Computers & Security最新文献_第7页

Temporal-spatial feature fusion based intrusion detection system for in-vehicle networks 基于时空特征融合的车载网络入侵检测系统

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-21 DOI: 10.1016/j.cose.2025.104781

Zhihua Yin , Zixuan Li , Youtong Zhang , Jianxi Li , Dong Liu , Hongqian Wei

As a typical cyber-physical system, the in-vehicle network is evolving from an information silo into a mobile interconnection terminal. The controller area networks (CAN), serving as the real-time communication medium between automotive electronic control units (ECUs), encounter significant security challenges due to the absence of essential identity authentication and encryption mechanisms. The intrusion detection systems (IDSs) for CAN provide threat alerts but struggles to effectively identifying same origin method execution (SOME) attacks due to their frame homology and high concealment characteristics. To this end, a temporal-spatial feature fusion based IDS (TSFF-IDS) is developed. First, a comprehensive analysis is conducted on the temporal and spatial characteristics of CAN bus traffic. On this basis, a hybrid model integrating bidirectional long short-term memory (BiLSTM) networks and convolutional neural networks (CNN) is proposed to automatically extract the temporal and spatial features in parallel. A two-layer attention network is introduced to measure the distinct contributions of temporal-spatial features and recognize crucial features. Finally, the features are weighted fused to detect potential anomalies. To validate the effectiveness of the proposed method, comprehensive experiments have been conducted and the results show that the proposed TSFF-IDS exhibits superior identification capability and high adaptability compared to state-of-the-art schemes.

车载网络作为一种典型的信息物理系统，正从信息孤岛向移动互联终端发展。控制器局域网（CAN）作为汽车电子控制单元（ecu）之间的实时通信媒介，由于缺乏必要的身份认证和加密机制，面临着重大的安全挑战。CAN的入侵检测系统提供威胁警报，但由于其帧同源性和高隐蔽性的特点，难以有效识别同源方法执行（same origin method execution， SOME）攻击。为此，提出了一种基于时空特征融合的入侵检测系统（TSFF-IDS）。首先，对CAN总线流量的时空特征进行了全面分析。在此基础上，提出了一种双向长短期记忆（BiLSTM）网络与卷积神经网络（CNN）相结合的混合模型，用于自动并行提取时空特征。引入两层注意力网络来衡量时空特征的不同贡献，识别关键特征。最后，对特征进行加权融合，检测潜在异常。为了验证该方法的有效性，进行了全面的实验，结果表明，与现有方案相比，所提出的TSFF-IDS具有更好的识别能力和较高的适应性。

{"title":"Temporal-spatial feature fusion based intrusion detection system for in-vehicle networks","authors":"Zhihua Yin , Zixuan Li , Youtong Zhang , Jianxi Li , Dong Liu , Hongqian Wei","doi":"10.1016/j.cose.2025.104781","DOIUrl":"10.1016/j.cose.2025.104781","url":null,"abstract":"<div><div>As a typical cyber-physical system, the in-vehicle network is evolving from an information silo into a mobile interconnection terminal. The controller area networks (CAN), serving as the real-time communication medium between automotive electronic control units (ECUs), encounter significant security challenges due to the absence of essential identity authentication and encryption mechanisms. The intrusion detection systems (IDSs) for CAN provide threat alerts but struggles to effectively identifying same origin method execution (SOME) attacks due to their frame homology and high concealment characteristics. To this end, a temporal-spatial feature fusion based IDS (TSFF-IDS) is developed. First, a comprehensive analysis is conducted on the temporal and spatial characteristics of CAN bus traffic. On this basis, a hybrid model integrating bidirectional long short-term memory (BiLSTM) networks and convolutional neural networks (CNN) is proposed to automatically extract the temporal and spatial features in parallel. A two-layer attention network is introduced to measure the distinct contributions of temporal-spatial features and recognize crucial features. Finally, the features are weighted fused to detect potential anomalies. To validate the effectiveness of the proposed method, comprehensive experiments have been conducted and the results show that the proposed TSFF-IDS exhibits superior identification capability and high adaptability compared to state-of-the-art schemes.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104781"},"PeriodicalIF":5.4,"publicationDate":"2025-11-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145693747","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

ExMOP: Extensible protocol reverse engineering framework based on Multi-objective OPtimization ExMOP：基于多目标优化的可扩展协议逆向工程框架

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-20 DOI: 10.1016/j.cose.2025.104758

Tao Huang , Yansong Gao , Boyu Kuang , Zhi Zhang , Zhanfeng Wang , Hyoungshick Kim , Anmin Fu

