
Computers & Security: Latest Publications

D-VGAEAD: A dual-decoder variational graph autoencoder for anomaly detection based on attribute networks
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-12-01. DOI: 10.1016/j.cose.2025.104784. Computers & Security, vol. 162, Article 104784.
Haonan Li , Yifan Liu , Yi Liu , Fan Feng , Zhenpeng Liu
Purpose: This study proposes an unsupervised anomaly detection approach, called Dual Decoding Variational Graph Autoencoders (D-VGAEAD), to overcome limitations of traditional methods, such as their inability to effectively handle complex high-dimensional data, insufficient learning of attributed networks, risk of overfitting in autoencoder-based anomaly detection, and scarcity of reliable samples in supervised learning datasets. Methods: Two separate decoders are introduced in the model to reconstruct the adjacency matrix and node features, respectively. By capturing the interplay between graph structure and node features, this design enhances anomaly detection performance on graph-structured data. The objective function combines the reconstruction errors of both the adjacency matrix and node features, thereby improving the encoder's latent variable representation. To mitigate overfitting, KL divergence and adversarial computations of reconstruction errors are incorporated, which together maximize the variational lower bound. Results: Experiments were conducted by injecting anomalies into six benchmark datasets, and the model was further deployed and evaluated on two real-world network attack datasets. The performance of the D-VGAEAD model in anomaly detection tasks was comprehensively assessed and compared with several state-of-the-art methods. A time overhead analysis showed that the model achieves an average detection latency of 6.24 ms on network attack datasets on a GPU. The experimental results demonstrate that the proposed model effectively integrates both graph structural information and node attribute features, achieving optimal detection performance on datasets characterized by prominent attribute patterns and well-defined graph relationships. Conclusion: In anomaly detection tasks, training the model on both network structure information and node feature information is crucial. Integrating the adjacency matrix and node features through a network and amplifying the differences between anomalies and normal data via a differential network can significantly enhance the performance of anomaly detection. Further targeted feature design may improve detection of stealthy or low-visibility threats while showing promise in network security.
Citations: 0
DID-TUF: Secure decentralized identifier management using trustless registries
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-29. DOI: 10.1016/j.cose.2025.104780. Computers & Security, vol. 162, Article 104780.
Bander A. Alzahrani
Decentralized Identifiers (DIDs) represent a novel and transformative approach to digital identity management, offering a decentralized alternative to traditional systems that rely on centralized authorities. Unlike conventional identity frameworks, which are typically governed by third-party providers such as certificate authorities or identity federations, DIDs empower individuals, organizations, and devices to create, control, and manage their identifiers independently, ensuring enhanced privacy, autonomy, and resistance to censorship. In this paper, a DID method is introduced that leverages The Update Framework (TUF) to enable secure and efficient dissemination of DID documents through a trustless registry model. This method blends the strengths of registry-based and registry-less approaches to enhance the resilience and security of decentralized identity systems. Our solution is robust against a wide range of attacks while maintaining a small overhead. It is also agnostic to the DID document storage method and provides an auditable trail of updates. Our proof-of-concept implementation demonstrates that DID creation, update, and resolution operations incur minimal computational overhead, confirming the practicality and efficiency of our approach.
Citations: 0
Vaccine: Injection vulnerabilities mitigation through dynamic process control with eBPF
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-27. DOI: 10.1016/j.cose.2025.104788. Computers & Security, vol. 162, Article 104788.
