Computers & Security最新文献

A scenario-driven dynamic assessment model for data credibility 情景驱动的数据可信度动态评估模型

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-14 DOI: 10.1016/j.cose.2025.104805

Zechen Li , Guozhen Shi , Kai Chen

With the rapid development of information technology, data has become the core element driving decision-making, and the explosive growth of massive data makes data governance face new challenges. The diversity of data sources and the dynamic complexity of application scenarios lead to uneven data quality, so there is an urgent practical need to construct accurate and efficient data credibility assessment methods. Existing researches are mostly limited to a single domain, which leads to fragmentation of assessment standards and makes it difficult to adapt to the needs of multiple scenarios. To address the above problems, this study proposes a dynamic data credibility assessment paradigm with universal applicability. Specifically, firstly, we construct a four-layer data credibility assessment index system based on national standards and domain guidelines through UML modeling technology, which realizes quantifiable disassembly from the target layer to the index layer and ensures cross-scenario compatibility and scalability of the assessment framework. Second, a scenario-driven dynamic fuzzy assessment model is proposed, which consists of a scene adaptation layer, an index optimization layer, a weight dynamic allocation layer and a comprehensive assessment layer. The key assessment indexes are screened by the scene feature analysis and the improved analytical hierarchy process, and the combination of the subjective and objective weights and the modification model are combined to achieve a dynamic balance of the weights, and a fuzzy comprehensive evaluation model is introduced to deal with uncertainties in the assessment process, and finally get the comprehensive assessment grade of data credibility. Finally, this study applies the framework to a vehicle forensics scenario for case analysis and evaluates the method’s accuracy using both simulated and real-world data. The results demonstrate its effectiveness in complex scenarios.

随着信息技术的快速发展，数据已成为驱动决策的核心要素，海量数据的爆发式增长使数据治理面临新的挑战。数据源的多样性和应用场景的动态复杂性导致数据质量参差不齐，因此迫切需要构建准确高效的数据可信度评估方法。现有研究多局限于单一领域，导致评估标准碎片化，难以适应多场景的需求。针对上述问题，本研究提出了一种具有普遍适用性的动态数据可信度评估范式。具体而言，首先，基于国家标准和领域指南，通过UML建模技术构建了四层数据可信度评估指标体系，实现了从目标层到指标层的可量化分解，保证了评估框架的跨场景兼容性和可扩展性。其次，提出了场景驱动的动态模糊评价模型，该模型由场景适应层、指标优化层、权重动态分配层和综合评价层组成；通过场景特征分析和改进的层次分析法筛选关键评价指标，结合主客观权重组合和修正模型实现权重的动态平衡，并引入模糊综合评价模型处理评价过程中的不确定性，最终得到数据可信度的综合评价等级。最后，本研究将该框架应用于车辆取证场景进行案例分析，并使用模拟和真实数据评估该方法的准确性。结果证明了该方法在复杂场景下的有效性。

{"title":"A scenario-driven dynamic assessment model for data credibility","authors":"Zechen Li , Guozhen Shi , Kai Chen","doi":"10.1016/j.cose.2025.104805","DOIUrl":"10.1016/j.cose.2025.104805","url":null,"abstract":"<div><div>With the rapid development of information technology, data has become the core element driving decision-making, and the explosive growth of massive data makes data governance face new challenges. The diversity of data sources and the dynamic complexity of application scenarios lead to uneven data quality, so there is an urgent practical need to construct accurate and efficient data credibility assessment methods. Existing researches are mostly limited to a single domain, which leads to fragmentation of assessment standards and makes it difficult to adapt to the needs of multiple scenarios. To address the above problems, this study proposes a dynamic data credibility assessment paradigm with universal applicability. Specifically, firstly, we construct a four-layer data credibility assessment index system based on national standards and domain guidelines through UML modeling technology, which realizes quantifiable disassembly from the target layer to the index layer and ensures cross-scenario compatibility and scalability of the assessment framework. Second, a scenario-driven dynamic fuzzy assessment model is proposed, which consists of a scene adaptation layer, an index optimization layer, a weight dynamic allocation layer and a comprehensive assessment layer. The key assessment indexes are screened by the scene feature analysis and the improved analytical hierarchy process, and the combination of the subjective and objective weights and the modification model are combined to achieve a dynamic balance of the weights, and a fuzzy comprehensive evaluation model is introduced to deal with uncertainties in the assessment process, and finally get the comprehensive assessment grade of data credibility. Finally, this study applies the framework to a vehicle forensics scenario for case analysis and evaluates the method’s accuracy using both simulated and real-world data. The results demonstrate its effectiveness in complex scenarios.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104805"},"PeriodicalIF":5.4,"publicationDate":"2025-12-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145791416","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Techniques and metrics for evasion attack mitigation 规避攻击缓解的技术和指标

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-13 DOI: 10.1016/j.cose.2025.104802

Francesco Bergadano , Sandeep Gupta , Bruno Crispo

Evasion attacks pose a substantial risk to the application of Machine Learning (ML) in Cybersecurity, potentially leading to safety hazards or security breaches in large-scale deployments. Adversaries can employ evasion attacks as an initial tactic to deceive malware or network scanners using ML, thereby orchestrating traditional cyber attacks to disrupt systems availability or compromise integrity. Adversarial data designed to fool AI systems for cybersecurity can be engineered by strategically selecting, modifying, or creating test instances. This paper presents novel defender-centric techniques and metrics for mitigating evasion attacks by leveraging adversarial knowledge, exploring potential exploitation methods, and enhancing alarm detection capabilities. We first introduce two new evasion resistance metrics: adversarial failure rate (afr) and adversarial failure curves (afc). These metrics generalize previous approaches, as they can be applied to threshold classifiers, facilitating analyses for adversarial attacks comparable to those performed with Receiver Operating Characteristics (ROC) curve. Subsequently, we propose two novel evasion resistance techniques (trainset size pinning and model matrix), extending research in keyed intrusion detection and randomization. We explore the application of proposed techniques and metrics to an intrusion detection system as a pilot study using two public datasets, ‘BETH 2021’ and ‘Kyoto 2015’, which are well-established cybersecurity datasets for uncertainty and robustness benchmarking. The experimental results demonstrate that the combination of the proposed randomization techniques consistently produces remarkable improvement over other known randomization techniques.