Protocol Reverse Engineering (PRE) has become the foundation of numerous downstream security analyses, including vulnerability mining and intrusion detection. As the mainstream PRE technique, network trace-based PRE methods utilize various protocol features (e.g., specific features or universal features) to identify fields and their semantics. However, the inherent limitations of these features consequently constrain the performance of these PRE methods, compromising their generalizability or effectiveness. To address this, we propose an Extensible Protocol Reverse Engineering Framework Based on Multi-objective OPtimization (ExMOP) that flexibly incorporates multiple basic feature rules while synergistically integrating their complementary advantages to enhance protocol field segmentation performance. Each basic feature rule can be easily formalized as an optimization objective function, transforming the protocol field segmentation problem into a constrained multi-objective optimization model. We employ the Differential Evolution (DE) algorithm to solve this model, deriving the optimal field segmentation strategy. Ultimately, we conduct comprehensive experiments on publicly available datasets of multiple Internet protocols and industrial protocols. ExMOP demonstrates superior performance across all evaluation metrics (including 81 % precision, 81 % recall, 86 % accuracy, 80 % F1-score, 11 % FPR, and 60 % Perfection), significantly outperforming state-of-the-art methods, including NEMESYS (Usenix Security ’2018), AWRE (Usenix Security ’2019), NetPlier (NDSS ’2021), and BinaryInferno (NDSS ’2023). Furthermore, experiments affirm that expanding higher-efficiency feature rules can significantly enhance ExMOP’s performance in terms of accuracy, convergence, and stability.

协议逆向工程（PRE）已经成为许多下游安全分析的基础，包括漏洞挖掘和入侵检测。作为主流的PRE技术，基于网络跟踪的PRE方法利用各种协议特征（如特定特征或通用特征）来识别字段及其语义。然而，这些特性的固有局限性限制了这些PRE方法的性能，损害了它们的泛化性或有效性。为了解决这一问题，我们提出了一种基于多目标优化的可扩展协议逆向工程框架（ExMOP），该框架灵活地融合多个基本特征规则，同时协同整合它们的互补优势，以提高协议字段分割性能。每个基本特征规则都可以很容易地形式化为一个优化目标函数，将协议字段分割问题转化为一个有约束的多目标优化模型。我们采用差分进化（DE）算法对该模型进行求解，得到最优的场分割策略。最终，我们在多种互联网协议和工业协议的公开可用数据集上进行了全面的实验。ExMOP在所有评估指标（包括81%的精度、81%的召回率、86%的准确度、80%的f1得分、11%的FPR和60%的完美）上表现优异，显著优于最先进的方法，包括NEMESYS （Usenix Security ' 2018）、AWRE （Usenix Security ' 2019）、NetPlier （NDSS ' 2021）和BinaryInferno （NDSS ' 2023）。此外，实验证实，扩展更高效的特征规则可以显著提高ExMOP在精度、收敛性和稳定性方面的性能。

{"title":"ExMOP: Extensible protocol reverse engineering framework based on Multi-objective OPtimization","authors":"Tao Huang , Yansong Gao , Boyu Kuang , Zhi Zhang , Zhanfeng Wang , Hyoungshick Kim , Anmin Fu","doi":"10.1016/j.cose.2025.104758","DOIUrl":"10.1016/j.cose.2025.104758","url":null,"abstract":"<div><div>Protocol Reverse Engineering (PRE) has become the foundation of numerous downstream security analyses, including vulnerability mining and intrusion detection. As the mainstream PRE technique, network trace-based PRE methods utilize various protocol features (e.g., specific features or universal features) to identify fields and their semantics. However, the inherent limitations of these features consequently constrain the performance of these PRE methods, compromising their generalizability or effectiveness. To address this, we propose an <u>Ex</u>tensible Protocol Reverse Engineering Framework Based on <u>M</u>ulti-objective <u>OP</u>timization (ExMOP) that flexibly incorporates multiple basic feature rules while synergistically integrating their complementary advantages to enhance protocol field segmentation performance. Each basic feature rule can be easily formalized as an optimization objective function, transforming the protocol field segmentation problem into a constrained multi-objective optimization model. We employ the Differential Evolution (DE) algorithm to solve this model, deriving the optimal field segmentation strategy. Ultimately, we conduct comprehensive experiments on publicly available datasets of multiple Internet protocols and industrial protocols. ExMOP demonstrates superior performance across all evaluation metrics (including 81 % precision, 81 % recall, 86 % accuracy, 80 % F1-score, 11 % FPR, and 60 % Perfection), significantly outperforming state-of-the-art methods, including NEMESYS (Usenix Security ’2018), AWRE (Usenix Security ’2019), NetPlier (NDSS ’2021), and BinaryInferno (NDSS ’2023). Furthermore, experiments affirm that expanding higher-efficiency feature rules can significantly enhance ExMOP’s performance in terms of accuracy, convergence, and stability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104758"},"PeriodicalIF":5.4,"publicationDate":"2025-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145624656","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Optimizing IDS rule placement via set covering with capacity constraints 通过带容量约束的集覆盖优化IDS规则放置

