Pub Date: 2026-05-01 | Epub Date: 2026-02-10 | DOI: 10.1016/j.jisa.2026.104393
Dan Cristian Turicu, Florin Oniga
Modern malware often employs anti-analysis techniques to detect virtualized or emulated environments, evading traditional dynamic analysis systems. To address this challenge, bare-metal analysis platforms have emerged as a more transparent alternative. However, efficiently monitoring them while preserving transparency and minimizing interference remains a key challenge. In this paper, we present a proof-of-concept hardware accelerator implemented on an FPGA device, designed for high-speed volatile memory acquisition and on-the-fly pool tag scanning of the memory content to extract information about active and terminated processes on a bare-metal malware execution system running Windows 10. The memory forensics accelerator leverages PCIe-based DMA to acquire the volatile memory from the monitored system and performs the scanning for process structures directly on the FPGA, without requiring any software installation on the monitored system. Our approach improves transparency and isolation, and shows significant speed advantages over conventional snapshot-based memory forensics. We evaluate the prototype and discuss its limitations and applicability in malware analysis workflows.
Title: Accelerating volatile memory forensics for bare-metal malware analysis with FPGA devices. Journal of Information Security and Applications, vol. 98, Article 104393.
Biometric authentication systems, particularly those relying on iris recognition, offer an extremely accurate and secure method of identity verification, but the very fact that such an industry exists has raised issues regarding individual privacy. Biometric data stolen from a system, unlike passwords, cannot be replaced and can be used for identity theft. This paper presents ZeroVision, a novel privacy-preserving iris authentication scheme with a blend of steganography, convolutional neural networks (CNNs), zero-knowledge proofs (zk-SNARKs), and blockchain. ZeroVision conceals iris images in cover facial images through steganography to hide their transmission and provoke transmission security. CNNs are utilized to obtain compact binary feature templates from iris images, whereas zk-SNARKs allow verifiers to authenticate template validity in zero knowledge, which keeps any sensitive information disclosure distant. Blockchain deployment guarantees that the proofs generated are accurate, verified by the verifier, and stored in a decentralized, tamper-proof fashion. Tested on the CASIA Iris Thousand and FFHQ datasets in a simulation of real-world transactions and transmissions, ZeroVision attains 91.41 % accuracy for recognition despite compact template sizes and additional noise, with proof generation and verification times of under 0.6 and 0.25 seconds, respectively. This novel architecture enables secure biometric authentication in high-risk applications where the privacy of personal data is the highest priority.
Title: Zerovision: A privacy-preserving iris authentication framework using zero knowledge proofs and steganographic safeguards. Authors: Khushil Godhani, Nihhar Shukla, Janam Patel, Rajesh Gupta, Sudeep Tanwar. Pub Date: 2026-05-01 | DOI: 10.1016/j.jisa.2025.104323. Journal of Information Security and Applications, vol. 98, Article 104323.
Pub Date: 2026-05-01 | Epub Date: 2026-02-14 | DOI: 10.1016/j.jisa.2026.104406
Sanaya Malik, Narendra Singh, Somanath Tripathy
The popularity and adoption of smartphones, especially on the Android platform, have led to the rapid growth of malware. Meanwhile, modern malware increasingly employs obfuscation and evasion techniques to bypass signature-based detection models. Malware characterization is essential as it enables understanding of the tactics and techniques that aid in threat attribution and detection of novel variants. Existing malware characterization methods often rely on static features and manually predefined rules to map techniques and procedures, which often leads to inconsistent mapping. In this work, a malware characterization approach is developed which uses system calls to capture the behavior of malicious applications. To provide lower-level abstraction, the system calls are divided into five distinct families. An autoencoder is trained on execution traces to identify the system calls characteristic of malicious operations. In addition, a fine-tuned Mistral model is used to generate system call descriptions, which are mapped to MITRE ATT&CK techniques using Sentence-BERT embeddings. We experimented with 241 different malware families, which shows that our approach achieves high-quality semantic mappings, with a cosine similarity of 0.912, BLEU score of 0.445, and BERT F1 score of 0.827. It is observed that, at the system level, malware executes system calls (across all five categories) at much higher frequencies than benign applications. Also, different malware families show distinct behavioral characteristics; for example, ransomware relied heavily on file system operations, while adware and SMSware emphasized process control. On top of this, SMC-SAM achieves better detection accuracy (97.54%) as compared to other approaches.
