Computers & Security最新文献_第9页

Obfuscation detection using matrix complexity features of binary grayscale images 基于矩阵复杂度特征的二值灰度图像混淆检测

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-08 DOI: 10.1016/j.cose.2025.104746

Sebastian Raubitzek , Sebastian Schrittwieser , Caroline König , Patrick Felbauer , Kevin Mallinger , Andreas Ekelhart , Edgar Weippl

Malware that conceals its behaviour through code obfuscation remains a central challenge for automated detection. This work introduced a novel approach for detecting the presence of obfuscation and identifying specific techniques. We transform binary code into grayscale images by mapping its bytes to a pixel intensity and apply singular value decomposition (SVD) to extract 18 matrix-complexity metrics that reflect structural changes introduced by an obfuscation. Using this approach, we evaluate eight Tigress obfuscation techniques on whether they leave a distinct spectral signature that can be classified. To obtain statistically robust results, we employ an ensemble of 100 independently tuned ExtraTrees models trained on different stratified 80/20 splits. The ensemble achieves average accuracies of 0.99 for detecting obfuscation, 0.94 for obfuscation type attribution, and 0.93 for identifying specific techniques. Feature-importance rankings and per-metric distribution plots make the results interpretable and transferable. The contributions of this study are (i) a reproducible pipeline for classifying obfuscated binaries, (ii) a detailed analysis of how obfuscation alters binary structure and its image representation, and (iii) actionable insight into which SVD metrics are most indicative of each transformation.

通过代码混淆隐藏其行为的恶意软件仍然是自动检测的核心挑战。这项工作介绍了一种新的方法来检测混淆的存在和识别特定的技术。我们通过将二进制代码的字节映射到像素强度来将其转换为灰度图像，并应用奇异值分解（SVD）来提取18个矩阵复杂度指标，这些指标反映了由混淆引入的结构变化。使用这种方法，我们评估了八种虎妞混淆技术，看它们是否留下了可以分类的独特光谱特征。为了获得统计上稳健的结果，我们采用了100个独立调优的extratree模型的集合，这些模型在不同的分层80/20分割上训练。集成检测混淆的平均准确率为0.99，混淆类型归因的平均准确率为0.94，识别特定技术的平均准确率为0.93。特征重要性排序和每度量分布图使结果具有可解释性和可转移性。本研究的贡献是：(i)对混淆二进制进行分类的可重复管道，（ii）对混淆如何改变二进制结构及其图像表示的详细分析，以及（iii）对哪种SVD指标最能指示每种转换的可操作见解。

{"title":"Obfuscation detection using matrix complexity features of binary grayscale images","authors":"Sebastian Raubitzek , Sebastian Schrittwieser , Caroline König , Patrick Felbauer , Kevin Mallinger , Andreas Ekelhart , Edgar Weippl","doi":"10.1016/j.cose.2025.104746","DOIUrl":"10.1016/j.cose.2025.104746","url":null,"abstract":"<div><div>Malware that conceals its behaviour through code obfuscation remains a central challenge for automated detection. This work introduced a novel approach for detecting the presence of obfuscation and identifying specific techniques. We transform binary code into grayscale images by mapping its bytes to a pixel intensity and apply singular value decomposition (SVD) to extract 18 matrix-complexity metrics that reflect structural changes introduced by an obfuscation. Using this approach, we evaluate eight Tigress obfuscation techniques on whether they leave a distinct spectral signature that can be classified. To obtain statistically robust results, we employ an ensemble of 100 independently tuned ExtraTrees models trained on different stratified 80/20 splits. The ensemble achieves average accuracies of 0.99 for detecting obfuscation, 0.94 for obfuscation type attribution, and 0.93 for identifying specific techniques. Feature-importance rankings and per-metric distribution plots make the results interpretable and transferable. The contributions of this study are (i) a reproducible pipeline for classifying obfuscated binaries, (ii) a detailed analysis of how obfuscation alters binary structure and its image representation, and (iii) actionable insight into which SVD metrics are most indicative of each transformation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104746"},"PeriodicalIF":5.4,"publicationDate":"2025-11-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145500195","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Dynamic soft isolation and restricted eviction for cache side channel attack defense 缓存侧信道攻击防御的动态软隔离和限制驱逐