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-17 DOI: 10.1016/j.cose.2025.104748

Arka Ghosh , Domenico Ditale , Massimiliano Albanese , Preetam Mukherjee

Intrusion Detection Systems (IDSs) are essential for identifying and mitigating cyber threats in modern network infrastructures. Although prior work has extensively explored the optimal placement of IDS sensors across networks, optimizing the deployment of detection rules across multiple IDS instances remains a mostly underexplored area. This paper addresses rule deployment by formulating it as a set covering problem with capacity constraints. We seek to minimize the number of rule deployments required to detect potential exploits of all known vulnerabilities while ensuring that no IDS exceeds its inspection capacity. Our model considers the statistical properties of network traffic, enabling the system to account for load surges and reduce the number of packets not inspected by an IDS under high-traffic conditions, such as during Distributed Denial-of-Service attacks. To solve the optimization problem, we introduce a backtracking algorithm enhanced with a priority queue, which efficiently balances rule coverage and capacity constraints. We validate our approach using the CSE-CIC-IDS2017 dataset and a simulated multi-IDS environment. Experimental results demonstrate that our method significantly reduces the number of uninspected packets, while maximizing vulnerability coverage, and outperforms typical rule deployment strategies. This work highlights the critical role of intelligent rule placement in enhancing IDS performance and paves the way for future adaptive and scalable detection systems.

入侵检测系统（ids）对于识别和减轻现代网络基础设施中的网络威胁至关重要。尽管之前的工作已经广泛探索了IDS传感器在网络中的最佳布局，但在多个IDS实例中优化检测规则的部署仍然是一个未充分探索的领域。本文通过将规则部署表述为具有容量约束的集合覆盖问题来解决规则部署。我们力求减少检测所有已知漏洞的潜在利用所需的规则部署数量，同时确保没有任何IDS超出其检查能力。我们的模型考虑了网络流量的统计特性，使系统能够考虑负载激增，并减少在高流量条件下（例如在分布式拒绝服务攻击期间）不被IDS检查的数据包数量。为了解决优化问题，我们引入了一种增强了优先队列的回溯算法，该算法有效地平衡了规则覆盖和容量约束。我们使用CSE-CIC-IDS2017数据集和模拟的多ids环境验证了我们的方法。实验结果表明，该方法显著减少了未检查数据包的数量，同时最大限度地提高了漏洞覆盖率，并且优于典型的规则部署策略。这项工作强调了智能规则放置在提高IDS性能方面的关键作用，并为未来的自适应和可扩展检测系统铺平了道路。

{"title":"Optimizing IDS rule placement via set covering with capacity constraints","authors":"Arka Ghosh , Domenico Ditale , Massimiliano Albanese , Preetam Mukherjee","doi":"10.1016/j.cose.2025.104748","DOIUrl":"10.1016/j.cose.2025.104748","url":null,"abstract":"<div><div>Intrusion Detection Systems (IDSs) are essential for identifying and mitigating cyber threats in modern network infrastructures. Although prior work has extensively explored the optimal placement of IDS sensors across networks, optimizing the deployment of detection rules across multiple IDS instances remains a mostly underexplored area. This paper addresses rule deployment by formulating it as a set covering problem with capacity constraints. We seek to minimize the number of rule deployments required to detect potential exploits of all known vulnerabilities while ensuring that no IDS exceeds its inspection capacity. Our model considers the statistical properties of network traffic, enabling the system to account for load surges and reduce the number of packets not inspected by an IDS under high-traffic conditions, such as during Distributed Denial-of-Service attacks. To solve the optimization problem, we introduce a backtracking algorithm enhanced with a priority queue, which efficiently balances rule coverage and capacity constraints. We validate our approach using the CSE-CIC-IDS2017 dataset and a simulated multi-IDS environment. Experimental results demonstrate that our method significantly reduces the number of uninspected packets, while maximizing vulnerability coverage, and outperforms typical rule deployment strategies. This work highlights the critical role of intelligent rule placement in enhancing IDS performance and paves the way for future adaptive and scalable detection systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104748"},"PeriodicalIF":5.4,"publicationDate":"2025-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145579994","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Human-centric security for smart homes: A scoping review 以人为中心的智能家居安全：范围审查

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-17 DOI: 10.1016/j.cose.2025.104762

Wanling Cai , Liliana Pasquale , Kushal Ramkumar , John McCarthy , Bashar Nuseibeh , Gavin Doherty