规避攻击对机器学习（ML）在网络安全中的应用构成了重大风险，可能导致大规模部署中的安全隐患或安全漏洞。攻击者可以将逃避攻击作为初始策略，使用ML欺骗恶意软件或网络扫描仪，从而编排传统的网络攻击，以破坏系统可用性或损害完整性。可以通过战略性地选择、修改或创建测试实例来设计用于欺骗人工智能系统进行网络安全的对抗性数据。本文提出了新的以防御者为中心的技术和指标，通过利用对抗性知识、探索潜在的利用方法和增强警报检测能力来减轻逃避攻击。我们首先引入了两个新的规避阻力指标：对抗失败率（afr）和对抗失效曲线（afc）。这些指标概括了以前的方法，因为它们可以应用于阈值分类器，促进对抗性攻击的分析，可与使用接收者操作特征（ROC）曲线进行的分析相媲美。随后，我们提出了两种新的抗规避技术（列车集尺寸固定和模型矩阵），扩展了键控入侵检测和随机化的研究。我们将提出的技术和指标应用于入侵检测系统作为试点研究，使用两个公共数据集“BETH 2021”和“京都2015”，这两个数据集是用于不确定性和鲁棒性基准测试的成熟网络安全数据集。实验结果表明，与其他已知的随机化技术相比，所提出的随机化技术的组合始终产生显著的改进。

{"title":"Techniques and metrics for evasion attack mitigation","authors":"Francesco Bergadano , Sandeep Gupta , Bruno Crispo","doi":"10.1016/j.cose.2025.104802","DOIUrl":"10.1016/j.cose.2025.104802","url":null,"abstract":"<div><div>Evasion attacks pose a substantial risk to the application of Machine Learning (ML) in Cybersecurity, potentially leading to safety hazards or security breaches in large-scale deployments. Adversaries can employ evasion attacks as an initial tactic to deceive malware or network scanners using ML, thereby orchestrating traditional cyber attacks to disrupt systems availability or compromise integrity. Adversarial data designed to fool AI systems for cybersecurity can be engineered by strategically selecting, modifying, or creating test instances. This paper presents novel defender-centric techniques and metrics for mitigating evasion attacks by leveraging adversarial knowledge, exploring potential exploitation methods, and enhancing alarm detection capabilities. We first introduce two new evasion resistance metrics: adversarial failure rate (<em>afr</em>) and adversarial failure curves (<em>afc</em>). These metrics generalize previous approaches, as they can be applied to threshold classifiers, facilitating analyses for adversarial attacks comparable to those performed with Receiver Operating Characteristics (ROC) curve. Subsequently, we propose two novel evasion resistance techniques (trainset size pinning and model matrix), extending research in keyed intrusion detection and randomization. We explore the application of proposed techniques and metrics to an intrusion detection system as a pilot study using two public datasets, ‘BETH 2021’ and ‘Kyoto 2015’, which are well-established cybersecurity datasets for uncertainty and robustness benchmarking. The experimental results demonstrate that the combination of the proposed randomization techniques consistently produces remarkable improvement over other known randomization techniques.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104802"},"PeriodicalIF":5.4,"publicationDate":"2025-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145790900","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

An 〈entity, organization〉 integrated access control model 一个<实体、组织>集成访问控制模型

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-06 DOI: 10.1016/j.cose.2025.104799

Ruijun Zhang , Chengyi Lu , Yang Wu , Zexi Zhang

Literature indicates that traditional access control models face critical challenges in dynamic business environments, including excessive storage costs, delayed permission adjustments, and insufficient precision in cross-departmental collaboration. To solve these problems, we propose an <entity, organization>-integrated access control model (EO-IAC).The model utilizes quad-dimensional dynamic permission entities to generate policy sets in real time, and combines with hierarchical resource classification strategies to automate data ownership labeling. It innovatively adopts an orthogonally decoupled architecture separating business permissions from data permissions, reducing permission storage complexity from the combinatorial explosion of traditional models to linear scale. The model integrates task-based dynamic authorization mechanisms and lightweight permission generation/verification algorithms to resolve cross-departmental fine-grained control failures. Experiments show EO-IAC model reduces storage overhead by 1–2 orders of magnitude compared to RBAC and ABAC in manufacturing scenarios, while decreasing high-frequency access latency by at least 15%. This study provides a lightweight solution for zero-trust access control in dynamic environments.