Hanyu Wang , Aimin Yu , Lifang Xiao , Lixin Zhao , Xu Cao , Dan Meng
Injection vulnerabilities are becoming increasingly prevalent and pose a significant threat to system security. A great deal of prior work depends heavily on patches for defense against these vulnerabilities. However, there is often a delay between the discovery of a vulnerability and the release of the corresponding patch, which leaves systems exposed to potential attacks. To address this issue, it is essential to build a vulnerability-tolerant mechanism that inhibits the execution of injected payloads even when vulnerabilities are exploited. Our insight is that most injection vulnerabilities in operating systems can be mitigated through dynamic process control, inhibiting their ability to execute attacks. Based on this observation, we present Vaccine, a method for mitigating injection vulnerabilities by restricting attacks through dynamic process control using eBPF. Vaccine leverages process-level behavioral deviations to determine the process permissions to enforce. By dynamically modifying process memory space to change process permissions, Vaccine restricts the execution of injected payloads, preventing attacks at run time and hence mitigating injection vulnerabilities. The experimental results indicate that Vaccine mitigates injection attacks exploiting 40 injection vulnerabilities. We demonstrate the behavioral deviations between processes to establish the feasibility of process-based permission control. Notably, through fine-grained and dynamic control, Vaccine reduces the impact on benign behaviors by 32 % to 78 % compared with an advanced tool. Furthermore, it incurs low latency loss and overhead compared with three behavioral analysis methods. These results further demonstrate its practical defense against injection vulnerabilities.
Citations: 0
BotPro: Data-driven tracking & profiling of IoT botnets in the wild
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-26. DOI: 10.1016/j.cose.2025.104778. Computers & Security, vol. 162, Article 104778.
Hatem A. Almazarqi , Mathew Woodyard , Angelos K. Marnerides
The incorporation of the IoT into modern sociotechnical systems, alongside the rapid manufacturing of IoT devices with minimal embedded security, has significantly altered the cyber threat landscape. Consequently, modern cyberattacks now exploit compromised IoT devices to launch large-scale volumetric assaults or sophisticated advanced persistent threats (APTs) via carefully coordinated IoT botnets. Given the ever-changing structural dynamics of these botnets, tracking their activities presents significant challenges since malicious actors frequently adapt and employ new evasion techniques to expand their networks. This study introduces BotPro, a novel open-source tool built on a data-driven framework that captures and attributes the behavioural characteristics of IoT botnets. BotPro integrates honeypot telemetry, CTI feeds, and Internet topology data to profile scanning, infection, and propagation patterns, as well as cluster payloads to identify malware variants and assess AS-level risk exposure. Through a macroscopic measurement study spanning three years with 40 globally distributed honeypots covering 193 countries and 16K ASes, we show that BotPro can quantify the tolerance of Autonomous Systems (ASes) as a function of botnet scanning and propagation properties. Our clustering evaluation achieved a Silhouette score of 0.54 with low Davies-Bouldin index values, confirming the coherence and separation of identified botnet groups. Hence, our findings provide substantial context to security experts and network operators for effectively designing and implementing next-generation defence and mitigation measures against current and future IoT botnets.
Citations: 0
MDDB-AETB: Malicious domain detection boosting based on alignment with encrypted traffic behavior in restricted scenarios
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-26. DOI: 10.1016/j.cose.2025.104785. Computers & Security, vol. 162, Article 104785.
Mengrui Cao , Gaopeng Gou , Junzheng Shi , Gang Xiong , Zhen Li , Jiayu Li
Malicious domain detection is a key challenge in network security. Traditional methods cannot achieve effective malicious domain detection in real-world restricted scenarios with limited labeled data and insufficient domain relationships, which is the setting we focus on in this paper. Based on the insight that domains with similar encrypted traffic behavior are expected to share similar representations in the embedding space, we propose MDDB-AETB, which boosts malicious domain detection through alignment with encrypted traffic behavior. We extract text and behavior features from the TLS messages of encrypted traffic. For behavior features, we measure the similarity of statistical features and use it as self-supervised learning labels. With these labels, we fine-tune a pre-trained model whose input is domain text, obtaining an optimized embedding representation model. The loss function for fine-tuning combines mean square error (MSE) loss and contrastive loss to capture the subtle behavior of encrypted traffic, enhancing its detection capability. We evaluate MDDB-AETB against three state-of-the-art baselines; the results show that MDDB-AETB consistently achieves the best performance across all test set proportions, reaching up to 99 % F1-score while maintaining a stable advantage even under limited training data.