Title: Semantic characterization of android malware through runtime system call analysis. Journal of Information Security and Applications, vol. 98, Article 104406.
Pub Date: 2026-05-01 | Epub Date: 2026-02-04 | DOI: 10.1016/j.jisa.2026.104385
Merve Cigdem Ipek, Sevil Sen
With the escalating threat of mobile malware, there is a growing need for techniques that not only detect malware but also precisely identify and localize the malicious code within applications. Existing security solutions, including AI-based approaches, often function as black boxes, offering limited insights into the actual code responsible for malicious behavior. Manual analysis remains time-consuming and reliant on scarce expertise. To address these challenges, we propose XAIDroid, a novel framework that leverages graph neural networks (GNNs) and graph attention mechanisms to automatically locate malicious code snippets within malware. By representing code as API call graphs, XAIDroid captures semantic context and enhances resilience to obfuscation. Utilizing the Graph Attention Model (GAM) and Graph Attention Network v2 (GATv2), we assign importance scores to API nodes, facilitating focused attention on critical regions for malicious code localization. Evaluation on synthetic and real-world malware datasets demonstrates the efficacy of our approach, achieving high recall and F1-score rates for identifying malicious code. The successful implementation of automatic malicious code localization enhances the interpretability of malware analysis by explicitly identifying malicious code regions, enables scalable analysis by eliminating the need for manual localization baselines during training, and improves reliability through consistent performance on previously unseen malware variants.
Title: Explainable android malware detection and malicious code localization using graph attention. Journal of Information Security and Applications, vol. 98, Article 104385.
Pub Date: 2026-05-01 | Epub Date: 2026-01-23 | DOI: 10.1016/j.jisa.2026.104378
Reyhane Falanji, Mikael Asplund, Niklas Carlsson
In this study, we introduce MoMEP, a message transmission protocol relying on chameleon signatures. These signatures allow modification of signed messages while keeping the original signature valid. Despite their useful features, chameleon signatures have received limited use in real-world applications, such as internet protocols. Our work bridges this gap by presenting a protocol based on chameleon signatures, and formally proving its trustworthiness using symbolic formal verification. In particular, providing accountability guarantees presents unique challenges, as message modifications can erase evidence of misbehavior, breaking traditional assumptions about trace-based accountability. To address this, we define three protocol-level accountability properties (i.e., unforgeability, non-repudiation, and non-frameability) for MoMEP, complementing earlier definitions applicable for cryptographic primitives. These properties are essential to allow symbolic protocol verification and ensure accountability for all relevant entities involved in the message exchange. We also introduce an entity accountability notion that does not rely on storing protocol traces and is based on an evidence-driven verdict function. We model MoMEP in the Tamarin theorem prover and formally verify that it satisfies our accountability properties. Finally, we prove the soundness and completeness of MoMEP’s evidence-based verdict function, reinforcing its correctness and applicability for deciding accountability in real-world scenarios.
Title: MoMEP: A formally verified protocol with modifiable signed messages. Journal of Information Security and Applications, vol. 98, Article 104378.