文献表明，传统的访问控制模型在动态的业务环境中面临着严峻的挑战，包括存储成本过高、权限调整延迟、跨部门协作精度不足等。为了解决这些问题，我们提出了实体、组织集成访问控制模型（EO-IAC）。该模型利用四维动态权限实体实时生成策略集，并结合分层资源分类策略实现数据所有权自动标注。创新采用正交解耦架构，将业务权限与数据权限分离，将传统模型的组合爆炸式的权限存储复杂度降低到线性规模。该模型集成了基于任务的动态授权机制和轻量级权限生成/验证算法，以解决跨部门的细粒度控制故障。实验表明，与RBAC和ABAC相比，EO-IAC模型在制造场景下将存储开销降低了1-2个数量级，同时将高频访问延迟降低了至少15%。本研究为动态环境下的零信任访问控制提供了一个轻量级的解决方案。

{"title":"An 〈entity, organization〉 integrated access control model","authors":"Ruijun Zhang , Chengyi Lu , Yang Wu , Zexi Zhang","doi":"10.1016/j.cose.2025.104799","DOIUrl":"10.1016/j.cose.2025.104799","url":null,"abstract":"<div><div>Literature indicates that traditional access control models face critical challenges in dynamic business environments, including excessive storage costs, delayed permission adjustments, and insufficient precision in cross-departmental collaboration. To solve these problems, we propose an <entity, organization>-integrated access control model (EO-IAC).The model utilizes quad-dimensional dynamic permission entities to generate policy sets in real time, and combines with hierarchical resource classification strategies to automate data ownership labeling. It innovatively adopts an orthogonally decoupled architecture separating business permissions from data permissions, reducing permission storage complexity from the combinatorial explosion of traditional models to linear scale. The model integrates task-based dynamic authorization mechanisms and lightweight permission generation/verification algorithms to resolve cross-departmental fine-grained control failures. Experiments show EO-IAC model reduces storage overhead by 1–2 orders of magnitude compared to RBAC and ABAC in manufacturing scenarios, while decreasing high-frequency access latency by at least 15%. This study provides a lightweight solution for zero-trust access control in dynamic environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104799"},"PeriodicalIF":5.4,"publicationDate":"2025-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145738724","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

BeaCon: Automatic container policy generation using environment-aware dynamic analysis BeaCon：使用环境感知动态分析自动生成容器策略

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-05 DOI: 10.1016/j.cose.2025.104789

Haney Kang , Eduard Marin , Myoungsung You , Diego Perino , Seungwon Shin , Jinwoo Kim

This paper introduces BeaCon, a novel tool for the automated generation of adjustable container security policies. Unlike prior approaches, BeaCon leverages dynamic analysis to simulate realistic environments, uncovering container execution paths that may remain hidden during the profiling phase. To address the challenge of exploring vast profiling spaces, we employ efficient heuristics to reveal additional system events with minimal effort. In addition, BeaCon incorporates a security and functionality scoring mechanism to prioritize system calls and capabilities based on their impact on the host OS kernel’s security and the functionality of containerized applications. By integrating these scores, BeaCon achieves a customized balance between security and functionality, enabling cloud providers to enforce security measures while maintaining tenant availability. We implemented a prototype of BeaCon using eBPF kernel technology and conducted extensive evaluations. Results from the top 15 containers, which revealed significant improvements, demonstrate that BeaCon identifies an average of 16.5 % additional syscalls by applying diverse environments. Furthermore, we evaluated its effectiveness in mitigating risks associated with 45 known vulnerabilities (e.g., CVEs), showcasing its potential to significantly enhance container security. Additionally, we performed proof-of-concept demonstrations for two well-known security vulnerabilities, showing that BeaCon successfully reduces attack surface by blocking these exploits.

本文介绍了一种用于自动生成可调容器安全策略的新工具BeaCon。与之前的方法不同，BeaCon利用动态分析来模拟真实的环境，揭示在分析阶段可能仍然隐藏的容器执行路径。为了解决探索巨大分析空间的挑战，我们使用有效的启发式方法以最小的努力揭示额外的系统事件。此外，BeaCon还集成了一个安全性和功能性评分机制，根据系统调用和功能对主机操作系统内核安全性和容器化应用程序功能的影响对它们进行优先级排序。通过集成这些分数，BeaCon实现了安全性和功能之间的自定义平衡，使云提供商能够在维护租户可用性的同时实施安全措施。我们使用eBPF内核技术实现了一个BeaCon原型，并进行了广泛的评估。来自前15个容器的结果显示了显著的改进，表明通过应用不同的环境，BeaCon平均识别出16.5%的额外系统调用。此外，我们评估了其在降低45个已知漏洞（例如cve）相关风险方面的有效性，展示了其显著增强容器安全性的潜力。此外，我们对两个众所周知的安全漏洞进行了概念验证演示，表明BeaCon通过阻止这些漏洞成功地减少了攻击面。

{"title":"BeaCon: Automatic container policy generation using environment-aware dynamic analysis","authors":"Haney Kang , Eduard Marin , Myoungsung You , Diego Perino , Seungwon Shin , Jinwoo Kim","doi":"10.1016/j.cose.2025.104789","DOIUrl":"10.1016/j.cose.2025.104789","url":null,"abstract":"<div><div>This paper introduces <span>BeaCon</span>, a novel tool for the automated generation of adjustable container security policies. Unlike prior approaches, <span>BeaCon</span> leverages dynamic analysis to simulate realistic environments, uncovering container execution paths that may remain hidden during the profiling phase. To address the challenge of exploring vast profiling spaces, we employ efficient heuristics to reveal additional system events with minimal effort. In addition, <span>BeaCon</span> incorporates a security and functionality scoring mechanism to prioritize system calls and capabilities based on their impact on the host OS kernel’s security and the functionality of containerized applications. By integrating these scores, <span>BeaCon</span> achieves a customized balance between security and functionality, enabling cloud providers to enforce security measures while maintaining tenant availability. We implemented a prototype of <span>BeaCon</span> using eBPF kernel technology and conducted extensive evaluations. Results from the top 15 containers, which revealed significant improvements, demonstrate that <span>BeaCon</span> identifies an average of 16.5 % additional syscalls by applying diverse environments. Furthermore, we evaluated its effectiveness in mitigating risks associated with 45 known vulnerabilities (e.g., CVEs), showcasing its potential to significantly enhance container security. Additionally, we performed proof-of-concept demonstrations for two well-known security vulnerabilities, showing that <span>BeaCon</span> successfully reduces attack surface by blocking these exploits.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104789"},"PeriodicalIF":5.4,"publicationDate":"2025-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145738725","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

