{"title":"Strengthening edge defense: A differential game-based edge intelligence strategy against APT attacks","authors":"Man Zhou , Lansheng Han , Xin Che","doi":"10.1016/j.cose.2025.104580","DOIUrl":"10.1016/j.cose.2025.104580","url":null,"abstract":"<div><div>In modern industrial settings, the Industrial Internet of Things (IIoT) serves as a backbone, connecting devices, sensors, and systems to enhance production efficiency and facilitate real-time data processing and decision-making. As the adoption of IIoT expands, edge nodes have emerged as critical components, functioning as hubs for data collection, transmission, and real-time response. However, their physical accessibility and limited computational resources render them susceptible to Advanced Persistent Threat (APT) attacks. This study proposes a defense mechanism specifically designed for edge nodes to effectively mitigate APT attacks, leveraging a combination of optimal control theory and intelligent edge game theory. First, we develop a system evolution model based on covert adversarial dynamics to accurately capture the complex interactions between attacks and defenses in real-world edge networks, thereby improving detection and response capabilities against emerging threats. Additionally, we propose an attack-defense model that integrates optimal control techniques and differential games, allowing the detection system to dynamically adapt its defense strategies while optimizing the trade-off between attack detection effectiveness and resource utilization efficiency. Finally, we implement a Nash strategy reinforcement learning mechanism based on multi-agent deep Q-networks to optimize edge game strategies and enhance attack detection performance. Experimental evaluations conducted on an ethanol distillation system testbed demonstrate the effectiveness, robustness, and computational efficiency of our defense approach compared to SG-LMM and DDQN-PV methodologies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104580"},"PeriodicalIF":4.8,"publicationDate":"2025-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144571211","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FiPiBox:Development of firewall for IoT networks using P4Pi","authors":"Suvrima Datta , Venkanna U. , Aditya Kotha","doi":"10.1016/j.cose.2025.104560","DOIUrl":"10.1016/j.cose.2025.104560","url":null,"abstract":"<div><div>The IoT has experienced remarkable expansion, connecting an extensive array of devices to the internet. With this proliferation, the security of IoT networks has become a paramount concern. Unfortunately, existing security mechanisms failed due to the static security policies, deficiency in understanding device behavioral patterns, limited visibility of IoT traffic flows, and vendor dependency on IoT devices. To overcome the security problems in IoT networks, FiPiBox: a firewall, has been developed by leveraging P4Pi to filter the IoT traffic flows precisely by analyzing the flow behavior. Initially, the incoming IoT traffic flows have been parsed in the FiPiBox data plane to obtain several header field information. Subsequently, the header information is sent to the controller through a message digest. This information helps the FiPiBox controller build the behavioral profile of IoT devices. Further, the FiPibox controller monitors the behavior of incoming IoT traffic flows based on the behavioral profile’s flow statistics. If the controller finds that the incoming traffic behavior is normal, forward the traffic to the desired destination. Otherwise, if the IoT traffic behavior deviates from its normal behavior, quarantine the device for a specified time to understand its behavior. Further, a user interface has been developed to monitor the device’s behavior to take appropriate action. The evaluation result of FiPiBox shows that packet processing time in FiPiBox is 0.01998 ms for 1000 devices and has a nominal false alarm rate (0.034 for 1000 devices), which ensures the reliability of FiPiBox to filter IoT traffic flows. Additionally, FiPiBox updates the firewall rules dynamically based on the IoT traffic behavior. Specifically, FiPiBox takes 0.124 ms to install the firewall rules. Finally, the proposed firewall, FiPibox, emerges as a robust solution to enhance IoT security by accurately filtering IoT traffic flows.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104560"},"PeriodicalIF":4.8,"publicationDate":"2025-07-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144557022","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zehui Wang, Hao Li, Yinhao Qi, Wei Qiao, Song Liu, Chen Zhang, Bo Jiang, Zhigang Lu
{"title":"PathWatcher: A path-based behavior detection method for attack detection and investigation","authors":"Zehui Wang, Hao Li, Yinhao Qi, Wei Qiao, Song Liu, Chen Zhang, Bo Jiang, Zhigang Lu","doi":"10.1016/j.cose.2025.104563","DOIUrl":"10.1016/j.cose.2025.104563","url":null,"abstract":"<div><div>Advanced Persistent Threats (APTs) comprise complex and stealthy attack techniques. Due to the characteristics of system audit logs in capturing system-level process calls and providing granular log data, using audit logs for causal analysis of advanced threat behaviors has become a popular solution. However, existing solutions still suffer from several deficiencies: (1) semantic gaps between raw data in low-level views and high-level system behaviors, (2) fatigue alert, and (3) poor interpretability and inferability.