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-07 DOI: 10.1016/j.cose.2025.104753

Chuan Lu, Senlin Luo, Limin Pan

Cache side channel attack seriously threatens microarchitectural security. A key challenge in mitigating such attack lies in analyzing behavioral characteristics and intentions at different stages. Existing methods utilize static isolation domains to prevent data eviction between attackers and victims. The number of isolation domains is constrained by cache size, making protection insufficient processes when the number of protected processes exceeds this limit. Moreover, the capacity and location of isolation domains cannot be dynamically adjusted according to the process demand, leading to either underutilized cache lines or excessive evictions, both of which degrade performance. Therefore, a Dynamic Soft Isolation and Restricted Eviction for Cache Side Channel Attack Defense (DSI-RE) is proposed. DSI-RE introduces a dynamic soft isolation method with flexible isolation boundaries, which dynamically adjusts the number, capacity and location of isolation domains based on process demands by domain labels, enhancing cache utilization and operational efficiency. Additionally, a restricted eviction with intent-aware is proposed, which detects the attack behavior across different attack stage, and imposes different restrictions on the replacement algorithm to prevent sensitive evictions. Extensive experimental results show that DSI-RE outperforms the state-of-the-art methods. The proposed method novelly identifies the key behavioral intent during an attack and blocks the attack by introducing minor restrictions in attack process.

缓存侧通道攻击严重威胁微架构安全。减轻此类攻击的一个关键挑战在于分析不同阶段的行为特征和意图。现有方法利用静态隔离域来防止攻击者和受害者之间的数据驱逐。隔离域的数量受缓存大小的限制，当受保护的进程数量超过此限制时，将导致保护进程不足。此外，隔离域的容量和位置不能根据进程需求动态调整，导致缓存线利用率不足或过多的驱逐，这两种情况都会降低性能。为此，提出了一种用于缓存侧信道攻击防御（DSI-RE）的动态软隔离和受限驱逐方法。DSI-RE引入了具有灵活隔离边界的动态软隔离方法，通过域标签根据进程需求动态调整隔离域的数量、容量和位置，提高了缓存利用率和运行效率。此外，提出了一种具有意图感知的受限驱逐算法，该算法在不同的攻击阶段检测攻击行为，并对替换算法施加不同的限制以防止敏感驱逐。大量的实验结果表明，DSI-RE优于最先进的方法。该方法新颖地识别攻击过程中的关键行为意图，并通过在攻击过程中引入次要限制来阻止攻击。

{"title":"Dynamic soft isolation and restricted eviction for cache side channel attack defense","authors":"Chuan Lu, Senlin Luo, Limin Pan","doi":"10.1016/j.cose.2025.104753","DOIUrl":"10.1016/j.cose.2025.104753","url":null,"abstract":"<div><div>Cache side channel attack seriously threatens microarchitectural security. A key challenge in mitigating such attack lies in analyzing behavioral characteristics and intentions at different stages. Existing methods utilize static isolation domains to prevent data eviction between attackers and victims. The number of isolation domains is constrained by cache size, making protection insufficient processes when the number of protected processes exceeds this limit. Moreover, the capacity and location of isolation domains cannot be dynamically adjusted according to the process demand, leading to either underutilized cache lines or excessive evictions, both of which degrade performance. Therefore, a <strong><u>D</u></strong>ynamic <strong><u>S</u></strong>oft <strong><u>I</u></strong>solation and <strong><u>R</u></strong>estricted <strong><u>E</u></strong>viction for Cache Side Channel Attack Defense (DSI-RE) is proposed. DSI-RE introduces a dynamic soft isolation method with flexible isolation boundaries, which dynamically adjusts the number, capacity and location of isolation domains based on process demands by domain labels, enhancing cache utilization and operational efficiency. Additionally, a restricted eviction with intent-aware is proposed, which detects the attack behavior across different attack stage, and imposes different restrictions on the replacement algorithm to prevent sensitive evictions. Extensive experimental results show that DSI-RE outperforms the state-of-the-art methods. The proposed method novelly identifies the key behavioral intent during an attack and blocks the attack by introducing minor restrictions in attack process.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104753"},"PeriodicalIF":5.4,"publicationDate":"2025-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145529096","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