Smart home technologies, like cameras, door locks, and speakers, are increasingly used in our everyday lives. However, their continuous data collection and internet connectivity pose various security risks. While research on smart home security has mainly focused on technological aspects, human experience and societal factors also play a crucial role. Various human and social factors, such as user experience with smart home devices, security design processes, and government regulations, are intertwined and influence each other, affecting smart home security. It is therefore important to understand and consider these interconnected factors in technology design to secure homes that contain increasingly connected devices. This scoping review provides an overview of current human-centered studies (N=102) on smart home security, which aims to help researchers and practitioners better navigate this field. We present a conceptual framework that outlines key challenges in ensuring smart home security with a synthesis of insights on contributing human factors. We then summarize general security design principles and map existing user-centred security approaches in smart homes, and highlight research directions for future investigation. Beyond mapping existing studies, the review reveals a growing emphasis on engaging multiple stakeholders, especially smart home users, in shaping human-centered security.

智能家居技术，如摄像头、门锁和扬声器，越来越多地应用于我们的日常生活中。然而，它们持续的数据收集和互联网连接带来了各种安全风险。虽然对智能家居安全的研究主要集中在技术方面，但人的经验和社会因素也起着至关重要的作用。智能家居设备的用户体验、安全设计过程、政府法规等各种人为因素和社会因素相互交织，相互影响，影响智能家居安全。因此，在技术设计中理解和考虑这些相互关联的因素是很重要的，以确保包含越来越多连接设备的家庭安全。本综述概述了当前以人为中心的智能家居安全研究（N=102），旨在帮助研究人员和从业者更好地驾驭这一领域。我们提出了一个概念框架，概述了确保智能家居安全的关键挑战，并综合了对人为因素的见解。然后，我们总结了一般的安全设计原则，并绘制了智能家居中现有的以用户为中心的安全方法，并强调了未来调查的研究方向。除了绘制现有研究之外，该审查还显示，在塑造以人为本的安全方面，越来越强调让多个利益相关者（尤其是智能家居用户）参与进来。

{"title":"Human-centric security for smart homes: A scoping review","authors":"Wanling Cai , Liliana Pasquale , Kushal Ramkumar , John McCarthy , Bashar Nuseibeh , Gavin Doherty","doi":"10.1016/j.cose.2025.104762","DOIUrl":"10.1016/j.cose.2025.104762","url":null,"abstract":"<div><div>Smart home technologies, like cameras, door locks, and speakers, are increasingly used in our everyday lives. However, their continuous data collection and internet connectivity pose various security risks. While research on smart home security has mainly focused on technological aspects, human experience and societal factors also play a crucial role. Various human and social factors, such as user experience with smart home devices, security design processes, and government regulations, are intertwined and influence each other, affecting smart home security. It is therefore important to understand and consider these interconnected factors in technology design to secure homes that contain increasingly connected devices. This scoping review provides an overview of current human-centered studies (N=102) on smart home security, which aims to help researchers and practitioners better navigate this field. We present a conceptual framework that outlines key challenges in ensuring smart home security with a synthesis of insights on contributing human factors. We then summarize general security design principles and map existing user-centred security approaches in smart homes, and highlight research directions for future investigation. Beyond mapping existing studies, the review reveals a growing emphasis on engaging multiple stakeholders, especially smart home users, in shaping human-centered security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104762"},"PeriodicalIF":5.4,"publicationDate":"2025-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145738726","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Technostress and information security – A review and research agenda of security-related stress 技术压力和信息安全-安全相关压力的回顾和研究议程

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-17 DOI: 10.1016/j.cose.2025.104776

Antony Mullins, Nik Thompson

Technostress is a growing concern for organisations, given the negative impacts of stress on employees' job satisfaction, productivity, and intention to comply with or violate policies. Security-related stress (SRS), a dimension of technostress, addresses how security-related activities, such as information technology compliance, can impact an individual's stress. Addressing security-related stress research is vital, given it can help identify factors that can both enhance employee well-being and strengthen an organisation's security posture. In this paper, we systematically review the literature from the past two decades addressing security-related stress and identify twenty-seven relevant studies for analysis. We make contributions in three areas. Firstly, we discover the predominant theoretical frameworks and models that address security-related stress while examining key factors and constructs that examine security-related stress. Secondly, we describe how security-related stress is measured and what interventions have proven effective in reducing it. Finally, based on our comprehensive analysis, we present a research agenda to inform future research directions of security-related stress.

