Journal of Information Security and Applications最新文献_第8页

Defeating evasive malware with Peekaboo: Extracting authentic malware behavior with dynamic binary instrumentation 用躲猫猫打败逃避恶意软件：用动态二进制工具提取真实的恶意软件行为

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-31 DOI: 10.1016/j.jisa.2025.104290

Matthew Gaber, Mohiuddin Ahmed, Helge Janicke

The accuracy of Artificial Intelligence (AI) in malware detection is dependent on the features it is trained with, where the quality and authenticity of these features is dependent on the dataset and the analysis tool. Evasive malware, that alters its behavior in analysis environments, is challenging to extract authentic features from where widely used static and dynamic analysis tools have several limitations. However, Dynamic Binary Instrumentation (DBI) allows deep and precise control of the malware sample, thereby facilitating the extraction of authentic behavior from evasive malware. Considering the limitations of malware analysis for use with AI, this research had two primary objectives: investigation of the evasive techniques used by modern malware and the creation of Peekaboo, a DBI tool to extract authentic data from live Windows malware samples. Peekaboo instruments and defeats evasive techniques that target analysis tools and virtual environments. A dataset of 20,500 samples was assembled and each sample was run for up to 15 min to observe not only the anti-analysis techniques used but also its complete behavior. Peekaboo outperforms other tools on several fronts, it is the only tool to measure start and completion rates, capture the executed Assembly (ASM) instructions, record all network traffic and implements the largest coverage against evasive techniques.

人工智能（AI）在恶意软件检测中的准确性取决于它所训练的特征，其中这些特征的质量和真实性取决于数据集和分析工具。规避型恶意软件会改变其在分析环境中的行为，很难从广泛使用的静态和动态分析工具中提取出真实的特征。然而，动态二进制检测（DBI）允许对恶意软件样本进行深入和精确的控制，从而促进从规避恶意软件中提取真实行为。考虑到与AI一起使用的恶意软件分析的局限性，本研究有两个主要目标：调查现代恶意软件使用的规避技术，以及创建Peekaboo（一种DBI工具，用于从实时Windows恶意软件样本中提取真实数据）。针对分析工具和虚拟环境的躲猫猫工具和失败规避技术。收集了20,500个样本的数据集，每个样本运行长达15分钟，不仅观察使用的反分析技术，还观察其完整行为。Peekaboo在几个方面都优于其他工具，它是测量启动率和完成率的唯一工具，捕获已执行的汇编（ASM）指令，记录所有网络流量，并实现最大范围的规避技术。

{"title":"Defeating evasive malware with Peekaboo: Extracting authentic malware behavior with dynamic binary instrumentation","authors":"Matthew Gaber, Mohiuddin Ahmed, Helge Janicke","doi":"10.1016/j.jisa.2025.104290","DOIUrl":"10.1016/j.jisa.2025.104290","url":null,"abstract":"<div><div>The accuracy of Artificial Intelligence (AI) in malware detection is dependent on the features it is trained with, where the quality and authenticity of these features is dependent on the dataset and the analysis tool. Evasive malware, that alters its behavior in analysis environments, is challenging to extract authentic features from where widely used static and dynamic analysis tools have several limitations. However, Dynamic Binary Instrumentation (DBI) allows deep and precise control of the malware sample, thereby facilitating the extraction of authentic behavior from evasive malware. Considering the limitations of malware analysis for use with AI, this research had two primary objectives: investigation of the evasive techniques used by modern malware and the creation of Peekaboo, a DBI tool to extract authentic data from live Windows malware samples. Peekaboo instruments and defeats evasive techniques that target analysis tools and virtual environments. A dataset of 20,500 samples was assembled and each sample was run for up to 15 min to observe not only the anti-analysis techniques used but also its complete behavior. Peekaboo outperforms other tools on several fronts, it is the only tool to measure start and completion rates, capture the executed Assembly (ASM) instructions, record all network traffic and implements the largest coverage against evasive techniques.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104290"},"PeriodicalIF":3.7,"publicationDate":"2025-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424931","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Intrusion detection systems in IoT: A detailed review of threat categories, detection strategies, and future technologies 物联网中的入侵检测系统：对威胁类别、检测策略和未来技术的详细回顾

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-31 DOI: 10.1016/j.jisa.2025.104291

Burak Aydin , Hakan Aydin , Sedat Gormus

The rapid growth of the Internet of Things (IoT) has transformed numerous sectors by enabling enhanced connectivity and automation among devices in industrial settings. However, this expansion has brought forward notable security concerns, as Internet enabled and connected devices has become increasingly vulnerable to a variety of cyberattacks. This has elevated the importance of Internet of Things security, necessitating robust defense mechanisms. In this paper, we thoroughly examine Intrusion Detection Systems (IDS) within the context of IoT networks, focusing on the different types of attacks and the corresponding detection methods designed to counteract them. Specifically, we classify IoT-specific threats into categories such as network based, device-level, data-centric, and insider attacks, providing insights into their mechanisms, impacts, and real-world occurrences. To address these threats, various IDS approaches are discussed, including signature based IDS, anomaly based IDS, specification based IDS, and hybrid IDS techniques. We further explore the application of Machine Learning in enhancing IDS capabilities for Internet of Things security. Each method’s strengths and limitations are evaluated in terms of accuracy, adaptability, computational efficiency, and scalability. By exploring emerging trends, ongoing challenges, and potential future directions in IDS research for IoT, this study underscores the urgent need for adaptive, scalable, and effective IDS frameworks to protect IoT ecosystems against evolving cyber threats. In addition, this survey provides a critical assessment of the current research landscape, highlighting the fundamental challenges that remain unresolved and outlining future research directions derived both from the existing literature and our own domain-specific analysis.