SigOverlay: A security evaluation model based on reference signals SigOverlay：基于参考信号的安全评估模型

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-05 DOI: 10.1016/j.cose.2025.104750

Shi Hu , Shan Wang , Jian Wang, Quan Peng, Jingyu Tang, Jingni Chen

The integration of satellite and terrestrial networks effectively addresses geographical limitations, providing extensive and seamless connectivity. Despite robust security measures implemented in both terrestrial networks and satellite communication systems, certain inherent vulnerabilities in LTE/5G protocols can still be exploited, potentially compromising security. In this paper, we propose a security evaluation model, SigOverlay, which targets both terrestrial cellular networks and satellite communication networks. By exploiting the inherent openness of the Physical Broadcast Channel, SigOverlay can stealthily disrupt regular communication without incurring substantial additional power consumption. Experiments with commercial software-defined radios demonstrated the feasibility and effectiveness of this strategy, revealing security risks in integrated satellite-terrestrial networks.

卫星和地面网络的融合有效地解决了地理限制，提供了广泛和无缝的连接。尽管在地面网络和卫星通信系统中实施了强大的安全措施，但LTE/5G协议中的某些固有漏洞仍可能被利用，从而可能危及安全。在本文中，我们提出了一个安全评估模型，SigOverlay，它同时针对地面蜂窝网络和卫星通信网络。通过利用物理广播信道固有的开放性，SigOverlay可以在不引起大量额外功耗的情况下秘密地中断常规通信。商用软件定义无线电的实验证明了该策略的可行性和有效性，揭示了卫星-地面综合网络的安全风险。

引用次数: 0

Reassessing information security perceptions following a data breach announcement: The role of post-breach management in firm-specific risk 数据泄露公告后信息安全观念的重新评估：泄露后管理在公司特定风险中的作用

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-05 DOI: 10.1016/j.cose.2025.104752

Faheem Ahmed Shaikh , Damien Joseph , Eugene Kang

Public announcements of data breaches often lead to short-lived negative stock price reactions, raising questions about firms’ incentives for sustained cybersecurity improvements. This study applies legitimacy theory to examine how investor perceptions of a firm’s security practices—termed information security legitimacy—shape firm-specific risk after such announcements. Analyzing media sentiment following 485 U.S. data breach announcements, we find that firms with stronger information security legitimacy experience significantly lower firm-specific risk over six months. Additionally, shorter delays in public breach announcements strengthen this risk reduction. By linking data breach announcements with post-breach management, this study offers a unified framework showing how proactive security actions and timely communication mitigate long-term financial risk. These findings provide actionable guidance for security managers to prioritize rapid disclosure and strategic legitimacy management, advancing theory on stakeholder perceptions in cybersecurity.

数据泄露的公开公告通常会导致短期的负面股价反应，引发人们对公司持续改进网络安全的动机的质疑。本研究运用合法性理论来检验投资者对公司安全实践（称为信息安全合法性）的看法如何在此类公告后塑造公司特定风险。我们分析了485个美国数据泄露公告后的媒体情绪，发现信息安全合法性较强的公司在六个月内的公司特定风险显著降低。此外，更短的公开违规公告延迟加强了这种风险降低。通过将数据泄露公告与泄露后管理联系起来，本研究提供了一个统一的框架，展示了主动安全行动和及时沟通如何降低长期财务风险。这些发现为安全管理人员优先考虑快速披露和战略合法性管理提供了可操作的指导，推进了利益相关者在网络安全方面的认知理论。

