{"title":"MADONNA: Browser-based malicious domain detection using Optimized Neural Network by leveraging AI and feature analysis","authors":"Janaka Senanayake , Sampath Rajapaksha , Naoto Yanai , Harsha Kalutarage , Chika Komiya","doi":"10.1016/j.cose.2025.104371","DOIUrl":"10.1016/j.cose.2025.104371","url":null,"abstract":"<div><div>Detecting malicious domains is a critical aspect of cybersecurity, with recent advancements leveraging Artificial Intelligence (AI) to enhance accuracy and speed. However, existing browser-based solutions often struggle to achieve both high accuracy and efficient throughput. In this paper, we present MADONNA, a novel browser-based malicious domain detector that exceeds the current state-of-the-art in both accuracy and throughput. MADONNA utilizes feature selection through correlation analysis and model optimization techniques, including pruning and quantization, to significantly enhance detection speed without compromising accuracy. Our approach employs a Shallow Neural Network (SNN) architecture, outperforming Large Language Models (LLMs) and state-of-the-art methods by improving accuracy by 6% (reaching 0.94) and F1-score by 4% (reaching 0.92). We further integrated MADONNA into a Google Chrome extension, demonstrating its practical application with a real-time domain detection accuracy of 94% and an average inference time of 0.87 s. These results highlight MADONNA’s effectiveness in balancing speed and accuracy, providing a scalable, real-world solution for malicious domain detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104371"},"PeriodicalIF":4.8,"publicationDate":"2025-02-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143463650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Vladimir Radunović, Mladen Veinović, Aleksandar Jevremović
{"title":"The efficiency of ICT suppliers' product security incident response teams in reducing the risk of exploitation of vulnerabilities in the wild","authors":"Vladimir Radunović, Mladen Veinović, Aleksandar Jevremović","doi":"10.1016/j.cose.2025.104388","DOIUrl":"10.1016/j.cose.2025.104388","url":null,"abstract":"<div><div>Exploitation of vulnerabilities in digital products is among the key components of cyberattacks. Suppliers of digital products use different security-by-design practices, such as a product security incident response team (PSIRT), to respond to discovered vulnerabilities and minimise the cybersecurity risk. However, the efficiency of such practices, including PSIRT, remains underexplored.</div><div>This paper evaluates the efficiency of PSIRT in reducing risks of exploitation of vulnerabilities 'in the wild' (i.e. their active use in real-world cyberattacks) using a customised model based on randomised matched case-control design with data from authoritative public sources. Results show that PSIRT reduces the likelihood of exploitation by 17 % (absolute risk reduction). Additionally, factors like the availability of proof of concept for vulnerability exploitation, type of supplier's industry, and the open-source nature of its products influence the risk altering the absolute risk reduction by 10 %, 3.6 % and 2.2 % respectively.</div><div>The study confirms PSIRT as a good practice that cybersecurity practitioners – particularly large suppliers and suppliers to critical infrastructure – should consider in order to reduce risk of vulnerability exploitation in the wild. It recommends coupling PSIRT with other security-by-design practices to maximise risk reduction. The proposed model allows researchers and practitioners to assess the efficiency of similar practices in reducing the risk of vulnerability exploitation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104388"},"PeriodicalIF":4.8,"publicationDate":"2025-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143453265","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Hongjoo Jin , Sumin Yang , Haehyun Cho , Dong Hoon Lee
{"title":"Enhancing in-process isolation for robust defense against information disclosure attacks","authors":"Hongjoo Jin , Sumin Yang , Haehyun Cho , Dong Hoon Lee","doi":"10.1016/j.cose.2025.104370","DOIUrl":"10.1016/j.cose.2025.104370","url":null,"abstract":"<div><div>Memory corruption attacks continue to be a critical issue in system security, as defenders and adversaries constantly compete to develop new means to protect or exploit vulnerabilities. To safeguard against these malicious attacks, researchers have developed various methods, such as Address Space Layout Randomization (ASLR) and Stack Canary, to protect sensitive data in the memory. One method in this category is stack isolation, which relocates sensitive objects in the stack to a dedicated “safe region” to enhance security. However, attackers have devised sophisticated