Computers & Security最新文献

{"title":"A graph representation framework for encrypted network traffic classification","authors":"Zulu Okonkwo,&nbsp;Ernest Foo,&nbsp;Zhe Hou,&nbsp;Qinyi Li,&nbsp;Zahra Jadidi","doi":"10.1016/j.cose.2024.104134","DOIUrl":"10.1016/j.cose.2024.104134","url":null,"abstract":"<div><div>Network Traffic Classification (NTC) is crucial for ensuring internet security, but encryption presents significant challenges to this task. While Machine Learning (ML) and Deep Learning (DL) methods have shown promise, issues such as limited representativeness leading to sub-optimal generalizations and performance remain prevalent. These problems become more pronounced with advanced obfuscation, network security, and privacy technologies, indicating a need for improved model robustness. To address these issues, we focus on <em>feature extraction</em> and <em>representation</em> in NTC by leveraging the expressive power of graphs to represent network traffic at various granularity levels. By modeling network traffic as interconnected graphs, we can analyze both flow-level and packet-level data. Our graph representation method for encrypted NTC effectively preserves crucial information despite encryption and obfuscation. We enhance the robustness of our approach by using cosine similarity to exploit correlations between encrypted network flows and packets, defining relationships between abstract entities. This graph structure enables the creation of structural embeddings that accurately define network traffic across different encryption levels. Our end-to-end process demonstrates significant improvements where traditional NTC methods struggle, such as in Tor classification, which employs anonymization to further obfuscate traffic. Our packet-level classification approach consistently outperforms existing methods, achieving accuracies exceeding 96%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104134"},"PeriodicalIF":4.8,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142326768","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Beyond the west: Revealing and bridging the gap between Western and Chinese phishing website detection","authors":"Ying Yuan ,&nbsp;Giovanni Apruzzese ,&nbsp;Mauro Conti","doi":"10.1016/j.cose.2024.104115","DOIUrl":"10.1016/j.cose.2024.104115","url":null,"abstract":"<div><div>Phishing attacks are on the rise, and phishing <em>websites</em> are everywhere, denoting the brittleness of security mechanisms reliant on blocklists. To cope with this threat, many works proposed to enhance Phishing Website Detectors (PWD) with data-driven techniques powered by Machine Learning (ML). Despite achieving promising results both in research and practice, existing solutions mostly focus “on the West”, e.g., they consider websites in English, German, or Italian. In contrast, phishing websites targeting “Eastern” countries, such as China, have been mostly neglected—despite phishing being rampant also in this side of the world.</div><div>In this paper, we scrutinize whether current PWD can simultaneously work against Western and Chinese phishing websites. First, after highlighting the difficulties of practically testing PWD on Chinese phishing websites, we create CghPghrg—a dataset which enables assessment of PWD on Chinese websites. Then, we evaluate 72 PWD developed by industry practitioners and 10 ML-based PWD proposed in recent research on Western and Chinese websites: our results highlight that existing solutions, despite achieving low false positive rates, exhibit unacceptably low detection rates (sometimes inferior to 1%) on phishing websites of different <em>regions</em>. Next, to bridge the gap we brought to light, we elucidate the differences between Western and Chinese websites, and devise an enhanced feature set that accounts for the unique characteristics of Chinese websites. We empirically demonstrate the effectiveness of our proposed feature set by replicating (and testing) state-of-the-art ML-PWD: our results show a small but statistically significant improvement over the baselines. Finally, we review all our previous contributions and combine them to develop practical PWD that simultaneously work on Chinese and Western websites, achieving over 0.98 detection rate while maintaining only 0.01 false positive rate in a cross-regional setting. We openly release all our tools, disclose all our benchmark results, and also perform proof-of-concept experiments revealing that the problem tackled by our paper extends to other “Eastern” countries that have been overlooked by prior research on PWD.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104115"},"PeriodicalIF":4.8,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142661692","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Edge-featured multi-hop attention graph neural network for intrusion detection system","authors":"Ping Deng,&nbsp;Yong Huang","doi":"10.1016/j.cose.2024.104132","DOIUrl":"10.1016/j.cose.2024.104132","url":null,"abstract":"<div><div>With the development of the Internet, the application of computer technology has rapidly become widespread, driving the progress of Internet of Things (IoT) technology. The attacks present on networks have become more complex and stealthy. However, traditional network intrusion detection systems with singular functions are no longer sufficient to meet current demands. While some machine learning-based network intrusion detection systems have emerged, traditional machine learning methods cannot effectively respond to the complex and dynamic nature of network