"PeriodicalIF":4.8,"publicationDate":"2024-12-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142432","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jeong Do Yoo, Gang Min Kim, Min Geun Song, Huy Kang Kim
{"title":"MeNU: Memorizing normality for UAV anomaly detection with a few sensor values","authors":"Jeong Do Yoo, Gang Min Kim, Min Geun Song, Huy Kang Kim","doi":"10.1016/j.cose.2024.104248","DOIUrl":"10.1016/j.cose.2024.104248","url":null,"abstract":"<div><div>With advancements in unmanned aerial vehicle (UAV) technology, UAVs have become widely used across various fields, including surveillance, agriculture, and architecture. Ensuring the safety and reliability of UAVs is crucial to prevent potential damage caused by malfunctions or cyberattacks. Consequently, the need for anomaly detection in UAVs is rising as a preemptive measure against undesirable incidents. Therefore, UAV anomaly detection faces challenges such as a lack of labeled data and high system workload. In this paper, we propose MeNU, a lightweight anomaly detection system for UAVs that utilizes various sensor data to detect abnormal events. We generated a concise feature set through preprocessing steps, including timestamp pooling, missing-value imputation, and feature selection. We then employed MemAE, a variant of the autoencoder with a memory module that stores prototypical benign patterns, which is particularly effective for anomaly detection. Experimental results on the ALFA and UA datasets demonstrated MeNU’s superior performance, achieving AUC scores of 0.9856 and 0.9988, respectively, outperforming previous approaches. 
MeNU can be easily integrated into UAV systems, enabling efficient real-time anomaly detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104248"},"PeriodicalIF":4.8,"publicationDate":"2024-12-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142730","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chrispus Zacharia Oroni , Fu Xianping , Daniela Daniel Ndunguru , Arsenyan Ani
{"title":"Enhancing cyber safety in e-learning environment through cybersecurity awareness and information security compliance: PLS-SEM and FsQCA analysis","authors":"Chrispus Zacharia Oroni , Fu Xianping , Daniela Daniel Ndunguru , Arsenyan Ani","doi":"10.1016/j.cose.2024.104276","DOIUrl":"10.1016/j.cose.2024.104276","url":null,"abstract":"<div><div>E-learning has revolutionized education by increasing accessibility and flexibility, but it also presents unique cybersecurity challenges. This study explores how E-Learning Engagement, Cybersecurity Awareness, and Information Security Policy Compliance Influence Cyber Safety Measures among virtual learning students. Data were collected from 398 virtual learning students and analyzed using Partial Least Squares Structural Equation Modeling (PLS-SEM) and Fuzzy-set Qualitative Comparative Analysis (fsQCA). The PLS-SEM results indicate that Cybersecurity Awareness and Information Security Policy Compliance significantly enhance Cyber Safety Measures. Additionally, E-Learning Engagement indirectly contributes to cyber safety through its positive influence on both cybersecurity awareness and policy compliance. The fsQCA results reveal that different pathways lead to improved cyber safety. For example, a high level of cybersecurity awareness combined with strong policy compliance consistently enhances cyber safety, even with moderate e-learning engagement. Alternatively, for students with lower cybersecurity awareness, active e-learning engagement paired with strict adherence to security policies also significantly improves cyber safety. These insights demonstrate that no single factor guarantees cyber safety; rather, multiple combinations of conditions can achieve positive outcomes. 
The study provides implications for educational institutions, highlighting the need for integrated strategies that combine enhancing student engagement with promoting cybersecurity awareness and enforcing information security policies to foster safer virtual learning environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104276"},"PeriodicalIF":4.8,"publicationDate":"2024-12-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142724","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A classification-by-retrieval framework for few-shot anomaly detection to detect API injection","authors":"Udi Aharon , Ran Dubin , Amit Dvir , Chen Hajaj","doi":"10.1016/j.cose.2024.104249","DOIUrl":"10.1016/j.cose.2024.104249","url":null,"abstract":"<div><div>Application Programming Interface (API) Injection attacks refer to the unauthorized or malicious use of APIs, which are often exploited to gain access to sensitive data or manipulate online systems for illicit purposes. Identifying actors that deceitfully utilize an API poses a demanding problem. Although there have been notable advancements and contributions in the field of API security, there remains a significant challenge when dealing with attackers who use novel approaches that do not match the well-known payloads commonly seen in attacks. Also, attackers may exploit standard functionalities unconventionally and with objectives surpassing their intended boundaries. Thus, API security needs to be more sophisticated and dynamic than ever, with advanced computational intelligence methods, such as machine learning models that can quickly identify and respond to abnormal behavior. In response to these challenges, we propose a novel unsupervised few-shot anomaly detection framework composed of two main parts: First, we train a dedicated generic language model for API based on FastText embedding. Next, we use Approximate Nearest Neighbor search in a classification-by-retrieval approach. Our framework allows for training a fast, lightweight classification model using only a few examples of normal API requests. We evaluated the performance of our framework using the CSIC 2010 and ATRDF 2023 datasets. 