methods, like Allocation Oracle, to locate these safe regions, thereby undermining the protection this technique can provide. In response to these threats, we propose Satellite, a novel method that securely defends against memory corruption and information disclosure attacks by effectively protecting the safe region. Satellite ensures that return addresses stored in the safe region are safeguarded from typical vulnerabilities like buffer overflows. Moreover, our method counters information disclosure attacks, as it continuously modifies the memory layout at runtime, thus making it difficult for attackers to pinpoint the safe region. Satellite also works within the LLVM compiler framework and can, therefore, seamlessly support general C/C++ programs. To address potential compatibility issues, we develop supplementary libraries that enhance the flexibility of compiler instrumentation and evaluate the performance and effectiveness of Satellite with benchmark programs such as SPEC CPU2006 and SPEC CPU2017. We also test the impact of our proposed method on real-world applications, including the Nginx web server and the ProFTPD FTP server. Our results demonstrate that Satellite imposes a performance overhead of less than 1%, making it an efficient and effective solution for enhancing stack memory safety.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104370"},"PeriodicalIF":4.8,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143453043","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zijie Chen , Hailin Zou , Tao Hu , Xun Yuan , Xiaofen Fang , Yuanyuan Pan , Jianqing Li
{"title":"HC-NIDS: Historical contextual information based network intrusion detection system in Internet of Things","authors":"Zijie Chen , Hailin Zou , Tao Hu , Xun Yuan , Xiaofen Fang , Yuanyuan Pan , Jianqing Li","doi":"10.1016/j.cose.2025.104367","DOIUrl":"10.1016/j.cose.2025.104367","url":null,"abstract":"<div><div>In the context of the burgeoning Internet of Things (IoT), the security of interconnected devices is of paramount importance. Nevertheless, the dynamic nature of IoT networks and the challenges in low-label data volume present significant difficulties for traditional network security technologies. This paper introduces HC-NIDS, a Historical Contextual Traffic Based Network Intrusion Detection System, which addresses these challenges by leveraging contextual information from historical traffic. In HC-NIDS, we propose a novel feature representation technique based on the structure of Graph Neural Networks (GNNs), called Signal Channel Correlation Fusion Representation. This technique is designed to extract compelling features from complex historical traffic in a dynamic manner. Subsequently, the incorporation of extracted historical and current traffic features facilitates the enhancement of the efficacy and resilience of HC-NIDS against evolving network threats. A series of comprehensive experiments on four public datasets have validated the effectiveness of HC-NIDS, demonstrating its superior performance even when utilizing disparate volumes of labeled data. Notably, in multi-classification tasks, the detection outcomes remain markedly enhanced even when employing a mere 2% of original labeled training data, in comparison to the baselines. The study also investigates the impact of varying lengths of historical data and the functionality of different modules within HC-NIDS, confirming its adaptability and potential for practical application in securing IoT networks. The findings highlight the critical role of historical traffic information in enhancing the accuracy of network intrusion detection, indicating a promising direction for future research in network security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104367"},"PeriodicalIF":4.8,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143429272","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Adaptive patch transformation for adversarial defense","authors":"Xin Zhang , Shijie Xiao , Han Zhang , Lixia Ji","doi":"10.1016/j.cose.2025.104368","DOIUrl":"10.1016/j.cose.2025.104368","url":null,"abstract":"<div><div>Deep learning models are vulnerable to adversarial attacks. Although various defense methods have been proposed, such as incorporating perturbations during training, removing them in preprocessing steps or using image-to-image mapping to counter these attacks, these methods often struggle to robustly defend against diverse adversarial attacks and may affect the model’s predictions on normal samples. To address this issue, we propose an adversarial example defense method based on image transformation. First, we designed an image transformation combiner that integrates multiple image transformations for defending against adversarial examples, thereby enhancing the robustness of the method. Second, we divide the image into patches and apply different combinations of image transformations to each patch to ensure the retention of useful information and increase the flexibility of the transformations. We combined 12 geometric or color transformations using the image transformation combiner and tested it on adversarial examples generated from the MNIST, CIFAR - 10, and ImageNet datasets. Experimental results show that our method outperforms other advanced detection methods in terms of accuracy and effectively mitigates the impact of adversarial perturbations on the model.