物联网（IoT）的快速增长通过增强工业环境中设备之间的连接和自动化，改变了许多行业。然而，这种扩张也带来了显著的安全问题，因为支持互联网和连接的设备越来越容易受到各种网络攻击。这提升了物联网安全的重要性，需要强大的防御机制。在本文中，我们深入研究了物联网网络背景下的入侵检测系统（IDS），重点关注不同类型的攻击以及相应的检测方法。具体来说，我们将物联网特定的威胁分为基于网络、设备级、以数据为中心和内部攻击等类别，并提供了对其机制、影响和现实世界事件的见解。为了解决这些威胁，本文讨论了各种入侵检测方法，包括基于签名的入侵检测、基于异常的入侵检测、基于规范的入侵检测和混合入侵检测技术。我们进一步探索机器学习在增强物联网安全入侵检测能力方面的应用。每种方法的优点和局限性都是根据准确性、适应性、计算效率和可伸缩性来评估的。通过探索物联网入侵防御研究的新兴趋势、持续挑战和潜在的未来方向，本研究强调了对自适应、可扩展和有效的入侵防御框架的迫切需求，以保护物联网生态系统免受不断变化的网络威胁。此外，本调查还对当前的研究前景进行了批判性评估，突出了尚未解决的基本挑战，并从现有文献和我们自己的领域特定分析中概述了未来的研究方向。

{"title":"Intrusion detection systems in IoT: A detailed review of threat categories, detection strategies, and future technologies","authors":"Burak Aydin , Hakan Aydin , Sedat Gormus","doi":"10.1016/j.jisa.2025.104291","DOIUrl":"10.1016/j.jisa.2025.104291","url":null,"abstract":"<div><div>The rapid growth of the Internet of Things (IoT) has transformed numerous sectors by enabling enhanced connectivity and automation among devices in industrial settings. However, this expansion has brought forward notable security concerns, as Internet enabled and connected devices has become increasingly vulnerable to a variety of cyberattacks. This has elevated the importance of Internet of Things security, necessitating robust defense mechanisms. In this paper, we thoroughly examine Intrusion Detection Systems (IDS) within the context of IoT networks, focusing on the different types of attacks and the corresponding detection methods designed to counteract them. Specifically, we classify IoT-specific threats into categories such as network based, device-level, data-centric, and insider attacks, providing insights into their mechanisms, impacts, and real-world occurrences. To address these threats, various IDS approaches are discussed, including signature based IDS, anomaly based IDS, specification based IDS, and hybrid IDS techniques. We further explore the application of Machine Learning in enhancing IDS capabilities for Internet of Things security. Each method’s strengths and limitations are evaluated in terms of accuracy, adaptability, computational efficiency, and scalability. By exploring emerging trends, ongoing challenges, and potential future directions in IDS research for IoT, this study underscores the urgent need for adaptive, scalable, and effective IDS frameworks to protect IoT ecosystems against evolving cyber threats. In addition, this survey provides a critical assessment of the current research landscape, highlighting the fundamental challenges that remain unresolved and outlining future research directions derived both from the existing literature and our own domain-specific analysis.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104291"},"PeriodicalIF":3.7,"publicationDate":"2025-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424927","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Collusion-resistant multi-user searchable symmetric encryption with conjunctive query and suppressed pattern leakage 具有联合查询和抑制模式泄漏的抗合谋多用户可搜索对称加密

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-28 DOI: 10.1016/j.jisa.2025.104289

Yanpeng Ba , Yuan Ping , Zengpeng Li , Zheng Yuan

Existing multi-user searchable symmetric encryption (MUSSE) schemes often depend on the honesty of users or the assumption that multiple servers will not collude, which compromises security to some extent. While a few collusion-resistant MUSSE schemes are designed for single-server settings, they are limited to single-keyword searches and suffer from significant pattern leakage, making them vulnerable to leakage-abuse attacks (LAAs). We introduce CQ-MUSSE, the first collusion-resistant MUSSE scheme in a single-server setting that supports conjunctive queries to address these limitations. Indeed, CQ-MUSSE enables users to search for multiple keywords simultaneously with a single query. The scheme leverages bloom filters to construct forward indexes and incorporates random dummy keywords into queries to obfuscate search patterns effectively reducing pattern leakage. This design enhances security at the expense of a minor reduction in search result accuracy. The scheme can precisely return documents matching the conjunctive query when pattern leakage is ignored. Experimental evaluations confirm that CQ-MUSSE provides greater search flexibility and improved security with only a moderate increase in computational overhead.

现有的多用户可搜索对称加密（MUSSE）方案往往依赖于用户的诚实性或多台服务器不会串通的假设，这在一定程度上损害了安全性。虽然一些抗合谋的MUSSE方案是为单服务器设置而设计的，但它们仅限于单关键字搜索，并且遭受严重的模式泄漏，使它们容易受到泄漏滥用攻击（LAAs）。我们引入了CQ-MUSSE，这是单服务器设置中第一个抗合谋的MUSSE方案，它支持连接查询来解决这些限制。实际上，CQ-MUSSE允许用户通过一个查询同时搜索多个关键字。该方案利用布隆过滤器构建前向索引，并在查询中加入随机虚拟关键字来混淆搜索模式，有效减少模式泄漏。这种设计增强了安全性，但代价是搜索结果的准确性略有降低。该方案可以在忽略模式泄漏的情况下，精确地返回与连接查询匹配的文档。实验评估证实，CQ-MUSSE提供了更大的搜索灵活性和改进的安全性，而计算开销仅略有增加。