The results demonstrate that our framework improves API attack detection accuracy compared to the state-of-the-art (SOTA) unsupervised anomaly detection baselines.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104249"},"PeriodicalIF":4.8,"publicationDate":"2024-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142732","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Lijuan Xu , ZiCheng Zhao , Dawei Zhao , Xin Li , XiYu Lu , DingYu Yan
{"title":"AJSAGE: A intrusion detection scheme based on Jump-Knowledge Connection To GraphSAGE","authors":"Lijuan Xu , ZiCheng Zhao , Dawei Zhao , Xin Li , XiYu Lu , DingYu Yan","doi":"10.1016/j.cose.2024.104263","DOIUrl":"10.1016/j.cose.2024.104263","url":null,"abstract":"<div><div>In the field of network security, attackers often utilize Advanced Persistent Threats (APT) to conduct host-based intrusions for prolonged information gathering, penetration and to cause serious damages. Recent studies have used provenance data containing rich contextual information to achieve effective detection of host-based APT. Extracting system entities (e.g., processes, files) and operations between entities in provenance data to construct a directed acyclic graph (DAG) is the key to realize attack detection by provenance graph. Previous studies extracted the features of the whole provenance graph, which did not fully capture the relationship between the nodes in the graph, and the extracted features were not accurate enough. Moreover, the original node feature information may be lost in the process of aggregation. Therefore, abnormal nodes are recognized in the detection process, leading to low detection performance and a high false alarm rate. Facing the challenge, we introduce AJSAGE, a framework based on graph neural networks. A novel anomaly detection method by adding attention mechanism and Jump-Knowledge Connection to GraphSAGE. It enables the integration of node information across hierarchical levels, improves the detection of complex attack patterns, and enhances the accuracy and generalization of the model in node feature representation. It is able to identify features and nodes that are closely related to the anomaly detection task in a more focused manner. 
We evaluate the performance of AJSAGE on three publicly available datasets, and the results demonstrate that it significantly outperforms multiple state-of-the-art methods for host intrusion detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104263"},"PeriodicalIF":4.8,"publicationDate":"2024-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Detection of compromised functions in a serverless cloud environment","authors":"Lavi Ben-Shimol, Danielle Lavi, Eitan Klevansky, Oleg Brodt, Dudu Mimran, Yuval Elovici, Asaf Shabtai","doi":"10.1016/j.cose.2024.104261","DOIUrl":"10.1016/j.cose.2024.104261","url":null,"abstract":"<div><div>Serverless computing is an emerging cloud paradigm with serverless functions at its core. While serverless environments enable software developers to focus on developing applications without the need to actively manage the underlying runtime infrastructure, they open the door to a wide variety of security threats that can be challenging to mitigate with existing methods. Existing security solutions do not apply to all serverless architectures, since they require significant modifications to the serverless infrastructure or rely on third-party services for the collection of more detailed data. In this paper, we present an extendable serverless security threat detection model that leverages cloud providers’ <em>native monitoring tools</em> to detect anomalous behavior in serverless applications. Our model aims to detect compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks on serverless functions, and therefore, it is a last line of defense. Our approach is not tied to any specific serverless application, is agnostic to the type of threats, and is adaptable through model adjustments. To evaluate our model’s performance, we developed a serverless cybersecurity testbed in an AWS cloud environment, which includes two different serverless applications and simulates a variety of attack scenarios that cover the main security threats faced by serverless functions. 
Our evaluation demonstrates our model’s ability to detect all implemented attacks while maintaining a negligible false alarm rate.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104261"},"PeriodicalIF":4.8,"publicationDate":"2024-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142433","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Profiling the victim - cyber risk in commercial banks","authors":"Paweł Smaga","doi":"10.1016/j.cose.2024.104274","DOIUrl":"10.1016/j.cose.2024.104274","url":null,"abstract":"<div><div>The aim of this study is to identify the commonalities in financial characteristics of banks targeted in cyber attacks in recent years. This required merging the databases with reported cyber incidents (from 01.01.2020 until 09.10.2024) with financial data on banks’ condition before the attack, as well as macroeconomic cross-country data. Use of statistical analysis revealed two main trends in cyber attacks on a worldwide sample of 186 attacks on banks. First, criminals (such as the hacker group “Cl0p” targeting mostly US banks) driven by financial gain usually exploit IT vulnerabilities in smaller, less profitable and less resilient commercial and cooperative banks, adopting the “easy prey” strategy. Second, hacktivist attacks (usually by the Russian-linked “NoName057(16)”), which are politically motivated, attempt to disrupt operations of larger, more profitable and solvent commercial banks, in order to “send a message”. Profitability ratios seem to be the most important characteristic distinguishing banks targeted in cyber attacks. The number of cyber attacks on banks, especially financially-driven ones, has been increasing over recent years. There is a strong correlation between the actor type, their motive, and the type of cyber incident. 