</div><div>In this paper, we propose PathWatcher, a path-based behavior detection method, which enables attack investigation based on detection results. PathWatcher enhances low-level semantics by combining operation sequences, extracting paths as behavioral entities from the provenance graph, and learning path features. This approach reduces the semantic gap between low-level data and high-level system behaviors. PathWatcher first performs graph construction and path extraction in the graph construction module, followed by feature learning of nodes and paths in the behavioral sequence extraction module, the data generated during the process exists in the path record with a certain rule, and finally the data from the path record is used for feature extraction and path tracing in the behavior identification and attack clues module, the data from the path record is used for feature extraction and path tracing. This model exhibits strong inferability and interpretability by matching paths to operational behaviors in logs. This allows security researchers to combine path records and investigate attacks directly using high-level semantics, thereby alleviating alert fatigue. Our experimental results demonstrate that PathWatcher effectively improves the detection accuracy of malicious behaviors while enhancing semantic interpretability. The detection results are inferable, achieving accuracies of 99.76% and 99.07% on two datasets, and we provide an analysis of attack investigations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104563"},"PeriodicalIF":4.8,"publicationDate":"2025-07-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144662187","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tariq Hussain , Muhammad Nawaz Khan , Bailin Yang , Razaz Waheeb Attar , Ahmed Alhomoud
{"title":"LiDAR point cloud transmission: Adversarial perspectives of spoofing attacks in autonomous driving","authors":"Tariq Hussain , Muhammad Nawaz Khan , Bailin Yang , Razaz Waheeb Attar , Ahmed Alhomoud","doi":"10.1016/j.cose.2025.104544","DOIUrl":"10.1016/j.cose.2025.104544","url":null,"abstract":"<div><div>LiDAR technology uses laser light to illuminate the surrounding area and detect 3D objects. Calculates different features such as distance, shape, height, and direction of objects, ultimately generating comprehensive 3D maps by collecting cloud points. They are frequently used in autonomous vehicles, robotics, forestry, archaeology, and environmental monitoring. LiDAR is important in autonomous vehicles for recognizing objects, pedestrians, and other vehicles, allowing them to make judgments to prevent collisions and ensure human safety. The LiDAR systems are generally robust; they are not immune to certain types of security attacks that could compromise the integrity of the signals and may affect the accuracy of the data. If the signal is compromised, the system could incorrectly interpret the environment, resulting in erroneous object recognition, incorrect obstacle avoidance decisions, or inaccurate environment mapping. As a result, it can lead to serious consequences, such as property damage, accidents, or dangerous driving conditions. To address these security challenges and establish better security mechanisms for LiDAR systems, we have proposed a novel technique for detecting and avoiding all possible spoofing attacks on LiDAR signals. Initially, the system identifies potential spoofing attacks, and as a preventive measure, it employs an optimized path strategy. This strategy ensures safe crossings and autonomous navigation while avoiding obstacles along the vehicle’s route. The main aim is to identify the spoofed objects, suitably map the 3D presentation of the objects, and properly navigate autonomous vehicles with an optimized path selection in the automatic driving system. The proposed system is validated in different scenarios, and the experimental results demonstrate a success rate of 94.57% in true positive and false positive rates, indicating the effectiveness of the system. The average precision rate of 0.95 further supports its performance. The strength of the system was confirmed by testing it with different intersection over union (IoU) rates in different situations and closely looking at the attacker’s success rate.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104544"},"PeriodicalIF":4.8,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144587558","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Arthur Dantas Mangussi , Ricardo Cardoso Pereira , Ana Carolina Lorena , Miriam Seoane Santos , Pedro Henriques Abreu
{"title":"Studying the robustness of data imputation methodologies against adversarial attacks","authors":"Arthur Dantas Mangussi , Ricardo Cardoso Pereira , Ana Carolina Lorena , Miriam Seoane Santos , Pedro Henriques Abreu","doi":"10.1016/j.cose.2025.104574","DOIUrl":"10.1016/j.cose.2025.104574","url":null,"abstract":"<div><div>Cybersecurity attacks, such as poisoning and evasion, can intentionally introduce false or misleading information in different forms into data, potentially leading to catastrophic consequences for critical infrastructures, like water supply or energy power plants. While numerous studies have investigated the impact of these attacks on model-based prediction approaches, they often overlook the impurities present in the data used to train these models. One of those forms is missing data, the absence of values in one or more features. This issue is typically addressed by imputing missing values with plausible estimates, which directly impacts the performance of the classifier.