{"title":"Collusion-resistant multi-user searchable symmetric encryption with conjunctive query and suppressed pattern leakage","authors":"Yanpeng Ba , Yuan Ping , Zengpeng Li , Zheng Yuan","doi":"10.1016/j.jisa.2025.104289","DOIUrl":"10.1016/j.jisa.2025.104289","url":null,"abstract":"<div><div>Existing multi-user searchable symmetric encryption (MUSSE) schemes often depend on the honesty of users or the assumption that multiple servers will not collude, which compromises security to some extent. While a few collusion-resistant MUSSE schemes are designed for single-server settings, they are limited to single-keyword searches and suffer from significant pattern leakage, making them vulnerable to leakage-abuse attacks (LAAs). We introduce CQ-MUSSE, the first collusion-resistant MUSSE scheme in a single-server setting that supports conjunctive queries to address these limitations. Indeed, CQ-MUSSE enables users to search for multiple keywords simultaneously with a single query. The scheme leverages bloom filters to construct forward indexes and incorporates random dummy keywords into queries to obfuscate search patterns effectively reducing pattern leakage. This design enhances security at the expense of a minor reduction in search result accuracy. The scheme can precisely return documents matching the conjunctive query when pattern leakage is ignored. Experimental evaluations confirm that CQ-MUSSE provides greater search flexibility and improved security with only a moderate increase in computational overhead.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104289"},"PeriodicalIF":3.7,"publicationDate":"2025-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424929","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

WeiDetect: Weibull distribution-based defense against poisoning attacks in federated learning for network intrusion detection systems WeiDetect：在网络入侵检测系统的联邦学习中，基于Weibull分布的中毒攻击防御

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-28 DOI: 10.1016/j.jisa.2025.104275

Sameera K.M. , Vinod P. , Anderson Rocha , Rafidha Rehiman K.A. , Mauro Conti

The rapid growth of Internet of Things (IoT) devices has expanded the cyber-attack surface, making traditional Network Intrusion Detection Systems (NIDS) less effective against modern, dynamic threats. The rise of privacy concerns and legal restrictions also limits the use of centralized security systems, highlighting the need for decentralized alternatives. Federated Learning (FL)-based NIDS addresses this by training models without sharing private user data. However, these systems are still vulnerable to poisoning attacks and can suffer from performance issues due to varied client data. In this paper, we introduce WeiDetect, a novel two-phase defense mechanism for FL-based NIDS. Operating on the server side, WeiDetect tackles both adversarial attacks and client data heterogeneity. It works by evaluating local models with a validation dataset, fitting their performance scores to a Weibull distribution for identifying and excluding malicious or low-quality models before aggregation. Our experimental results show that WeiDetect outperforms existing defenses, improving target class recall by up to 70% and enhancing the global model’s F1 score by 1%–14%.

物联网（IoT）设备的快速增长扩大了网络攻击面，使传统的网络入侵检测系统（NIDS）对现代动态威胁的有效性降低。隐私问题和法律限制的增加也限制了集中式安全系统的使用，凸显了对分散替代方案的需求。基于联邦学习（FL）的NIDS通过在不共享私有用户数据的情况下训练模型来解决这个问题。然而，这些系统仍然容易受到中毒攻击，并且由于客户端数据的变化，可能会出现性能问题。本文介绍了一种新的基于网络入侵的两阶段防御机制WeiDetect。在服务器端操作，WeiDetect处理对抗性攻击和客户端数据异构。它的工作原理是用验证数据集评估局部模型，将它们的性能分数拟合到威布尔分布，以便在聚合之前识别和排除恶意或低质量的模型。我们的实验结果表明，WeiDetect优于现有的防御，将目标类别召回率提高了70%，并将全局模型的F1分数提高了1%-14%。

{"title":"WeiDetect: Weibull distribution-based defense against poisoning attacks in federated learning for network intrusion detection systems","authors":"Sameera K.M. , Vinod P. , Anderson Rocha , Rafidha Rehiman K.A. , Mauro Conti","doi":"10.1016/j.jisa.2025.104275","DOIUrl":"10.1016/j.jisa.2025.104275","url":null,"abstract":"<div><div>The rapid growth of Internet of Things (IoT) devices has expanded the cyber-attack surface, making traditional Network Intrusion Detection Systems (NIDS) less effective against modern, dynamic threats. The rise of privacy concerns and legal restrictions also limits the use of centralized security systems, highlighting the need for decentralized alternatives. Federated Learning (FL)-based NIDS addresses this by training models without sharing private user data. However, these systems are still vulnerable to poisoning attacks and can suffer from performance issues due to varied client data. In this paper, we introduce WeiDetect, a novel two-phase defense mechanism for FL-based NIDS. Operating on the server side, WeiDetect tackles both adversarial attacks and client data heterogeneity. It works by evaluating local models with a validation dataset, fitting their performance scores to a Weibull distribution for identifying and excluding malicious or low-quality models before aggregation. Our experimental results show that WeiDetect outperforms existing defenses, improving target class recall by up to 70% and enhancing the global model’s F1 score by 1%–14%.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104275"},"PeriodicalIF":3.7,"publicationDate":"2025-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424930","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Quantum-safe and provable secure vehicle to infrastructure authenticated key-agreement for VANETs 量子安全和可验证的安全车辆到基础设施的VANETs认证密钥协议

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-27 DOI: 10.1016/j.jisa.2025.104274

Nahida Majeed Wani , Girraj Kumar Verma , Neeraj Kumar

The rapid progression of Vehicular Ad-Hoc Networks (VANETs) has greatly eased the dissemination of safety-critical data among vehicles. However, the susceptibility of wireless links in VANETs to malicious attacks presents a significant obstacle. To mitigate the obstacle, various authenticated key agreement (AKA) schemes have been devised to establish secure communication between vehicles and infrastructure. However, the advent of quantum computing threatens the security of traditional number theory-based AKA schemes. As a countermeasure, lattice-based schemes have emerged, offering quantum resistance. However, many such lattice-based schemes incur high computational and communication overhead. To overcome these limitations, this paper proposes an efficient and provably secure lattice-based AKA scheme for VANETs. Devised AKA protocol leverages quantum-safe lattice-based cryptography to ensure communication security between vehicles and infrastructure. A comprehensive security analysis within the Real-or-Random model framework validates the proposed scheme’s robustness. Furthermore, performance analysis shows that the proposed scheme reduces computational cost by approximately 92% and communication cost by 29% compared to the existing recent approach, making it well-suited for VANET deployment.