Pub Date: 2026-05-01 | Epub Date: 2026-02-06 | DOI: 10.1016/j.jisa.2026.104384
M. Hormozi, S.H. Erfani, A. Sahafi, M. Moradi
The rise of advanced adversarial methods, especially polymorphic multi-rate Distributed Denial of Service (DDoS) attacks that use TCP congestion control mechanisms and application-layer database flooding attacks that take advantage of query complexity weaknesses, means that we need to move from reactive signature-based defenses to proactive, intelligent mitigation strategies. This study introduces Fed-Adapt, an innovative Byzantine-resilient Federated Learning framework that facilitates real-time Software-Defined Network (SDN) topology reconfiguration through mathematically assured optimization. Our architecture uses a hierarchical deep learning pipeline. Edge-deployed TCNs with dilated causal convolutions are used for real-time feature extraction. Transformer-based attention mechanisms are used for global threat correlation. The framework deals with the basic trilemma of modern network security: keeping cryptographic privacy guarantees, getting close to the best detection accuracy (95.2% F1-score), and allowing mitigation in less than a second (1.8±0.4s end-to-end latency). We present a novel entropy-variance divergence metric that captures both instantaneous statistical anomalies and temporal gradient shifts, demonstrating 40% superior sensitivity (AUC=0.97) compared to traditional Shannon entropy (AUC=0.89) for detecting slow-rate attacks operating below 0.1% of link capacity. Our Byzantine-resilient aggregation protocol uses cryptographic commitment methods (SHA-256 hash chains) and gradient clipping to keep the model converging even while 30% of the participants are trying to mess it up. This was shown through formal verification using TLA+ specifications. The topology reconfiguration engine defines network adaptation as a Mixed-Integer Quadratic Programming (MIQP) problem with 10^4 decision variables, which is addressed using interior-point methods with warm-start initialization that find ε-optimal solutions in 187±23ms. 
A lot of testing on different testbeds shows that Fed-Adapt is better: it has a detection accuracy of 95.2%, it has an 85% lower false positive rate than threshold-based systems, and it keeps the SLA for service availability at 99.7% during active mitigation. The framework's unique contribution is that it shows that the NP-hard topology reconfiguration problem can be solved in polynomial time (PTAS) under certain network conditions, making it possible to use it on a large scale on the Internet. In comparison with existing models such as SDN-Defend, FlowBlock, FL-Shield, Centra-Guard, and FL-SDN-Sync, Fed-Adapt achieves 95.2% detection accuracy while preserving privacy, clearly outperforming them across both SDN and Database-Flooding scenarios.
Title: Fed-Adapt: A Federated Learning Framework for Adaptive Topology Reconfiguration Against Multi-Rate DDoS and Database Flooding Attacks. Journal of Information Security and Applications, vol. 98, Article 104384.
Pub Date: 2026-05-01 | Epub Date: 2026-01-29 | DOI: 10.1016/j.jisa.2026.104387
Bo Wang, Xiaorui Dai, Wei Wang, Zi Yang, Zhaoning Wang, Maozhen Zhang
Federated learning (FL) allows multiple participants to collaboratively train a shared model without exposing their local data, thereby mitigating the risk of data leakage. Despite its advantages, FL is vulnerable to attacks by malicious clients, and existing defense mechanisms, while effective under independent and identically distributed (i.i.d.) settings, often exhibit degraded performance in non-i.i.d. scenarios where client data distributions differ. To overcome this limitation, we propose AMF-CFL, a robust aggregation algorithm specifically designed for federated learning under non-i.i.d. conditions. AMF-CFL reduces the influence of malicious updates through a two-step filtering strategy: it first applies multi-k-means clustering to identify anomalous update patterns, followed by z-score-based statistical analysis to refine the selection of benign updates. Comprehensive evaluations against four untargeted and two targeted attack types demonstrate that AMF-CFL effectively preserves the integrity and robustness of the global model, offering a reliable defense in challenging federated learning environments.
Title: AMF-CFL: Anomaly model filtering based on clustering in federated learning. Journal of Information Security and Applications, vol. 98, Article 104387.