</div><div>The goal of this work is to promote a Data-centric AI approach by investigating how different types of cybersecurity attacks impact the imputation process. To this end, we conducted experiments using four popular evasion and poisoning attacks strategies across 29 real-world datasets, including the NSL-KDD and Edge-IIoT datasets, which were used as case study. For the adversarial attack strategies, we employed the Fast Gradient Sign Method, Carlini & Wagner, Project Gradient Descent, and Poison Attack against Support Vector Machine algorithm. Also, four state-of-the-art imputation strategies were tested under Missing Not At Random, Missing Completely at Random, and Missing At Random mechanisms using three missing rates (5%, 20%, 40%). We assessed imputation quality using MAE, while data distribution shifts were analyzed with the Kolmogorov–Smirnov and Chi-square tests. Furthermore, we measured classification performance by training an XGBoost classifier on the imputed datasets, using F1-score, Accuracy, and AUC. To deepen our analysis, we also incorporated six complexity metrics to characterize how adversarial attacks and imputation strategies impact dataset complexity. Our findings demonstrate that adversarial attacks significantly impact the imputation process. In terms of imputation assessment in what concerns to quality error, the scenario that enrolees imputation with Project Gradient Descent attack proved to be more robust in comparison to other adversarial methods. Regarding data distribution error, results from the Kolmogorov–Smirnov test indicate that in the context of numerical features, all imputation strategies differ from the baseline (without missing data) however for the categorical context Chi-Squared test proved no difference between imputation and the baseline.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104574"},"PeriodicalIF":4.8,"publicationDate":"2025-06-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144518064","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Behind the scenes of attack graphs: Vulnerable network generator for in-depth experimental evaluation of attack graph scalability","authors":"Alessandro Palma, Silvia Bonomi","doi":"10.1016/j.cose.2025.104576","DOIUrl":"10.1016/j.cose.2025.104576","url":null,"abstract":"<div><div>An Attack Graph represents potential paths for attackers to compromise a computer network and security analysts use it to pinpoint vulnerable areas for cyber risk assessment. Due to their combinatorial complexity, designing scalable algorithms for generating these graphs without sacrificing their accuracy remains a challenge. Previous research focused on improving scalability, but evaluations often overlooked key parameters beyond network size, thus raising the natural question of their application in real-world settings. One of the main causes is the lack of data that the cybersecurity community faces in different areas, and cyber risk assessment in particular. To address this problem and support the comprehensive evaluation of attack graph algorithms, we introduce a dataset generator of vulnerable networks, which includes realistic reachability graphs and vulnerability inventories. This enables the design of an analytical framework to assess attack graph scalability comprehensively, considering diverse network and vulnerability dimensions. According to the proposed framework, we perform an in-depth experimental evaluation of the time and space complexities of attack graphs, offering novel insights into the critical parameters affecting them, and we extensively discuss how they inform and benefit future approaches.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104576"},"PeriodicalIF":4.8,"publicationDate":"2025-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144513613","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jakub Suchorab, Sebastian Plamowski, Maciej Ławryńczuk
{"title":"Anomaly detection system for Modbus data based on an open source tool","authors":"Jakub Suchorab, Sebastian Plamowski, Maciej Ławryńczuk","doi":"10.1016/j.cose.2025.104572","DOIUrl":"10.1016/j.cose.2025.104572","url":null,"abstract":"<div><div>This paper presents an anomaly detection system based on the Modbus TCP/IP protocol for industrial networks. The system has been developed using Zeek, an open-source tool for monitoring and analyzing network traffic. The data model is based on discrete-time Markov chains, extended with time parameters and observations of process parameters. The detection model defines ten types of anomalies, allowing for the recognition of specific deviations from normal network operations. To assess the quality of the model, a series of test scenarios have been developed to simulate potential anomalies in a control system, including a realistic real-time manipulation attack. These tests have been conducted in a simulated environment. The results confirm that the system is capable of real-time anomaly detection, accurately identifying most of the simulated attack scenarios without generating false positive alerts, thanks to customizable detection parameters.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104572"},"PeriodicalIF":4.8,"publicationDate":"2025-06-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144510909","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Renato Solimar Alves , Jady Pamella Barbacena da Silva , Luiz Antonio Ribeiro Junior , Rafael Rabelo Nunes