attacks. Intrusion detection systems utilizing deep learning can better enhance detection capabilities through diverse data learning and training. To capture the topological relationships in network data, using graph neural networks (GNNs) is most suitable. Most existing GNNs for intrusion detection use multi-layer network training, which may lead to over-smoothing issues. Additionally, current intrusion detection solutions often lack efficiency. To mitigate the issues mentioned above, this paper proposes an <u>E</u>dge-featured <u>M</u>ulti-hop <u>A</u>ttention Graph Neural Network for <u>I</u>ntrusion <u>D</u>etection <u>S</u>ystem (EMA-IDS), aiming to improve detection performance by capturing more features from data flows. Our method enhances computational efficiency through attention propagation and integrates node and edge features, fully leveraging data characteristics. We carried out experiments on four public datasets, which are NF-CSE-CIC-IDS2018-v2, NF-UNSW-NB15-v2, NF-BoT-IoT, and NF-ToN-IoT. Compared with existing models, our method demonstrated superior performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104132"},"PeriodicalIF":4.8,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419447","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"An explainable unsupervised anomaly detection framework for Industrial Internet of Things","authors":"Yilixiati Abudurexiti ,&nbsp;Guangjie Han ,&nbsp;Fan Zhang ,&nbsp;Li Liu","doi":"10.1016/j.cose.2024.104130","DOIUrl":"10.1016/j.cose.2024.104130","url":null,"abstract":"<div><div>Industrial Internet of Things (IIoT) systems require effective anomaly detection techniques to ensure optimal operational efficiency. However, constructing a suitable anomaly detection framework for IIoT poses challenges due to the scarcity of labeled data. Additionally, most existing anomaly detection frameworks lack interpretability. To tackle these issues, an innovative unsupervised framework based on time series data analysis is proposed. This framework initially detects anomalous patterns in IIoT sensor data by extracting local features. An improved Time Convolutional Network (TCN) and Kolmogorov–Arnold Network (KAN) based Variational Auto-Encoder (VAE) is then constructed to capture long-term dependencies. The framework is trained in an unsupervised manner and interpreted using Explainable Artificial Intelligence (XAI) techniques. This approach offers insightful explanations regarding the importance of features, thereby facilitating informed decision-making and enhancements. Experimental results demonstrate that the framework is capable of extracting informative features and capturing long-term dependencies. This enables efficient anomaly detection in complex, dynamic industrial systems, surpassing other unsupervised methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104130"},"PeriodicalIF":4.8,"publicationDate":"2024-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419448","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Improving IIoT security: Unveiling threats through advanced side-channel analysis","authors":"Dalin He ,&nbsp;Huanyu Wang ,&nbsp;Tuo Deng ,&nbsp;Jishi Liu ,&nbsp;Junnian Wang","doi":"10.1016/j.cose.2024.104135","DOIUrl":"10.1016/j.cose.2024.104135","url":null,"abstract":"<div><div>The widespread deployment of IIoT edge devices makes them attractive victims for malicious activities. Consequently, how to implement trustworthy operations becomes a realistic topic in embedded systems. While most current physical systems for detecting malicious activities primarily focus on identifying known intrusion codes at the block level, they ignore that even an unnoticeable injected function can result in system-wide loss of security. In this paper, we propose a framework called CNDSW built on deep-learning side-channel analysis for function-level industrial control flow integrity monitoring. By collaboratively utilizing correlation analysis and deep-learning techniques, the dual window sliding monitoring mechanism in the proposed CNDSW framework demonstrates a real-time code intrusion tracking capacity on embedded controllers with a 99% detection accuracy on average. Instead of focusing on known block-level intrusions, we experimentally show that our model is feasible to detect function-level code intrusions without knowing the potential threat type. Besides, we further explore how different configurations of the CNDSW framework can help the monitoring process with different emphases and to which extent the model can concurrently detect multiple code intrusion activities. All our experiments are conducted on 32-bit ARM Cortex-M4 and 8-bit RISC MCUs across five different control flow programs, providing a comprehensive evaluation of the framework’s capabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104135"},"PeriodicalIF":4.8,"publicationDate":"2024-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419449","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"E-WebGuard: Enhanced neural architectures for precision web attack detection","authors":"Luchen Zhou ,&nbsp;Wei-Chuen Yau ,&nbsp;Y.S. Gan ,&nbsp;Sze-Teng Liong","doi":"10.1016/j.cose.2024.104127","DOIUrl":"10.1016/j.cose.2024.104127","url":null,"abstract":"<div><div>Web applications have become a favored tool for organizations to disseminate vast amounts of information to the public. With the increasing adoption and inherent openness of these applications, there is an observed surge in web-based attacks exploited by adversaries. However, most of the web attack detection