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104368"},"PeriodicalIF":4.8,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143550054","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The silence of the phishers: Early-stage voice phishing detection with runtime permission requests","authors":"Chanjong Lee , Bedeuro Kim , Hyoungshick Kim","doi":"10.1016/j.cose.2025.104364","DOIUrl":"10.1016/j.cose.2025.104364","url":null,"abstract":"<div><div>Voice phishing (vishing) is a sophisticated phone scam that causes significant financial harm to victims. Recently, vishing attacks have become more effective due to the use of vishing malware installed on victims’ devices. Conventional anti-malware solutions, which rely on static analysis of app code and permissions at install time, are circumvented by vishing malware that requests additional code and permissions after installation. We introduce <span>VishielDroid</span>, a novel system for real-time detection of vishing malware on Android devices. By dynamically tracking apps’ <em>runtime permission</em> requests, a critical indicator of malicious behavior specific to vishing malware, <span>VishielDroid</span> outperforms state-of-the-art systems in detection accuracy. Using only 98 features, <span>VishielDroid</span> achieved an F1-score of 99.78% with systematic testing, surpassing other solutions that achieve lower F1-scores (69.27% to 80.25%). The system demonstrated superior robustness across various scenarios: maintaining high performance with reduced training data and imbalanced datasets, achieving a 99.57% F1-score with a reduced feature set despite evasion attempts, and operating effectively across Android versions 8.1 to 12 with minimal modifications. We validated <span>VishielDroid</span>’s practicality through deployment on real devices, confirming marginal memory and battery consumption overheads.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104364"},"PeriodicalIF":4.8,"publicationDate":"2025-02-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143429269","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Adam Janovsky, Łukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas
{"title":"Revisiting the analysis of references among Common Criteria certified products","authors":"Adam Janovsky, Łukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas","doi":"10.1016/j.cose.2025.104362","DOIUrl":"10.1016/j.cose.2025.104362","url":null,"abstract":"<div><div>With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104362"},"PeriodicalIF":4.8,"publicationDate":"2025-02-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143421528","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Fuzzy-rule based optimized hybrid deep learning model for network intrusion detection in SDN enabled IoT network","authors":"Johnpeter T , Sakthisudhan Karuppanan","doi":"10.1016/j.cose.2025.104372","DOIUrl":"10.1016/j.cose.2025.104372","url":null,"abstract":"<div><div>The Internet of Things (IoT) devices are connected to the Internet and are prone to various IoT-based attacks. IoT attack problems cannot be adequately resolved by the existing methods. Additionally, a Software Defined Networking (SDN) based intrusion detection mechanism is proposed in this work because the existing intrusion detection mechanisms are difficult to use. This paper presents a hybrid deep learning method called Extended Hunger Games Search Optimization based on long short-term memory for intrusion detection. Initially, the input data is pre-processed with min-max normalization and one hot encoding. After that, the most significant features are identified using the Extended Wrapper Approach (EWA). Next, Fuzzy logic calculates the probabilities of intrusions such as benign user, attacker, and mixed. The request has been classified using the Dense Bidirectional long short-term memory. In order to fine-tune the parameters of the classification model, Extended Hunger Games search optimization (ExHgO) is utilized. The proposed technique's performance is compared to that of existing techniques in order to demonstrate its efficiency. The proposed technique has an accuracy of 99.5 % for the CIDDS-001 dataset, 98.76 % for the NSL-KDD dataset, 99 % for the KDD cup ’99 dataset, and 99.64 % for the UNSW NB15 dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104372"},"PeriodicalIF":4.8,"publicationDate":"2025-02-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143453044","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Andrea Augello, Alessandra De Paola, Giuseppe Lo Re
