Computers & Security最新文献

Understanding the chief information security officer: Qualifications and responsibilities for cybersecurity leadership

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-02-07 DOI: 10.1016/j.cose.2025.104363

Christopher A. Ramezan

As cyberattacks on businesses and critical infrastructure grow in sophistication and frequency, the Chief Information Security Officer (CISO) has become a pivotal role in organizations, tasked with leading cybersecurity programs and reducing risks to organizational assets. Given the importance of the position, this study seeks to expand on the sparse literature on the role of the CISO and provide insights on current position requirements and responsibilities to guide and inform higher education cybersecurity management programs as well as aspiring cybersecurity leaders. To better understand this critical role, this study uses a combination of natural language processing methods and manual information extraction to provide an in-depth dive into the responsibilities and requirements of the role through a comprehensive analysis of 250 CISO job postings listed across 27 nations. The results of the analysis showed that nearly 99 % of positions required prior professional experience, with 10 years being the most common experience requirement. Employers highly valued bachelor's or master's degrees in STEM or business fields, vendor-neutral certifications like the Certified Information Systems Security Manager (CISSP) or Certified Information Security Manager (CISM), strong communication skills, and knowledge of regulatory frameworks and cybersecurity standards. In contrast, technical expertise in cybersecurity platforms, programming skills, and security clearance were less frequently required, as were travel commitments. Current CISO responsibilities and requirements also emphasize the strategic and business-facing nature of the role, with an emphasis on strategic & management-level tasks, rather than tactical, technical tasks. Higher education programs seeking to train the next generation of cybersecurity leaders, as well as information technology, cybersecurity, or management professionals aspiring to obtain a CISO position should note the role requirements currently in demand by industry, as well as the strategic and management-focused tasks commonly assigned to the role and prepare accordingly.

{"title":"Understanding the chief information security officer: Qualifications and responsibilities for cybersecurity leadership","authors":"Christopher A. Ramezan","doi":"10.1016/j.cose.2025.104363","DOIUrl":"10.1016/j.cose.2025.104363","url":null,"abstract":"<div><div>As cyberattacks on businesses and critical infrastructure grow in sophistication and frequency, the Chief Information Security Officer (CISO) has become a pivotal role in organizations, tasked with leading cybersecurity programs and reducing risks to organizational assets. Given the importance of the position, this study seeks to expand on the sparse literature on the role of the CISO and provide insights on current position requirements and responsibilities to guide and inform higher education cybersecurity management programs as well as aspiring cybersecurity leaders. To better understand this critical role, this study uses a combination of natural language processing methods and manual information extraction to provide an in-depth dive into the responsibilities and requirements of the role through a comprehensive analysis of 250 CISO job postings listed across 27 nations. The results of the analysis showed that nearly 99 % of positions required prior professional experience, with 10 years being the most common experience requirement. Employers highly valued bachelor's or master's degrees in STEM or business fields, vendor-neutral certifications like the Certified Information Systems Security Manager (CISSP) or Certified Information Security Manager (CISM), strong communication skills, and knowledge of regulatory frameworks and cybersecurity standards. In contrast, technical expertise in cybersecurity platforms, programming skills, and security clearance were less frequently required, as were travel commitments. Current CISO responsibilities and requirements also emphasize the strategic and business-facing nature of the role, with an emphasis on strategic & management-level tasks, rather than tactical, technical tasks. Higher education programs seeking to train the next generation of cybersecurity leaders, as well as information technology, cybersecurity, or management professionals aspiring to obtain a CISO position should note the role requirements currently in demand by industry, as well as the strategic and management-focused tasks commonly assigned to the role and prepare accordingly.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104363"},"PeriodicalIF":4.8,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143372089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

HER-PT: An intelligent penetration testing framework with Hindsight Experience Replay

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-02-04 DOI: 10.1016/j.cose.2025.104357