鉴于压力对员工的工作满意度、生产力以及遵守或违反政策的意图的负面影响，技术压力越来越受到组织的关注。安全相关压力（SRS）是技术压力的一个维度，涉及与安全相关的活动（如信息技术遵从性）如何影响个人的压力。解决与安全相关的压力研究是至关重要的，因为它可以帮助确定既能提高员工幸福感又能加强组织安全态势的因素。在本文中，我们系统地回顾了过去二十年来关于安全相关压力的文献，并确定了27项相关研究进行分析。我们在三个方面作出贡献。首先，我们发现了解决安全相关压力的主要理论框架和模型，同时研究了检查安全相关压力的关键因素和结构。其次，我们描述了与安全相关的压力是如何测量的，以及哪些干预措施被证明是有效的。最后，在综合分析的基础上，提出了安全相关应力的研究方向。

{"title":"Technostress and information security – A review and research agenda of security-related stress","authors":"Antony Mullins, Nik Thompson","doi":"10.1016/j.cose.2025.104776","DOIUrl":"10.1016/j.cose.2025.104776","url":null,"abstract":"<div><div>Technostress is a growing concern for organisations, given the negative impacts of stress on employees' job satisfaction, productivity, and intention to comply with or violate policies. Security-related stress (SRS), a dimension of technostress, addresses how security-related activities, such as information technology compliance, can impact an individual's stress. Addressing security-related stress research is vital, given it can help identify factors that can both enhance employee well-being and strengthen an organisation's security posture. In this paper, we systematically review the literature from the past two decades addressing security-related stress and identify twenty-seven relevant studies for analysis. We make contributions in three areas. Firstly, we discover the predominant theoretical frameworks and models that address security-related stress while examining key factors and constructs that examine security-related stress. Secondly, we describe how security-related stress is measured and what interventions have proven effective in reducing it. Finally, based on our comprehensive analysis, we present a research agenda to inform future research directions of security-related stress.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104776"},"PeriodicalIF":5.4,"publicationDate":"2025-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145624650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A formal approach for security pattern enforcement in software architecture 一种在软件体系结构中实施安全模式的正式方法

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-17 DOI: 10.1016/j.cose.2025.104749

Quentin Rouland , Kamel Adi , Omer Nguena Timo , Luigi Logrippo

The use of security patterns has been recognized as effective in mitigating vulnerabilities in software systems. However, it is still not well understood how they can be applied systematically and effectively in concrete systems to achieve the best results. We present a formal approach based on the Alloy model checker to detect information disclosure vulnerabilities and enforce appropriate security patterns automatically. The approach helps improve the overall security posture of software systems while reducing the dependence on manual security analysis. We demonstrate the usability of our approach through the use case of a Smart Meter Gateway. The proposed approach is generic and constitutes a significant advancement toward systematic methods for designing secure software systems.

安全模式的使用在减轻软件系统中的漏洞方面被认为是有效的。然而，如何将它们系统有效地应用于具体系统中，以达到最佳效果，仍未得到很好的理解。我们提出了一种基于Alloy模型检查器的正式方法来检测信息披露漏洞并自动执行适当的安全模式。该方法有助于提高软件系统的整体安全状态，同时减少对人工安全分析的依赖。我们通过智能电表网关的用例展示了我们方法的可用性。所提出的方法是通用的，并且构成了设计安全软件系统的系统化方法的重大进步。

引用次数: 0

SecTracer: A framework for uncovering the root causes of network intrusions via security provenance SecTracer：通过安全来源发现网络入侵的根本原因的框架

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-17 DOI: 10.1016/j.cose.2025.104760

Seunghyeon Lee , Hyunmin Seo , Hwanjo Heo , Anduo Wang , Seungwon Shin , Jinwoo Kim

Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of network-level security provenance, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present SecTracer as a framework for a network-wide provenance analysis. SecTracer offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear and interpretable view of intrusions, and (iii) proactive attack prediction using probabilistic models. We evaluated the effectiveness and efficiency of SecTracer through a real-world APT simulation, demonstrating its capability to enhance threat mitigation while introducing less than 1 % network throughput overhead and negligible latency impact.

现代企业网络包含多种异构系统，这些系统支持广泛的服务，这使得管理员很难跟踪和分析复杂的攻击，例如高级持久威胁（apt），这些攻击通常利用多个向量。为了应对这一挑战，我们引入了网络级安全溯源的概念，它可以在网络级系统地建立跨主机的因果关系，从而有助于准确识别安全事件的根本原因。在这个概念的基础上，我们提出了SecTracer作为一个框架，用于整个网络的来源分析。SecTracer提供了三个主要贡献：(i)通过软件定义网络（SDN）在企业网络中全面有效地收集取证数据；（ii）通过来源图重建攻击历史，以提供清晰且可解释的入侵视图；（iii）使用概率模型进行主动攻击预测。我们通过真实世界的APT模拟评估了SecTracer的有效性和效率，展示了其增强威胁缓解的能力，同时引入不到1%的网络吞吐量开销和可忽略的延迟影响。