{"title":"Reassessing information security perceptions following a data breach announcement: The role of post-breach management in firm-specific risk","authors":"Faheem Ahmed Shaikh , Damien Joseph , Eugene Kang","doi":"10.1016/j.cose.2025.104752","DOIUrl":"10.1016/j.cose.2025.104752","url":null,"abstract":"<div><div>Public announcements of data breaches often lead to short-lived negative stock price reactions, raising questions about firms’ incentives for sustained cybersecurity improvements. This study applies legitimacy theory to examine how investor perceptions of a firm’s security practices—termed information security legitimacy—shape firm-specific risk after such announcements. Analyzing media sentiment following 485 U.S. data breach announcements, we find that firms with stronger information security legitimacy experience significantly lower firm-specific risk over six months. Additionally, shorter delays in public breach announcements strengthen this risk reduction. By linking data breach announcements with post-breach management, this study offers a unified framework showing how proactive security actions and timely communication mitigate long-term financial risk. These findings provide actionable guidance for security managers to prioritize rapid disclosure and strategic legitimacy management, advancing theory on stakeholder perceptions in cybersecurity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104752"},"PeriodicalIF":5.4,"publicationDate":"2025-11-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145500194","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Secure multi-cloud collaboration using data leakage free attribute-based access control policies 使用无数据泄漏的基于属性的访问控制策略来保护多云协作

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-11-04 DOI: 10.1016/j.cose.2025.104736

John C. John , Arobinda Gupta , Shamik Sural

With an increase in the diversity and complexity of requirements from organizations for cloud computing, there is a growing need for integrating the services of multiple cloud providers. In such multi-cloud systems, data leakage is considered to be a major security concern, which is caused by illegitimate actions of malicious users often acting in collusion. The possibility of data leakage in such environments is characterized by the number of interoperations as well as the trustworthiness of users on the collaborating clouds. In this paper, we address the problem of secure multi-cloud collaboration from an Attribute-based Access Control (ABAC) policy management perspective. In particular, we define a problem that aims to formulate ABAC policy rules for establishing a high degree of inter-cloud accesses while eliminating potential paths for data leakage. A data leakage free ABAC policy generation algorithm is proposed that first determines the likelihood of data leakage and then attempts to maximize inter-cloud collaborations. We also pose several variants of the problem by imposing additional meaningful constraints on the nature of accesses. Experimental results on several large data sets show the efficacy of the proposed approach.

随着组织对云计算需求的多样性和复杂性的增加，越来越需要集成多个云提供商的服务。在这种多云系统中，数据泄露被认为是一个主要的安全问题，这是由于恶意用户的非法行为经常相互勾结造成的。在这种环境中，数据泄露的可能性取决于互操作的数量以及协作云上用户的可信度。在本文中，我们从基于属性的访问控制（ABAC）策略管理的角度解决了安全多云协作的问题。特别是，我们定义了一个问题，旨在制定ABAC策略规则，以建立高度的云间访问，同时消除潜在的数据泄漏路径。提出了一种无数据泄漏的ABAC策略生成算法，该算法首先确定数据泄漏的可能性，然后尝试最大化云间协作。通过对访问的性质施加额外的有意义的约束，我们还提出了该问题的几个变体。在多个大型数据集上的实验结果表明了该方法的有效性。

{"title":"Secure multi-cloud collaboration using data leakage free attribute-based access control policies","authors":"John C. John , Arobinda Gupta , Shamik Sural","doi":"10.1016/j.cose.2025.104736","DOIUrl":"10.1016/j.cose.2025.104736","url":null,"abstract":"<div><div>With an increase in the diversity and complexity of requirements from organizations for cloud computing, there is a growing need for integrating the services of multiple cloud providers. In such multi-cloud systems, data leakage is considered to be a major security concern, which is caused by illegitimate actions of malicious users often acting in collusion. The possibility of data leakage in such environments is characterized by the number of interoperations as well as the trustworthiness of users on the collaborating clouds. In this paper, we address the problem of secure multi-cloud collaboration from an Attribute-based Access Control (ABAC) policy management perspective. In particular, we define a problem that aims to formulate ABAC policy rules for establishing a high degree of inter-cloud accesses while eliminating potential paths for data leakage. A data leakage free ABAC policy generation algorithm is proposed that first determines the likelihood of data leakage and then attempts to maximize inter-cloud collaborations. We also pose several variants of the problem by imposing additional meaningful constraints on the nature of accesses. Experimental results on several large data sets show the efficacy of the proposed approach.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104736"},"PeriodicalIF":5.4,"publicationDate":"2025-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145529097","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