Mingda Li, Tiantian Zhu, Haoqi Yan, Tieming Chen, Mingqi Lv

Penetration testing (PT) is an active method to evaluate the security of computer systems. With the continuous expansion of the scale of the network, the difficulty of penetration testing increases sharply, and at the same time, it relies heavily on expert experience. Therefore, AI-based techniques such as Deep Reinforcement Learning (DRL) will be an effective solution to automate penetration testing and reduce labor costs. However, in the existing DRL-based PT work, the attacker has a large number of low feedback behaviors, and it is difficult to collect enough successful experiences and positive learning rewards, that is, the sparse reward problem. In addition, existing works on automatic penetration based on MSF in real environments mainly focus on single-host scenarios and have not been extended to multi-host networks. In this paper, we propose a new intelligent PT framework “HER-PT” that integrates Hindsight Experience Replay (HER) techniques into DRL-based PT models in the hope of solving sparse reward problems in reinforcement learning and applying penetration testing to real multi-host scenarios. We constructed several network scenarios, trained HER-PT model agents in the cyber attack simulator Nasim for autonomous penetration testing experiments, and tried different reinforcement learning optimization schemes. Experimental results show that HER-PT can converge within 500 episodes in a medium scenario of 16 hosts, which is about 50% faster than other models. It can still maintain a success rate of 85.76% in the medium frequency dynamic change scene. The results show that HER-PT can effectively accelerate the training of the model and shorten the training period.

{"title":"HER-PT: An intelligent penetration testing framework with Hindsight Experience Replay","authors":"Mingda Li, Tiantian Zhu, Haoqi Yan, Tieming Chen, Mingqi Lv","doi":"10.1016/j.cose.2025.104357","DOIUrl":"10.1016/j.cose.2025.104357","url":null,"abstract":"<div><div>Penetration testing (PT) is an active method to evaluate the security of computer systems. With the continuous expansion of the scale of the network, the difficulty of penetration testing increases sharply, and at the same time, it relies heavily on expert experience. Therefore, AI-based techniques such as Deep Reinforcement Learning (DRL) will be an effective solution to automate penetration testing and reduce labor costs. However, in the existing DRL-based PT work, the attacker has a large number of low feedback behaviors, and it is difficult to collect enough successful experiences and positive learning rewards, that is, the sparse reward problem. In addition, existing works on automatic penetration based on MSF in real environments mainly focus on single-host scenarios and have not been extended to multi-host networks. In this paper, we propose a new intelligent PT framework “<span>HER-PT</span>” that integrates Hindsight Experience Replay (HER) techniques into DRL-based PT models in the hope of solving sparse reward problems in reinforcement learning and applying penetration testing to real multi-host scenarios. We constructed several network scenarios, trained <span>HER-PT</span> model agents in the cyber attack simulator Nasim for autonomous penetration testing experiments, and tried different reinforcement learning optimization schemes. Experimental results show that <span>HER-PT</span> can converge within 500 episodes in a medium scenario of 16 hosts, which is about 50% faster than other models. It can still maintain a success rate of 85.76% in the medium frequency dynamic change scene. The results show that <span>HER-PT</span> can effectively accelerate the training of the model and shorten the training period.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104357"},"PeriodicalIF":4.8,"publicationDate":"2025-02-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143349565","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

AGLFuzz: Automata-Guided Fuzzing for detecting logic errors in security protocol implementations

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-02-01 DOI: 10.1016/j.cose.2024.103979

Dongliang Zhao, Jiaxing Guo, Chunxiang Gu, Yonghui Zheng, Xieli Zhang

Security protocols are crucial for ensuring communication security and safeguarding data integrity in computer networks and distributed systems. The complexity of security protocol logic, coupled with implementation challenges, often results in protocol implementations failing to satisfy the security requirements due to logical errors. Unlike memory-related bugs, logical errors do not exhibit fixed patterns or behaviors, thereby rendering them especially challenging to detect. Therefore, we propose a logic error detection method based on blackbox fuzzing. This method takes protocol interaction behavior as atomic proposition, utilizes linear temporal logic on finite traces (

L T L_{f}

) to express expected properties. Logical errors are identified according to whether the abstract interaction sequence extracted from the fuzz data can be accepted by the automata corresponding to the

L T L_{f}

property. Furthermore, we design an automata-guided fuzz testing algorithm that leverages the state information of automatas to drive test sequence generation, thereby accelerating the error search process. To support this method, a general-purpose black-box fuzz testing framework, AGLFuzz, has been implemented, currently including testing modules for the TLS1.3 and IPsec protocol implementations. Experimental evaluations on several widely used TLS1.3 and IPsec protocol implementations have led to the discovery of multiple counterexamples that violated specific properties and vulnerabilities that could cause the target to crash. Notably, three of these vulnerabilities have been assigned CVE numbers, highlighting the effectiveness of the proposed method.

