Computers & Security最新文献

{"title":"FedMSE: Semi-supervised federated learning approach for IoT network intrusion detection","authors":"Van Tuan Nguyen ,&nbsp;Razvan Beuran","doi":"10.1016/j.cose.2025.104337","DOIUrl":"10.1016/j.cose.2025.104337","url":null,"abstract":"<div><div>This paper proposes a novel federated learning approach for improving IoT network intrusion detection. The rise of IoT has expanded the cyber attack surface, making traditional centralized machine learning methods insufficient due to concerns about data availability, computational resources, transfer costs, and especially privacy preservation. A semi-supervised federated learning model was developed to overcome these issues, combining the Shrink Autoencoder and Centroid one-class classifier (SAE-CEN). This approach enhances the performance of intrusion detection by effectively representing normal network data and accurately identifying anomalies in the decentralized strategy. Additionally, a mean square error-based aggregation algorithm (MSEAvg) was introduced to improve global model performance by prioritizing more accurate local models. The results obtained in our experimental setup, which uses various settings relying on the N-BaIoT dataset and Dirichlet distribution, demonstrate significant improvements in real-world heterogeneous IoT networks in detection accuracy from 93.98 ± 2.90 to 97.30 ± 0.49, reduced learning costs when requiring only 50% of gateways participating in the training process, and robustness in large-scale networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104337"},"PeriodicalIF":4.8,"publicationDate":"2025-01-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149514","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"How to decrypt files encrypted by Rhysida ransomware without the attacker’s private key","authors":"Giyoon Kim ,&nbsp;Soojin Kang ,&nbsp;Seungjun Baek ,&nbsp;Kimoon Kim ,&nbsp;Jongsung Kim","doi":"10.1016/j.cose.2025.104340","DOIUrl":"10.1016/j.cose.2025.104340","url":null,"abstract":"<div><div>Ransomware is malicious software that is a prominent global cybersecurity threat. It typically encrypts data in a system, rendering victims unable to decrypt it without the attacker’s private key. Subsequently, victims often pay substantial ransoms to regain access to their data, yet some may still suffer damage or loss. This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida ransomware employed a secure random number generator to generate the encryption keys for data encryption. However, a vulnerability in its implementation enabled us to reconstruct the internal state of the random number generator, resulting in the disclosure of the encryption keys. In a practical time, we successfully decrypted the data infected with Rhysida using the regenerated state. To the best of our knowledge, this is the first successful decryption of data infected by Rhysida. We aim for our findings to contribute to mitigating the harm inflicted by the Rhysida ransomware.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104340"},"PeriodicalIF":4.8,"publicationDate":"2025-01-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149510","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CO-STOP: A robust P4-powered adaptive framework for comprehensive detection and mitigation of coordinated and multi-faceted attacks in SD-IoT networks","authors":"Ameer El-Sayed ,&nbsp;Ahmed A. Toony ,&nbsp;Fayez Alqahtani ,&nbsp;Yasser Alginahi ,&nbsp;Wael Said","doi":"10.1016/j.cose.2025.104349","DOIUrl":"10.1016/j.cose.2025.104349","url":null,"abstract":"<div><div>The increasing sophistication of multi-faceted attacks (MFAs) presents significant challenges for securing Internet of Things (IoT) networks, where traditional defenses and even contemporary solutions often fail to provide comprehensive protection. Current frameworks in the literature face critical limitations such as centralized control architectures that are prone to bottlenecks and single points of failure, inadequate traffic monitoring capabilities, and limited adaptability to dynamic attack surfaces. These gaps make IoT environments vulnerable to stealthy, coordinated, and complex attacks that can simultaneously target multiple layers of the network. Addressing these challenges requires a more dynamic and distributed approach to security. This paper introduces CO-STOP, an innovative framework designed to overcome these limitations by integrating machine learning (ML), the P4 programming language, Software-Defined Networking (SDN), and a novel multi-control design (MCD). CO-STOP enhances IoT network management by distributing both detection and mitigation efforts across multiple controllers, improving scalability and resilience. It also addresses the shortcomings of existing solutions by incorporating adaptive traffic monitoring and a distributed mitigation strategy that reduces the risks of network disruption. The framework comprises four interconnected modules: (1) Authenticated Dynamic Multi-Control (ADMC), which introduces secure, synchronized