Pub Date : 2025-10-21DOI: 10.1016/j.cose.2025.104731
Aditya Subash, Insu Song, Ickjai Lee, Kyungmi Lee
Research in behavioral biometrics, especially keystroke and mouse behavioral biometrics, has increased in recent years, gaining traction in industry and academia across various fields, including the detection of emotion, age, gender, fatigue, identity theft, and online assessment fraud. These methods are popular because they collect data non-invasively and continuously authenticate users by analyzing unique keystroke or mouse behavior. However, user behavior evolves over time due to several underlying factors. This can affect the performance of current keystroke and mouse behavioral biometric-based user authentication systems. We comprehensively survey current keystroke and mouse behavioral biometric approaches, exploring their use in user authentication and other real-world applications while outlining trends and research gaps. In particular, we investigate whether current approaches compensate for user behavior evolution. We find that current keystroke and mouse behavioral biometrics approaches cannot adapt to user behavior evolution and suffer from limited efficacy. Our survey highlights the need for new and improved keystroke and mouse behavioral biometrics approaches that can adapt to user behavior evolution. This study will assist researchers in improving current research efforts toward developing more secure, effective, sustainable, robust, adaptable, and privacy-preserving keystroke and mouse-behavioral biometric-based authentication systems.
{"title":"Adaptability of current keystroke and mouse behavioral biometric systems: A survey","authors":"Aditya Subash, Insu Song, Ickjai Lee, Kyungmi Lee","doi":"10.1016/j.cose.2025.104731","DOIUrl":"10.1016/j.cose.2025.104731","url":null,"abstract":"<div><div>Research in behavioral biometrics, especially keystroke and mouse behavioral biometrics, has increased in recent years, gaining traction in industry and academia across various fields, including the detection of emotion, age, gender, fatigue, identity theft, and online assessment fraud. These methods are popular because they collect data non-invasively and continuously authenticate users by analyzing unique keystroke or mouse behavior. However, user behavior evolves over time due to several underlying factors. This can affect the performance of current keystroke and mouse behavioral biometric-based user authentication systems. We comprehensively survey current keystroke and mouse behavioral biometric approaches, exploring their use in user authentication and other real-world applications while outlining trends and research gaps. In particular, we investigate whether current approaches compensate for user behavior evolution. We find that current keystroke and mouse behavioral biometrics approaches cannot adapt to user behavior evolution and suffer from limited efficacy. Our survey highlights the need for new and improved keystroke and mouse behavioral biometrics approaches that can adapt to user behavior evolution. This study will assist researchers in improving current research efforts toward developing more secure, effective, sustainable, robust, adaptable, and privacy-preserving keystroke and mouse-behavioral biometric-based authentication systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104731"},"PeriodicalIF":5.4,"publicationDate":"2025-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365505","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-21DOI: 10.1016/j.cose.2025.104682
Anne Hennig , Maxime Veit , Leoni Schmidt-Enke , Fabian Neusser , Dominik Herrmann , Peter Mayer
Identifying the most effective and scalable methods for notifying website owners about compromises or vulnerabilities remains an enduring challenge. Although some success factors have been identified, results regarding effective senders and notification framing are often inconsistent, and the understanding of how recipients perceive vulnerability notifications is still limited. Heading towards a better understanding, we conducted a 3 × 3 randomized controlled notification experiment, examining the impact of three distinct senders and three variations of notification framings for compromised German websites. Our findings revealed a promising trend: receiving any notification significantly increased remediation compared to the absence of one. Remarkably, the choice of sender and framing played only a minor role in our notification experiment, which underscores the importance of notifying compromised websites and should motivate those who find vulnerabilities to take action. Yet, despite these encouraging results, a staggering 58% of the notified websites failed to remediate. To delve deeper into this phenomenon, we conducted follow-up interviews with 42 website owners who did not remediate their websites. The insights were revealing: while our notifications were delivered, many interviewees admitted they either overlooked or dismissed them as spam. This pattern persisted across different senders and framings, highlighting a critical challenge for future notification campaigns. Moving forward, future research should focus on finding ways to cut through the overwhelming amount of daily “spam” and explore strategies for how notifications can effectively convey their importance in recipients’ inboxes. Exploring strategies to raise the general awareness for cybersecurity, encouraging website owners to provide a security.txt, or providing additional assistance in the form of a self-service tool, are some proposals to increase remediation rates. We further recommend that future work should consider theories from communication science or psychology, e.g., Protection Motivation Theory (PMT) or the Elaboration-Likelihood Model, when designing notification campaigns.