{"title":"AGLFuzz: Automata-Guided Fuzzing for detecting logic errors in security protocol implementations","authors":"Dongliang Zhao, Jiaxing Guo, Chunxiang Gu, Yonghui Zheng, Xieli Zhang","doi":"10.1016/j.cose.2024.103979","DOIUrl":"10.1016/j.cose.2024.103979","url":null,"abstract":"<div><div>Security protocols are crucial for ensuring communication security and safeguarding data integrity in computer networks and distributed systems. The complexity of security protocol logic, coupled with implementation challenges, often results in protocol implementations failing to satisfy the security requirements due to logical errors. Unlike memory-related bugs, logical errors do not exhibit fixed patterns or behaviors, thereby rendering them especially challenging to detect. Therefore, we propose a logic error detection method based on blackbox fuzzing. This method takes protocol interaction behavior as atomic proposition, utilizes linear temporal logic on finite traces (<span><math><mrow><mi>L</mi><mi>T</mi><msub><mrow><mi>L</mi></mrow><mrow><mi>f</mi></mrow></msub></mrow></math></span>) to express expected properties. Logical errors are identified according to whether the abstract interaction sequence extracted from the fuzz data can be accepted by the automata corresponding to the <span><math><mrow><mi>L</mi><mi>T</mi><msub><mrow><mi>L</mi></mrow><mrow><mi>f</mi></mrow></msub></mrow></math></span> property. Furthermore, we design an automata-guided fuzz testing algorithm that leverages the state information of automatas to drive test sequence generation, thereby accelerating the error search process. To support this method, a general-purpose black-box fuzz testing framework, AGLFuzz, has been implemented, currently including testing modules for the TLS1.3 and IPsec protocol implementations. Experimental evaluations on several widely used TLS1.3 and IPsec protocol implementations have led to the discovery of multiple counterexamples that violated specific properties and vulnerabilities that could cause the target to crash. Notably, three of these vulnerabilities have been assigned CVE numbers, highlighting the effectiveness of the proposed method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 103979"},"PeriodicalIF":4.8,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143097074","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Design and implementation of a closed loop time delay feedback control (CLTD-FC) system for mitigating DDos attacks

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-02-01 DOI: 10.1016/j.cose.2025.104353

Kaijiao Huang, Lifei Wang, Faisal Mehmood, Jianxun Liu

Denial of Service (DoS) attacks can be used to disrupt the availability and performance of networked systems by bombarding targeted hosts with malicious traffic thus hampering their capabilities, or worse exhausting them. In this paper, by utilizing a mathematical model that reflects the dominant features of DDoS attacks we will introduce how to explore an approach in countering its effects. We propose a closed loop time delay feedback control (CLTD-FC) system by designing an appropriate feedback controller. This infrastructure is in turn exploited to design a control theoretic mitigation strategy that effectively dampens the queue dynamics of internet routers during DDoS scenarios. Specifically, we demonstrate that the CLTD-FC scheme appropriately maintains and monitors queue stability whilst simultaneously enabling convergence to desired operational targets under continual attacks. The method is implemented in the network simulator platform NS2 to validate its proposed effectiveness. Simulation results show that the proposed CLTD-FC scheme can help to improve QoS, ensure network fairness as well as stabilize and optimize queue performance compared with Drop-tail solution.