controller collaboration; (2) P4-Enabled Adaptive Traffic Monitoring (P4-ATM), leveraging programmable state tables for real-time traffic analysis; (3) Multi-Faceted Attack Detection and Prevention (MFADP), employing a Dynamic Meta-Ensemble with Confidence-Based Prioritization (DMECP) for accurate attack detection; and (4) P4-Enabled Multi-Control Adaptive Mitigation (P4-MCAM), which distributes mitigation efforts across multiple controllers. CO-STOP demonstrates significant resource efficiency, with the P4-based solution reducing bandwidth consumption by 27%, memory usage by 19%, and CPU utilization by 21% compared to the OpenFlow-based approach. Experiments reveal that the proposed multi-controller architecture consistently outperforms the single-controller design across six key evaluation metrics. CO-STOP sets new benchmarks in SD-IoT security, achieving 99.25% accuracy, a 98.83% F1-score, and a low false positive rate of 0.51%. By addressing both the limitations of existing frameworks and the critical need for scalable, efficient, and adaptive security solutions, CO-STOP represents a substantial advancement in safeguarding SD-IoT networks from emerging attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104349"},"PeriodicalIF":4.8,"publicationDate":"2025-01-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149509","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Current research on Internet of Things (IoT) security protocols: A survey","authors":"Raghavendra Mishra ,&nbsp;Ankita Mishra","doi":"10.1016/j.cose.2024.104310","DOIUrl":"10.1016/j.cose.2024.104310","url":null,"abstract":"<div><div>The Internet of Things (IoT) has become indispensable for remote monitoring, integrating diverse hardware and software elements to provide seamless, secure, and reliable services. Essential components like network protocols, sensor nodes, actuators, and gateway nodes ensure the functionality and security of these systems. However, the increasing proliferation of IoT devices has raised significant security concerns, particularly regarding user privacy, data integrity, and service availability. This manuscript presents a comprehensive review of existing authenticated key exchange mechanisms for IoT security, focusing on the limitations of current authentication and key agreement methods. We examine relevant schemes for the case study to explore key security challenges. In this regard, we conduct a cryptanalysis of three recently proposed IoT security protocols, evaluating their effectiveness in addressing vulnerabilities. The key contribution of this work lies in offering insights into the latest advancements in IoT security, identifying critical weaknesses, and proposing enhancements to improve the resilience of IoT systems in an increasingly interconnected world.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104310"},"PeriodicalIF":4.8,"publicationDate":"2025-01-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149528","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"HAE-HRL: A network intrusion detection system utilizing a novel autoencoder and a hybrid enhanced LSTM-CNN-based residual network","authors":"Yankun Xue,&nbsp;Chunying Kang,&nbsp;Hongchen Yu","doi":"10.1016/j.cose.2025.104328","DOIUrl":"10.1016/j.cose.2025.104328","url":null,"abstract":"<div><div>As networks evolve, their attacks become ever more varied - which creates an increasing variety of features-rich information which models must incorporate during training. However, this data often includes redundant and irrelevant features that impede its effectiveness as an intrusion detection system. Hybrid Autoencoder- Hybird ResNet-LSTM, an advanced hybrid residual network which combines an innovative hybrid Autoencoder with an enhanced LSTM-CNN architecture, was introduced here to enhance detection capabilities of models and identify pertinent feature subsets within datasets more quickly and efficiently. Initial feature selection within the dataset is performed using a modified self-encoder that incorporates CNN and GRU components, in order to reduce data dimensionality while pinpointing an optimal subset. This paper assesses a proposed intrusion detection model against three datasets commonly used for intrusion detection studies: UNSW-NB15, NSL-KDD, and CICIDS-2018. Experimental findings demonstrate high accuracy rates of 95.7%, 94.9% and 96.7% in intrusion detection for NSL-KDD, UNSW-NB15, and CICIDS-2018 datasets respectively. A comparative analysis with methods proposed by other researchers illustrates how effective our method presented here can be at significantly enhancing intrusion detection accuracy.