{"title":"“I believe it’s incredibly difficult to fight against this flood of spam”: Towards enhancing strategies for creating effective vulnerability notifications","authors":"Anne Hennig , Maxime Veit , Leoni Schmidt-Enke , Fabian Neusser , Dominik Herrmann , Peter Mayer","doi":"10.1016/j.cose.2025.104682","DOIUrl":"10.1016/j.cose.2025.104682","url":null,"abstract":"<div><div>Identifying the most effective and scalable methods for notifying website owners about compromises or vulnerabilities remains an enduring challenge. Although some success factors have been identified, results regarding effective senders and notification framing are often inconsistent, and the understanding of how recipients perceive vulnerability notifications is still limited. Heading towards a better understanding, we conducted a 3 × 3 randomized controlled notification experiment, examining the impact of three distinct senders and three variations of notification framings for <span><math><mrow><mi>n</mi><mo>=</mo><mn>581</mn></mrow></math></span> compromised German websites. Our findings revealed a promising trend: receiving any notification significantly increased remediation compared to the absence of one. Remarkably, the choice of sender and framing played only a minor role in our notification experiment, which underscores the importance of notifying compromised websites and should motivate those who find vulnerabilities to take action. Yet, despite these encouraging results, a staggering 58% of the notified websites failed to remediate. To delve deeper into this phenomenon, we conducted follow-up interviews with 42 website owners who did not remediate their websites. The insights were revealing: while our notifications were delivered, many interviewees admitted they either overlooked or dismissed them as spam. This pattern persisted across different senders and framings, highlighting a critical challenge for future notification campaigns. Moving forward, future research should focus on finding ways to cut through the overwhelming amount of daily “spam” and explore strategies for how notifications can effectively convey their importance in recipients’ inboxes. Exploring strategies to raise the general awareness for cybersecurity, encouraging website owners to provide a security.txt, or providing additional assistance in the form of a self-service tool, are some proposals to increase remediation rates. We further recommend that future work should consider theories from communication science or psychology, e.g., Protection Motivation Theory (PMT) or the Elaboration-Likelihood Model, when designing notification campaigns.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104682"},"PeriodicalIF":5.4,"publicationDate":"2025-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145419387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-21DOI: 10.1016/j.cose.2025.104708
Yan Xu , Deqiang Li , Qianmu Li
Android malware detection achieves high effectiveness through Machine Learning (ML) techniques. While promising, ML-based models are vulnerable to adversarial examples, which attempt to alter inputs slightly with functionality-preserving perturbations. Realistically, attackers can hardly take control of victim detectors, fostering attack methods in the black-box scenario. Whereas, researchers often restrict the number of model queries, commonly incurring a large degree of perturbations to evade detection. To mitigate the limitation, we design a Subgraph-based Mimicry Attack, termed SMAttack, for generating Android adversarial malware examples. SMAttack designs snippet-wise manipulations that encapsulate sub-behaviors of Android apps, enabling the semantics-transplanting from benign apps to malicious ones. Furthermore, we leverage a two-stage search procedure to pinpoint the effective perturbations: a greedy algorithm efficiently generates initial adversarial examples and an evolutionary strategy refines the used perturbations by declining redundant manipulations. The experimental results demonstrate that SMAttack effectively evades 12 Android malware detectors. Specifically, it achieves attack success rates ranging from 80% to 97% across 12 state-of-the-art detectors, outperforming other attack methods. In addition, it maintains a mean perturbation ratio of less than 7%, which is approximately 10% lower than that of the compared attacks.
{"title":"SMAttack: Subgraph mimicry for black-box adversarial Android malware generation","authors":"Yan Xu , Deqiang Li , Qianmu Li","doi":"10.1016/j.cose.2025.104708","DOIUrl":"10.1016/j.cose.2025.104708","url":null,"abstract":"<div><div>Android malware detection achieves high effectiveness through Machine Learning (ML) techniques. While promising, ML-based models are vulnerable to adversarial examples, which attempt to alter inputs slightly with functionality-preserving perturbations. Realistically, attackers can hardly take control of victim detectors, fostering attack methods in the black-box scenario. Whereas, researchers often restrict the number of model queries, commonly incurring a large degree of perturbations to evade detection. To mitigate the limitation, we design a <u>S</u>ubgraph-based <u>M</u>imicry <u>Attack</u>, termed SMAttack, for generating Android adversarial malware examples. SMAttack designs snippet-wise manipulations that encapsulate sub-behaviors of Android apps, enabling the semantics-transplanting from benign apps to malicious ones. Furthermore, we leverage a two-stage search procedure to pinpoint the effective perturbations: a greedy algorithm efficiently generates initial adversarial examples and an evolutionary strategy refines the used perturbations by declining redundant manipulations. The experimental results demonstrate that SMAttack effectively evades 12 Android malware detectors. Specifically, it achieves attack success rates ranging from 80% to 97% across 12 state-of-the-art detectors, outperforming other attack methods. In addition, it maintains a mean perturbation ratio of less than 7%, which is approximately 10% lower than that of the compared attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104708"},"PeriodicalIF":5.4,"publicationDate":"2025-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365503","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-20DOI: 10.1016/j.cose.2025.104714
Anuvarshini MK, Kommuri Sai Suhitha Bala, Sri Sai Tanvi Sonti, Jevitha KP
The effectiveness of a Web Application Firewall is determined by their ability to accurately detect and block malicious payloads while allowing legitimate traffic without any interference. This research evaluates the effectiveness of the popular open-source OWASP CRS (Core Rule Set) with the ModSecurity web application firewall. The study analyzes the impact on performance metrics under different configurations of the OWASP CRS. This study also aims to evaluate the detection capabilities of the WAF in its strict configuration to uncover gaps in the existing rule coverage. The identified gaps were then improved through the creation of 146 new custom rules that were designed to recognize attack payloads that managed to evade all rules in the OWASP CRS. The implemented custom rules, which were developed in accordance with the gaps identified during the test, improved the detection precision from 60.54% to 97.46 % with no increase in false positives within our controlled test environment, thereby incrementally strengthening the security of the rule set by detecting threats that had previously escaped notice.