FirmUpdate: Automated multi-phase static analysis for detecting firmware update vulnerabilities in IoT Linux-based firmware FirmUpdate：自动多阶段静态分析，用于检测物联网linux固件中的固件更新漏洞

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-10-31 DOI: 10.1016/j.cose.2025.104735

Jian Zhang, Ping Chen

With the widespread deployment of IoT devices, firmware update process becomes the main target of malicious attack, which could cause large-scale devices bricking, critical information leakage, and vulnerability propagation through supply chain. Due to the complexity of firmware update process and implementation flaws, there are multiple types of firmware update vulnerabilities in each phase of firmware update process. Current studies cannot effectively detect these vulnerabilities through an automatic approach. Therefore, we propose FirmUpdate in this paper, an automated static firmware update vulnerability detection approach, which could recover the entire firmware update process and detect vulnerabilities in each phase of the firmware update process. FirmUpdate first constructs UG (Update Graph) to abstract the firmware update process into flow chat. Then, performs unsafe verification discovery and update-related taint analysis on UG. With these two methods, FirmUpdate could automatically detect firmware update vulnerabilities, including firmware verification, buffer overflow, and command injection vulnerabilities. FirmUpdate performs vulnerability detection in a firmware set that contains 131 firmware images from 7 vendors. The TPR (True Positive Rate) of vulnerability detection is 89.3 %. FirmUpdate detected 12 0-day vulnerabilities that had been assigned CVE ID, covering firmware verification, buffer overflow, and command injection vulnerabilities. Therefore, FirmUpdate provides an automated static approach to detect firmware update vulnerabilities, which could help IoT device vendors identify and fix vulnerabilities.

随着物联网设备的广泛部署，固件更新过程成为恶意攻击的主要目标，可能导致大规模的设备阻塞、关键信息泄露和漏洞在供应链中的传播。由于固件更新过程的复杂性和实现缺陷，固件更新过程的每个阶段都存在多种类型的固件更新漏洞。目前的研究无法通过自动方法有效地检测这些漏洞。因此，我们在本文中提出了一种自动化的静态固件更新漏洞检测方法FirmUpdate，它可以恢复整个固件更新过程，并在固件更新过程的每个阶段检测漏洞。FirmUpdate首先构造UG（更新图）将固件更新过程抽象为流聊天。然后，在UG上执行不安全验证发现和更新相关的污染分析。通过这两种方法，FirmUpdate可以自动检测固件更新漏洞，包括固件验证、缓冲区溢出和命令注入漏洞。FirmUpdate在包含来自7家供应商的131个固件映像的固件集中执行漏洞检测。漏洞检测的真阳性率（TPR）为89.3%。FirmUpdate检测到12个已分配CVE ID的0天漏洞，包括固件验证，缓冲区溢出和命令注入漏洞。因此，FirmUpdate提供了一种自动的静态方法来检测固件更新漏洞，这可以帮助物联网设备供应商识别和修复漏洞。