Citations: 0
AURA-XR: A risk-based methodology for the optimal selection of user authentication mechanisms in extended reality
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-25. DOI: 10.1016/j.cose.2025.104779. Computers & Security, vol. 162, Article 104779.
Christina Katsini, Gregory Epiphaniou, Carsten Maple
The increasing adoption of Extended Reality (XR) technologies brings immersive interfaces into critical domains like healthcare and manufacturing. However, deciding how to protect users in these environments remains an open challenge. Although prior research explores individual authentication mechanisms, existing selection methods ignore context-specific constraints, environmental factors, and user perceptions central to XR. To address this, we conducted a qualitative study with usable-security experts to uncover key design considerations that current approaches overlook. Next, we mapped well-known selection methodologies against these considerations and identified important mismatches. In response, we developed AURA-XR, a risk-based framework integrating stakeholder perceptions, environmental and scenario-specific constraints, and risk assessment into a decision model. We demonstrate that AURA-XR supports context-sensitive, multi-objective authentication decisions tailored to this emerging domain. By filling a methodological gap, AURA-XR advances adaptive, privacy-aware, human-centred security in immersive systems, opening new routes for robust, situationally informed authentication in XR.
Citations: 0
An evaluation framework for network IDS/IPS datasets: Leveraging MITRE ATT&CK and industry relevance metrics
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-11-23. DOI: 10.1016/j.cose.2025.104777. Computers & Security, vol. 161, Article 104777.
Adrita Rahman Tory , Khondokar Fida Hasan
The performance of Machine Learning (ML) and Deep Learning (DL)-based Intrusion Detection and Prevention Systems (IDS/IPS) is critically dependent on the relevance and quality of the datasets used for training and evaluation. However, current AI model evaluation practices for developing IDS/IPS focus predominantly on accuracy metrics, often overlooking whether datasets represent industry-specific threats. To address this gap, we introduce a novel multi-dimensional framework that integrates the MITRE ATT&CK knowledge base for threat intelligence and employs five complementary metrics that together provide a comprehensive assessment of dataset suitability. Methodologically, this framework combines threat intelligence, natural language processing, and quantitative analysis to assess the suitability of datasets for specific industry contexts. Applying this framework to nine publicly available IDS/IPS datasets reveals significant gaps in threat coverage, particularly in the healthcare, energy, and financial sectors. In particular, recent datasets (e.g., CIC-IoMT, CIC-UNSW-NB15) align better with sector-specific threats, whereas others, like CICIoV-24, underperform despite their recency. Our findings provide a standardized, interpretable approach for selecting datasets aligned with sector-specific operational requirements, ultimately enhancing the real-world effectiveness of AI-driven IDS/IPS deployments. The efficiency and practicality of the framework are validated through deployment in a real-world case study, underscoring its capacity to inform dataset selection and enhance the effectiveness of AI-driven IDS/IPS in operational environments.
引用次数: 0
SETPA: Structural evasion techniques for PDF malware detection systems
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2025-11-22 DOI: 10.1016/j.cose.2025.104775
Nasir Iqbal , Faisal Bashir Hussain , Hassan Jalil Hadi , Naveed Ahmad , Ali Shoker
Portable Document Format (PDF) is widely used because of its cross-platform compatibility, document integrity, and security features. However, its structural weaknesses make PDF files a prime target for malware attacks. Machine-learning-based detection systems often struggle with feature engineering, dataset diversity, and robustness against adversarial attacks. These limitations result in high false positives, disruption of benign processes, and false negatives, enabling adversarial malware to evade detection. To address these challenges, this study introduces Structural Evasion Techniques for PDF Augmentation (SETPA), a novel evasion framework designed to bypass PDF malware detection systems. SETPA employs eight structural techniques, such as empty object streams, fake XREF table entries, and benign metadata, to obfuscate malicious content while preserving file functionality. Comprehensive experiments conducted on two leading detection models, PDFRate v2.0 and Hidost, demonstrate that SETPA consistently outperforms a Deep Reinforcement Learning (DRL)-based evasion framework. SETPA achieves evasion success rates that are 6 % to 10 % higher, and reduces average detection accuracy by 58 % to 80 %. These results confirm SETPA's robust and reliable evasion performance across various detection systems. The findings highlight SETPA's capability to exploit structural weaknesses in PDF detectors and underscore the need for adaptive, behavior-aware defense mechanisms that can counter entropy-driven structural evasions in emerging cyber threats.