{"title":"SecTracer: A framework for uncovering the root causes of network intrusions via security provenance","authors":"Seunghyeon Lee , Hyunmin Seo , Hwanjo Heo , Anduo Wang , Seungwon Shin , Jinwoo Kim","doi":"10.1016/j.cose.2025.104760","DOIUrl":"10.1016/j.cose.2025.104760","url":null,"abstract":"<div><div>Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of <em>network-level security provenance</em>, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present <span>SecTracer</span> as a framework for a network-wide provenance analysis. <span>SecTracer</span> offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear and interpretable view of intrusions, and (iii) proactive attack prediction using probabilistic models. We evaluated the effectiveness and efficiency of <span>SecTracer</span> through a real-world APT simulation, demonstrating its capability to enhance threat mitigation while introducing less than 1 % network throughput overhead and negligible latency impact.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104760"},"PeriodicalIF":5.4,"publicationDate":"2025-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145624648","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Certification as a compensation mechanism for weak regulation? Exploring the diffusion of the international standard ISO/IEC 27001 for information security management 认证作为监管不力的补偿机制？探讨资讯安全管理的国际标准ISO/IEC 27001的推广

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-16 DOI: 10.1016/j.cose.2025.104774

Mona Mirtsch , Jakob Pohlisch , Knut Blind

Safeguarding information security has become a key managerial responsibility. The standard “Information security, cybersecurity and privacy protection - Information security management systems - Requirements” (ISO/IEC 27001) specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability through risk management and security controls. While the number of valid certifications has grown significantly over time, adoption rates vary widely across countries. Drawing on signaling theory, we present the first comprehensive global study of ISO/IEC 27001 diffusion, with a particular focus on the influence of regulatory frameworks and international trade. Based on regression analyses covering 128 countries having implemented ISO/IEC 27001 between 2006 and 2017, our findings suggest that organizations may use ISO/IEC 27001 certification as a signaling mechanism, especially in environments with less stringent regulatory frameworks.

保障信息安全已成为一项重要的管理责任。标准“信息安全、网络安全和隐私保护——信息安全管理体系——要求”（ISO/IEC 27001）规定了建立、实施、维护和持续改进信息安全管理体系（ISMS）的要求。它提供了一种系统的方法来管理敏感信息，通过风险管理和安全控制确保其机密性、完整性和可用性。虽然随着时间的推移，有效认证的数量显著增加，但各国的采用率差异很大。利用信号理论，我们提出了ISO/IEC 27001扩散的第一个全面的全球研究，特别关注监管框架和国际贸易的影响。基于对2006年至2017年间实施ISO/IEC 27001的128个国家的回归分析，我们的研究结果表明，组织可能会将ISO/IEC 27001认证作为一种信号机制，特别是在监管框架不太严格的环境中。

{"title":"Certification as a compensation mechanism for weak regulation? Exploring the diffusion of the international standard ISO/IEC 27001 for information security management","authors":"Mona Mirtsch , Jakob Pohlisch , Knut Blind","doi":"10.1016/j.cose.2025.104774","DOIUrl":"10.1016/j.cose.2025.104774","url":null,"abstract":"<div><div>Safeguarding information security has become a key managerial responsibility. The standard “Information security, cybersecurity and privacy protection - Information security management systems - Requirements” (ISO/IEC 27001) specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability through risk management and security controls. While the number of valid certifications has grown significantly over time, adoption rates vary widely across countries. Drawing on signaling theory, we present the first comprehensive global study of ISO/IEC 27001 diffusion, with a particular focus on the influence of regulatory frameworks and international trade. Based on regression analyses covering 128 countries having implemented ISO/IEC 27001 between 2006 and 2017, our findings suggest that organizations may use ISO/IEC 27001 certification as a signaling mechanism, especially in environments with less stringent regulatory frameworks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"162 ","pages":"Article 104774"},"PeriodicalIF":5.4,"publicationDate":"2025-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685327","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Integration of emerging technologies in cybersecurity for healthcare: A systematic review 医疗网络安全新兴技术的整合：系统综述

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-15 DOI: 10.1016/j.cose.2025.104763