车载自组织网络（VANETs）的快速发展极大地简化了安全关键数据在车辆之间的传播。然而，vanet中无线链路对恶意攻击的易感性是一个重大障碍。为了减轻这一障碍，已经设计了各种身份验证密钥协议（AKA）方案来建立车辆和基础设施之间的安全通信。然而，量子计算的出现威胁着传统的基于数论的AKA方案的安全性。作为一种对策，基于晶格的方案已经出现，提供量子抗性。然而，许多这样的基于格的方案会产生很高的计算和通信开销。为了克服这些限制，本文提出了一种高效且可证明安全的基于格子的VANETs AKA方案。设计AKA协议利用基于量子安全的格子加密技术来确保车辆和基础设施之间的通信安全。在Real-or-Random模型框架内进行了全面的安全性分析，验证了该方案的鲁棒性。此外，性能分析表明，与现有的最新方法相比，所提出的方案减少了约92%的计算成本和29%的通信成本，使其非常适合VANET部署。

{"title":"Quantum-safe and provable secure vehicle to infrastructure authenticated key-agreement for VANETs","authors":"Nahida Majeed Wani , Girraj Kumar Verma , Neeraj Kumar","doi":"10.1016/j.jisa.2025.104274","DOIUrl":"10.1016/j.jisa.2025.104274","url":null,"abstract":"<div><div>The rapid progression of Vehicular Ad-Hoc Networks (VANETs) has greatly eased the dissemination of safety-critical data among vehicles. However, the susceptibility of wireless links in VANETs to malicious attacks presents a significant obstacle. To mitigate the obstacle, various authenticated key agreement (AKA) schemes have been devised to establish secure communication between vehicles and infrastructure. However, the advent of quantum computing threatens the security of traditional number theory-based AKA schemes. As a countermeasure, lattice-based schemes have emerged, offering quantum resistance. However, many such lattice-based schemes incur high computational and communication overhead. To overcome these limitations, this paper proposes an efficient and provably secure lattice-based AKA scheme for VANETs. Devised AKA protocol leverages quantum-safe lattice-based cryptography to ensure communication security between vehicles and infrastructure. A comprehensive security analysis within the Real-or-Random model framework validates the proposed scheme’s robustness. Furthermore, performance analysis shows that the proposed scheme reduces computational cost by approximately 92% and communication cost by 29% compared to the existing recent approach, making it well-suited for VANET deployment.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104274"},"PeriodicalIF":3.7,"publicationDate":"2025-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424925","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Multi-party post-quantum key exchange schemes 多方后量子密钥交换方案

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-27 DOI: 10.1016/j.jisa.2025.104288

Xuejun Fan , Fei Zhao , Xiu Xu

With the growing number of multi-user interaction scenarios, the security and efficiency of multi-party key exchange protocols have become increasingly important. Meanwhile, the rapid advancement of quantum computing brings security risks for traditional public key protocols, spurring interest in post-quantum key exchange schemes. Among various approaches, isogeny-based ones are notable for their compact parameter sizes, making them attractive for storage-constrained environments. In particular, CSIDH and its more efficient surface variant, CSURF, stand out for retaining a Diffie–Hellman (DH) structure that is rare in the post-quantum landscape.

To diversify the isogeny-based landscape and adapt the well-studied constructions from the classical DH world to the post-quantum setting, we leverage the hard homogeneous space in CSURF and propose three multi-party key exchange protocols, G-CSURF, CSURFBD and CSURFBDII. All of the protocols are formally proven to be correct and secure under the SCSSDDH assumption. Theoretical analysis reveals that CSURFBD and CSURFBDII require fewer rounds than G-CSURF, with CSURFBDII further optimizing computational and communication efficiency compared to CSURFBD. Moreover, our implementations of the three protocols demonstrate a speed-up of approximately 2% compared with the existing CSIDH-based multi-party key exchange protocols. Notably, the CSURFBDII scheme achieves the highest efficiency among the existing isogeny-based group key exchange primitives by virtue of its special tree structure and its efficient shared key computation strategy.

随着多用户交互场景的增多，多方密钥交换协议的安全性和效率变得越来越重要。同时，量子计算的快速发展给传统的公钥协议带来了安全风险，激发了人们对后量子密钥交换方案的兴趣。在各种方法中，基于等同源的方法以其紧凑的参数大小而闻名，这使得它们对存储受限的环境具有吸引力。特别是，CSIDH及其更高效的表面变体CSURF，因保留了在后量子领域中罕见的迪菲-赫尔曼（DH）结构而脱颖而出。为了使基于等基因的景观多样化，并使经典DH世界的结构适应后量子环境，我们利用CSURF中的硬同质空间，提出了三种多方密钥交换协议，G-CSURF， CSURFBD和CSURFBDII。在SCSSDDH假设下，所有协议都被正式证明是正确和安全的。理论分析表明，CSURFBD和CSURFBDII比G-CSURF所需的轮数更少，与CSURFBD相比，CSURFBDII进一步优化了计算和通信效率。此外，与现有的基于csidh的多方密钥交换协议相比，我们对这三个协议的实现证明了大约2%的速度提升。值得注意的是，CSURFBDII方案由于其特殊的树状结构和高效的共享密钥计算策略，在现有的基于同基因的组密钥交换原语中实现了最高的效率。