{"title":"FirmUpdate: Automated multi-phase static analysis for detecting firmware update vulnerabilities in IoT Linux-based firmware","authors":"Jian Zhang, Ping Chen","doi":"10.1016/j.cose.2025.104735","DOIUrl":"10.1016/j.cose.2025.104735","url":null,"abstract":"<div><div>With the widespread deployment of IoT devices, firmware update process becomes the main target of malicious attack, which could cause large-scale devices bricking, critical information leakage, and vulnerability propagation through supply chain. Due to the complexity of firmware update process and implementation flaws, there are multiple types of firmware update vulnerabilities in each phase of firmware update process. Current studies cannot effectively detect these vulnerabilities through an automatic approach. Therefore, we propose FirmUpdate in this paper, an automated static firmware update vulnerability detection approach, which could recover the entire firmware update process and detect vulnerabilities in each phase of the firmware update process. FirmUpdate first constructs UG (Update Graph) to abstract the firmware update process into flow chat. Then, performs unsafe verification discovery and update-related taint analysis on UG. With these two methods, FirmUpdate could automatically detect firmware update vulnerabilities, including firmware verification, buffer overflow, and command injection vulnerabilities. FirmUpdate performs vulnerability detection in a firmware set that contains 131 firmware images from 7 vendors. The TPR (True Positive Rate) of vulnerability detection is 89.3 %. FirmUpdate detected 12 0-day vulnerabilities that had been assigned CVE ID, covering firmware verification, buffer overflow, and command injection vulnerabilities. Therefore, FirmUpdate provides an automated static approach to detect firmware update vulnerabilities, which could help IoT device vendors identify and fix vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104735"},"PeriodicalIF":5.4,"publicationDate":"2025-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145520266","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Evaluating cyber attacks on central banks – identification of trends in cyber threat landscape 评估对央行的网络攻击——识别网络威胁形势的趋势

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-10-30 DOI: 10.1016/j.cose.2025.104742

Paweł Smaga

This study identifies main characteristics of cyber attacks on 63 central banks, based on the analysis of 84 case studies of attacks, which occurred from 2010 to 2025. Combining data on attacks from numerous publicly available databases and using the framework of rational choice and routine activity theories, reveals a rise in frequency of attacks over time, often part of broader offensives on financial institutions. In line with political risk theory, politically motivated hacktivists, by launching DDoS, were behind half the attacks (54,8 %), while financially motivated criminals, using diverse attack vectors, were responsible for one-fifth (19 %). Despite the attacks having no systemic consequences, detailed data remains scarce, which hinders research. Results point to actionable policy implications for enhancing central banks’ cyber resilience in form of both preventative and reactive strategies.

本研究通过对2010年至2025年间84起网络攻击案例的分析，确定了针对63家央行的网络攻击的主要特征。结合来自众多公开可用数据库的攻击数据，并使用理性选择和常规活动理论的框架，揭示了攻击频率随着时间的推移而上升，通常是针对金融机构的更广泛攻击的一部分。根据政治风险理论，有一半的攻击是出于政治动机的黑客分子发起的DDoS攻击（54.8%），而有经济动机的犯罪分子使用各种攻击媒介，占五分之一（19%）。尽管这些攻击没有造成系统性后果，但详细的数据仍然稀缺，这阻碍了研究。研究结果指出了以预防性和反应性战略的形式加强央行网络弹性的可操作政策含义。

引用次数: 0

Improving the transferability of targeted adversarial examples by style-agnostic attack 通过风格不可知攻击提高目标对抗性示例的可转移性

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-10-30 DOI: 10.1016/j.cose.2025.104744

Wei Zhou , Zimin Mao , Shuijun Yin , Hanwen Zhang , Zhicheng Huang , Heng Li , Tiejun Wu , Wei Yuan

Recently transfer-based black-box adversarial attacks have garnered increasing attention owing to their high practicality. However, targeted attacks suffer low transfer success rates, especially when overfitting to their source model. In this paper, we observe that perturbations with higher generalization across different styles of images tend to have higher targeted transferability. Therefore, we propose a Style-Agnostic Attack (SAA) to enhance the transferability of targeted adversarial examples. Specifically, SAA introduces a content consistency loss that stimulates the learned perturbations to be style-agnostic by aligning the content features of the adversarially perturbed original and stylized images. Accordingly, SAA enhances the generalization of adversarial perturbations across different stylized images, thereby enhancing the transferability of targeted attacks. Our experiments demonstrate that SAA significantly improves the targeted transferability of adversarial examples. Furthermore, SAA is a generalizable approach that can be readily integrated with existing adversarial attacks to further enhance targeted transferability.