{"title":"Enhancing cybersecurity in the judiciary: Integrating additional controls into the CIS framework","authors":"Renato Solimar Alves , Jady Pamella Barbacena da Silva , Luiz Antonio Ribeiro Junior , Rafael Rabelo Nunes","doi":"10.1016/j.cose.2025.104584","DOIUrl":"10.1016/j.cose.2025.104584","url":null,"abstract":"<div><div>The Judiciary faces considerable challenges protecting its critical operations from cyber threats in an increasingly digital and vulnerable landscape. This article explores the need to enhance information security practices beyond basic security controls to address operational and technological risks targeting the Judiciary. Intending to propose an expansion of the security controls suggested by the CIS Controls framework, this article focuses on critical areas such as information security management, personnel management, and technological requirements specific to the judicial context. Through qualitative analysis and consultations with experts in the field, preventive and corrective measures were identified, encompassing effective communication practices, mental health programs, and a strong culture of integrity complemented by advanced cybersecurity technologies. The results highlight the need for additional, comprehensive controls ranging from physical security to digital protection, promoting an integrated approach to risk management. The contributions of this article extend to establishing a strengthened foundation for security controls, creating a more effective defense mechanism against emerging threats, and ensuring the sustainability and efficiency of court operations. This article contributes to the evolution of security strategies in the Judiciary, with direct practical implications for risk mitigation and the protection of information assets. The work contributes to the debate on information security in the Judiciary and how to adapt and expand the application of the CIS framework.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104584"},"PeriodicalIF":4.8,"publicationDate":"2025-06-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144523303","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Manuela M.C. Souza , Camila T. Pontes , João J.C. Gondim , Luís P.F. Garcia , Luiz DaSilva , Eduardo F.M. Cavalcante , Marcelo A. Marotta
{"title":"A novel open set Energy-based Flow Classifier for Network Intrusion Detection","authors":"Manuela M.C. Souza , Camila T. Pontes , João J.C. Gondim , Luís P.F. Garcia , Luiz DaSilva , Eduardo F.M. Cavalcante , Marcelo A. Marotta","doi":"10.1016/j.cose.2025.104569","DOIUrl":"10.1016/j.cose.2025.104569","url":null,"abstract":"<div><div>Several machine learning-based Network Intrusion Detection Systems (NIDS) have been proposed in recent years. Still, most of them were developed and evaluated under the assumption that the training context is similar to the test context. This assumption is false in real networks, given the emergence of new attacks and variants of known attacks. To deal with this reality, the open set recognition field, which is the most general task of recognizing classes not seen during training in any domain, began to gain importance in machine learning based NIDS research. Yet, existing solutions are often bound to high temporal complexities and performance bottlenecks. In this work, we propose an algorithm to be used in NIDS that performs open set recognition. Our proposal is an adaptation of the single-class Energy-based Flow Classifier (EFC), which proved to be an algorithm with strong generalization capability and low computational cost. The new version of EFC correctly classifies not only known attacks, but also unknown ones, and differs from other proposals from the literature by presenting a single layer with low temporal complexity. Our proposal was evaluated against well-established multi-class algorithms and as an open set classifier. It proved to be an accurate classifier in both evaluations, similar to the state of the art. As a conclusion of our work, we consider EFC a promising algorithm to be used in NIDS for its high performance and applicability in real networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104569"},"PeriodicalIF":4.8,"publicationDate":"2025-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144501444","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sibo Qiao , Haohao Zhu , Lin Sha , Min Wang , Qiang Guo
{"title":"DynMark: A dynamic packet counting watermarking scheme for robust traffic tracing in network flows","authors":"Sibo Qiao , Haohao Zhu , Lin Sha , Min Wang , Qiang Guo","doi":"10.1016/j.cose.2025.104571","DOIUrl":"10.1016/j.cose.2025.104571","url":null,"abstract":"<div><div>To locate malicious attack sources and enhance network defense capabilities, traffic tracing has become a critical technology for defending against network attacks. Existing methods, such as IP address tracing and network flow watermarking, often fail to trace attackers using encrypted channels or network obfuscation techniques. Although watermarking can embed traceable features, its performance degrades in complex environments with delay jitter and packet loss. To address these issues, we propose a novel dynamic watermarking method based on packet count and timing, called DynMark. This method adaptively modulates packet count and timing to construct a multidimensional watermark carrier, thereby enhancing traffic tracking and tracing capabilities and enabling effective tracking of attack traffic in complex network environments. In addition, to ensure watermark synchronization accuracy, we design a dynamic synchronization tag to guarantee precise synchronization of the watermark’s time window. Moreover, considering that non-continuous data flows may lead to inaccurate watermark detection, we further propose a robust error correction mechanism based on fountain codes and error-correcting codes, which significantly enhances the robustness of the watermarking method and ensures the accuracy of data transmission. Experimental results show that under interference conditions such as high delay jitter, packet loss, and chaff packet insertion, DynMark maintains an accuracy rate of over 90%. Compared with state-of-the-art watermarking methods, DynMark achieves an approximate 4% improvement in accuracy. In addition, DynMark successfully passes the K-S test, demonstrating its invisibility.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104571"},"PeriodicalIF":4.8,"publicationDate":"2025-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144472188","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}