{"title":"Multi-party post-quantum key exchange schemes","authors":"Xuejun Fan , Fei Zhao , Xiu Xu","doi":"10.1016/j.jisa.2025.104288","DOIUrl":"10.1016/j.jisa.2025.104288","url":null,"abstract":"<div><div>With the growing number of multi-user interaction scenarios, the security and efficiency of multi-party key exchange protocols have become increasingly important. Meanwhile, the rapid advancement of quantum computing brings security risks for traditional public key protocols, spurring interest in post-quantum key exchange schemes. Among various approaches, isogeny-based ones are notable for their compact parameter sizes, making them attractive for storage-constrained environments. In particular, CSIDH and its more efficient surface variant, CSURF, stand out for retaining a Diffie–Hellman (DH) structure that is rare in the post-quantum landscape.</div><div>To diversify the isogeny-based landscape and adapt the well-studied constructions from the classical DH world to the post-quantum setting, we leverage the hard homogeneous space in CSURF and propose three multi-party key exchange protocols, G-CSURF, CSURFBD and CSURFBDII. All of the protocols are formally proven to be correct and secure under the SCSSDDH assumption. Theoretical analysis reveals that CSURFBD and CSURFBDII require fewer rounds than G-CSURF, with CSURFBDII further optimizing computational and communication efficiency compared to CSURFBD. Moreover, our implementations of the three protocols demonstrate a speed-up of approximately 2% compared with the existing CSIDH-based multi-party key exchange protocols. Notably, the CSURFBDII scheme achieves the highest efficiency among the existing isogeny-based group key exchange primitives by virtue of its special tree structure and its efficient shared key computation strategy.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104288"},"PeriodicalIF":3.7,"publicationDate":"2025-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145424928","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

The ransomware blueprint: Attack patterns and strategic variations across gangs 勒索软件的蓝图：跨团伙的攻击模式和战略变化

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-24 DOI: 10.1016/j.jisa.2025.104264

Francesco Saccone , Pietro Melillo , Arnaldo Sgueglia , Andrea Di Sorbo , Corrado Aaron Visaggio

In recent years, ransomware attacks have attracted the attention of researchers and companies, prompting new issues in identifying effective defense techniques. The study provides a comprehensive analysis of ransomware attacks and their employed tactics from 2020 to 2024, leveraging a large dataset of over 16,000 documented ransomware incidents involving 155 distinct gangs. Using this data, we identify the exploited software vulnerabilities (CVEs) and map them to specific adversarial behaviors within the MITRE ATT&CK framework. In addition to this technical mapping, we differentiated between broadly targeting “generalist” gangs and industry-focused ”specialist” gangs, and we examined variations in attack patterns across target sectors and geographic origins. Our methodology reveals the core ”ransomware blueprint”: a unified kill-chain model comprising recurring techniques spanning initial access through encryption. Key findings include the use of high-severity, widely deployed CVEs (particularly public-facing exploits, such as T1190) as entry points, followed by routine privilege escalation, lateral movement, and impact actions (e.g., T1486 for data encryption). The analysis also reveals regional and sectoral differences: (i) Russian-origin groups often emphasize rapid disruption and recovery inhibition, and (ii) other groups focus on stealthier reconnaissance. Generalist gangs (e.g., LockBit, Cl0p, ALPHV) employ advanced techniques across multiple industries, while specialist gangs concentrate on narrower sectors, using simpler methods such as phishing and credential reuse. Moreover, the number of shared techniques is employed to assess the degree of interconnection among the gangs. These findings provide actionable intelligence for defenders, highlighting the need for multi-layered defenses, targeted vulnerability management, and sector-specific hardening strategies to mitigate evolving ransomware threats.

近年来，勒索软件攻击引起了研究人员和公司的注意，引发了寻找有效防御技术的新问题。该研究对2020年至2024年期间的勒索软件攻击及其使用的策略进行了全面分析，利用了涉及155个不同团伙的16,000多个记录在案的勒索软件事件的大型数据集。使用这些数据，我们确定了被利用的软件漏洞（cve），并将它们映射到MITRE攻击和CK框架内的特定对抗性行为。除了这种技术映射之外，我们区分了广泛瞄准的“通才”团伙和专注于行业的“专家”团伙，并且我们检查了跨目标部门和地理来源的攻击模式的变化。我们的方法揭示了核心的“勒索软件蓝图”：一个统一的杀伤链模型，包括从初始访问到加密的重复技术。主要发现包括使用高严重性、广泛部署的cve（特别是面向公众的漏洞利用，如T1190）作为入口点，然后是常规特权升级、横向移动和影响操作（例如，用于数据加密的T1486）。分析还揭示了区域和部门差异：(i)俄罗斯裔团体经常强调快速破坏和恢复抑制，（ii）其他团体侧重于隐身侦察。通才型团伙（例如LockBit、Cl0p、ALPHV）在多个行业使用先进的技术，而专业团伙则专注于更狭窄的领域，使用更简单的方法，如网络钓鱼和凭证重用。此外，使用共享技术的数量来评估帮派之间的相互联系程度。这些发现为防御者提供了可操作的情报，强调了多层次防御、有针对性的漏洞管理和针对特定行业的强化策略的必要性，以减轻不断演变的勒索软件威胁。