Dwibik Patra, Narendran Rajagopalan

The integration of Internet of Medical Things (IoMT) devices into healthcare has enhanced clinical services but also widened the attack surface, exposing systems to ransomware, data exfiltration, and protocol spoofing. Conventional security mechanisms often fall short in addressing such diverse and evolving threats. This review examines the role of hybrid approaches that combine machine learning (ML) and deep learning (DL) models with metaheuristic optimization techniques in strengthening healthcare cybersecurity. Techniques such as Genetic Algorithms, Particle Swarm Optimization, and Ant Colony Optimization are assessed for their capacity to fine-tune learning models, improve detection accuracy, and enhance adaptability against complex attack patterns. Evidence from recent studies demonstrates that these hybrid solutions achieve higher resilience and better handling of imbalanced or dynamic datasets compared with traditional methods. However, challenges persist in achieving interpretability, ensuring real-time processing, and maintaining compliance with regulatory frameworks, including HIPAA and GDPR. The review highlights how explainable AI methods such as SHAP and LIME, alongside multi-objective optimization frameworks such as NSGA-II, contribute to balancing accuracy, latency, and privacy requirements. Applications discussed include intrusion detection in hospital networks, protection of IoMT infrastructures, and safeguarding of electronic health records. The paper concludes by identifying open research challenges and proposing a roadmap for developing lightweight, interpretable, and regulation-aware AI solutions tailored to the specific needs of healthcare cybersecurity.

医疗物联网（IoMT）设备与医疗保健的集成增强了临床服务，但也扩大了攻击面，使系统暴露于勒索软件、数据泄露和协议欺骗之下。传统的安全机制在应对这些多样化和不断演变的威胁方面往往存在不足。本文综述了结合机器学习（ML）和深度学习（DL）模型与元启发式优化技术的混合方法在加强医疗保健网络安全中的作用。遗传算法、粒子群优化和蚁群优化等技术被评估为微调学习模型、提高检测准确性和增强对复杂攻击模式的适应性的能力。最近的研究表明，与传统方法相比，这些混合解决方案具有更高的弹性和更好的处理不平衡或动态数据集的能力。然而，在实现可解释性、确保实时处理和维护法规框架（包括HIPAA和GDPR）的合规性方面仍然存在挑战。该综述强调了可解释的AI方法（如SHAP和LIME）以及多目标优化框架（如NSGA-II）如何有助于平衡准确性、延迟和隐私要求。讨论的应用包括医院网络中的入侵检测、IoMT基础设施的保护以及电子健康记录的保护。本文最后确定了开放的研究挑战，并提出了针对医疗保健网络安全的特定需求开发轻量级、可解释和监管意识的人工智能解决方案的路线图。

{"title":"Integration of emerging technologies in cybersecurity for healthcare: A systematic review","authors":"Dwibik Patra, Narendran Rajagopalan","doi":"10.1016/j.cose.2025.104763","DOIUrl":"10.1016/j.cose.2025.104763","url":null,"abstract":"<div><div>The integration of Internet of Medical Things (IoMT) devices into healthcare has enhanced clinical services but also widened the attack surface, exposing systems to ransomware, data exfiltration, and protocol spoofing. Conventional security mechanisms often fall short in addressing such diverse and evolving threats. This review examines the role of hybrid approaches that combine machine learning (ML) and deep learning (DL) models with metaheuristic optimization techniques in strengthening healthcare cybersecurity. Techniques such as Genetic Algorithms, Particle Swarm Optimization, and Ant Colony Optimization are assessed for their capacity to fine-tune learning models, improve detection accuracy, and enhance adaptability against complex attack patterns. Evidence from recent studies demonstrates that these hybrid solutions achieve higher resilience and better handling of imbalanced or dynamic datasets compared with traditional methods. However, challenges persist in achieving interpretability, ensuring real-time processing, and maintaining compliance with regulatory frameworks, including HIPAA and GDPR. The review highlights how explainable AI methods such as SHAP and LIME, alongside multi-objective optimization frameworks such as NSGA-II, contribute to balancing accuracy, latency, and privacy requirements. Applications discussed include intrusion detection in hospital networks, protection of IoMT infrastructures, and safeguarding of electronic health records. The paper concludes by identifying open research challenges and proposing a roadmap for developing lightweight, interpretable, and regulation-aware AI solutions tailored to the specific needs of healthcare cybersecurity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104763"},"PeriodicalIF":5.4,"publicationDate":"2025-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145624653","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

ICloud: An intrusion detection and dynamic defense mechanism for cloud environments ICloud：针对云环境的入侵检测和动态防御机制

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-15 DOI: 10.1016/j.cose.2025.104755