{"title":"Design and implementation of a closed loop time delay feedback control (CLTD-FC) system for mitigating DDos attacks","authors":"Kaijiao Huang, Lifei Wang, Faisal Mehmood, Jianxun Liu","doi":"10.1016/j.cose.2025.104353","DOIUrl":"10.1016/j.cose.2025.104353","url":null,"abstract":"<div><div>Denial of Service (DoS) attacks can be used to disrupt the availability and performance of networked systems by bombarding targeted hosts with malicious traffic thus hampering their capabilities, or worse exhausting them. In this paper, by utilizing a mathematical model that reflects the dominant features of DDoS attacks we will introduce how to explore an approach in countering its effects. We propose a closed loop time delay feedback control (CLTD-FC) system by designing an appropriate feedback controller. This infrastructure is in turn exploited to design a control theoretic mitigation strategy that effectively dampens the queue dynamics of internet routers during DDoS scenarios. Specifically, we demonstrate that the CLTD-FC scheme appropriately maintains and monitors queue stability whilst simultaneously enabling convergence to desired operational targets under continual attacks. The method is implemented in the network simulator platform NS2 to validate its proposed effectiveness. Simulation results show that the proposed CLTD-FC scheme can help to improve QoS, ensure network fairness as well as stabilize and optimize queue performance compared with Drop-tail solution.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104353"},"PeriodicalIF":4.8,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149524","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Safeguarding connected autonomous vehicle communication: Protocols, intra- and inter-vehicular attacks and defenses

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-31 DOI: 10.1016/j.cose.2025.104352

Mohammed Aledhari , Rehma Razzak , Mohamed Rahouti , Abbas Yazdinejad , Reza M. Parizi , Basheer Qolomany , Mohsen Guizani , Junaid Qadir , Ala Al-Fuqaha

The advancements in autonomous driving technology, coupled with the growing interest from automotive manufacturers and tech companies, suggest a rising adoption of Connected Autonomous Vehicles (CAVs) in the near future. Despite some evidence of higher accident rates in AVs, these incidents tend to result in less severe injuries compared to traditional vehicles due to cooperative safety measures. However, the increased complexity of CAV systems exposes them to significant security vulnerabilities, potentially compromising their performance and communication integrity. This paper contributes by presenting a detailed analysis of existing security frameworks and protocols, focusing on intra- and inter-vehicle communications. We systematically evaluate the effectiveness of these frameworks in addressing known vulnerabilities and propose a set of best practices for enhancing CAV communication security. The paper also provides a comprehensive taxonomy of attack vectors in CAV ecosystems and suggests future research directions for designing more robust security mechanisms. Our key contributions include the development of a new classification system for CAV security threats, the proposal of practical security protocols, and the introduction of use cases that demonstrate how these protocols can be integrated into real-world CAV applications. These insights are crucial for advancing secure CAV adoption and ensuring the safe integration of autonomous vehicles into intelligent transportation systems.

{"title":"Safeguarding connected autonomous vehicle communication: Protocols, intra- and inter-vehicular attacks and defenses","authors":"Mohammed Aledhari , Rehma Razzak , Mohamed Rahouti , Abbas Yazdinejad , Reza M. Parizi , Basheer Qolomany , Mohsen Guizani , Junaid Qadir , Ala Al-Fuqaha","doi":"10.1016/j.cose.2025.104352","DOIUrl":"10.1016/j.cose.2025.104352","url":null,"abstract":"<div><div>The advancements in autonomous driving technology, coupled with the growing interest from automotive manufacturers and tech companies, suggest a rising adoption of Connected Autonomous Vehicles (CAVs) in the near future. Despite some evidence of higher accident rates in AVs, these incidents tend to result in less severe injuries compared to traditional vehicles due to cooperative safety measures. However, the increased complexity of CAV systems exposes them to significant security vulnerabilities, potentially compromising their performance and communication integrity. This paper contributes by presenting a detailed analysis of existing security frameworks and protocols, focusing on intra- and inter-vehicle communications. We systematically evaluate the effectiveness of these frameworks in addressing known vulnerabilities and propose a set of best practices for enhancing CAV communication security. The paper also provides a comprehensive taxonomy of attack vectors in CAV ecosystems and suggests future research directions for designing more robust security mechanisms. Our key contributions include the development of a new classification system for CAV security threats, the proposal of practical security protocols, and the introduction of use cases that demonstrate how these protocols can be integrated into real-world CAV applications. These insights are crucial for advancing secure CAV adoption and ensuring the safe integration of autonomous vehicles into intelligent transportation systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104352"},"PeriodicalIF":4.8,"publicationDate":"2025-01-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143229251","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

PatchView: Multi-modality detection of security patches

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-30 DOI: 10.1016/j.cose.2025.104356