{"title":"The ransomware blueprint: Attack patterns and strategic variations across gangs","authors":"Francesco Saccone , Pietro Melillo , Arnaldo Sgueglia , Andrea Di Sorbo , Corrado Aaron Visaggio","doi":"10.1016/j.jisa.2025.104264","DOIUrl":"10.1016/j.jisa.2025.104264","url":null,"abstract":"<div><div>In recent years, ransomware attacks have attracted the attention of researchers and companies, prompting new issues in identifying effective defense techniques. The study provides a comprehensive analysis of ransomware attacks and their employed tactics from 2020 to 2024, leveraging a large dataset of over 16,000 documented ransomware incidents involving 155 distinct gangs. Using this data, we identify the exploited software vulnerabilities (CVEs) and map them to specific adversarial behaviors within the MITRE ATT&CK framework. In addition to this technical mapping, we differentiated between broadly targeting “generalist” gangs and industry-focused ”specialist” gangs, and we examined variations in attack patterns across target sectors and geographic origins. Our methodology reveals the core ”ransomware blueprint”: a unified kill-chain model comprising recurring techniques spanning initial access through encryption. Key findings include the use of high-severity, widely deployed CVEs (particularly public-facing exploits, such as T1190) as entry points, followed by routine privilege escalation, lateral movement, and impact actions (e.g., T1486 for data encryption). The analysis also reveals regional and sectoral differences: (i) Russian-origin groups often emphasize rapid disruption and recovery inhibition, and (ii) other groups focus on stealthier reconnaissance. Generalist gangs (e.g., LockBit, Cl0p, ALPHV) employ advanced techniques across multiple industries, while specialist gangs concentrate on narrower sectors, using simpler methods such as phishing and credential reuse. Moreover, the number of shared techniques is employed to assess the degree of interconnection among the gangs. These findings provide actionable intelligence for defenders, highlighting the need for multi-layered defenses, targeted vulnerability management, and sector-specific hardening strategies to mitigate evolving ransomware threats.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104264"},"PeriodicalIF":3.7,"publicationDate":"2025-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365865","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Entropy collapse in mobile sensors: The hidden risks of sensor-based security 移动传感器中的熵崩溃：基于传感器的安全隐患

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-24 DOI: 10.1016/j.jisa.2025.104272

Carlton Shepherd, Elliot A.J. Hurley

Mobile sensor data has been proposed for security-critical applications such as device pairing, proximity detection, and continuous authentication. However, the foundational premise that these signals provide sufficient entropy remains under-explored. In this work, we systematically analyse the entropy of mobile sensor data using four datasets from multiple application contexts (UCI-HAR, SHL, Relay, and PerilZIS). Using direct computation and estimation, we report entropy values – max, Shannon, collision, and min-entropy – for an exhaustive range of sensor combinations. We demonstrate that the entropy of mobile sensors remains far below what is considered secure by modern standards for security applications, even when many sensors are combined. In particular, we observe an alarming divergence between average-case Shannon entropy and worst-case min-entropy. Single-sensor min-entropy varies between 3.408–4.483 bits despite Shannon entropy being several multiples higher. We also show that redundancies between sensor modalities contribute to a

\approx

75% reduction between Shannon and min-entropy. Indeed, min-entropy plateaus between 8.1–23.9 bits when combining up to 22 modalities, while Shannon entropy can exceed 80 bits. Adding sensors typically increases Shannon entropy but moves min-entropy by only

\approx

1–2 bits per added modality, evidencing entropy collapse under redundancy. Our results reveal that adversaries may feasibly predict sensor signals through an exhaustive exploration of the measurement space. Our work also calls into question the widely held assumption that adding more sensors inherently yields higher security. Ultimately, we strongly urge caution when relying on mobile sensor data for security applications.

移动传感器数据已被提议用于安全关键应用，如设备配对、接近检测和连续认证。然而，这些信号提供足够熵的基本前提仍有待探索。在这项工作中，我们使用来自多个应用环境（UCI-HAR， SHL， Relay和PerilZIS）的四个数据集系统地分析了移动传感器数据的熵。使用直接计算和估计，我们报告熵值-最大，香农，碰撞和最小熵-为详尽的传感器组合范围。我们证明，移动传感器的熵仍然远远低于现代安全应用标准所认为的安全，即使许多传感器组合在一起。特别是，我们观察到平均情况下香农熵和最坏情况下最小熵之间的惊人差异。单传感器最小熵在3.408-4.483比特之间变化，尽管香农熵高出几倍。我们还表明，传感器模式之间的冗余有助于香农和最小熵之间减少约75%。事实上，当组合多达22种模态时，最小熵稳定在8.1-23.9比特之间，而香农熵可以超过80比特。增加传感器通常会增加香农熵，但每个增加模态只会使最小熵增加≈1-2位，这表明冗余下的熵崩溃。我们的研究结果表明，对手可以通过对测量空间的详尽探索来预测传感器信号。我们的研究也对人们普遍持有的假设提出了质疑，即增加更多的传感器本质上就会提高安全性。最后，我们强烈建议在依赖移动传感器数据进行安全应用时要谨慎。

{"title":"Entropy collapse in mobile sensors: The hidden risks of sensor-based security","authors":"Carlton Shepherd, Elliot A.J. Hurley","doi":"10.1016/j.jisa.2025.104272","DOIUrl":"10.1016/j.jisa.2025.104272","url":null,"abstract":"<div><div>Mobile sensor data has been proposed for security-critical applications such as device pairing, proximity detection, and continuous authentication. However, the foundational premise that these signals provide sufficient entropy remains under-explored. In this work, we systematically analyse the entropy of mobile sensor data using four datasets from multiple application contexts (UCI-HAR, SHL, Relay, and PerilZIS). Using direct computation and estimation, we report entropy values – max, Shannon, collision, and min-entropy – for an exhaustive range of sensor combinations. We demonstrate that the entropy of mobile sensors remains far below what is considered secure by modern standards for security applications, even when many sensors are combined. In particular, we observe an alarming divergence between average-case Shannon entropy and worst-case min-entropy. Single-sensor min-entropy varies between 3.408–4.483 bits despite Shannon entropy being several multiples higher. We also show that redundancies between sensor modalities contribute to a <span><math><mo>≈</mo></math></span>75% reduction between Shannon and min-entropy. Indeed, min-entropy plateaus between 8.1–23.9 bits when combining up to 22 modalities, while Shannon entropy can exceed 80 bits. Adding sensors typically increases Shannon entropy but moves min-entropy by only <span><math><mo>≈</mo></math></span>1–2 bits per added modality, evidencing entropy collapse under redundancy. Our results reveal that adversaries may feasibly predict sensor signals through an exhaustive exploration of the measurement space. Our work also calls into question the widely held assumption that adding more sensors inherently yields higher security. Ultimately, we strongly urge caution when relying on mobile sensor data for security applications.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104272"},"PeriodicalIF":3.7,"publicationDate":"2025-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365341","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Res2Next with attention mechanisms for malware classification based on feature visualization 基于特征可视化的恶意软件分类的注意机制