{"title":"M2FD: Mobile malware federated detection under concept drift","authors":"Andrea Augello, Alessandra De Paola, Giuseppe Lo Re","doi":"10.1016/j.cose.2025.104361","DOIUrl":"10.1016/j.cose.2025.104361","url":null,"abstract":"<div><div>The ubiquitous diffusion of mobile devices requires the availability of effective malware detection solutions to ensure user security and privacy. The dynamic nature of the mobile ecosystem, characterized by data distribution changes, poses significant challenges to the development of effective malware detection systems. Additionally, collecting up-to-date information for training machine learning models in a centralized fashion is costly, time-consuming, and privacy-invasive. To address these shortcomings, this paper presents a novel federated learning system for collaborative mobile malware detection. M2FD leverages the collective intelligence of the user community to collect valuable contributions to the detection system while preserving user privacy. Additionally, M2FD incorporates robust concept drift detection mechanisms and model retraining strategies to ensure the adaptability of the system to changing data distributions. By effectively handling concept drift, M2FD guarantees a high ability to detect malware, with 85% accuracy and 84% F1-score, even in presence of evolving attack strategies, thus avoiding the need for frequent model retraining, reducing the retraining frequency by up to 84%, so reducing the computational burden on clients. An extensive experimental evaluation performed on KronoDroid, an open-source real-world dataset, proves the effectiveness of M2FD in detecting concept drift, minimizing model updates, and achieving high accuracy in mobile malware detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104361"},"PeriodicalIF":4.8,"publicationDate":"2025-02-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143387678","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"HoleMal: A lightweight IoT malware detection framework based on efficient host-level traffic processing","authors":"Ziqian Chen, Wei Xia, Zhen Li, Gang Xiong, Gaopeng Gou, Heng Zhang, Haikuo Li, Junchao Xiao","doi":"10.1016/j.cose.2025.104360","DOIUrl":"10.1016/j.cose.2025.104360","url":null,"abstract":"<div><div>With the popularization of Internet of Things (IoT) devices, IoT security issues are becoming increasingly prominent. A significant number of devices remain highly vulnerable to malware attacks due to inadequate security management. As a solution, machine learning-based network traffic behavior analysis has proven to be effective and is widely deployed across various scenarios. However, the efficiency of network feature extraction and online detection is significantly constrained by the insufficient computing resources available on the IoT devices. To address the challenge, we propose HoleMal, a novel host-level framework to detect malicious network behavior in resource-constrained environment. HoleMal provides a comprehensive suite of host-level traffic monitoring, processing, and detection solutions, aiming to achieve optimal network protection with minimal resource cost. During the detection process, HoleMal constructs host-level traffic features from the device’s perspective. It describes a device’s behavior in 3 dimensions, including connection behavior, network activity and accessed service, corresponding to a total of 36 host-level features. As these features are unrelated to payloads, they are not affected by traffic encryption. Furthermore, HoleMal provides a cost-sensitive feature selector which is able to quantify the feature computational cost and involve the cost into the feature selection process. It identifies the host-level feature subset with superior detection capability and minimal computational cost, thereby providing theoretical basis for detection model construction, further enhancing the efficiency advantages of HoleMal. We evaluate HolaMal by multiple datasets on Raspberry Pi. The experimental results demonstrate that HoleMal exhibits robust detection performance across all datasets, and it achieves significant efficiency improvements compared to fine-grained approaches.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104360"},"PeriodicalIF":4.8,"publicationDate":"2025-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143394688","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}