works are based on public datasets that are outdated or do not cover a sufficient quantity of web application attacks. Furthermore, most of them are binary detection (i.e., normal or attack) and there is little work on multi-class web attack detection. This highlights the crucial need for automated web attack detection models to bolster web security. In this study, a suite of integrated machine learning and deep learning models is designed to detect web attacks. Specifically, this study employs the Character-level Support Vector Machine (Char-SVM), Character-level Long Short-Term Memory (Char-LSTM), Convolutional Neural Network - SVM (CNN-SVM), and CNN-Bi-LSTM models to differentiate between standard HTTP requests and HTTP-based attacks in both the CSIC 2010 and SR-BH 2020 datasets. Note that the CSIC 2010 dataset involves binary classification, while the SR-BH 2020 dataset involves multi-class classification, specifically with 13 classes. Notably, the input data is first converted to the character level before being fed into any of the proposed model architectures. In the binary classification task, the Char-SVM model with a linear kernel outperforms other models, achieving an accuracy rate of 99.60%. The CNN-Bi-LSTM model closely follows with a 99.41% accuracy, surpassing the performance of the CNN-LSTM model presented in previous research. In the context of multi-class classification, the CNN-Bi-LSTM model demonstrates outstanding performance with a 99.63% accuracy rate. Furthermore, the multi-class classification models, namely Char-LSTM and CNN-Bi-LSTM, achieve validation accuracies above 98%, outperforming the two machine learning-based methods mentioned in the original research.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104127"},"PeriodicalIF":4.8,"publicationDate":"2024-09-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142323984","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Enhancing data integrity in opportunistic mobile social network: Leveraging Berkle Tree and secure data routing against attacks","authors":"Vimitha R. Vidhya Lakshmi ,&nbsp;Gireesh Kumar T","doi":"10.1016/j.cose.2024.104133","DOIUrl":"10.1016/j.cose.2024.104133","url":null,"abstract":"<div><div>In Opportunistic Mobile Social Networks (OMSNs), ensuring data integrity is crucial. The anonymous and opportunistic nature of node communication makes these networks vulnerable to data integrity attacks. The existing literature identified significant shortcomings in effectively addressing data integrity attacks with high efficiency and accuracy. This paper addresses these issues by proposing the \"Berkle Tree\", a novel data structure designed to mitigate data integrity attacks in OMSNs. The Berkle Tree leverages the EvolvedBloom filter, which is a variant of the bloom filter with a negligible False Positive Rate (FPR). The key contributions of this study include i) an innovative application of EvolvedBloom for membership testing and Berkle Tree root validation, and ii) comparative analysis with existing data structures like Merkle and Verkle Trees. The Berkle Tree demonstrates superior performance, reducing tree generation and integrity validation times and leading to substantial computational cost reductions of 79.50 % and 90.57 %, respectively. The proposed method integrates the Berkle Tree into OMSN routing models and evaluates performance against Packet Drop, Modification, and Fake Attacks (PDA, PMA, PFA). Results show average Malicious Node Detection Accuracy of 98.2 %, 85.2 %, and 94.4 %; Malicious Path Detection Accuracy of 98.6 %, 86.6 %, and 90.2 %; Malicious Data Detection Accuracy of 98.4 %, 80.2 %, and 93.4 %; and False Negative Rates of 1.8 %, 14.8 %, and 5.6 % for PDA, PMA, and PFA, respectively. The major findings demonstrate that the proposed approach significantly improves OMSN routing models by reducing Packet Dropping, Modifying, and Faking Rates by 48.62 %, 28.99 %, and 31.2 %, respectively. Compared to existing methods, the Berkle Tree achieves a substantial reduction in filter size by approximately 25 %–40 %, while maintaining a negligible FPR. These advancements contribute to the state-of-the-art of OMSNs by providing robust solutions for data integrity with significant implications for enhancing security and trustworthiness in OMSNs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104133"},"PeriodicalIF":4.8,"publicationDate":"2024-09-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142356816","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Adaptive edge security framework for dynamic IoT security policies in diverse environments","authors":"Malka N. Halgamuge ,&nbsp;Dusit Niyato","doi":"10.1016/j.cose.2024.104128","DOIUrl":"10.1016/j.cose.2024.104128","url":null,"abstract":"<div><div>The rapid expansion of Internet of Things (IoT) technologies has introduced significant cybersecurity challenges, particularly at the network edge where IoT devices operate. Traditional security policies designed for static environments fall short of addressing the dynamic, heterogeneous, and resource-constrained nature of IoT ecosystems. Existing dynamic security policy models lack versatility and fail to fully integrate comprehensive risk assessments, regulatory compliance, and AI/ML (artificial intelligence/machine learning)-driven adaptability. We develop a novel adaptive edge security framework that dynamically generates and adjusts security policies for IoT edge devices. Our framework integrates a dynamic security policy generator, a conflict detection and resolution in policy