The Reverse File System: Towards open cost-effective secure WORM storage devices for logging 反向文件系统：迈向开放、经济、安全的WORM日志存储设备

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-05 DOI: 10.1016/j.cose.2025.104786

Gorka Guardiola Múzquiz, Juan González-Gómez, Enrique Soriano-Salvador

Write Once Read Many (WORM) properties for storage devices are desirable to ensure data immutability for applications such as secure logging, regulatory compliance, archival storage, and other types of backup systems. WORM devices guarantee that data, once written, cannot be altered or deleted. However, implementing secure and compatible WORM storage remains a challenge. Traditional solutions often rely on specialized hardware, which is either costly, closed, or inaccessible to the general public. Distributed approaches, while promising, introduce additional risks such as denial-of-service vulnerabilities and operational complexity. We introduce Socarrat, a novel, cost-effective, and local WORM storage solution that leverages a simple external USB device-specifically, a single-board computer running Linux with USB On-The-Go (OTG) support. The resulting device can be connected via USB, appearing as an ordinary external disk formatted with an ext4 or exFAT file system, without requiring any specialized software or drivers. By isolating the WORM enforcement mechanism in a dedicated USB hardware module, Socarrat significantly reduces the attack surface and ensures that even privileged attackers cannot modify or erase stored data. In addition to the WORM capacity, the system is designed to be tamper-evident, becoming resilient against advanced attacks. This work describes a novel approach, the Reverse File System, based on inferring the file system operations occurring at higher layers in the host computer where Socarrat is mounted. The paper also describes the current Socarrat prototype, implemented in Go and available as free/libre software. Finally, it provides a complete evaluation of the logging performance on different single-board computers.

存储设备的WORM （Write Once Read Many）属性对于安全日志记录、法规遵从性、归档存储和其他类型的备份系统等应用程序来说是必要的，可以确保数据的不变性。WORM设备保证数据写入后不能被修改或删除。然而，实现安全兼容的WORM存储仍然是一个挑战。传统的解决方案通常依赖于专门的硬件，这些硬件要么价格昂贵，要么是封闭的，要么是公众无法访问的。分布式方法虽然很有前途，但也带来了额外的风险，比如拒绝服务漏洞和操作复杂性。我们介绍Socarrat，这是一种新颖的、具有成本效益的本地WORM存储解决方案，它利用一个简单的外部USB设备——具体来说，是一台运行Linux并支持USB on - go （OTG）的单板计算机。生成的设备可以通过USB连接，看起来像一个用ext4或exFAT文件系统格式化的普通外部磁盘，不需要任何专门的软件或驱动程序。通过将WORM强制机制隔离在专用的USB硬件模块中，Socarrat大大减少了攻击面，并确保即使是特权攻击者也无法修改或删除存储的数据。除了WORM能力外，该系统还具有防篡改能力，能够抵御高级攻击。这项工作描述了一种新颖的方法，反向文件系统，基于推断在安装Socarrat的主机上发生的更高层的文件系统操作。本文还描述了当前的Socarrat原型，它是用Go语言实现的，并且是免费/自由软件。最后，它提供了在不同单板计算机上的日志记录性能的完整评估。

{"title":"The Reverse File System: Towards open cost-effective secure WORM storage devices for logging","authors":"Gorka Guardiola Múzquiz, Juan González-Gómez, Enrique Soriano-Salvador","doi":"10.1016/j.cose.2025.104786","DOIUrl":"10.1016/j.cose.2025.104786","url":null,"abstract":"<div><div>Write Once Read Many (WORM) properties for storage devices are desirable to ensure data immutability for applications such as secure logging, regulatory compliance, archival storage, and other types of backup systems. WORM devices guarantee that data, once written, cannot be altered or deleted. However, implementing secure and compatible WORM storage remains a challenge. Traditional solutions often rely on specialized hardware, which is either costly, closed, or inaccessible to the general public. Distributed approaches, while promising, introduce additional risks such as denial-of-service vulnerabilities and operational complexity. We introduce Socarrat, a novel, cost-effective, and local WORM storage solution that leverages a simple external USB device-specifically, a single-board computer running Linux with USB On-The-Go (OTG) support. The resulting device can be connected via USB, appearing as an ordinary external disk formatted with an ext4 or exFAT file system, without requiring any specialized software or drivers. By isolating the WORM enforcement mechanism in a dedicated USB hardware module, Socarrat significantly reduces the attack surface and ensures that even privileged attackers cannot modify or erase stored data. In addition to the WORM capacity, the system is designed to be tamper-evident, becoming resilient against advanced attacks. This work describes a novel approach, the Reverse File System, based on inferring the file system operations occurring at higher layers in the host computer where Socarrat is mounted. The paper also describes the current Socarrat prototype, implemented in Go and available as free/libre software. Finally, it provides a complete evaluation of the logging performance on different single-board computers.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104786"},"PeriodicalIF":5.4,"publicationDate":"2025-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145790901","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Systematic mapping study to assess security landscape for IoT-based smart farming systems 系统测绘研究，评估基于物联网的智能农业系统的安全景观

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-03 DOI: 10.1016/j.cose.2025.104790