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104328"},"PeriodicalIF":4.8,"publicationDate":"2025-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149516","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A novel framework to identify cybersecurity challenges and opportunities for organizational digital transformation in the cloud","authors":"Xueping Liang,&nbsp;Yilin Xu","doi":"10.1016/j.cose.2025.104339","DOIUrl":"10.1016/j.cose.2025.104339","url":null,"abstract":"<div><div>The rise in security threats faced by organizations has resulted in increased attention towards cloud adoption in organizations and cloud security research. To address these concerns, it is crucial to establish trust between application users and cloud services by exploring the gap of cloud security challenges and opportunities in the cybersecurity context. Due to the growing interest in this topic, a comprehensive and updated review of existing literature is much needed. This paper thoroughly examines the current landscape of cloud security, grounded in an extensive systematic literature review of 1,324 research papers, through the lens of a Design Science Research artifact typology rooted in the Information Systems domain. The paper makes significant technological contributions to the field of cloud security, by categorizing findings into four artifact types: constructs, models, methods, and instantiations. These categories are examined across multiple levels of cloud architecture, including data management, identity and access, application and software, host and virtualization, as well as privacy, trust, and compliance. The proposed research framework is adopted to further analyze the challenges that organizations face in securing their cloud-based systems against threats such as data breaches, unauthorized access, and cyberattacks. In addition, the review explores the potential opportunities for enhancing cloud security through the integration of advanced technologies such as blockchain, zero trust, multi-cloud architecture, machine learning and artificial intelligence, in various domains such as healthcare, IoT, and smart cities. By providing a critical analysis of the current state of cloud security, this review paper offers valuable insights into the challenges and opportunities associated with securing cloud-based systems in the cybersecurity era.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104339"},"PeriodicalIF":4.8,"publicationDate":"2025-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149527","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Stochastic gradient boosted distributed decision trees security approach for detecting cyber anomalies and classifying multiclass cyber-attacks","authors":"J C Sekhar ,&nbsp;R Priyanka ,&nbsp;Ashok Kumar Nanda ,&nbsp;P Joel Josephson ,&nbsp;M J D Ebinezer ,&nbsp;T Kalavathi Devi","doi":"10.1016/j.cose.2025.104320","DOIUrl":"10.1016/j.cose.2025.104320","url":null,"abstract":"<div><div>Identifying cyber anomalies and attacks in today's cybersecurity environment is essential. We can solve these difficulties by combining artificial intelligence (AL) and machine learning (ML) methods. The specifics of the existing security mechanisms and the supply quality define how effective ML-based security systems will be in strengthening such measures. Developing a security system to identify unusual activity and classify threats in the growing complexity and regularity of attacks is essential. This article provides a successful method to identify and classify cyber anomalies. We use a novel method in combination with Stochastic Gradient Boosted Distributed Decision Trees (SGB-DDT) with Honeybees Mating Optimisation (HBMO). To improve the detection accuracy, we use SGD-DDT, a distributed learning technique that is both highly scalable and effective by combining the collective wisdom of several decision trees. The SGB approach's adaptability and error-learning properties make the model less vulnerable to dynamic cyberattacks. The complications of classifying cyberattacks into different types have prompted this research to propose an enhanced HBMO method. The HBMO method aims to improve model performance while reducing processing overhead, which takes inspiration from honeybee mating behaviour. This proposed method, SGB-DDT, can accurately identify several categories of cyberattacks using the enhanced HBMO method. We assess the proposed method using a large and varied dataset of cyberattack incidents from NSL-KDD and UNSW-NB15, encompassing common and uncommon attack types. The experiment results show that the SGB-DDT with higher HBMO outperforms traditional ML techniques.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104320"},"PeriodicalIF":4.8,"publicationDate":"2025-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143297089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Investigating the impact of feature selection on adversarial transferability in intrusion detection system","authors":"James Msughter Adeke ,&nbsp;Guangjie Liu ,&nbsp;Lord Amoah ,&nbsp;Ogonna Joshua Nwali","doi":"10.1016/j.cose.2025.104327","DOIUrl":"10.1016/j.cose.2025.104327","url":null,"abstract":"<div><div>Adversarial attacks pose a serious threat to cybersecurity systems, particularly intrusion detection systems (IDSs). The property of transferability exacerbates this threat, as attacks designed to fool one IDS model can often fool others in black-box settings. Despite