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-24 DOI: 10.1016/j.jisa.2025.104271

Liangwei Yao , Hongliang Zhu , Yang Xin

Malware poses a significant threat to cybersecurity due to its diverse types, complex behaviors, and strong destructiveness. Accurately classifying malware is crucial for taking effective defense measures. However, traditional malware classification methods based on static and dynamic features face challenges such as poor adaptability, manual intervention, and low classification accuracy. Although improvements have been made with visualization-based image classification methods, they remain susceptible to interference information in deep feature extraction. To this end, this paper proposes an innovative malware classification framework that utilizes the feature visualization method to convert malware into RGB images, effectively preserving its rich features and avoiding reverse engineering. Afterward, a lightweight adaptive channel attention (ACA) mechanism is proposed, and ensemble models based on Res2NeXt that integrate various attention mechanisms are designed for deep feature extraction and classification. In addition, through t-SNE visualization, confusion matrix, and Grad-CAM heatmap display, the proposed Res2NeXt with ACA model as a typical example shows superior performance in feature space distribution, classification accuracy, and focusing on crucial features. In summary, a series of experiments conducted on public datasets, MMCC and MaleVis, demonstrate that the attention mechanisms in the ensemble models can effectively guide the model to focus on crucial features, filter out interference information, and enhance classification effectiveness. Specifically, the ACA attention mechanisms significantly improve classification accuracy with minimal impact on the model’s efficiency. The proposed framework achieves classification accuracy of up to 99.26% and 98.04%, respectively, surpassing the current state-of-the-art methods.

恶意软件类型多样、行为复杂、破坏性强，对网络安全构成重大威胁。准确分类恶意软件是采取有效防御措施的关键。然而，传统的基于静态和动态特征的恶意软件分类方法存在适应性差、人工干预、分类准确率低等问题。尽管基于可视化的图像分类方法得到了改进，但在深度特征提取中仍然容易受到干扰信息的影响。为此，本文提出了一种创新的恶意软件分类框架，利用特征可视化方法将恶意软件转换为RGB图像，有效地保留了其丰富的特征，避免了逆向工程。随后，提出了一种轻量级的自适应通道注意（ACA）机制，并基于Res2NeXt设计了集成多种注意机制的集成模型，用于深度特征提取和分类。此外，通过t-SNE可视化、混淆矩阵和Grad-CAM热图显示，以ACA模型为典型示例的Res2NeXt在特征空间分布、分类精度和对关键特征的关注方面表现出优异的性能。综上所述，在公共数据集、MMCC和MaleVis上进行的一系列实验表明，集成模型中的注意机制可以有效地引导模型关注关键特征，过滤掉干扰信息，提高分类效率。具体来说，ACA注意机制在对模型效率影响最小的情况下显著提高了分类精度。该框架的分类准确率分别高达99.26%和98.04%，超过了目前最先进的方法。

{"title":"Res2Next with attention mechanisms for malware classification based on feature visualization","authors":"Liangwei Yao , Hongliang Zhu , Yang Xin","doi":"10.1016/j.jisa.2025.104271","DOIUrl":"10.1016/j.jisa.2025.104271","url":null,"abstract":"<div><div>Malware poses a significant threat to cybersecurity due to its diverse types, complex behaviors, and strong destructiveness. Accurately classifying malware is crucial for taking effective defense measures. However, traditional malware classification methods based on static and dynamic features face challenges such as poor adaptability, manual intervention, and low classification accuracy. Although improvements have been made with visualization-based image classification methods, they remain susceptible to interference information in deep feature extraction. To this end, this paper proposes an innovative malware classification framework that utilizes the feature visualization method to convert malware into RGB images, effectively preserving its rich features and avoiding reverse engineering. Afterward, a lightweight adaptive channel attention (ACA) mechanism is proposed, and ensemble models based on Res2NeXt that integrate various attention mechanisms are designed for deep feature extraction and classification. In addition, through t-SNE visualization, confusion matrix, and Grad-CAM heatmap display, the proposed Res2NeXt with ACA model as a typical example shows superior performance in feature space distribution, classification accuracy, and focusing on crucial features. In summary, a series of experiments conducted on public datasets, MMCC and MaleVis, demonstrate that the attention mechanisms in the ensemble models can effectively guide the model to focus on crucial features, filter out interference information, and enhance classification effectiveness. Specifically, the ACA attention mechanisms significantly improve classification accuracy with minimal impact on the model’s efficiency. The proposed framework achieves classification accuracy of up to 99.26% and 98.04%, respectively, surpassing the current state-of-the-art methods.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104271"},"PeriodicalIF":3.7,"publicationDate":"2025-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365862","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Blockchain-based dynamic MUD profiles for tamper-proof IoT access control 基于区块链的动态MUD配置文件，用于防篡改物联网访问控制