Farzana Zahid , Xiao Chen , Shaleeza Sohail , Boyang Li , Melanie Po-Leen Ooi

Smart farming systems sit at the intersection between three rapidly and independently advancing fields of IoT, Security, and Machine Learning. Its full realisation has tremendous positive impacts on food production; yet agricultural settings come with unique challenges that inhibit the rapid deployment of such state-of-the-art technologies. In this paper, we systematically study the current state of security for IoT-based smart farming research and development landscape and assess the proposed security solutions through the lens of technology readiness levels (TRL) and ISO/IEC 25010 security product evaluation framework. By analysing forty-eight primary studies, we identified the top security technologies under development, the critical security threats being addressed, and the most popularly used machine learning-based security solutions. Furthermore, we found that most of the ISO/IEC 25010 security characteristics considered by the security solutions are currently below TRL 6, indicating that they are well below the deployment readiness levels. Therefore, we recommend several supporting transitional technologies be developed to move the prototype development towards system validation and deployment to avoid the technology “valley of death”, such as farming-specific intrusion detection public datasets and large-scale IoT agriculture testbeds to validate the interoperability and transparency of security solutions at different layers. This systematic mapping study, together with a TRL assessment and ISO 25010 standard mapping, is the first of its kind, intending to provide a standardised comparison of the current state of security technologies for IoT-based smart farms to define a clear roadmap for future research and development. It provides a common terminology for the multidisciplinary stakeholders of smart farming to distinguish between theoretical security concepts and ready-to-deploy solutions, facilitating crucial decisions for investment, deployment, and commercialisation.

智能农业系统位于物联网、安全和机器学习这三个快速且独立发展的领域的交叉点。它的充分实现对粮食生产具有巨大的积极影响；然而，农业环境面临着独特的挑战，阻碍了这些最先进技术的快速部署。在本文中，我们系统地研究了基于物联网的智能农业研发领域的安全现状，并通过技术就绪水平（TRL）和ISO/IEC 25010安全产品评估框架来评估提出的安全解决方案。通过分析48项主要研究，我们确定了正在开发的顶级安全技术，正在解决的关键安全威胁，以及最常用的基于机器学习的安全解决方案。此外，我们发现安全解决方案考虑的大多数ISO/IEC 25010安全特性目前都低于TRL 6，这表明它们远低于部署准备级别。因此，我们建议开发几种支持性过渡技术，将原型开发转向系统验证和部署，以避免技术“死亡之谷”，例如针对农业的入侵检测公共数据集和大规模物联网农业测试平台，以验证不同层安全解决方案的互操作性和透明度。这项系统的测绘研究，连同TRL评估和ISO 25010标准测绘，是同类研究中的第一个，旨在为基于物联网的智能农场提供安全技术现状的标准化比较，为未来的研究和发展定义明确的路线图。它为智能农业的多学科利益相关者提供了一个通用术语，以区分理论安全概念和准备部署的解决方案，促进投资、部署和商业化的关键决策。

{"title":"Systematic mapping study to assess security landscape for IoT-based smart farming systems","authors":"Farzana Zahid , Xiao Chen , Shaleeza Sohail , Boyang Li , Melanie Po-Leen Ooi","doi":"10.1016/j.cose.2025.104790","DOIUrl":"10.1016/j.cose.2025.104790","url":null,"abstract":"<div><div>Smart farming systems sit at the intersection between three rapidly and independently advancing fields of IoT, Security, and Machine Learning. Its full realisation has tremendous positive impacts on food production; yet agricultural settings come with unique challenges that inhibit the rapid deployment of such state-of-the-art technologies. In this paper, we systematically study the current state of security for IoT-based smart farming research and development landscape and assess the proposed security solutions through the lens of technology readiness levels (TRL) and ISO/IEC 25010 security product evaluation framework. By analysing forty-eight primary studies, we identified the top security technologies under development, the critical security threats being addressed, and the most popularly used machine learning-based security solutions. Furthermore, we found that most of the ISO/IEC 25010 security characteristics considered by the security solutions are currently below TRL 6, indicating that they are well below the deployment readiness levels. Therefore, we recommend several supporting transitional technologies be developed to move the prototype development towards system validation and deployment to avoid the technology “valley of death”, such as farming-specific intrusion detection public datasets and large-scale IoT agriculture testbeds to validate the interoperability and transparency of security solutions at different layers. This systematic mapping study, together with a TRL assessment and ISO 25010 standard mapping, is the first of its kind, intending to provide a standardised comparison of the current state of security technologies for IoT-based smart farms to define a clear roadmap for future research and development. It provides a common terminology for the multidisciplinary stakeholders of smart farming to distinguish between theoretical security concepts and ready-to-deploy solutions, facilitating crucial decisions for investment, deployment, and commercialisation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104790"},"PeriodicalIF":5.4,"publicationDate":"2025-12-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145738646","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A unified modeling framework for automated penetration testing 用于自动化渗透测试的统一建模框架

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-02 DOI: 10.1016/j.cose.2025.104787

Yunfei Wang , Shixuan Liu , Wenhao Wang , Changling Zhou , Chao Zhang , Jiandong Jin , Cheng Zhu

Recent advancements in AI-integrated automated penetration testing (AutoPT) methodologies demonstrate that agent training based on simulation modeling can significantly enhance cost-efficiency while reducing feedback latency. However, despite the growing body of AutoPT research, a critical gap remains: the absence of a unified framework for simulation modeling methods. This paper systematically reviews and synthesizes existing techniques, proposing MDCPM to categorize studies based on their objectives, network simulation complexity, technical and tactical operation dependencies, and scenario feedback and variation. To address the lack of a unified method for multi-dimensional, multi-level simulation modeling, especially in dynamic environments, we propose AutoPT-Sim, a novel policy-automation-driven framework capable of simulating arbitrary sub-dimensional element across three key dimensions. AutoPT-Sim offers a holistic approach to modeling network environments, attackers, and defenders, overcoming the limitations of static and linear modeling techniques. Furthermore, we contribute a standardized network environment dataset and a network generator tool capable of generating networks of diverse sizes. By seamlessly integrating such datasets, AutoPT-Sim enables diverse simulation modeling levels for policy automation in MDCPM, while the network generator empowers researchers to create customized target network data, supporting tailored experimentation.