Nitzan Farhi , Noam Koenigstein , Yuval Shavitt

Patching software become overwhelming for system administrators due to the large amounts of patch releases. Administrator should prioritize security patches to reduce the exposure to attacks, and can use for this task the Common Vulnerabilities and Exposures (CVE) system, which catalogs known security vulnerabilities in publicly released software or firmware. However, some developers choose to omit CVE publication and merely update their repositories, keeping the vulnerabilities undisclosed. Such actions leave users uninformed and potentially at risk. To this end, we present PatchView, an innovative multi-modal system tailored for the classification of commits as security patches. The system draws upon three unique data modalities associated with a commit: (1) Time-series representation of developer behavioral data within the Git repository, (2) Commit messages, and (3) The code patches. PatchView merges three single-modality sub-models, each adept at interpreting data from its designated source. A distinguishing feature of this solution is its ability to elucidate its predictions by examining the outputs of each sub-model, underscoring its interpretability. Notably, this research pioneers a language-agnostic methodology for security patch classification. Our evaluations indicate that the proposed solution can reveal concealed security patches with an accuracy of 94.52% and F1-scoreof 95.12%. The code for this paper will be made publicly available on GitHub: https://github.com/nitzanfarhi/PatchView.

{"title":"PatchView: Multi-modality detection of security patches","authors":"Nitzan Farhi , Noam Koenigstein , Yuval Shavitt","doi":"10.1016/j.cose.2025.104356","DOIUrl":"10.1016/j.cose.2025.104356","url":null,"abstract":"<div><div>Patching software become overwhelming for system administrators due to the large amounts of patch releases. Administrator should prioritize security patches to reduce the exposure to attacks, and can use for this task the Common Vulnerabilities and Exposures (CVE) system, which catalogs known security vulnerabilities in publicly released software or firmware. However, some developers choose to omit CVE publication and merely update their repositories, keeping the vulnerabilities undisclosed. Such actions leave users uninformed and potentially at risk. To this end, we present PatchView, an innovative multi-modal system tailored for the classification of commits as security patches. The system draws upon three unique data modalities associated with a commit: (1) Time-series representation of developer behavioral data within the Git repository, (2) Commit messages, and (3) The code patches. PatchView merges three single-modality sub-models, each adept at interpreting data from its designated source. A distinguishing feature of this solution is its ability to elucidate its predictions by examining the outputs of each sub-model, underscoring its interpretability. Notably, this research pioneers a language-agnostic methodology for security patch classification. Our evaluations indicate that the proposed solution can reveal concealed security patches with an accuracy of 94.52% and F1-scoreof 95.12%. The code for this paper will be made publicly available on GitHub: <span><span>https://github.com/nitzanfarhi/PatchView</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104356"},"PeriodicalIF":4.8,"publicationDate":"2025-01-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143229250","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

FineGCP: Fine-grained dependency graph community partitioning for attack investigation

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-28 DOI: 10.1016/j.cose.2024.104311

Zhaoyang Wang , Yanfei Hu , Yu Wen , Boyang Zhang , Shuailou Li , Wenbo Wang , Zheng Liu , Dan Meng

With the fierce game between attack and defense technology, network security threats become increasingly covert. Dependency graphs generated from system audit logs are currently critical tools for attack investigating. However, these graphs typically encounter the dependency explosion (edges usually exceeding 100k), making it challenging for security experts to directly analyze the attack behaviors. To reduce analysts’ workload and retain all attack activities in the dependency graph, recent research has proposed community partitioning algorithms on dependency graph. However, they fail to handle the entity involving multiple system tasks, and leave a mixture of entities associated with both attack-related tasks and normal system tasks in the graph, making the analysis of attack investigation difficult.

In this paper, we propose FineGCP, a novel fine-grained dependency graph partitioning method to address the issue of entity involving different tasks. The key idea is to distinguish entities involved in different system tasks, and assign entities performing the same task to the same community. To this end, we first introduce an execution partitioning technique that divides entities in the graph into fine-grained execution units based on their tasks. Second, considering system tasks are usually completed through the collaboration of multiple entities, we developed a graph partitioning technique for performing node embedding and community partitioning on the entities in the fine-grained dependency graphs through leveraging distinct topological structures formed by different tasks. We evaluate the effectiveness of FineGCP using two public datasets. The experimental results demonstrate that FineGCP aggregates attack nodes into an average of 1.34 communities, with 97% of the nodes in these communities being attack-related nodes, effectively aiding in attack investigations.