Yuxiang Ma, Tao Chen, Jiaqi Lin, Ying Cao

With the development of artificial intelligence (AI), cloud environments are becoming increasingly important. However, cloud environment networks are at risk of various network attacks. Therefore, it is crucial to detect abnormal traffic in cloud environment networks. With the continuous development of network technology, the diversity of cloud environment network traffic continues to increase (intra-class diversity), and the boundary between malicious and benign behaviors becomes more blurred (inter-class similarity), leading to false detection. At the same time, most game theory defense deception methods for cloud environment networks assume that the attacker and defender maintain consistent views under uncertainty. In fact, the attacker and defender have different views on the same game. To address the above issues, we propose an intrusion detection and dynamic defense mechanism for cloud environments. To address the challenges brought by intra-class diversity and inter-class similarity, we propose an intrusion detection system (IDS) based on contrastive learning, which can make correct decisions when classifying samples of different categories. To identify traffic more accurately, this paper proposes an improved lightweight ResNet-34 model (IResNet34). To address the challenge that the attacker and defender have different views on the same game, we propose a hypergame model involving multiple attackers and defenders. The attacker cannot obtain complete game information through defensive deception technology, resulting in attack failure. In addition, we propose an adaptive defense strategy selection method based on machine learning, which automatically selects the best defense strategy based on the game record. The output of dynamic defense will be fed back to the intrusion detection module to reduce the false alarm rate. Finally, experiments verified that the method based on contrastive learning proposed in this paper can achieve high detection accuracy in the real world and benchmark datasets, and the dynamic defense method can effectively reduce the false positive rate (FPR) of IDS.

随着人工智能（AI）的发展，云环境变得越来越重要。然而，云环境网络面临着各种网络攻击的风险。因此，检测云环境网络中的异常流量至关重要。随着网络技术的不断发展，云环境网络流量的多样性不断增加（类内多样性），恶意与良性行为的界限越来越模糊（类间相似性），导致误检。同时，大多数针对云环境网络的博弈论防御欺骗方法都假设攻击者和防御者在不确定性下保持一致的观点。事实上，攻击者和防守者对同一场比赛有着不同的看法。针对上述问题，提出了一种云环境下的入侵检测与动态防御机制。针对类内多样性和类间相似性带来的挑战，提出了一种基于对比学习的入侵检测系统（IDS），该系统在分类不同类别的样本时能够做出正确的决策。为了更准确地识别流量，本文提出了一种改进的轻量级ResNet-34模型（IResNet34）。为了解决攻击者和防御者对同一博弈有不同看法的挑战，我们提出了一个涉及多个攻击者和防御者的超博弈模型。攻击者无法通过防御欺骗技术获取完整的博弈信息，导致攻击失败。此外，我们提出了一种基于机器学习的自适应防御策略选择方法，该方法根据比赛记录自动选择最佳防御策略。动态防御的输出将反馈给入侵检测模块，以降低误报率。最后，实验验证了本文提出的基于对比学习的方法在真实世界和基准数据集上都能达到较高的检测精度，动态防御方法能有效降低入侵检测的误报率（FPR）。

{"title":"ICloud: An intrusion detection and dynamic defense mechanism for cloud environments","authors":"Yuxiang Ma, Tao Chen, Jiaqi Lin, Ying Cao","doi":"10.1016/j.cose.2025.104755","DOIUrl":"10.1016/j.cose.2025.104755","url":null,"abstract":"<div><div>With the development of artificial intelligence (AI), cloud environments are becoming increasingly important. However, cloud environment networks are at risk of various network attacks. Therefore, it is crucial to detect abnormal traffic in cloud environment networks. With the continuous development of network technology, the diversity of cloud environment network traffic continues to increase (intra-class diversity), and the boundary between malicious and benign behaviors becomes more blurred (inter-class similarity), leading to false detection. At the same time, most game theory defense deception methods for cloud environment networks assume that the attacker and defender maintain consistent views under uncertainty. In fact, the attacker and defender have different views on the same game. To address the above issues, we propose an intrusion detection and dynamic defense mechanism for cloud environments. To address the challenges brought by intra-class diversity and inter-class similarity, we propose an intrusion detection system (IDS) based on contrastive learning, which can make correct decisions when classifying samples of different categories. To identify traffic more accurately, this paper proposes an improved lightweight ResNet-34 model (IResNet34). To address the challenge that the attacker and defender have different views on the same game, we propose a hypergame model involving multiple attackers and defenders. The attacker cannot obtain complete game information through defensive deception technology, resulting in attack failure. In addition, we propose an adaptive defense strategy selection method based on machine learning, which automatically selects the best defense strategy based on the game record. The output of dynamic defense will be fed back to the intrusion detection module to reduce the false alarm rate. Finally, experiments verified that the method based on contrastive learning proposed in this paper can achieve high detection accuracy in the real world and benchmark datasets, and the dynamic defense method can effectively reduce the false positive rate (FPR) of IDS.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104755"},"PeriodicalIF":5.4,"publicationDate":"2025-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145624651","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0