人工智能集成自动渗透测试（AutoPT）方法的最新进展表明，基于仿真建模的智能体训练可以显著提高成本效率，同时减少反馈延迟。然而，尽管对自动驾驶的研究越来越多，但一个关键的差距仍然存在：缺乏统一的仿真建模方法框架。本文系统回顾和综合现有技术，提出MDCPM，根据研究目标、网络仿真复杂性、技战术操作依赖性、场景反馈和变化对研究进行分类。为了解决多维、多层次仿真建模缺乏统一方法的问题，特别是在动态环境中，我们提出了AutoPT-Sim，这是一种新颖的策略自动化驱动框架，能够跨三个关键维度模拟任意子维度元素。AutoPT-Sim提供了一种全面的方法来建模网络环境，攻击者和防御者，克服了静态和线性建模技术的局限性。此外，我们还提供了一个标准化的网络环境数据集和一个能够生成不同大小网络的网络生成器工具。通过无缝集成这些数据集，AutoPT-Sim为MDCPM中的策略自动化提供了不同的仿真建模级别，而网络生成器使研究人员能够创建定制的目标网络数据，支持量身定制的实验。

{"title":"A unified modeling framework for automated penetration testing","authors":"Yunfei Wang , Shixuan Liu , Wenhao Wang , Changling Zhou , Chao Zhang , Jiandong Jin , Cheng Zhu","doi":"10.1016/j.cose.2025.104787","DOIUrl":"10.1016/j.cose.2025.104787","url":null,"abstract":"<div><div>Recent advancements in AI-integrated automated penetration testing (AutoPT) methodologies demonstrate that agent training based on simulation modeling can significantly enhance cost-efficiency while reducing feedback latency. However, despite the growing body of AutoPT research, a critical gap remains: the absence of a unified framework for simulation modeling methods. This paper systematically reviews and synthesizes existing techniques, proposing MDCPM to categorize studies based on their objectives, network simulation complexity, technical and tactical operation dependencies, and scenario feedback and variation. To address the lack of a unified method for multi-dimensional, multi-level simulation modeling, especially in dynamic environments, we propose AutoPT-Sim, a novel policy-automation-driven framework capable of simulating arbitrary sub-dimensional element across three key dimensions. AutoPT-Sim offers a holistic approach to modeling network environments, attackers, and defenders, overcoming the limitations of static and linear modeling techniques. Furthermore, we contribute a standardized network environment dataset and a network generator tool capable of generating networks of diverse sizes. By seamlessly integrating such datasets, AutoPT-Sim enables diverse simulation modeling levels for policy automation in MDCPM, while the network generator empowers researchers to create customized target network data, supporting tailored experimentation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104787"},"PeriodicalIF":5.4,"publicationDate":"2025-12-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

D-VGAEAD: A dual-decoder variational graph autoencoder for anomaly detection based on attribute networks 一种基于属性网络的双解码器变分图自编码器

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-12-01 DOI: 10.1016/j.cose.2025.104784

Haonan Li , Yifan Liu , Yi Liu , Fan Feng , Zhenpeng Liu

Purpose: This study proposes an unsupervised anomaly detection approach, called Dual Decoding Variational Graph Autoencoders (D-VGAEAD), to overcome limitations of traditional methods, such as their inability to effectively handle complex high-dimensional data, insufficient learning of attributed networks, risk of overfitting in autoencoder-based anomaly detection, and scarcity of reliable samples in supervised learning datasets. Methods: Two separate decoders are introduced in the model to reconstruct the adjacency matrix and node features, respectively. By capturing the interplay between graph structure and node features, this design enhances anomaly detection performance on graph-structured data. The objective function combines the reconstruction errors of both the adjacency matrix and node features, thereby improving the encoder’s latent variable representation. To mitigate overfitting, KL divergence and adversarial computations of reconstruction errors are incorporated, which together maximize the variational lower bound. Results: Experiments were conducted by injecting anomalies into six benchmark datasets, and the model was further deployed and evaluated on two real-world network attack datasets. The performance of the D-VGAEAD model in anomaly detection tasks was comprehensively assessed and compared with several state-of-the-art methods. The time overhead analysis was carried out, showing that the model achieves an average detection latency of 6.24 ms on network attack datasets under the GPU. The experimental results demonstrate that the proposed model effectively integrates both graph structural information and node attribute features, achieving optimal detection performance on datasets characterized by prominent attribute patterns and well-defined graph relationships. Conclusion: In anomaly detection tasks, training the model by considering both network structure information and node feature information is crucial. Integrating the adjacency matrix and node features through a network and amplifying the differences between anomalies and normal data via a differential network can significantly enhance the performance of anomaly detection. Further targeted feature design may improve detection of stealthy or low-visibility threats while showing promise in network security.