近年来，基于传输的黑盒对抗攻击因其高实用性而受到越来越多的关注。然而，目标攻击的传输成功率很低，尤其是在过度拟合其源模型时。在本文中，我们观察到在不同风格的图像上具有较高泛化程度的扰动往往具有较高的目标可转移性。因此，我们提出了一种风格不可知论攻击（SAA）来增强目标对抗示例的可转移性。具体来说，SAA引入了内容一致性损失，通过对齐对抗性扰动的原始图像和风格化图像的内容特征，刺激学习扰动成为风格无关的。因此，SAA增强了不同风格化图像对抗性扰动的泛化，从而增强了目标攻击的可转移性。我们的实验表明，SAA显著提高了对抗性示例的目标可转移性。此外，SAA是一种可推广的方法，可以很容易地与现有的对抗性攻击集成，以进一步增强目标可转移性。

{"title":"Improving the transferability of targeted adversarial examples by style-agnostic attack","authors":"Wei Zhou , Zimin Mao , Shuijun Yin , Hanwen Zhang , Zhicheng Huang , Heng Li , Tiejun Wu , Wei Yuan","doi":"10.1016/j.cose.2025.104744","DOIUrl":"10.1016/j.cose.2025.104744","url":null,"abstract":"<div><div>Recently transfer-based black-box adversarial attacks have garnered increasing attention owing to their high practicality. However, targeted attacks suffer low transfer success rates, especially when overfitting to their source model. In this paper, we observe that perturbations with higher generalization across different styles of images tend to have higher targeted transferability. Therefore, we propose a Style-Agnostic Attack (SAA) to enhance the transferability of targeted adversarial examples. Specifically, SAA introduces a content consistency loss that stimulates the learned perturbations to be style-agnostic by aligning the content features of the adversarially perturbed original and stylized images. Accordingly, SAA enhances the generalization of adversarial perturbations across different stylized images, thereby enhancing the transferability of targeted attacks. Our experiments demonstrate that SAA significantly improves the targeted transferability of adversarial examples. Furthermore, SAA is a generalizable approach that can be readily integrated with existing adversarial attacks to further enhance targeted transferability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104744"},"PeriodicalIF":5.4,"publicationDate":"2025-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145467667","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Race against time: investigating the factors that influence web race condition exploits 与时间赛跑：调查影响网络竞争状况的因素

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-10-29 DOI: 10.1016/j.cose.2025.104740

Federico Loi , Lorenzo Pisu , Leonardo Regano , Davide Maiorca , Giorgio Giacinto

Race conditions (RC) pose a critical security threat to web applications by exploiting the non-deterministic behavior of multithreaded request handling. This can lead to unpredictable outcomes such as data corruption, Time of Check to Time of Use (TOCTOU) vulnerabilities, and deadlocks. While previous research has identified poor design practices that contribute to RC vulnerabilities, no existing studies have explored the factors that influence the severity or impact of race conditions. This paper introduces a comprehensive methodology for testing and quantifying how different variables affect the exploitability of race conditions in vulnerable web servers, providing a framework for future research to investigate this issue more thoroughly.

In addition, we present an experimental evaluation of our methodology under various conditions. Specifically, we examine six RC exploitation tools using four different attack techniques across both HTTP/1.1 and HTTP/2 protocols. To provide a complete overview of race conditions across all HTTP versions, we also introduce the first race condition attack tool for HTTP/3, named QUICker. Furthermore, we assess how the choice of database management systems and programming languages used in web application deployment can affect susceptibility to race condition attacks. This study offers key insights into how these factors influence the exploitability of RC vulnerabilities.