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications

Pub Date : 2025-10-23 DOI: 10.1016/j.jisa.2025.104273

Chouhan Kumar Rath , Amit Kr. Mandal , Anirban Sarkar

The Internet of Things (IoT) has revolutionized various industries by enabling data exchange between different devices across various domains such as smart cities, healthcare, industrial automation etc. However, managing access control with growing number of IoT devices brings major security challenges. Traditional access control mechanisms such as Role-Based Access Control(RBAC) and Attribute-Based Access Control(ABAC) become very complex and computationally expansive for the large scale iot networks. Besides these, Manufacturer Usage Description (MUD) based mechanism empowers networks to restrict IoT devices to communicate only with authorized endpoints, ensuring that each device sends and receives only the intended traffic while preventing unauthorized access or data transmission. However, the static MUD profiles provided by manufacturers are not adaptable to dynamic IoT environments, where devices frequently join, leave, or change behavior. Additionally, manually creating and updating MUD profiles may not be possible and prone to errors for dynamic and large scale IoT network. To address these limitations, this paper proposes an automated framework for generating and enforcing MUD profiles based on network behavior. The framework leverages the MUD specification by analyzing network traffic and extracting the most relevant features using mutual information (MI) scores. These features, which correlate strongly with device behavior, are then used in association rule mining (ARM) to generate refined access control rules. The rules are verified and integrated into the MUD profiles, ensuring automated policy enforcement. Furthermore, the MUD profiles are stored in a tamper-resistant manner using IPFS (InterPlanetary File System), preventing them from unauthorized modifications. The framework also utilizes smart contracts on a blockchain to verify and enforce security policies. The approach improves security by allowing only intended device interactions while denying abnormal traffic, and enhances performance through efficient rule generation and enforcement. The results demonstrate that the use of ARM with MI scores improves rule quality, reduces complexity, and facilitates faster, more reliable network operations in dynamic IoT environments.

物联网（IoT）通过实现智能城市、医疗保健、工业自动化等不同领域的不同设备之间的数据交换，彻底改变了各个行业。然而，管理越来越多的物联网设备的访问控制带来了重大的安全挑战。传统的访问控制机制，如基于角色的访问控制（RBAC）和基于属性的访问控制（ABAC），对于大规模的物联网网络来说变得非常复杂和计算量庞大。除此之外，基于制造商使用描述（MUD）的机制使网络能够限制物联网设备仅与授权的端点通信，确保每个设备仅发送和接收预期的流量，同时防止未经授权的访问或数据传输。然而，制造商提供的静态MUD配置文件不适应动态物联网环境，在动态物联网环境中，设备经常加入、离开或改变行为。此外，对于动态和大规模的物联网网络，手动创建和更新MUD配置文件可能是不可能的，并且容易出错。为了解决这些限制，本文提出了一个基于网络行为生成和执行MUD配置文件的自动化框架。该框架通过分析网络流量和使用互信息（MI）分数提取最相关的特征来利用MUD规范。这些特征与设备行为密切相关，然后在关联规则挖掘（ARM）中使用它们来生成精细的访问控制规则。这些规则经过验证并集成到MUD配置文件中，从而确保自动执行策略。此外，MUD配置文件使用IPFS（星际文件系统）以防篡改的方式存储，防止未经授权的修改。该框架还利用区块链上的智能合约来验证和执行安全策略。该方法通过只允许预期的设备交互而拒绝异常流量来提高安全性，并通过有效的规则生成和实施来提高性能。结果表明，在动态物联网环境中，使用ARM和MI分数可以提高规则质量，降低复杂性，并促进更快、更可靠的网络运行。

{"title":"Blockchain-based dynamic MUD profiles for tamper-proof IoT access control","authors":"Chouhan Kumar Rath , Amit Kr. Mandal , Anirban Sarkar","doi":"10.1016/j.jisa.2025.104273","DOIUrl":"10.1016/j.jisa.2025.104273","url":null,"abstract":"<div><div>The Internet of Things (IoT) has revolutionized various industries by enabling data exchange between different devices across various domains such as smart cities, healthcare, industrial automation etc. However, managing access control with growing number of IoT devices brings major security challenges. Traditional access control mechanisms such as Role-Based Access Control(RBAC) and Attribute-Based Access Control(ABAC) become very complex and computationally expansive for the large scale iot networks. Besides these, Manufacturer Usage Description (MUD) based mechanism empowers networks to restrict IoT devices to communicate only with authorized endpoints, ensuring that each device sends and receives only the intended traffic while preventing unauthorized access or data transmission. However, the static MUD profiles provided by manufacturers are not adaptable to dynamic IoT environments, where devices frequently join, leave, or change behavior. Additionally, manually creating and updating MUD profiles may not be possible and prone to errors for dynamic and large scale IoT network. To address these limitations, this paper proposes an automated framework for generating and enforcing MUD profiles based on network behavior. The framework leverages the MUD specification by analyzing network traffic and extracting the most relevant features using mutual information (MI) scores. These features, which correlate strongly with device behavior, are then used in association rule mining (ARM) to generate refined access control rules. The rules are verified and integrated into the MUD profiles, ensuring automated policy enforcement. Furthermore, the MUD profiles are stored in a tamper-resistant manner using IPFS (InterPlanetary File System), preventing them from unauthorized modifications. The framework also utilizes smart contracts on a blockchain to verify and enforce security policies. The approach improves security by allowing only intended device interactions while denying abnormal traffic, and enhances performance through efficient rule generation and enforcement. The results demonstrate that the use of ARM with MI scores improves rule quality, reduces complexity, and facilitates faster, more reliable network operations in dynamic IoT environments.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"95 ","pages":"Article 104273"},"PeriodicalIF":3.7,"publicationDate":"2025-10-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365864","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0