目的：本文提出了一种无监督异常检测方法，称为双解码变分图自编码器（D-VGAEAD），以克服传统方法的局限性，例如它们无法有效处理复杂的高维数据，属性网络学习不足，基于自编码器的异常检测存在过拟合风险，以及监督学习数据集缺乏可靠样本。方法：在模型中引入两个独立的解码器，分别重构邻接矩阵和节点特征。通过捕获图结构和节点特征之间的相互作用，提高了对图结构数据的异常检测性能。目标函数结合了邻接矩阵和节点特征的重构误差，从而提高了编码器的潜在变量表示。为了减轻过拟合，将KL散度和重构误差的对抗计算结合起来，使变分下界最大化。结果：通过在6个基准数据集中注入异常进行了实验，并在2个真实网络攻击数据集上进一步部署和评估了模型。全面评估了D-VGAEAD模型在异常检测任务中的性能，并与几种最新方法进行了比较。时间开销分析表明，该模型在GPU下对网络攻击数据集的平均检测延迟为6.24 ms。实验结果表明，该模型有效地融合了图的结构信息和节点属性特征，对属性模式突出、图关系良好的数据集实现了最佳的检测性能。结论：在异常检测任务中，同时考虑网络结构信息和节点特征信息的模型训练至关重要。通过网络整合邻接矩阵和节点特征，通过差分网络放大异常与正常数据之间的差异，可以显著提高异常检测的性能。进一步有针对性的特征设计可能会提高对隐形或低可见性威胁的检测，同时在网络安全方面显示出希望。

{"title":"D-VGAEAD: A dual-decoder variational graph autoencoder for anomaly detection based on attribute networks","authors":"Haonan Li , Yifan Liu , Yi Liu , Fan Feng , Zhenpeng Liu","doi":"10.1016/j.cose.2025.104784","DOIUrl":"10.1016/j.cose.2025.104784","url":null,"abstract":"<div><div><strong>Purpose:</strong> This study proposes an unsupervised anomaly detection approach, called Dual Decoding Variational Graph Autoencoders (D-VGAEAD), to overcome limitations of traditional methods, such as their inability to effectively handle complex high-dimensional data, insufficient learning of attributed networks, risk of overfitting in autoencoder-based anomaly detection, and scarcity of reliable samples in supervised learning datasets. <strong>Methods:</strong> Two separate decoders are introduced in the model to reconstruct the adjacency matrix and node features, respectively. By capturing the interplay between graph structure and node features, this design enhances anomaly detection performance on graph-structured data. The objective function combines the reconstruction errors of both the adjacency matrix and node features, thereby improving the encoder’s latent variable representation. To mitigate overfitting, KL divergence and adversarial computations of reconstruction errors are incorporated, which together maximize the variational lower bound. <strong>Results:</strong> Experiments were conducted by injecting anomalies into six benchmark datasets, and the model was further deployed and evaluated on two real-world network attack datasets. The performance of the D-VGAEAD model in anomaly detection tasks was comprehensively assessed and compared with several state-of-the-art methods. The time overhead analysis was carried out, showing that the model achieves an average detection latency of 6.24 ms on network attack datasets under the GPU. The experimental results demonstrate that the proposed model effectively integrates both graph structural information and node attribute features, achieving optimal detection performance on datasets characterized by prominent attribute patterns and well-defined graph relationships. <strong>Conclusion:</strong> In anomaly detection tasks, training the model by considering both network structure information and node feature information is crucial. Integrating the adjacency matrix and node features through a network and amplifying the differences between anomalies and normal data via a differential network can significantly enhance the performance of anomaly detection. Further targeted feature design may improve detection of stealthy or low-visibility threats while showing promise in network security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104784"},"PeriodicalIF":5.4,"publicationDate":"2025-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685328","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

DID-TUF: Secure decentralized identifier management using trustless registries DID-TUF：使用无信任注册中心的安全分散标识符管理

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-29 DOI: 10.1016/j.cose.2025.104780

Bander A. Alzahrani

Decentralized Identifiers (DIDs) represent a novel and transformative approach to digital identity management, offering a decentralized alternative to traditional systems that rely on centralized authorities. Unlike conventional identity frameworks, which are typically governed by third-party providers such as certificate authorities or identity federations, DIDs empower individuals, organizations, and devices to create, control, and manage their identifiers independently, ensuring enhanced privacy, autonomy, and resistance to censorship. In this paper, a DID method is introduced that leverages The Update Framework (TUF) to enable secure and efficient dissemination of DID documents through a trustless registry model. This method blends the strengths of registry-based and registry-less approaches to enhance the resilience and security of decentralized identity systems. Our solution is robust against a wide range of attacks while maintaining a small overhead. It is also agnostic to the DID document storage method and provides an auditable trail of updates. Our proof-of-concept implementation demonstrates that DID creation, update, and resolution operations incur minimal computational overhead, confirming the practicality and efficiency of our approach.

去中心化标识符（did）代表了数字身份管理的一种新颖的变革性方法，为依赖中心化权威的传统系统提供了一种去中心化的替代方案。与通常由证书颁发机构或身份联合等第三方提供商管理的传统身份框架不同，did使个人、组织和设备能够独立地创建、控制和管理其标识符，从而确保增强的隐私性、自主性和对审查的抵抗力。本文介绍了一种DID方法，该方法利用更新框架（TUF）通过无信任注册表模型实现DID文档的安全有效传播。该方法融合了基于注册表和无注册表方法的优势，以增强去中心化身份系统的弹性和安全性。我们的解决方案对各种各样的攻击都很健壮，同时开销很小。它也与DID文档存储方法无关，并提供可审计的更新跟踪。我们的概念验证实现表明，DID的创建、更新和解析操作会产生最小的计算开销，从而证实了我们方法的实用性和效率。