Prevalent data gaps and the growing intensity of cyber attacks on banks point to urgent and relevant policy implications.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104274"},"PeriodicalIF":4.8,"publicationDate":"2024-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142371","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Piotr Krawiec , Robert Janowski , Jordi Mongay Batalla , Elżbieta Andrukiewicz , Waldemar Latoszek , Constandinos X. Mavromoustakis
{"title":"On providing multi-level security assurance based on Common Criteria for O-RAN mobile network equipment. A test case: O-RAN Distributed Unit","authors":"Piotr Krawiec , Robert Janowski , Jordi Mongay Batalla , Elżbieta Andrukiewicz , Waldemar Latoszek , Constandinos X. Mavromoustakis","doi":"10.1016/j.cose.2024.104271","DOIUrl":"10.1016/j.cose.2024.104271","url":null,"abstract":"<div><div>Open Radio Access Network (O-RAN) technology introduces disaggregation of RAN network functions, offering enhanced flexibility for extending hardware and software. To ensure interoperability between such components, the O-RAN Alliance (the main Standards Development Organisation of O-RAN) defined a set of new interfaces. The network may be built by integrating components from different providers. The introduction of multi-provider components and functions increases security challenges due to the increase of security surfaces (e.g., new interfaces). Therefore, it is relevant for network operators to gain a certain level of assurance that O-RAN components deployed in the network are secure. This paper proposes a framework for the security evaluation of O-RAN interfaces that provides assurance that the O-RAN component has been tested deeply enough to demonstrate its resilience to attacks. Our proposal is based on Common Criteria standards and provides several security assurance levels depending on the intended use of the O-RAN network. Each security assurance level involves a set of tests, from security conformance tests to specialised fuzzy tests. We have specified them in the Vulnerability assessment for the product, as required in the Common Criteria. 
The validation of the framework focuses on the O-DU (O-RAN Distributed Unit) component, which is a logical module responsible for the implementation of L2 layer functionalities; nevertheless, it can be easily extended to other O-RAN components: O-CU (O-RAN Central Unit) and O-RU (O-RAN Radio Unit) as well as to Non and Near Real Time Radio Intelligent Controller (RIC). The O-DU evaluation results show that it is possible to provide the evaluation at different levels of security assurance, which correspond to different intended uses of the 5G O-RAN mobile network.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104271"},"PeriodicalIF":4.8,"publicationDate":"2024-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142369","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sanfeng Zhang , Heng Su , Hongxian Liu , Wang Yang
{"title":"MPDroid: A multimodal pre-training Android malware detection method with static and dynamic features","authors":"Sanfeng Zhang , Heng Su , Hongxian Liu , Wang Yang","doi":"10.1016/j.cose.2024.104262","DOIUrl":"10.1016/j.cose.2024.104262","url":null,"abstract":"<div><div>The widespread deployment and open nature of the Android system have led to a rapid increase in Android malware, presenting significant challenges to mobile device security. Both static and dynamic analysis methods exhibit inherent limitations while hybrid detection approaches that combine static and dynamic features struggle with efficiency. To address these issues, this paper proposes MPDroid, a multimodal pre-training enabled detection approach. MPDroid effectively learns the critical characteristics of malicious behavior during the pre-training phase and achieves efficient single-modality detection in the downstream tasks. MPDroid utilizes an API call graph to represent dynamic features and a function call graph for static features. During pre-training, MPDroid employs graph convolutional networks and multimodal fusion techniques to capture the relationships between static and dynamic features. We also address the unimodal bias problem in multimodal tasks through modality alignment and model-level fusion. Furthermore, MPDroid significantly reduces the training and inferencing time for downstream tasks by implementing a multimodal pre-training framework with static features-based downstream tasks, thereby enhancing detection efficiency. 
Experimental results demonstrate that MPDroid achieves an average accuracy of 98.3% and an F1-score of 97.6%, with less than 7.39 s of detection duration, indicating superior overall performance compared to existing detection methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104262"},"PeriodicalIF":4.8,"publicationDate":"2024-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142375","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}