generator, a bias-aware risk assessment system, a regulatory compliance analysis system, and an AI-driven adaptability integration system. This approach produces tailored security policies that adapt to changes in the threat landscape, regulatory requirements, and device statuses. Our study identifies critical security challenges in diverse IoT environments and demonstrates the effectiveness of our framework through simulations and real-world scenarios. We found that our framework significantly enhances the adaptability and resilience of IoT security policies. Our results demonstrate the potential of AI/ML integration in creating responsive and robust security measures for IoT ecosystems. The implications of our findings suggest that dynamic and adaptive security frameworks are essential for protecting IoT devices against evolving cyber threats, ensuring compliance with regulatory standards, and maintaining the integrity and availability of IoT services across various applications.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104128"},"PeriodicalIF":4.8,"publicationDate":"2024-09-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142319656","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Security awareness, decision style, knowledge, and phishing email detection: Moderated mediation analyses","authors":"Daniel Sturman ,&nbsp;Jaime C. Auton ,&nbsp;Ben W. Morrison","doi":"10.1016/j.cose.2024.104129","DOIUrl":"10.1016/j.cose.2024.104129","url":null,"abstract":"<div><div>This study examines whether the negative relationship between email information security awareness and phishing email susceptibility is mediated by less intuitive decision-making when assessing emails, and whether this relationship is moderated by phishing email knowledge. Participants (<em>N</em> = 291) completed an online email sorting task, a measure of email use information security awareness, a measure of preference for intuitive decision-making with emails, and a measure of phishing email knowledge. Moderated mediation analyses indicated that information security awareness predicted positive behavioural intentions directly and indirectly through lower preference for intuitive decision-making, and these relationships were stronger when phishing email knowledge was lower. Further, both the direct and indirect relationships between information security awareness and sensitivity through intuitive decision styles were moderated by phishing email knowledge, with information security awareness positively predicting ability to discriminate phishing from genuine emails when phishing knowledge was average or high but not low. These findings suggest that in the absence of phishing knowledge, information security awareness and less intuitive decision styles reduce susceptibility to phishing attacks through increased caution. Further, the findings provide strong support for the proposition that some level of phishing knowledge is required before email security behaviours and decision-making processes aid in the detection of phishing emails. From an applied perspective, the outcomes suggest that focusing on a combination of awareness, knowledge, and decision-making processes could increase the effectiveness of anti-phishing and cybersecurity training programs.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104129"},"PeriodicalIF":4.8,"publicationDate":"2024-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824004346/pdfft?md5=428b80616259772376cc426315aeb174&pid=1-s2.0-S0167404824004346-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142315502","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Towards more realistic evaluations: The impact of label delays in malware detection pipelines","authors":"Marcus Botacin ,&nbsp;Heitor Gomes","doi":"10.1016/j.cose.2024.104122","DOIUrl":"10.1016/j.cose.2024.104122","url":null,"abstract":"<div><div>Developing and evaluating malware classification pipelines to reflect real-world needs is as vital to protect users as it is hard to achieve. In many cases, the experimental conditions when the approach was developed and the deployment settings mismatch, which causes the solutions not to achieve the desired results. In this work, we explore how unrealistic project and evaluation decisions in the literature are. In particular, we shed light on the problem of label delays, i.e., the assumption that ground-truth labels for classifier retraining are always available when in the real world they take significant time to be produced, which also causes a significant attack opportunity window. In our analyses, among diverse aspects, we address: (1) The use of metrics that do not account for the effect of time; (2) The occurrence of concept drift and ideal assumptions about the amount of drift data a system can handle; and (3) Ideal assumptions about the availability of oracle data for drift detection and the need for relying on pseudo-labels for mitigating drift-related delays. We present experiments based on a newly proposed exposure metric to show that delayed labels due to limited analysis queue sizes impose a significant challenge for detection (e.g., up to a 75% greater attack opportunity in the real world than in the experimental setting) and that pseudo-labels are useful in mitigating the delays (reducing the detection loss to only 30% of the original value).</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104122"},"PeriodicalIF":4.8,"publicationDate":"2024-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142311599","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}