{"title":"FineGCP: Fine-grained dependency graph community partitioning for attack investigation","authors":"Zhaoyang Wang , Yanfei Hu , Yu Wen , Boyang Zhang , Shuailou Li , Wenbo Wang , Zheng Liu , Dan Meng","doi":"10.1016/j.cose.2024.104311","DOIUrl":"10.1016/j.cose.2024.104311","url":null,"abstract":"<div><div>With the fierce game between attack and defense technology, network security threats become increasingly covert. Dependency graphs generated from system audit logs are currently critical tools for attack investigating. However, these graphs typically encounter the dependency explosion (edges usually exceeding 100k), making it challenging for security experts to directly analyze the attack behaviors. To reduce analysts’ workload and retain all attack activities in the dependency graph, recent research has proposed community partitioning algorithms on dependency graph. However, they fail to handle the entity involving multiple system tasks, and leave a mixture of entities associated with both attack-related tasks and normal system tasks in the graph, making the analysis of attack investigation difficult.</div><div>In this paper, we propose <span>FineGCP</span>, a novel fine-grained dependency graph partitioning method to address the issue of entity involving different tasks. The key idea is to distinguish entities involved in different system tasks, and assign entities performing the same task to the same community. To this end, we first introduce an execution partitioning technique that divides entities in the graph into fine-grained execution units based on their tasks. Second, considering system tasks are usually completed through the collaboration of multiple entities, we developed a graph partitioning technique for performing node embedding and community partitioning on the entities in the fine-grained dependency graphs through leveraging distinct topological structures formed by different tasks. We evaluate the effectiveness of <span>FineGCP</span> using two public datasets. The experimental results demonstrate that <span>FineGCP</span> aggregates attack nodes into an average of 1.34 communities, with 97% of the nodes in these communities being attack-related nodes, effectively aiding in attack investigations.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104311"},"PeriodicalIF":4.8,"publicationDate":"2025-01-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149512","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A comprehensive review of current trends, challenges, and opportunities in text data privacy

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-28 DOI: 10.1016/j.cose.2025.104358

Sakib Shahriar , Rozita Dara , Rajen Akalu

The emergence of smartphones and internet accessibility around the globe have enabled billions of people to be connected to the digital world. Due to the popularity of instant messaging applications and social media, a large quantity of personal data is in text format, and processing text data in a privacy-preserving manner poses unique challenges. While existing reviews focus on privacy concerns from specific algorithmic perspectives or target only a particular domain, such as healthcare or smart metering, they fail to provide a comprehensive view that addresses the multi-layered privacy risks inherent to text data processing. Existing works often limit their scope to specialized solutions like differential privacy, anonymization, or federated learning, neglecting a broader spectrum of challenges. To fill this gap, we present a comprehensive review of privacy-enhancing solutions for text data processing in the present literature and classify the works into six categories of privacy risks: (i) unintentional memorability, (ii) membership inference, (iii) exposure and re-identification, (iv) language models and word embeddings, (v) authorship attribution, and (vi) collaborative processing. We then analyze existing privacy-enhancing solutions for text data by considering the aforementioned privacy risks. Finally, we identified several research gaps, including the need for comprehensive privacy metrics, explainable algorithms, and privacy in social media analytics.