{"title":"DID-TUF: Secure decentralized identifier management using trustless registries","authors":"Bander A. Alzahrani","doi":"10.1016/j.cose.2025.104780","DOIUrl":"10.1016/j.cose.2025.104780","url":null,"abstract":"<div><div>Decentralized Identifiers (DIDs) represent a novel and transformative approach to digital identity management, offering a decentralized alternative to traditional systems that rely on centralized authorities. Unlike conventional identity frameworks, which are typically governed by third-party providers such as certificate authorities or identity federations, DIDs empower individuals, organizations, and devices to create, control, and manage their identifiers independently, ensuring enhanced privacy, autonomy, and resistance to censorship. In this paper, a DID method is introduced that leverages The Update Framework (TUF) to enable secure and efficient dissemination of DID documents through a trustless registry model. This method blends the strengths of registry-based and registry-less approaches to enhance the resilience and security of decentralized identity systems. Our solution is robust against a wide range of attacks while maintaining a small overhead. It is also agnostic to the DID document storage method and provides an auditable trail of updates. Our proof-of-concept implementation demonstrates that DID creation, update, and resolution operations incur minimal computational overhead, confirming the practicality and efficiency of our approach.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104780"},"PeriodicalIF":5.4,"publicationDate":"2025-11-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685329","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Vaccine: Injection vulnerabilities mitigation through dynamic process control with eBPF 疫苗：通过eBPF动态过程控制缓解注射漏洞

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-27 DOI: 10.1016/j.cose.2025.104788

Hanyu Wang , Aimin Yu , Lifang Xiao , Lixin Zhao , Xu Cao , Dan Meng

Injection vulnerabilities are becoming increasingly prevalent and pose a significant threat to system security. A great deal of work highly depends on the patches for defense against these vulnerabilities. However, there is often a delay between the discovery of the vulnerabilities and the release of the corresponding patches, which leaves systems exposed to potential attacks. To address this issue, it is essential to build a vulnerability-tolerant mechanism that aims to inhibit the execution of injected payloads even when vulnerabilities are exploited. Our insight is that most of the injection vulnerabilities in operating systems can be mitigated through dynamic process control, inhibiting their ability to execute attacks. Based on this observation, we present Vaccine, a method for mitigating injection vulnerabilities by restricting attacks through dynamic process control using eBPF. Vaccine leverages process-level behavioral deviations to determine process permissions for control. By dynamically modifying process memory space to modify process permissions, Vaccine restricts the execution of injected payloads, effectively preventing attacks dynamically, hence mitigating injection vulnerabilities. The experimental results indicate that the Vaccine mitigates injection attacks exploiting 40 injection vulnerabilities. We demonstrate the behavioral deviations between processes to prove the feasibility of process-based permission control. Notably, Vaccine reduces the impact on benign behaviors by 32 % to 78 % than an advanced tool through fine-grained and dynamic control. Furthermore, it incurs low latency loss and overhead compared to three behavioral analysis methods. These results further demonstrate its practical defense against injection vulnerabilities.

注入漏洞越来越普遍，对系统安全构成了重大威胁。大量的工作高度依赖于防御这些漏洞的补丁。然而，在漏洞的发现和相应补丁的发布之间通常存在延迟，这使得系统暴露于潜在的攻击之下。为了解决这个问题，必须构建一个容错机制，即使在漏洞被利用的情况下，也要抑制注入有效载荷的执行。我们的见解是，操作系统中的大多数注入漏洞可以通过动态进程控制来缓解，从而抑制它们执行攻击的能力。基于这一观察，我们提出了Vaccine，一种通过eBPF动态过程控制限制攻击来减轻注射漏洞的方法。Vaccine利用过程级的行为偏差来确定需要控制的过程权限。通过动态修改进程内存空间来修改进程权限，限制注入有效载荷的执行，有效地动态防止攻击，从而减少注入漏洞。实验结果表明，该疫苗可有效缓解利用40个注射漏洞的注射攻击。我们演示了进程之间的行为偏差，以证明基于进程的权限控制的可行性。值得注意的是，通过细粒度和动态控制，与高级工具相比，疫苗对良性行为的影响减少了32%至78%。此外，与三种行为分析方法相比，它会产生较低的延迟损失和开销。这些结果进一步证明了它对注入漏洞的实际防御。

{"title":"Vaccine: Injection vulnerabilities mitigation through dynamic process control with eBPF","authors":"Hanyu Wang , Aimin Yu , Lifang Xiao , Lixin Zhao , Xu Cao , Dan Meng","doi":"10.1016/j.cose.2025.104788","DOIUrl":"10.1016/j.cose.2025.104788","url":null,"abstract":"<div><div>Injection vulnerabilities are becoming increasingly prevalent and pose a significant threat to system security. A great deal of work highly depends on the patches for defense against these vulnerabilities. However, there is often a delay between the discovery of the vulnerabilities and the release of the corresponding patches, which leaves systems exposed to potential attacks. To address this issue, it is essential to build a vulnerability-tolerant mechanism that aims to inhibit the execution of injected payloads even when vulnerabilities are exploited. Our insight is that most of the injection vulnerabilities in operating systems can be mitigated through dynamic process control, inhibiting their ability to execute attacks. Based on this observation, we present Vaccine, a method for mitigating injection vulnerabilities by restricting attacks through dynamic process control using eBPF. Vaccine leverages process-level behavioral deviations to determine process permissions for control. By dynamically modifying process memory space to modify process permissions, Vaccine restricts the execution of injected payloads, effectively preventing attacks dynamically, hence mitigating injection vulnerabilities. The experimental results indicate that the Vaccine mitigates injection attacks exploiting 40 injection vulnerabilities. We demonstrate the behavioral deviations between processes to prove the feasibility of process-based permission control. Notably, Vaccine reduces the impact on benign behaviors by 32 % to 78 % than an advanced tool through fine-grained and dynamic control. Furthermore, it incurs low latency loss and overhead compared to three behavioral analysis methods. These results further demonstrate its practical defense against injection vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104788"},"PeriodicalIF":5.4,"publicationDate":"2025-11-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145658453","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0