Pub Date: 2026-05-01 | Epub Date: 2026-01-27 | DOI: 10.1016/j.jisa.2026.104376
Junfeng Zhao, Shen Wang
Adversarial image steganography aims to introduce a small amount of perturbation during data embedding to improve security performance, while existing works are typically based on an additive model under the framework of distortion minimization. Unlike the additive model, the non-additive model assumes that modifications of adjacent elements interact with each other. If adversarial perturbations are introduced on this basis, the performance of adversarial stegos against re-trained steganalyzers will be further improved. In this paper, we point out the reasons why the existing coupled framework causes the actual embedding structure to fail to fully meet the constraints of the non-additive embedding structure. Then, we decouple the two methods according to their roles, making them independent in structure and more flexible in combination. However, since non-additive adversarial image steganography has to follow the constraints, if the steganographer still aims to successfully attack the target model, excessive perturbations will occur. To avoid this phenomenon, we propose a mechanism based on the difference in the attack threshold between the two methods. Extensive experimental results show that if the steganographer uses the decoupled framework to reconstruct the methods, an adversarial stego that satisfies the non-additive constraints can be generated, and the security performance against re-trained steganalyzers in the spatial domain is improved by about 1%~3% compared with the additive model-based method.
Title: Decoupled framework for non-additive adversarial image steganography. Journal of Information Security and Applications, vol. 98, Article 104376.
Pub Date: 2026-05-01 | Epub Date: 2026-02-04 | DOI: 10.1016/j.jisa.2026.104392
Pablo Moriano, Steven C. Hespeler, Mingyan Li, Robert A. Bridges
Vehicular controller area networks (CANs) are susceptible to masquerade attacks by malicious adversaries. In masquerade attacks, adversaries silence a targeted ID and then send malicious frames with forged content at the expected timing of benign frames. As masquerade attacks could seriously harm vehicle functionality and are the stealthiest attacks to detect in CAN, recent work has devoted attention to comparing frameworks for detecting masquerade attacks in CAN. However, most existing works report offline evaluations using CAN logs already collected using simulations that do not comply with the domain’s real-time constraints. Here we contribute to advancing the state of the art by presenting a comparative evaluation of four different non-deep learning (DL)-based unsupervised online intrusion detection systems (IDS) for masquerade attacks in CAN. Our approach differs from existing comparative evaluations in that we analyze the effect of controlling streaming data conditions in a sliding window setting. In doing so, we use realistic masquerade attacks being replayed from the ROAD dataset. We show that although the evaluated IDS are not effective at detecting every attack type, the method that relies on detecting changes in the hierarchical structure of clusters of time series produces the best results at the expense of higher computational overhead. We discuss limitations, open challenges, and how the evaluated methods can be used for practical unsupervised online CAN IDS for masquerade attacks.
Title: Evaluating lightweight unsupervised online IDS for masquerade attacks in CAN. Authors: Pablo Moriano, Steven C. Hespeler, Mingyan Li, Robert A. Bridges. Journal of Information Security and Applications, vol. 98, Article 104392. Publication date: 2026-05-01. DOI: 10.1016/j.jisa.2026.104392
Public Key Authenticated Encryption with Keyword Search (PAEKS) allows keyword searches over encrypted data in the cloud without revealing the actual data, and the receiver can verify the sender’s authenticity or detect tampering. However, the existing PAEKS schemes are based on classical hard problems that are vulnerable to quantum attacks. To overcome these issues, lattice-based PAEKS schemes have been proposed, which provide post-quantum security but incur high computational overhead and suffer from inherent issues such as the Certificate Management Problem (CMP) or Key Escrow Problem (KEP). To address the above problems, in this paper, we introduce a Module Lattice-based Certificateless Signcryption with Keyword Search (ML-CLSCKS), which relies on Module Learning with Errors (MLWE) and Module Short Integer Solution (MSIS). The security analysis proves that ML-CLSCKS achieves both confidentiality and unforgeability against Type I and Type II adversaries in the Random Oracle Model (ROM). The performance analysis shows that ML-CLSCKS outperforms existing lattice-based PAEKS schemes and makes the practical quantum-resistant scheme suitable for searchable encryption in cloud environments.
Title: ML-CLSCKS: Module lattice based certificateless signcryption with keyword search in cloud storage. Authors: Sudeep Guntuka, Syam Kumar Pasupuleti, Satish Narayana Srirama. Journal of Information Security and Applications, vol. 98, Article 104386. Publication date: 2026-05-01. DOI: 10.1016/j.jisa.2026.104386