significant efforts to mitigate this property, the impact of feature selection on attack transferability remains unknown. This study investigates adversarial transferability across various machine learning (ML) and deep learning (DL) models used in IDSs. Two transferability scenarios are investigated: inter-model and intra-model transferability. We trained multiple IDS models, including support vector machine (SVM), random forest (RF), decision tree (DT), logistic regression (LR), and deep neural networks (DNNs) with different architectures, on feature subsets from various techniques. These IDS models are then subjected to a black-box attack using the zeroth-order optimization (ZOO) method. With the IoT-23 and UNSW-NB15 datasets, we evaluated transferability across different IDS models and feature subsets. The results show significant variations in transferability, with certain feature subsets notably reducing the attack success rate (ASR). Specifically, we recorded a reduction in ASR ranging from 99.9% to 0% depending on the feature subset and the target IDS model. These findings highlight the impact of feature selection on disrupting attack transferability, and suggest that IDS models trained with appropriate feature subsets are more robust to adversarial transferability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104327"},"PeriodicalIF":4.8,"publicationDate":"2025-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149515","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"K-Salp Swarm Anomaly Detection (K-SAD): A novel clustering and threshold-based approach for cybersecurity applications","authors":"Vahide Nida Kılıç,&nbsp;Esra Saraç Eşsiz","doi":"10.1016/j.cose.2025.104325","DOIUrl":"10.1016/j.cose.2025.104325","url":null,"abstract":"<div><div>Anomaly detection is a critical task in various domains, particularly in cybersecurity, where ensuring data integrity and security is paramount. In this study, we propose a novel approach to anomaly detection utilizing both the K-medoid and Salp Swarm Algorithms. Our methodology involves clustering the data using K-medoid and determining thresholds with an improved Salp Swarm Algorithm, enabling the identification of outliers within datasets. We conducted experiments on real-world datasets to evaluate the effectiveness of our approach. Significantly, proposed method surpassed alternative methods in performance across 5 of the 10 datasets, thereby showcasing its superior efficacy. For example, It demonstrated superior performance compared to alternative methods, achieving an AUC value of 0.8651 on the Thyroid dataset. Additionally, our approach yielded outcomes falling within the average spectrum across 3 datasets. These observations underscore the effectiveness of our proposed method in factifying anomaly detection methods and factifying cybersecurity protocols.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104325"},"PeriodicalIF":4.8,"publicationDate":"2025-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149519","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A case of smart devices that compromise home cybersecurity","authors":"Davide Bonaventura,&nbsp;Sergio Esposito,&nbsp;Giampaolo Bella","doi":"10.1016/j.cose.2024.104286","DOIUrl":"10.1016/j.cose.2024.104286","url":null,"abstract":"<div><div>The importance of cybersecurity is widely acknowledged as paramount for virtually every computerized application domain. Not only is it concerned with the protection of digital assets and resources from illegitimate use, but it is also essential to people’s privacy, for example for shielding their personal data, and even to their safety, for example for safeguarding the functioning of devices that may potentially harm humans.</div><div>This article investigates the extent to which cybersecurity is properly ensured of IoT devices (also commonly termed <em>smart devices</em>) which are modern, that is, trendy at present, then also inexpensive, hence useful to evaluate a price-cybersecurity ratio, and, finally, commonly used. While it is clear that innumerable such devices exist, the findings reported below focus on the case of the Tapo ecosystem by TP-Link, which features cheap Amazon best sellers at present.</div><div>Our findings suggest that effective Vulnerability Assessment and Penetration Testing sessions can be carried out on such devices by following the PETIoT kill chain. Findings also demonstrate that as many as six devices of the TAPO ecosystem suffer four previously unknown (so called <em>zero-day</em>) vulnerabilities, which we filed as four CVEs on MITRE’s public database. Following Responsible Disclosure with TP-Link, vulnerabilities were publicly disclosed only after the vendor released appropriate fixes. All vulnerabilities were found using freeware, requiring over 600 lines of exploitation code.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104286"},"PeriodicalIF":4.8,"publicationDate":"2025-01-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149518","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}