
Computers & Security: latest articles

ExMOP: Extensible protocol reverse engineering framework based on Multi-objective OPtimization
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-20; DOI: 10.1016/j.cose.2025.104758
Tao Huang, Yansong Gao, Boyu Kuang, Zhi Zhang, Zhanfeng Wang, Hyoungshick Kim, Anmin Fu
Protocol Reverse Engineering (PRE) has become the foundation of numerous downstream security analyses, including vulnerability mining and intrusion detection. As the mainstream PRE technique, network trace-based PRE methods utilize various protocol features (e.g., specific features or universal features) to identify fields and their semantics. However, the inherent limitations of these features consequently constrain the performance of these PRE methods, compromising their generalizability or effectiveness. To address this, we propose an Extensible Protocol Reverse Engineering Framework Based on Multi-objective OPtimization (ExMOP) that flexibly incorporates multiple basic feature rules while synergistically integrating their complementary advantages to enhance protocol field segmentation performance. Each basic feature rule can be easily formalized as an optimization objective function, transforming the protocol field segmentation problem into a constrained multi-objective optimization model. We employ the Differential Evolution (DE) algorithm to solve this model, deriving the optimal field segmentation strategy. Ultimately, we conduct comprehensive experiments on publicly available datasets of multiple Internet protocols and industrial protocols. ExMOP demonstrates superior performance across all evaluation metrics (including 81% precision, 81% recall, 86% accuracy, 80% F1-score, 11% FPR, and 60% Perfection), significantly outperforming state-of-the-art methods, including NEMESYS (USENIX Security 2018), AWRE (USENIX Security 2019), NetPlier (NDSS 2021), and BinaryInferno (NDSS 2023). Furthermore, experiments affirm that expanding higher-efficiency feature rules can significantly enhance ExMOP’s performance in terms of accuracy, convergence, and stability.
Computers & Security, vol. 161, Article 104758. Citations: 0
Towards a formal verification of secure vehicle software updates
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-11; DOI: 10.1016/j.cose.2025.104751
Martin Slind Hagen, Emil Lundqvist, Alex Phu, Yenan Wang, Kim Strandberg, Elad Michael Schiller
With the rise of software-defined vehicles (SDVs), where software governs most vehicle functions alongside enhanced connectivity, the need for secure software updates has become increasingly critical. Software vulnerabilities can severely impact safety, the economy, and society. In response to this challenge, Strandberg et al. [escar Europe, 2021] introduced the Unified Software Update Framework (UniSUF), designed to provide a secure update framework that integrates seamlessly with existing vehicular infrastructures. Although UniSUF has previously been evaluated regarding cybersecurity, these assessments have not employed formal verification methods. To bridge this gap, we perform a formal security analysis of UniSUF. We model UniSUF’s architecture and assumptions to reflect real-world automotive systems and develop a ProVerif-based framework that formally verifies UniSUF’s compliance with essential security requirements (confidentiality, integrity, authenticity, freshness, order, and liveness), demonstrating their satisfiability through symbolic execution. Our results demonstrate that UniSUF adheres to the specified security guarantees, ensuring the correctness and reliability of its security framework.
Computers & Security, vol. 161, Article 104751. Citations: 0
SecTracer: A framework for uncovering the root causes of network intrusions via security provenance
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-17; DOI: 10.1016/j.cose.2025.104760
Seunghyeon Lee, Hyunmin Seo, Hwanjo Heo, Anduo Wang, Seungwon Shin, Jinwoo Kim
Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of network-level security provenance, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present SecTracer as a framework for a network-wide provenance analysis. SecTracer offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear and interpretable view of intrusions, and (iii) proactive attack prediction using probabilistic models. We evaluated the effectiveness and efficiency of SecTracer through a real-world APT simulation, demonstrating its capability to enhance threat mitigation while introducing less than 1% network throughput overhead and negligible latency impact.
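The causal-tracing idea in the abstract above, as an added illustration that is not SecTracer's code: a provenance graph built from flow records (host-to-host connections with timestamps, the kind of data an SDN controller can export) is walked backwards from an alerted host, keeping only flows that precede the effect they are blamed for, so that candidate root causes and chronological attack paths fall out; a forward walk from a root gives the blast radius. All host names, addresses, times and the alert are constructed; the SDN collection and the probabilistic prediction parts of the abstract are not modelled.

```python
# Added illustration of network-level provenance tracing; not SecTracer's implementation.
# All hosts, addresses, timestamps and the alert below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One host-to-host connection as a controller or flow collector might export it."""
    t: int      # seconds since capture start
    src: str
    dst: str
    dport: int


CONSTRUCTED_FLOWS = [
    Flow(10, "internet:203.0.113.7", "dmz-web", 443),      # initial access through the web tier
    Flow(20, "dmz-web", "app-server", 8080),                 # lateral movement
    Flow(25, "workstation-3", "app-server", 8080),           # unrelated internal traffic
    Flow(40, "app-server", "db-server", 5432),               # reaches the database
    Flow(50, "db-server", "internet:198.51.100.9", 443),     # outbound transfer after the alert
    Flow(60, "workstation-3", "dmz-web", 443),               # happens after the alert: never a cause
]


def backward_trace(flows, victim, alert_time):
    """Flows that could have causally led to `victim` being in the alerted state.

    Each hop respects time: a flow into a host can only explain that host's behaviour
    after the flow, so the deadline shrinks as the walk moves towards the root.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    causal = set()
    frontier = [(victim, alert_time)]
    while frontier:
        node, deadline = frontier.pop()
        for f in by_dst[node]:
            if f.t < deadline and f not in causal:
                causal.add(f)
                frontier.append((f.src, f.t))
    return sorted(causal, key=lambda f: f.t)


def forward_trace(flows, origin, start_time):
    """Mirror image of backward_trace: everything reachable from `origin` after `start_time`."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    reached = set()
    frontier = [(origin, start_time)]
    while frontier:
        node, since = frontier.pop()
        for f in by_src[node]:
            if f.t > since and f not in reached:
                reached.add(f)
                frontier.append((f.dst, f.t))
    return sorted(reached, key=lambda f: f.t)


def root_causes(causal):
    """Sources in the causal subgraph that no earlier flow explains; external ones listed first."""
    explained = {f.dst for f in causal}
    roots = {f.src for f in causal if f.src not in explained}
    return sorted(roots, key=lambda h: (not h.startswith("internet:"), h))


def causal_paths(causal, victim, alert_time):
    """Every chronological chain root -> ... -> victim inside the causal subgraph."""
    by_dst = defaultdict(list)
    for f in causal:
        by_dst[f.dst].append(f)
    paths = []

    def walk(node, deadline, path):
        preds = [f for f in by_dst[node] if f.t < deadline]
        if not preds:                       # reached a root: record the chain in time order
            paths.append(list(reversed(path)))
            return
        for f in preds:
            walk(f.src, f.t, path + [f])    # deadline strictly decreases, so this terminates

    walk(victim, alert_time, [])
    return paths


if __name__ == "__main__":
    causal = backward_trace(CONSTRUCTED_FLOWS, "db-server", alert_time=45)
    print("candidate roots:", root_causes(causal))
    for path in causal_paths(causal, "db-server", 45):
        print(" -> ".join(f"{f.src}@{f.t}" for f in path), "-> db-server")
    print("blast radius of the external root:",
          [(f.dst, f.t) for f in forward_trace(CONSTRUCTED_FLOWS, "internet:203.0.113.7", 0)])
```

The temporal constraint is what keeps the graph honest: the flow at t=60 into dmz-web is ignored because it cannot explain an alert at t=45, while the unrelated workstation-3 connection at t=25 survives as a second candidate root, which is exactly the ambiguity an analyst (or the abstract's probabilistic model) then has to resolve.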
Computers & Security, vol. 161, Article 104760. Citations: 0
ICloud: An intrusion detection and dynamic defense mechanism for cloud environments
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-15; DOI: 10.1016/j.cose.2025.104755
Yuxiang Ma, Tao Chen, Jiaqi Lin, Ying Cao
With the development of artificial intelligence (AI), cloud environments are becoming increasingly important. However, cloud environment networks are at risk of various network attacks. Therefore, it is crucial to detect abnormal traffic in cloud environment networks. With the continuous development of network technology, the diversity of cloud environment network traffic continues to increase (intra-class diversity), and the boundary between malicious and benign behaviors becomes more blurred (inter-class similarity), leading to false detection. At the same time, most game-theoretic defensive deception methods for cloud environment networks assume that the attacker and defender maintain consistent views under uncertainty. In fact, the attacker and defender have different views on the same game. To address the above issues, we propose an intrusion detection and dynamic defense mechanism for cloud environments. To address the challenges brought by intra-class diversity and inter-class similarity, we propose an intrusion detection system (IDS) based on contrastive learning, which can make correct decisions when classifying samples of different categories. To identify traffic more accurately, this paper proposes an improved lightweight ResNet-34 model (IResNet34). To address the challenge that the attacker and defender have different views on the same game, we propose a hypergame model involving multiple attackers and defenders. The attacker cannot obtain complete game information through defensive deception technology, resulting in attack failure. In addition, we propose an adaptive defense strategy selection method based on machine learning, which automatically selects the best defense strategy based on the game record. The output of dynamic defense is fed back to the intrusion detection module to reduce the false alarm rate. Finally, experiments verified that the contrastive-learning method proposed in this paper achieves high detection accuracy on real-world and benchmark datasets, and that the dynamic defense method effectively reduces the false positive rate (FPR) of the IDS.
Computers & Security, vol. 161, Article 104755. Citations: 0
Obfuscation detection using matrix complexity features of binary grayscale images
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-08; DOI: 10.1016/j.cose.2025.104746
Sebastian Raubitzek, Sebastian Schrittwieser, Caroline König, Patrick Felbauer, Kevin Mallinger, Andreas Ekelhart, Edgar Weippl
Malware that conceals its behaviour through code obfuscation remains a central challenge for automated detection. This work introduces a novel approach for detecting the presence of obfuscation and identifying specific techniques. We transform binary code into grayscale images by mapping its bytes to pixel intensities and apply singular value decomposition (SVD) to extract 18 matrix-complexity metrics that reflect structural changes introduced by obfuscation. Using this approach, we evaluate eight Tigress obfuscation techniques on whether they leave a distinct spectral signature that can be classified. To obtain statistically robust results, we employ an ensemble of 100 independently tuned ExtraTrees models trained on different stratified 80/20 splits. The ensemble achieves average accuracies of 0.99 for detecting obfuscation, 0.94 for obfuscation type attribution, and 0.93 for identifying specific techniques. Feature-importance rankings and per-metric distribution plots make the results interpretable and transferable. The contributions of this study are (i) a reproducible pipeline for classifying obfuscated binaries, (ii) a detailed analysis of how obfuscation alters binary structure and its image representation, and (iii) actionable insight into which SVD metrics are most indicative of each transformation.
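The byte-to-image and SVD step of the pipeline above, as an added example that is not the authors' code: bytes become a grayscale matrix (one row per 16 bytes), its singular values are computed, and a few spectral statistics (numerical rank, spectral entropy, effective rank, the number of components carrying 90% of the energy, condition number) are derived from them. These metrics are the editor's choice, not the paper's 18. The two inputs are constructed (a record-structured buffer with a repeated header versus a seeded pseudo-random buffer standing in for flattened or encrypted code), not Tigress output, and no classifier is trained; numpy is assumed to be installed.

```python
# Added illustration: bytes -> grayscale matrix -> SVD -> matrix-complexity metrics.
# Not the paper's pipeline or its 18 metrics; the statistics below are the editor's selection.
import math
import random

import numpy as np


def bytes_to_matrix(data: bytes, width: int = 16) -> np.ndarray:
    """Map each byte to a pixel intensity in [0, 1], one row per `width` bytes (tail zero-padded)."""
    rows = math.ceil(len(data) / width)
    padded = data + b"\x00" * (rows * width - len(data))
    pixels = np.frombuffer(padded, dtype=np.uint8).reshape(rows, width)
    return pixels.astype(np.float64) / 255.0


def svd_metrics(matrix: np.ndarray, eps: float = 1e-9) -> dict:
    """Spectral statistics of the image matrix, all derived from its singular values."""
    s = np.linalg.svd(matrix, compute_uv=False)
    s = s[s > eps]                                   # drop numerically-zero directions
    p = s / s.sum()                                  # normalised singular-value distribution
    energy = np.cumsum(s ** 2) / np.sum(s ** 2)      # cumulative fraction of squared norm
    shannon_nats = float(-(p * np.log(p)).sum())
    return {
        "numerical_rank": int(s.size),
        "spectral_entropy_bits": shannon_nats / math.log(2),
        "effective_rank": math.exp(shannon_nats),    # exp(entropy of the spectrum)
        "k90": int(np.searchsorted(energy, 0.90) + 1),  # components needed for 90% of the energy
        "condition_number": float(s[0] / s[-1]),
    }


def metrics_for(data: bytes, width: int = 16) -> dict:
    return svd_metrics(bytes_to_matrix(data, width))


# Constructed inputs (not real binaries and not Tigress output).
def constructed_structured(records: int = 64) -> bytes:
    """Repeated 16-byte records: a fixed 4-byte tag, a 2-bit counter, zero padding."""
    out = bytearray()
    for i in range(records):
        out += b"\x7fELF" + bytes([i & 3]) + b"\x00" * 11
    return bytes(out)


def constructed_high_entropy(n: int = 1024, seed: int = 1234) -> bytes:
    """Seeded pseudo-random bytes standing in for a flattened or encrypted code region."""
    return random.Random(seed).randbytes(n)


if __name__ == "__main__":
    for name, blob in (("structured", constructed_structured()),
                       ("high-entropy", constructed_high_entropy())):
        m = metrics_for(blob)
        print(f"{name:12s} rank={m['numerical_rank']:2d} "
              f"H={m['spectral_entropy_bits']:.2f} bits  eff.rank={m['effective_rank']:.2f} "
              f"k90={m['k90']}  cond={m['condition_number']:.1e}")
```

The structured buffer spans only two directions (the repeated tag and the tiny counter), so nearly all of its energy sits in one singular value and the entropy is close to zero; the pseudo-random buffer uses every direction of the 64x16 image and needs several components to reach 90% of the energy. That separation in spectral shape, rather than any byte signature, is what a classifier such as the paper's ExtraTrees ensemble would be trained on.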
Computers & Security, vol. 161, Article 104746. Citations: 0
TFCNet: Based on time-frequency domain and multi-channel analysis for Network security situation prediction
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-22; DOI: 10.1016/j.cose.2025.104782
Shengcai Zhang, Fanchang Zeng, Huiju Yi, Zhiying Fu, Dezhi An
The rapid development of internet technology has given rise to various security threats for cyberspace. Network Security Situation Prediction (NSSP) is a proactive defence technology that can predict future network development trends based on historical attack information. As traditional passive defence methods are inadequate against modern network traffic attacks, NSSP based on proactive defence has become crucial. The time-frequency domain features in network traffic contain a lot of useful information that can enhance the accuracy of model predictions. However, existing studies have not approached NSSP from the perspective of time-frequency domain feature fusion. Therefore, this paper presents TFCNet, an improved iTransformer model that incorporates time-frequency domain feature fusion to enhance NSSP performance. Firstly, Variational Mode Decomposition (VMD) is applied to reduce the non-stationarity of network traffic data. Subsequently, by fusing the time-frequency domain features of the network traffic data, frequency-domain features are extracted across multiple channels to further enhance feature extraction and obtain richer time-frequency information of the network traffic. Experimental results on the three network security datasets NSL-KDD, UNSW-NB15, and CSE-CIC-IDS2018 indicate that TFCNet achieves the best predictive performance compared with nine other mainstream prediction methods. Compared with the iTransformer model, TFCNet reduces the Mean Squared Error (MSE) and Mean Absolute Error (MAE) by an average of 36.5% and 23%, respectively. In addition, the efficiency evaluation of the model demonstrates that TFCNet strikes an effective balance between predictive performance and computational efficiency, which verifies the feasibility of TFCNet for NSSP.
Computers & Security, vol. 161, Article 104782. Citations: 0
An evaluation framework for network IDS/IPS datasets: Leveraging MITRE ATT&CK and industry relevance metrics
IF 5.4, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-02-01; Epub Date: 2025-11-23; DOI: 10.1016/j.cose.2025.104777
Adrita Rahman Tory, Khondokar Fida Hasan
The performance of Machine Learning (ML) and Deep Learning (DL)-based Intrusion Detection and Prevention Systems (IDS/IPS) is critically dependent on the relevance and quality of the datasets used for training and evaluation. However, current AI model evaluation practices for developing IDS/IPS focus predominantly on accuracy metrics, often overlooking whether datasets represent industry-specific threats. To address this gap, we introduce a novel multi-dimensional framework that integrates the MITRE ATT&CK knowledge base for threat intelligence and employs five complementary metrics that together provide a comprehensive assessment of dataset suitability. Methodologically, this framework combines threat intelligence, natural language processing, and quantitative analysis to assess the suitability of datasets for specific industry contexts. Applying this framework to nine publicly available IDS/IPS datasets reveals significant gaps in threat coverage, particularly in the healthcare, energy, and financial sectors. In particular, recent datasets (e.g., CIC-IoMT, CIC-UNSW-NB15) align better with sector-specific threats, whereas others, like CICIoV-24, underperform despite their recency. Our findings provide a standardized, interpretable approach for selecting datasets aligned with sector-specific operational requirements, ultimately enhancing the real-world effectiveness of AI-driven IDS/IPS deployments. The efficiency and practicality of the framework are validated through deployment in a real-world case study, underscoring its capacity to inform dataset selection and enhance the effectiveness of AI-driven IDS/IPS in operational environments.
{"title":"An evaluation framework for network IDS/IPS datasets: Leveraging MITRE ATT&CK and industry relevance metrics","authors":"Adrita Rahman Tory ,&nbsp;Khondokar Fida Hasan","doi":"10.1016/j.cose.2025.104777","DOIUrl":"10.1016/j.cose.2025.104777","url":null,"abstract":"<div><div>The performance of Machine Learning (ML) and Deep Learning (DL)-based Intrusion Detection and Prevention Systems (IDS/IPS) is critically dependent on the relevance and quality of the datasets used for training and evaluation. However, current AI model evaluation practices for developing IDS/IPS focus predominantly on accuracy metrics, often overlooking whether datasets represent industry-specific threats. To address this gap, we introduce a novel multi-dimensional framework that integrates the MITRE ATT&amp;CK knowledge base for threat intelligence and employs five complementary metrics that together provide a comprehensive assessment of dataset suitability. Methodologically, this framework combines threat intelligence, natural language processing, and quantitative analysis to assess the suitability of datasets for specific industry contexts. Applying this framework to nine publicly available IDS/IPS datasets reveals significant gaps in threat coverage, particularly in the healthcare, energy, and financial sectors. In particular, recent datasets (e.g., CIC-IoMT, CIC-UNSW-NB15) align better with sector-specific threats, whereas others, like CICIoV-24, underperform despite their recency. Our findings provide a standardized, interpretable approach for selecting datasets aligned with sector-specific operational requirements, ultimately enhancing the real-world effectiveness of AI-driven IDS/IPS deployments. 
The efficiency and practicality of the framework are validated through deployment in a real-world case study, underscoring its capacity to inform dataset selection and enhance the effectiveness of AI-driven IDS/IPS in operational environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"161 ","pages":"Article 104777"},"PeriodicalIF":5.4,"publicationDate":"2026-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145694034","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
ActDroid: An active learning framework for android malware detection
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-01 Epub Date: 2025-10-24 DOI: 10.1016/j.cose.2025.104724
Ali Muzaffar , Hani Ragab Hassen , Hind Zantout , Michael A. Lones
The growing popularity of Android requires malware detection systems that can keep up with the pace of new software being released. According to a recent study, a new piece of malware appears online every 12 seconds. To address this, we treat Android malware detection as a streaming data problem and explore the use of active online learning as a means of mitigating the problem of labelling applications in a timely and cost-effective manner. Specifically, we develop a semi-supervised active learning framework that incrementally trains online learning models using only samples with low prediction confidence, while detecting concept drift and retraining the models when drift is observed. Our resulting framework achieves accuracies of up to 96 % on a balanced dataset, requires as little as 24 % of the training data to be labelled, and compensates for concept drift that occurs between the release and labelling of an application. We also consider the broader practicalities of online learning within Android malware detection, and systematically explore the trade-offs between using different static, dynamic and hybrid feature sets to classify malware. We find that features derived from static API calls lead to the best performing models, though models based around lower-dimensional permission and opcode feature sets provide a potentially more practical basis for deployment, with only a marginal deficit in accuracy. Dynamic and hybrid feature sets are found to significantly increase feature extraction costs with no net benefit to predictive performance.
Citations: 0
Adaptability of current keystroke and mouse behavioral biometric systems: A survey
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-01 Epub Date: 2025-10-21 DOI: 10.1016/j.cose.2025.104731
Aditya Subash, Insu Song, Ickjai Lee, Kyungmi Lee
Research in behavioral biometrics, especially keystroke and mouse behavioral biometrics, has increased in recent years, gaining traction in industry and academia across various fields, including the detection of emotion, age, gender, fatigue, identity theft, and online assessment fraud. These methods are popular because they collect data non-invasively and continuously authenticate users by analyzing unique keystroke or mouse behavior. However, user behavior evolves over time due to several underlying factors. This can affect the performance of current keystroke and mouse behavioral biometric-based user authentication systems. We comprehensively survey current keystroke and mouse behavioral biometric approaches, exploring their use in user authentication and other real-world applications while outlining trends and research gaps. In particular, we investigate whether current approaches compensate for user behavior evolution. We find that current keystroke and mouse behavioral biometrics approaches cannot adapt to user behavior evolution and suffer from limited efficacy. Our survey highlights the need for new and improved keystroke and mouse behavioral biometrics approaches that can adapt to user behavior evolution. This study will assist researchers in improving current research efforts toward developing more secure, effective, sustainable, robust, adaptable, and privacy-preserving keystroke and mouse-behavioral biometric-based authentication systems.
Citations: 0
Android app suspicious hidden sensitive operation detection with high coverage of program execution path
IF 5.4 Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-01 Epub Date: 2025-10-24 DOI: 10.1016/j.cose.2025.104723
Yongxin Lu , Zhao Zhang , Senlin Luo, Limin Pan
Detection of Suspicious Hidden Sensitive Operations (SHSO) is essential for identifying security vulnerabilities in Android applications. However, accurately identifying SHSO is complicated by anomalous control flow. Existing methods represent the main program, which includes exception handling code, as a control flow graph. The uncertainty of anomalous control flow results in missing edges between certain subgraphs and the main program entry, rendering certain subgraphs unreachable and preventing SHSO detection. Additionally, the distribution of normal sensitive operations is often imbalanced, resulting in prediction bias and misidentification of minority class samples. To address these issues, a method for detecting Android app SHSO that achieves high coverage of program execution paths is proposed. This method uses instruction labels to pinpoint exception handling code and extracts relevant sensitive function calls to complete execution paths. We implement similarity-based binary clustering of normal sensitive operations to filter minority classes and construct independent classification models for each class to reduce false positives. Experimental results show that the method significantly outperforms state-of-the-art techniques across multiple datasets, enhancing both recall and accuracy in SHSO detection.
Citations: 0