
Journal of Information Security and Applications: latest articles

MSG: Missing-sequence generator for metamorphic malware detection
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-21. DOI: 10.1016/j.jisa.2024.103962
Rama Krishna Koppanati, Sateesh K. Peddoju
Metamorphic malware is sophisticated malware that frequently modifies its code to avoid detection by signature-based methods while producing the same output at run time. Invariably, the output register values reflect the malware's behavior. Therefore, capturing the output sequence of a binary's register values is essential to identify the evolutionary relationship between the sequences, leading to effective malware detection. In other words, generating register value sequences for the malicious code in a binary that are distinct from, or missing in, benign binaries is vital to effectively detecting both typical and metamorphic malware. This paper proposes a novel Missing Sequence Generator (MSG) that generates features in the form of missing sequences by capturing the registers' output sequence from a binary's Control Flow Graph (CFG) together with context, semantics, and control flow. We create a diverse and large-scale dataset of metamorphic malware using a metamorphic engine to conduct experiments. We also experiment with diverse non-metamorphic malware. The proposed model achieves an accuracy of 99.82% on the non-metamorphic dataset and 99.06% on the metamorphic dataset, with negligible False Positive Rates (FPRs). The proposed model outperforms the state-of-the-art models. Further, the proposed work proves its performance and effectiveness by surpassing 47 existing anti-malware products.
Journal of Information Security and Applications, Volume 89, Article 103962. Published 2025-01-21. Not open access.
Citations: 0
Real-time monitoring model of DDoS attacks using distance thresholds in Edge cooperation networks
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-21. DOI: 10.1016/j.jisa.2025.103972
Mingyue Li , Liudong Zheng , Xiaoxue Ma , Shuang Li
Edge networks have an increasing demand for real-time attack detection, as the duration of Distributed Denial-of-Service (DDoS) attacks decreases and insecure cases go unreported. However, the training and testing time of existing detection models deployed on the edge server side is expensive, so they cannot be applied well in practice. In this paper, we propose a real-time monitoring framework for DDoS attacks with edge server-device collaboration to solve these problems. Specifically, the edge server uses the k-means algorithm to represent the model boundaries and builds a separate group of recognition and monitoring models for each device by splitting the feature vectors. Furthermore, each device monitors the generated data in real time through the model and submits suspicious data to the edge server for analysis. Finally, the server utilizes the k-nearest-neighbor algorithm, extended with threshold selection and judgment, to identify at fine granularity updated benign data and specific categories of attack data. Experimental results show that the proposed scheme can effectively monitor benign data and attack data and identify attack types, while the training time, test time and storage cost are lower than those of the centralized model.
Journal of Information Security and Applications, Volume 89, Article 103972. Published 2025-01-21. Not open access.
Citations: 0
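The device/server split the abstract describes, as an added illustration that is not the authors' code: the server fits k-means on a device's benign feature vectors and ships only centroids plus a per-centroid radius to the device; the device forwards anything outside those radii; the server classifies forwarded vectors with k-nearest neighbours, but reports "unknown" when even the closest labelled vector is farther than a distance threshold tau, rather than forcing a label. The two features (packets/s, distinct source IPs/s), the clouds of sample points, k, the radius margin and tau are all constructed assumptions.

```python
# Added example (not from the paper): edge device/server DDoS monitoring with
# distance thresholds. Data, features, k, margin and tau are constructed.
import math
import random

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest(p, centroids):
    return min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))

def kmeans(points, k, iters=25):
    """Plain Lloyd k-means; seeded with the first k points so runs are reproducible."""
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for p in points:
            buckets[nearest(p, centroids)].append(p)
        for i, bucket in enumerate(buckets):
            if bucket:
                centroids[i] = [sum(col) / len(bucket) for col in zip(*bucket)]
    return centroids

def device_model(benign_points, k=2, margin=1.2):
    """Server side: fit k-means on one device's benign vectors and derive a radius
    per centroid from the farthest training point (times a margin). Only the
    centroids and radii are sent to the device, so its storage cost is tiny."""
    centroids = kmeans(benign_points, k)
    radius = [0.0] * k
    for p in benign_points:
        i = nearest(p, centroids)
        radius[i] = max(radius[i], dist(p, centroids[i]))
    return centroids, [r * margin for r in radius]

def device_monitor(model, sample):
    """Device side: True means 'outside every learned boundary, forward to server'."""
    centroids, radius = model
    i = nearest(sample, centroids)
    return dist(sample, centroids[i]) > radius[i]

def server_classify(labelled, sample, k=3, tau=150.0):
    """Server side: k-NN with a distance threshold. If the closest labelled vector
    is farther than tau, the sample matches neither known-benign nor a known
    attack class and is reported as 'unknown' (candidate for model update)."""
    neighbours = sorted(labelled, key=lambda lp: dist(lp[0], sample))[:k]
    if dist(neighbours[0][0], sample) > tau:
        return "unknown"
    votes = {}
    for _, label in neighbours:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)

# Constructed sample data: features are (packets/s, distinct source IPs/s).
_rng = random.Random(7)
def _cloud(cx, cy, sx, sy, n):
    return [(_rng.gauss(cx, sx), _rng.gauss(cy, sy)) for _ in range(n)]

BENIGN = _cloud(50, 5, 8, 1.5, 30)
SYN_FLOOD = _cloud(900, 400, 40, 30, 15)
HTTP_FLOOD = _cloud(600, 30, 40, 5, 15)
LABELLED = ([(p, "benign") for p in BENIGN] + [(p, "syn_flood") for p in SYN_FLOOD]
            + [(p, "http_flood") for p in HTTP_FLOOD])

def monitor(model, samples):
    """End to end: the device filters locally; only suspicious vectors reach the server."""
    verdicts = []
    for s in samples:
        if device_monitor(model, s):
            verdicts.append((s, server_classify(LABELLED, s)))
        else:
            verdicts.append((s, "benign(local)"))
    return verdicts

if __name__ == "__main__":
    model = device_model(BENIGN)
    for sample, verdict in monitor(model, [(55.0, 6.0), (880.0, 390.0), (300.0, 200.0)]):
        print(sample, "->", verdict)
```

The "unknown" branch is the part worth copying: without the tau check, plain k-NN would label the (300, 200) vector with whichever class happens to be nearest, which is exactly how a new attack type gets silently filed as benign.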
FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of vulnerabilities in cybersecurity
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-20. DOI: 10.1016/j.jisa.2025.103971
F.R. Parente, Emanuel B. Rodrigues, César L.C. Mattos
Inadequate Vulnerability Management (VM) techniques, relying solely on metrics such as the Common Vulnerability Scoring System (CVSS), may lead to overestimating the risk of vulnerability exploitation. This work presents FRAPE, a novel Risk-Based Vulnerability Management (RBVM) framework designed to help analysts classify and prioritize the remediation of security flaws. FRAPE combines a labeling technique called Active Learning (AL) with a Supervised Learning approach to create a Machine Learning model capable of emulating the experience of security experts in assessing vulnerability risk. The framework includes four main modules: Data Collection, which gathers the information essential for risk assessment; Vulnerability Labeling, where vulnerabilities are labeled via AL based on significant characteristics; Classification and Prioritization, which categorizes vulnerabilities and prioritizes them for remediation based on the estimated risk; and Explainability of Results, which offers a detailed analysis of why vulnerabilities are considered critical. Additionally, we implemented a computer network simulator capable of comparing the effectiveness of different VM classification and prioritization techniques. The experiments performed indicate that FRAPE outperforms the use of CVSS in VM and correctly classifies 88% of critical vulnerabilities, which is comparable to the performance obtained by security analysts.
Journal of Information Security and Applications, Volume 89, Article 103971. Published 2025-01-20. Not open access.
Citations: 0
Laconic updatable private set intersection
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-16. DOI: 10.1016/j.jisa.2025.103969
Xiangqian Kong , Lanxiang Chen , Yizhao Zhu , Yi Mu
A laconic private set intersection (PSI) protocol features a two-round communication process with an initial message that remains independent of the set sizes. It is useful for efficiently matching large server sets with smaller client sets without multiple rounds of interaction. The previous work by Aranha et al. (CCS'22) demonstrated superior efficiency but relied on a trusted third party to generate a secret value $s$ and all its powers, denoted $(g, g^{s}, g^{s^{2}}, \dots, g^{s^{|X|}})$, where $|X|$ represents the size of the receiver's set $X$. However, these protocols did not address the practical need for updatable sets on both the receiver and sender sides, i.e., the ability to add new elements, delete existing ones, or update an element by deleting it and subsequently adding a new one. In our work, we present an updatable private set intersection protocol that eliminates the need for a trusted third party. Our approach achieves constant communication complexity from the receiver to the sender and linear complexity from the sender to the receiver, while partially hiding the size of the receiver's set. We first establish an efficient PSI protocol and then propose two variants that allow both parties to modify their sets. Additionally, we prove the security of our proposed protocol against semi-honest participants within our security model.
Journal of Information Security and Applications, Volume 89, Article 103969. Published 2025-01-16. Not open access.
Citations: 0
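What the structured powers $(g, g^{s}, g^{s^{2}}, \dots)$ buy, and what the trusted party could do with the secret $s$, as an added toy example that is not the paper's protocol or code: a receiver encodes its set $X$ as the polynomial $P(x) = \prod_{x_i \in X}(x - x_i)$ and, using the published powers alone, computes the single group element $g^{P(s)}$. That one element is the same size whatever $|X|$ is (the "laconic" first message), but the length of the published list caps $|X|$, which is why the size is only partially hidden. If whoever generated $s$ kept it, they can open the same element to a different polynomial, so the scheme's binding rests entirely on $s$ being destroyed; that is the trust assumption the abstract removes. The group is deliberately tiny and the rest of the protocol (how the sender tests membership against the commitment, and the updates) is not reproduced here.

```python
# Added example (not from the paper): toy structured-setup polynomial commitment
# in a small prime-order group. Parameters are tiny on purpose.
import secrets

P = 1019   # safe prime: P = 2*Q + 1 (real deployments use ~256-bit groups)
Q = 509    # prime order of the subgroup we work in
G = 4      # a quadratic residue mod P other than 1, hence a generator of order Q

def poly_from_roots(roots):
    """Coefficients (constant term first, mod Q) of prod_i (x - r_i)."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % Q      # x * c x^i
            nxt[i] = (nxt[i] - r * c) % Q          # -r * c x^i
        coeffs = nxt
    return coeffs

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def trusted_setup(max_degree, s=None):
    """Trusted party: sample s, publish (g, g^s, ..., g^{s^max_degree}), forget s.
    The published list bounds the set size a receiver can commit to."""
    if s is None:
        s = secrets.randbelow(Q - 1) + 1
    srs = [pow(G, pow(s, i, Q), P) for i in range(max_degree + 1)]
    return srs, s

def commit(srs, coeffs):
    """g^{P(s)} from the SRS alone: prod_i (g^{s^i})^{c_i}. Needs no knowledge of s,
    and the result is one group element whatever the degree of P."""
    if len(coeffs) > len(srs):
        raise ValueError("set is larger than the setup supports")
    acc = 1
    for srs_i, c in zip(srs, coeffs):
        acc = acc * pow(srs_i, c, P) % P
    return acc

def equivocate(s, honest_coeffs, fake_roots):
    """What a party that kept s can do: a different polynomial with the same value
    at s, hence the same commitment. Binding rests on s being destroyed."""
    fake = poly_from_roots(fake_roots)
    fake[0] = (fake[0] + poly_eval(honest_coeffs, s) - poly_eval(fake, s)) % Q
    return fake

def demo(s=123):   # fixed s only so the demo is reproducible
    srs, s = trusted_setup(max_degree=8, s=s)
    small = poly_from_roots([11, 22, 33])
    large = poly_from_roots([11, 22, 33, 44, 55, 66, 77, 88])
    c_small, c_large = commit(srs, small), commit(srs, large)
    fake = equivocate(s, small, [1, 2, 3])
    return {
        "one_element_each": all(0 < c < P for c in (c_small, c_large)),
        "matches_direct": c_large == pow(G, poly_eval(large, s), P),   # someone who knows s
        "same_commitment": commit(srs, fake) == c_small,
        "fake_differs": fake != small,
    }

if __name__ == "__main__":
    print(demo())
```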
Severity-based triage of cybersecurity incidents using kill chain attack graphs
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-16. DOI: 10.1016/j.jisa.2024.103956
Lukáš Sadlek , Muhammad Mudassar Yamin , Pavel Čeleda , Basel Katt
Security teams process a vast number of security events. Their security analysts spend considerable time triaging cybersecurity alerts. Many alerts reveal incidents that must be handled first and escalated to more experienced staff to allow appropriate responses according to their severity. The current state requires an automated approach that considers contextual relationships among security events, especially detected attack tactics and techniques. In this paper, we propose a new graph-based approach for incident triage. First, it generates a kill chain attack graph from host and network data. Second, it creates sequences of detected alerts that could represent ongoing multi-step cyber attacks and matches them with the attack graph. Last, it assigns severity levels to the created sequences of alerts according to the most advanced kill chain phases that were used and the criticality of assets. We implemented the approach using the MulVAL attack graph generator and generation rules for MITRE ATT&CK techniques. The evaluation was accomplished in a testbed where multi-step attack scenarios were executed. Classification of sequences of alerts based on computed match scores achieved an area under the receiver operating characteristic curve of 0.95 in feasible time. Moreover, a threshold exists that classifies 80% of positive sequences correctly and only a small percentage of negative sequences wrongly. Therefore, the approach selects malicious sequences of alerts and significantly improves incident triage.
Journal of Information Security and Applications, Volume 89, Article 103956. Published 2025-01-16. Not open access.
Citations: 0
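The three steps of the abstract on a toy scale, as an added illustration that is not the authors' implementation: alerts are grouped per target host into time-ordered sequences, each sequence gets a match score equal to the fraction of its consecutive technique pairs that are edges of that host's kill chain attack graph, and sequences over a threshold are ranked by the most advanced kill chain phase reached times the asset's criticality. The attack graph, the technique-to-phase mapping, the asset criticalities, the alert stream and the 0.5 threshold are all constructed here; a real deployment would generate the graph with MulVAL-style rules and take alerts from an IDS or EDR.

```python
# Added example (not the paper's code): kill-chain-based alert sequence triage.
# Graph, technique/phase map, criticalities and alerts are constructed.
from dataclasses import dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed mapping of ATT&CK technique IDs to the kill chain phase they realize.
TECHNIQUE_PHASE = {
    "T1046": "reconnaissance",         # Network Service Discovery
    "T1190": "exploitation",           # Exploit Public-Facing Application
    "T1059": "exploitation",           # Command and Scripting Interpreter
    "T1053": "installation",           # Scheduled Task/Job
    "T1071": "command_and_control",    # Application Layer Protocol
    "T1041": "actions_on_objectives",  # Exfiltration Over C2 Channel
}

# Constructed kill chain attack graph: per host, the technique transitions the
# graph says are possible given that host's services and reachability.
ATTACK_GRAPH = {
    "web01": {("T1046", "T1190"), ("T1190", "T1059"), ("T1059", "T1053"),
              ("T1053", "T1071"), ("T1071", "T1041")},
    "hr-db": {("T1046", "T1190"), ("T1190", "T1071")},
}
ASSET_CRITICALITY = {"web01": 2, "hr-db": 5}   # 1 = low .. 5 = crown jewel

@dataclass(frozen=True)
class Alert:
    ts: int
    host: str
    technique: str

def build_sequences(alerts):
    """Step 2a: one time-ordered technique sequence per target host."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a.technique)
    return by_host

def match_score(host, seq):
    """Step 2b: fraction of consecutive alert pairs that are edges of the host's graph."""
    if len(seq) < 2:
        return 0.0
    edges = ATTACK_GRAPH.get(host, set())
    hits = sum((a, b) in edges for a, b in zip(seq, seq[1:]))
    return hits / (len(seq) - 1)

def severity(host, seq):
    """Step 3: most advanced kill chain phase reached (1..7) times asset criticality."""
    phases = [KILL_CHAIN.index(TECHNIQUE_PHASE[t]) + 1 for t in seq if t in TECHNIQUE_PHASE]
    return max(phases, default=0) * ASSET_CRITICALITY.get(host, 1)

def triage(alerts, threshold=0.5):
    """Sequences whose match score clears the threshold are ranked by severity;
    the rest are left at severity 0 for the analyst queue."""
    rows = []
    for host, seq in build_sequences(alerts).items():
        score = match_score(host, seq)
        malicious = score >= threshold
        rows.append({"host": host, "sequence": seq, "match": round(score, 2),
                     "malicious": malicious,
                     "severity": severity(host, seq) if malicious else 0})
    return sorted(rows, key=lambda r: r["severity"], reverse=True)

# Constructed alert stream: two real chains plus unrelated noise on a kiosk.
SAMPLE_ALERTS = [
    Alert(1, "web01", "T1046"), Alert(2, "web01", "T1190"), Alert(3, "web01", "T1059"),
    Alert(4, "hr-db", "T1046"), Alert(5, "web01", "T1053"), Alert(6, "hr-db", "T1190"),
    Alert(7, "hr-db", "T1041"), Alert(8, "web01", "T1071"),
    Alert(2, "kiosk", "T1071"), Alert(9, "kiosk", "T1046"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Note what the ranking does with the hr-db sequence: only half of its transitions match the graph, yet it lands on top because it reached the final phase on a critical asset, whereas the fully matching web01 chain stops at command and control on a low-value host. That is the intended effect of combining phase progress with asset criticality rather than match score alone.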
MLPN: Multi-Scale Laplacian Pyramid Network for deepfake detection and localization
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-14. DOI: 10.1016/j.jisa.2025.103965
Yibo Zhang , Weiguo Lin , Junfeng Xu , Wanshang Xu , Yikun Xu
Sophisticated and realistic facial manipulation videos created by deepfake technology have become ubiquitous, leading to profound trust crises and security risks in contemporary society. However, various researchers concentrate on enhancing the precision and generalization of deepfake detection models, with little attention to forgery localization. Detecting deepfakes and identifying the forged regions is a challenging task. We propose an end-to-end model that performs deepfake detection and forgery localization based on the Laplacian pyramid. The model uses an encoder–decoder architecture. Specifically, the encoder generates multi-scale features. The decoder gradually integrates multi-scale features and Laplacian residuals to reconstruct the prediction masks in a coarse-to-fine manner. In addition, we adopt a spatial pyramid pooling approach to handle high-level semantic features and integrate local and global information. Comprehensive experiments demonstrate that the proposed model performs satisfactorily in deepfake detection and localization.
Journal of Information Security and Applications, Volume 89, Article 103965. Published 2025-01-14. Not open access.
Citations: 0
A pairing-free proxy re-encryption scheme suitable for cloud medical information systems
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-14. DOI: 10.1016/j.jisa.2025.103967
Han Zhou , Lunzhi Deng , Yaying Wu , Sihua Zhou
The cloud medical information system provides a platform for patients and doctors to share data. Patients send files containing personal medical data to cloud storage, which reduces their own storage burden and facilitates other doctors' access to the data files. To ensure the privacy of sensitive information deposited on the communal network platform, patients should encrypt their data before submitting it to the platform. Nevertheless, the effective sharing of encrypted data in the public cloud brings new challenges. Proxy re-encryption (PRE) allows a proxy, who is unable to decrypt the original ciphertext, to convert the original ciphertext into a new ciphertext using a re-encryption key, so that the new receiver can decrypt the new ciphertext to obtain the plaintext. In this article, we design a new PRE scheme for cloud medical information systems. The new scheme has two merits. First, it is secure against chosen-ciphertext attacks (IND-CCA) and resistant to collusion attacks, meaning that the proxy cannot obtain the data owner's secret key even if it colludes with the data receiver. Second, it has higher computational efficiency than other schemes because it does not use bilinear pairing operations.
Journal of Information Security and Applications, Volume 89, Article 103967. Published 2025-01-14. Not open access.
Citations: 0
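What a PRE proxy does, and what "collusion resistance" protects against, as an added example that is not the paper's scheme: this is the classic pairing-free, ElGamal-based proxy re-encryption of Blaze, Bleumer and Strauss (1998) in a deliberately tiny group. A ciphertext for the owner's key $g^a$ is $(g^{ak}, m\cdot g^k)$; the re-encryption key is $rk = b/a \bmod q$; the proxy raises the first component to $rk$ and obtains $g^{bk}$, which the receiver with $b$ can open, while the proxy itself never sees $g^k$ or $m$. The weakness the abstract's scheme avoids is visible in the last function: the proxy's $rk$ together with the receiver's $b$ gives $a = b\cdot rk^{-1}$, the owner's secret key. The patient/doctor roles, the fixed keys and the message value are constructed for the demo; the scheme is also bidirectional and only CPA-level at best, which is the gap between it and the IND-CCA, collusion-resistant construction the abstract claims.

```python
# Added example (not the paper's scheme): BBS98 ElGamal-based proxy re-encryption
# in a toy group, plus the collusion attack it is vulnerable to.
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy size)
Q = 509    # prime subgroup order
G = 4      # generator of the order-Q subgroup

def keygen(sk=None):
    """Return (secret a, public g^a); a fixed sk is only for reproducible demos."""
    sk = sk if sk is not None else secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, k=None):
    """Ciphertext for pk = g^a: (pk^k, m * g^k). m is any element of Z_P^*."""
    k = k if k is not None else secrets.randbelow(Q - 1) + 1
    return pow(pk, k, P), m * pow(G, k, P) % P

def decrypt(sk, ct):
    c1, c2 = ct
    g_k = pow(c1, pow(sk, -1, Q), P)          # (g^{a k})^{1/a} = g^k
    return c2 * pow(g_k, -1, P) % P

def rekey(sk_from, sk_to):
    """rk_{A->B} = b / a mod Q. In BBS98 this needs both secrets (or a joint
    computation) and is bidirectional: rk_{B->A} is simply its inverse."""
    return sk_to * pow(sk_from, -1, Q) % Q

def reencrypt(rk, ct):
    """Proxy step: (g^{a k})^{b/a} = g^{b k}, so the result decrypts under b.
    The proxy learns neither g^k nor m from this."""
    c1, c2 = ct
    return pow(c1, rk, P), c2

def collude(rk, sk_to):
    """Collusion: proxy's rk = b/a plus delegatee's b gives a = b * rk^{-1} mod Q."""
    return sk_to * pow(rk, -1, Q) % Q

def demo():
    a, pk_a = keygen(77)        # patient (data owner / delegator)
    b, pk_b = keygen(301)       # doctor (data receiver / delegatee)
    m = 42                      # stands in for a record-encryption key (constructed)
    ct = encrypt(pk_a, m, k=5)
    rk = rekey(a, b)
    ct_b = reencrypt(rk, ct)
    return {
        "owner_decrypts": decrypt(a, ct) == m,
        "delegatee_decrypts_reencrypted": decrypt(b, ct_b) == m,
        "delegatee_cannot_decrypt_original": decrypt(b, ct) != m,
        "collusion_recovers_owner_key": collude(rk, b) == a,
    }

if __name__ == "__main__":
    print(demo())
```

The last dictionary entry is the whole point: once the doctor's key and the proxy's re-encryption key are in the same hands, every ciphertext ever addressed to the patient is open, not just the ones the proxy was asked to convert. A collusion-resistant scheme must make $rk$ reveal nothing about $a$ even given $b$.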
Intelligent detection framework for IoT-botnet detection: DBN-RNN with improved feature set
IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-12. DOI: 10.1016/j.jisa.2024.103961
Sandip Y. Bobade , Ravindra S Apare , Ravindra H. Borhade , Parikshit N. Mahalle
The pervasive adoption of IoT devices has significantly enhanced connectivity but also introduced vulnerabilities, particularly through IoT botnets, which exploit compromised devices for large-scale attacks. Current detection methods, although effective, often face challenges in accuracy. This work proposes a new framework for IoT botnet detection utilizing an optimized hybrid classification technique. The framework comprises two primary phases: feature extraction and attack detection. Initially, various features, including statistical measures, higher-order statistics, improved correlation-based insights, and flow-based characteristics, are extracted from IoT network data. Notably, the approach enhances traditional correlation analysis by weighting data points based on proximity, refining the detection of the complex relationships crucial for identifying botnet behaviors. To identify attacks, the system uses a hybrid classifier that integrates an Improved Deep Belief Network (IDBN) with a Recurrent Neural Network (RNN). The Improved DBN incorporates batch normalization and dropout layers, along with a modified Gumbel softmax activation function, to bolster its robustness against noisy data and prevent overfitting, while the RNN excels in sequential data analysis, capturing temporal dependencies within IoT traffic. Additionally, Self-Adaptive Beluga Whale Optimization (SA-BWO) is used to optimize the RNN weights, enhancing detection accuracy through adaptive parameter tuning. Experimental validation demonstrates the framework's superior performance in detecting IoT botnet activities, surpassing conventional methods in accuracy and resilience.
Journal of Information Security and Applications, Volume 89, Article 103961. Published 2025-01-12. Not open access.
Citations: 0
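The feature-extraction phase described above is the part of the framework a detection engineer can reproduce without the DBN-RNN. The following is an added example, not the paper's code: it groups constructed packet records into flows and computes statistical measures (mean, std), higher-order statistics (skewness, excess kurtosis), flow-based characteristics (byte and packet counts, duration, rate, inter-arrival times) and a weighted Pearson correlation. The packet records, the flow key `(src, dst, dport)` and the feature names are assumptions made for the example; the paper's proximity-based weighting scheme is not reproduced, the weight vector is simply left to the caller.

```python
"""Flow-level feature extraction for IoT traffic (added example, not the
paper's code): statistical, higher-order and flow-based features."""
from collections import defaultdict
from math import sqrt

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, length).
# Flow A alternates small and large packets on telnet; flow B is a burst of
# identical 60-byte packets, the shape a scanning bot typically produces.
PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.9", 23, 100),
    (0.1, "10.0.0.5", "203.0.113.9", 23, 1400),
    (0.2, "10.0.0.5", "203.0.113.9", 23, 100),
    (0.3, "10.0.0.5", "203.0.113.9", 23, 1400),
    (0.4, "10.0.0.5", "203.0.113.9", 23, 100),
    (1.000, "10.0.0.7", "198.51.100.2", 80, 60),
    (1.001, "10.0.0.7", "198.51.100.2", 80, 60),
    (1.002, "10.0.0.7", "198.51.100.2", 80, 60),
    (1.003, "10.0.0.7", "198.51.100.2", 80, 60),
]


def moments(values):
    """Population mean, std, skewness and excess kurtosis of a sample.
    Skewness and kurtosis are the higher-order statistics; a constant
    sample has zero variance, so both are reported as 0.0."""
    n = len(values)
    mu = sum(values) / n
    m2 = sum((v - mu) ** 2 for v in values) / n
    if m2 == 0.0:
        return mu, 0.0, 0.0, 0.0
    m3 = sum((v - mu) ** 3 for v in values) / n
    m4 = sum((v - mu) ** 4 for v in values) / n
    return mu, sqrt(m2), m3 / m2 ** 1.5, m4 / m2 ** 2 - 3.0


def weighted_correlation(x, y, w):
    """Weighted Pearson correlation. The weight vector is the hook for
    emphasising some samples over others (assumption: the paper's
    proximity-based weighting is not reproduced here)."""
    sw = sum(w)
    mx = sum(wi * xi for wi, xi in zip(w, x)) / sw
    my = sum(wi * yi for wi, yi in zip(w, y)) / sw
    cov = sum(wi * (xi - mx) * (yi - my) for wi, xi, yi in zip(w, x, y)) / sw
    vx = sum(wi * (xi - mx) ** 2 for wi, xi in zip(w, x)) / sw
    vy = sum(wi * (yi - my) ** 2 for wi, yi in zip(w, y)) / sw
    if vx < 1e-12 or vy < 1e-12:      # numerically constant series: uncorrelated
        return 0.0
    return cov / sqrt(vx * vy)


def extract_flow_features(packets):
    """Group packets into (src, dst, dport) flows and compute per-flow features."""
    flows = defaultdict(list)
    for ts, src, dst, dport, length in sorted(packets):
        flows[(src, dst, dport)].append((ts, length))
    features = {}
    for key, pkts in flows.items():
        times = [t for t, _ in pkts]
        lengths = [n for _, n in pkts]
        iats = [b - a for a, b in zip(times, times[1:])]   # inter-arrival times
        l_mean, l_std, l_skew, l_kurt = moments(lengths)
        i_mean, i_std, _, _ = moments(iats) if iats else (0.0, 0.0, 0.0, 0.0)
        duration = times[-1] - times[0]
        # does a packet's size track the gap that preceded it? (equal weights)
        corr = (weighted_correlation(lengths[1:], iats, [1.0] * len(iats))
                if len(iats) > 1 else 0.0)
        features[key] = {
            "n_packets": len(pkts),
            "total_bytes": sum(lengths),
            "duration_s": duration,
            # single-packet flows get rate 0.0 rather than a division by zero
            "packets_per_s": len(pkts) / duration if duration > 0 else 0.0,
            "len_mean": l_mean, "len_std": l_std,
            "len_skew": l_skew, "len_kurt": l_kurt,
            "iat_mean": i_mean, "iat_std": i_std,
            "corr_len_iat": corr,
        }
    return features


if __name__ == "__main__":
    for key, feats in extract_flow_features(PACKETS).items():
        print(key, {k: round(v, 4) for k, v in feats.items()})
```

On the constructed input the two flows separate cleanly: flow A has a positive packet-length skew (more small packets than large ones) and a strongly negative excess kurtosis (a two-valued distribution), while flow B has zero length variance, a sub-millisecond mean inter-arrival time and a rate above a thousand packets per second. These are the kinds of feature vectors the hybrid classifier above would be trained on.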
PRAAD: Pseudo representation adversarial learning for unsupervised anomaly detection
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2025-01-11 DOI: 10.1016/j.jisa.2025.103968 Vol. 89, Article 103968
Liang Xi, Dong He, Han Liu
As one of the typical means of anomaly detection, unsupervised reconstruction-based anomaly detection methods usually extract the normal representations and utilize the reconstruction error to detect the anomalies. The main framework is the autoencoder. If the autoencoder has strong generalization ability, the anomalies could also be well reconstructed, resulting in model misjudgment. Therefore, we propose a Pseudo Representation Adversarial learning model for unsupervised Anomaly Detection (PRAAD). Specifically, we design a pseudo-representation-based data augmentation strategy to enrich the latent distribution for capturing additional normal patterns through an adversarial learning strategy. Based on this, PRAAD could improve the confidence of normal reconstruction rather than abnormal reconstruction. Finally, we additionally consider the distance of the sample to the latent distribution to synthesize the anomaly score. Experimental results on real image and cybersecurity datasets show that PRAAD outperforms the state-of-the-art baselines.
Citations: 0
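The failure mode the abstract starts from, an autoencoder that generalizes well enough to reconstruct anomalies too, and the remedy of adding the sample's distance to the latent distribution into the score, can both be shown with a model small enough to check by hand. The following is an added example and not PRAAD's code: a linear autoencoder fitted in closed form (the first principal component of the training data) stands in for the deep autoencoder, the training points are constructed, and the anomaly score is the plain sum of reconstruction error and a standardized latent distance with a weight of 1.0, all of which are assumptions of the example rather than the paper's design.

```python
"""Reconstruction-based anomaly scoring plus a latent-distance term
(added example, not the PRAAD code)."""
from math import sqrt

# Constructed "normal" training data: 2-D points close to the line y = x.
NORMAL = [(1.0, 1.1), (2.0, 1.9), (3.0, 3.2), (4.0, 3.8),
          (5.0, 5.1), (6.0, 5.9), (7.0, 7.1), (8.0, 7.9)]


class LinearAutoencoder:
    """2-D -> 1-D linear autoencoder fitted in closed form (first principal
    component). encode() projects onto the axis, decode() maps back."""

    def fit(self, points):
        n = len(points)
        self.mx = sum(x for x, _ in points) / n
        self.my = sum(y for _, y in points) / n
        cxx = sum((x - self.mx) ** 2 for x, _ in points) / (n - 1)
        cyy = sum((y - self.my) ** 2 for _, y in points) / (n - 1)
        cxy = sum((x - self.mx) * (y - self.my) for x, y in points) / (n - 1)
        # largest eigenvalue / eigenvector of the 2x2 covariance matrix
        tr, det = cxx + cyy, cxx * cyy - cxy * cxy
        lam = tr / 2.0 + sqrt(max(tr * tr / 4.0 - det, 0.0))
        if cxy != 0.0:
            ux, uy = cxy, lam - cxx
        else:
            ux, uy = (1.0, 0.0) if cxx >= cyy else (0.0, 1.0)
        norm = sqrt(ux * ux + uy * uy)
        self.u = (ux / norm, uy / norm)
        # the latent distribution of normal data: mean and spread of the codes
        codes = [self.encode(p) for p in points]
        self.z_mean = sum(codes) / n
        self.z_std = sqrt(sum((z - self.z_mean) ** 2 for z in codes) / (n - 1))
        return self

    def encode(self, p):
        return (p[0] - self.mx) * self.u[0] + (p[1] - self.my) * self.u[1]

    def decode(self, z):
        return (self.mx + z * self.u[0], self.my + z * self.u[1])

    def reconstruction_error(self, p):
        rx, ry = self.decode(self.encode(p))
        return (p[0] - rx) ** 2 + (p[1] - ry) ** 2

    def latent_distance(self, p):
        """How many standard deviations the code is from the normal codes."""
        return abs(self.encode(p) - self.z_mean) / self.z_std

    def score(self, p, weight=1.0):
        """Anomaly score: reconstruction error plus weighted latent distance."""
        return self.reconstruction_error(p) + weight * self.latent_distance(p)


def demo():
    ae = LinearAutoencoder().fit(NORMAL)
    # An anomaly the decoder reproduces exactly: it lies on the learned
    # manifold, but its code sits 8 standard deviations from the normal codes.
    on_manifold = ae.decode(ae.z_mean + 8.0 * ae.z_std)
    off_manifold = (3.0, -1.0)   # an anomaly far away from the manifold
    return {
        "max_normal_error": max(ae.reconstruction_error(p) for p in NORMAL),
        "max_normal_score": max(ae.score(p) for p in NORMAL),
        "on_manifold_error": ae.reconstruction_error(on_manifold),
        "on_manifold_score": ae.score(on_manifold),
        "off_manifold_error": ae.reconstruction_error(off_manifold),
        "off_manifold_score": ae.score(off_manifold),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value:.4f}")
```

The point of `demo()` is the on-manifold anomaly: its reconstruction error is smaller than that of every normal training point, so a detector that thresholds on reconstruction error alone passes it as normal, while the latent-distance term puts its score well above anything seen in training. The off-manifold anomaly is caught by the reconstruction term as usual, so the combined score handles both cases.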
SPNet: Seam carving detection via spatial-phase learning
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2025-01-11 DOI: 10.1016/j.jisa.2025.103963 Vol. 89, Article 103963
Jiyou Chen, Zhi Lv, Ge Jiao, Ming Xia, Gaobo Yang
Seam carving is an image content-aware retargeting operation that can automatically insert seams to expand an image or remove seams to reduce image size. However, it can also perform illegal image tampering by inserting or removing objects. We observe that upsampling is a necessary step for seam removal or insertion, and accumulating such steps can lead to significant changes in the frequency domain, particularly in the phase spectrum. In fact, according to the properties of natural images, the phase spectrum retains rich frequency components, which can complement the loss of the amplitude spectrum and provide additional information. To this end, we propose a spatial phase-based network (SPNet) that combines spatial and phase spectra to capture retargeting artifacts for image seam carving detection. In addition, since the artifacts of the seam carving operation usually hide in local regions, the local texture feature is more effective than the high-level semantic one. Based on this, we introduce a shallow network to reduce the receptive field, which highlights the local features while suppressing high-level semantic information.
Citations: 0
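The operation SPNet is built to detect is easy to state but worth seeing in code: a seam is an 8-connected path of pixels from the top row to the bottom row, chosen to minimise an energy measure, and retargeting removes or duplicates that path. The following is an added example, not the paper's code, and it demonstrates the general algorithm rather than any one forgery: a gradient-magnitude energy map, the dynamic-programming search for the cheapest vertical seam, and the removal and insertion steps. The energy function, the tie-breaking rule and the constructed 4x5 image are assumptions of the example.

```python
"""Content-aware retargeting by seam carving (added example, not the
paper's code): energy map, cheapest-seam search, seam removal/insertion."""

# Constructed 4x5 grayscale image. Column 2 is flat and its horizontal
# neighbours are symmetric, so it is the only zero-energy path from top to
# bottom and should be the seam that gets removed.
IMAGE = [
    [0, 200, 50, 200, 0],
    [200, 0, 50, 0, 200],
    [0, 200, 50, 200, 0],
    [200, 0, 50, 0, 200],
]


def energy_map(img):
    """Per-pixel energy: |horizontal gradient| + |vertical gradient| using
    central differences, with neighbours clamped at the border."""
    h, w = len(img), len(img[0])
    e = [[0] * w for _ in range(h)]
    for i in range(h):
        for j in range(w):
            left, right = img[i][max(j - 1, 0)], img[i][min(j + 1, w - 1)]
            up, down = img[max(i - 1, 0)][j], img[min(i + 1, h - 1)][j]
            e[i][j] = abs(right - left) + abs(down - up)
    return e


def find_vertical_seam(img):
    """Return (column index per row, total energy) of the cheapest 8-connected
    top-to-bottom seam; ties are broken towards the leftmost column."""
    e = energy_map(img)
    h, w = len(e), len(e[0])
    cost = [row[:] for row in e]          # cumulative minimum energy
    back = [[0] * w for _ in range(h)]    # column chosen in the row above
    for i in range(1, h):
        for j in range(w):
            lo, hi = max(j - 1, 0), min(j + 1, w - 1)
            k = min(range(lo, hi + 1), key=lambda c: cost[i - 1][c])
            cost[i][j] += cost[i - 1][k]
            back[i][j] = k
    j = min(range(w), key=lambda c: cost[h - 1][c])
    total = cost[h - 1][j]
    seam = [0] * h
    for i in range(h - 1, -1, -1):        # walk the back pointers upwards
        seam[i] = j
        j = back[i][j]
    return seam, total


def remove_seam(img, seam):
    """Shrink the image by one column, dropping the seam pixel in each row."""
    return [row[:j] + row[j + 1:] for row, j in zip(img, seam)]


def insert_seam(img, seam):
    """Grow the image by one column: duplicate the seam pixel, averaged with
    its right neighbour. This is the upsampling step that leaves artifacts."""
    out = []
    for row, j in zip(img, seam):
        right = row[j + 1] if j + 1 < len(row) else row[j]
        out.append(row[:j + 1] + [(row[j] + right) // 2] + row[j + 1:])
    return out


if __name__ == "__main__":
    seam, total = find_vertical_seam(IMAGE)
    print("seam:", seam, "energy:", total)
    for row in remove_seam(IMAGE, seam):
        print(row)
```

Removing an object is just this loop run repeatedly with the object's pixels given artificially low energy, and expanding an image is `insert_seam` run on the cheapest seams of the original; every inserted pixel is an interpolated value, which is the per-pixel trace that a spatial and phase-spectrum detector looks for.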