{"title":"A comprehensive review of current trends, challenges, and opportunities in text data privacy","authors":"Sakib Shahriar , Rozita Dara , Rajen Akalu","doi":"10.1016/j.cose.2025.104358","DOIUrl":"10.1016/j.cose.2025.104358","url":null,"abstract":"<div><div>The emergence of smartphones and internet accessibility around the globe have enabled billions of people to be connected to the digital world. Due to the popularity of instant messaging applications and social media, a large quantity of personal data is in text format, and processing text data in a privacy-preserving manner poses unique challenges. While existing reviews focus on privacy concerns from specific algorithmic perspectives or target only a particular domain, such as healthcare or smart metering, they fail to provide a comprehensive view that addresses the multi-layered privacy risks inherent to text data processing. Existing works often limit their scope to specialized solutions like differential privacy, anonymization, or federated learning, neglecting a broader spectrum of challenges. To fill this gap, we present a comprehensive review of privacy-enhancing solutions for text data processing in the present literature and classify the works into six categories of privacy risks: (i) unintentional memorability, (ii) membership inference, (iii) exposure and re-identification, (iv) language models and word embeddings, (v) authorship attribution, and (vi) collaborative processing. We then analyze existing privacy-enhancing solutions for text data by considering the aforementioned privacy risks. Finally, we identified several research gaps, including the need for comprehensive privacy metrics, explainable algorithms, and privacy in social media analytics.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104358"},"PeriodicalIF":4.8,"publicationDate":"2025-01-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149526","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Realistic and balanced automated threat emulation

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-27 DOI: 10.1016/j.cose.2025.104351

Hannes Holm, Teodor Sommestad

Cyber defence exercises involve subjecting security analysts to live cyber threats in a safe environment, and is a common proactive method to increase security posture. As the design and execution of cyber threats generally is costly, researchers and practitioners have developed threat emulators that automate cyber threats without the need for human intervention. The ability of these emulators to produce threats useful for cyber defence exercises is, however, uncertain.

This paper presents an evaluation of the automated threat emulator Lore using data collected from three cyber defence exercises. During the exercises, Lore and human threat agents (often called the “red” team) subjected 132 network security analysts (often called the “blue” team) to various threats such as software exploits and shell commands. Six hypotheses related to how the actions by human red teams and Lore were perceived and managed by the security analysts were examined. Evaluations were made by studying the subjective judgments of the analysts as well as by comparing the objective ground truth to their submitted incident reports. The results show that the security analysts could not tell the difference between the actions made by the human red team and those made by Lore, and that their performance was similar regardless of the source of the threats.

{"title":"Realistic and balanced automated threat emulation","authors":"Hannes Holm, Teodor Sommestad","doi":"10.1016/j.cose.2025.104351","DOIUrl":"10.1016/j.cose.2025.104351","url":null,"abstract":"<div><div>Cyber defence exercises involve subjecting security analysts to live cyber threats in a safe environment, and is a common proactive method to increase security posture. As the design and execution of cyber threats generally is costly, researchers and practitioners have developed threat emulators that automate cyber threats without the need for human intervention. The ability of these emulators to produce threats useful for cyber defence exercises is, however, uncertain.</div><div>This paper presents an evaluation of the automated threat emulator Lore using data collected from three cyber defence exercises. During the exercises, Lore and human threat agents (often called the “red” team) subjected 132 network security analysts (often called the “blue” team) to various threats such as software exploits and shell commands. Six hypotheses related to how the actions by human red teams and Lore were perceived and managed by the security analysts were examined. Evaluations were made by studying the subjective judgments of the analysts as well as by comparing the objective ground truth to their submitted incident reports. The results show that the security analysts could not tell the difference between the actions made by the human red team and those made by Lore, and that their performance was similar regardless of the source of the threats.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104351"},"PeriodicalIF":4.8,"publicationDate":"2025-01-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143149568","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

GraphFVD: Property graph-based fine-grained vulnerability detection

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-01-25 DOI: 10.1016/j.cose.2025.104350

Miaomiao Shao, Yuxin Ding, Jing Cao, Yilin Li

Deep learning technology can automatically extract features from software source code, making it widely used for detecting software vulnerabilities. Most existing deep learning-based approaches rely on whole functions or sequence-level program slices to identify vulnerabilities. However, these approaches often struggle to capture comprehensive vulnerability semantics, leading to high false positive rates and false negative rates. In this paper, we propose GraphFVD, a novel property graph-based fine-grained vulnerability detection approach. Our approach extracts property graph-based slices from the Code Property Graph and introduces a Hierarchical Attention Graph Convolutional Network to learn graph embeddings. GraphFVD provides a fine-grained code representation that captures syntax, control flow, data flow, and the natural sequential order of source code relevant to vulnerabilities. We evaluate the effectiveness of our approach on two real-world vulnerability datasets. Experimental results demonstrate that our approach outperforms existing state-of-the-art vulnerability detection methods on both datasets.

引用次数: 0