竞态条件（RC）利用多线程请求处理的不确定性行为，对web应用程序构成严重的安全威胁。这可能导致不可预测的结果，如数据损坏、检查时间到使用时间漏洞和死锁。虽然以前的研究已经确定了导致RC漏洞的不良设计实践，但没有现有的研究探索影响竞争条件严重性或影响的因素。本文介绍了一种全面的方法，用于测试和量化不同变量如何影响易受攻击的web服务器中竞争条件的利用，为未来的研究提供了一个框架，以更彻底地调查这个问题。此外，我们提出了我们的方法在各种条件下的实验评估。具体来说，我们研究了六种使用HTTP/1.1和HTTP/2协议中四种不同攻击技术的RC利用工具。为了全面了解所有HTTP版本的竞争条件，我们还介绍了HTTP/3的第一个竞争条件攻击工具，名为faster。此外，我们评估了在web应用程序部署中使用的数据库管理系统和编程语言的选择如何影响对竞争条件攻击的易感性。这项研究为这些因素如何影响RC漏洞的可利用性提供了关键见解。

{"title":"Race against time: investigating the factors that influence web race condition exploits","authors":"Federico Loi , Lorenzo Pisu , Leonardo Regano , Davide Maiorca , Giorgio Giacinto","doi":"10.1016/j.cose.2025.104740","DOIUrl":"10.1016/j.cose.2025.104740","url":null,"abstract":"<div><div>Race conditions (RC) pose a critical security threat to web applications by exploiting the non-deterministic behavior of multithreaded request handling. This can lead to unpredictable outcomes such as data corruption, Time of Check to Time of Use (TOCTOU) vulnerabilities, and deadlocks. While previous research has identified poor design practices that contribute to RC vulnerabilities, no existing studies have explored the factors that influence the severity or impact of race conditions. This paper introduces a comprehensive methodology for testing and quantifying how different variables affect the exploitability of race conditions in vulnerable web servers, providing a framework for future research to investigate this issue more thoroughly.</div><div>In addition, we present an experimental evaluation of our methodology under various conditions. Specifically, we examine six RC exploitation tools using four different attack techniques across both HTTP/1.1 and HTTP/2 protocols. To provide a complete overview of race conditions across all HTTP versions, we also introduce the first race condition attack tool for HTTP/3, named QUICker. Furthermore, we assess how the choice of database management systems and programming languages used in web application deployment can affect susceptibility to race condition attacks. This study offers key insights into how these factors influence the exploitability of RC vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104740"},"PeriodicalIF":5.4,"publicationDate":"2025-10-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145467668","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A survey of internet censorship and its measurement: Methodology, trends, and challenges 互联网审查及其测量的调查：方法、趋势和挑战

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2025-10-29 DOI: 10.1016/j.cose.2025.104732

Steffen Wendzel , Simon Volpert , Sebastian Zillien , Julia Lenz , Philip Rünz , Luca Caviglione

Internet censorship limits the access of nodes residing within a specific network environment to the public Internet, and vice versa. During the last decade, techniques for conducting Internet censorship have been developed further. Consequently, methodology for measuring Internet censorship had been improved as well.

In this paper, we firstly provide a survey of network-level Internet censorship techniques. Secondly, we survey censorship measurement methodology. We further cover the censorship of circumvention tools and its measurement, as well as available datasets. In cases where it is beneficial, we bridge the terminology and taxonomy of Internet censorship with related domains, namely traffic obfuscation and information hiding. We further extend the technical perspective with recent trends and challenges, including human aspects of Internet censorship.

互联网审查限制了驻留在特定网络环境中的节点对公共互联网的访问，反之亦然。在过去十年中，进行互联网审查的技术得到了进一步发展。因此，衡量互联网审查的方法也得到了改进。在本文中，我们首先概述了网络级互联网审查技术。其次，我们考察了审查的度量方法。我们进一步介绍了对翻墙工具及其测量的审查，以及可用的数据集。在有益的情况下，我们将互联网审查的术语和分类与相关领域联系起来，即流量混淆和信息隐藏。我们进一步扩展了技术视角，介绍了最近的趋势和挑战，包括互联网审查的人为方面。

引用次数: 0