Computers & Security, vol. 161, Article 104775. Published 2025-11-22.
Citations: 0
Intrusion detection algorithm based on multi-scale feature fusion
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2025-11-22 DOI: 10.1016/j.cose.2025.104783
Jinxian Zhao, Haidong Hou, Liang Chang
Network intrusion detection plays a crucial role in ensuring cybersecurity by promptly mitigating network attacks. However, existing deep learning methods have limited capabilities in capturing network attack features and addressing class imbalance, resulting in low classification accuracy. This paper proposes a deep-learning intrusion detection model named FLSPPMRXt, which is built upon ResNeXt50. It enhances feature capture by improving the backbone convolution and introducing a multi-scale feature fusion module that includes a Soft Pool layer. Meanwhile, focal loss is employed as the loss function to effectively mitigate the impact of class imbalance on classification accuracy. Furthermore, the method proposes a data visualization processing algorithm that provides an image representation more consistent with the feature nearest-neighbor distribution. Experimental results show that the FLSPPMRXt model achieves 93.3 % overall classification accuracy and a 95.2 % F1 score on the UNSW_NB15 dataset. Compared with existing algorithms, such as the 2DCNN and RNN models, the method demonstrates superior network intrusion detection performance.
Computers & Security, vol. 161, Article 104783. Published 2025-11-22.
Citations: 0
TFCNet: Based on time-frequency domain and multi-channel analysis for Network security situation prediction
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2025-11-22 DOI: 10.1016/j.cose.2025.104782
Shengcai Zhang, Fanchang Zeng, Huiju Yi, Zhiying Fu, Dezhi An
The rapid development of internet technology has given rise to various security threats for cyberspace. Network Security Situation Prediction (NSSP) is a proactive defence technology that can predict future network development trends based on historical attack information. As traditional passive defence methods are inadequate against modern network traffic attacks, NSSP based on proactive defence has become crucial. The time-frequency domain features in network traffic contain a lot of useful information that can enhance the accuracy of model predictions. However, existing studies have not approached NSSP from the perspective of time-frequency domain feature fusion. Therefore, this paper presents TFCNet, an improved iTransformer model that incorporates time-frequency domain feature fusion to enhance NSSP performance. Firstly, Variational Mode Decomposition (VMD) is applied to reduce the non-stationarity of network traffic data. Subsequently, by fusing the time-frequency domain features of the network traffic data, frequency-domain features are extracted across multiple channels to further enhance feature extraction and obtain richer time-frequency information about the network traffic. Experimental results on the three network security datasets NSL-KDD, UNSW-NB15, and CSE-CIC-IDS2018 indicate that TFCNet achieves the best predictive performance compared with nine other mainstream prediction methods. Compared with the iTransformer model, TFCNet reduces the Mean Squared Error (MSE) and Mean Absolute Error (MAE) by an average of 36.5 % and 23 %, respectively. In addition, the efficiency evaluation results of the model demonstrate that TFCNet achieves an effective balance between predictive performance and computational efficiency, which verifies the feasibility of TFCNet for NSSP.
Computers & Security, vol. 161, Article 104782. Published 2025-11-22.
Citations: 0