{"title":"An empirical study on the evaluation and enhancement of OWASP CRS (Core Rule Set) in ModSecurity","authors":"Anuvarshini MK, Kommuri Sai Suhitha Bala, Sri Sai Tanvi Sonti, Jevitha KP","doi":"10.1016/j.cose.2025.104714","DOIUrl":"10.1016/j.cose.2025.104714","url":null,"abstract":"<div><div>The effectiveness of a Web Application Firewall is determined by their ability to accurately detect and block malicious payloads while allowing legitimate traffic without any interference. This research evaluates the effectiveness of the popular open-source OWASP CRS (Core Rule Set) with the ModSecurity web application firewall. The study analyzes the impact on performance metrics under different configurations of the OWASP CRS. This study also aims to evaluate the detection capabilities of the WAF in its strict configuration to uncover gaps in the existing rule coverage. The identified gaps were then improved through the creation of 146 new custom rules that were designed to recognize attack payloads that managed to evade all rules in the OWASP CRS. The implemented custom rules, which were developed in accordance with the gaps identified during the test, improved the detection precision from 60.54% to 97.46 % with no increase in false positives within our controlled test environment, thereby incrementally strengthening the security of the rule set by detecting threats that had previously escaped notice.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104714"},"PeriodicalIF":5.4,"publicationDate":"2025-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365504","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-20DOI: 10.1016/j.cose.2025.104707
Iván Abellán Álvarez , Pol Hölzmer , Johannes Sedlmeir
Digital identity wallets promise significant advancements in digital identity management by offering users a high degree of convenience, security, and control over their data disclosure. However, there is also criticism regarding their privacy guarantees, especially when used in regulated use cases that require high levels of assurance on the correctness and binding of a legal identity. In this paper, we present a comprehensive privacy model and analysis of one of the most prominent digital wallets – the European Digital Identity Wallet (EUDIW) – as specified by the Architecture and Reference Framework (ARF) and the eIDAS 2.0 regulation. We employ a suite of qualitative privacy risk assessment methods to systematically map and evaluate information flows in three key use cases. Our analysis identifies multiple privacy risks – including linkability, identifiability, and excessive attribute data disclosure – and reveals that although the ARF is designed to comply with privacy-by-design principles, inherent design choices, such as the reliance on SD-JWT and mDOC data formats, as well as the concept of a Wallet Unit Attestation (WUA), retain risks to user privacy. Building on our findings, we then highlight how advanced Privacy-Enhancing Technologies (PETs), such as (general-purpose) Zero-Knowledge Proofs (ZKPs), can reduce or mitigate some of these risks.
{"title":"Privacy evaluation of the European Digital Identity Wallet’s Architecture and Reference Framework","authors":"Iván Abellán Álvarez , Pol Hölzmer , Johannes Sedlmeir","doi":"10.1016/j.cose.2025.104707","DOIUrl":"10.1016/j.cose.2025.104707","url":null,"abstract":"<div><div>Digital identity wallets promise significant advancements in digital identity management by offering users a high degree of convenience, security, and control over their data disclosure. However, there is also criticism regarding their privacy guarantees, especially when used in regulated use cases that require high levels of assurance on the correctness and binding of a legal identity. In this paper, we present a comprehensive privacy model and analysis of one of the most prominent digital wallets – the European Digital Identity Wallet (EUDIW) – as specified by the Architecture and Reference Framework (ARF) and the eIDAS 2.0 regulation. We employ a suite of qualitative privacy risk assessment methods to systematically map and evaluate information flows in three key use cases. Our analysis identifies multiple privacy risks – including linkability, identifiability, and excessive attribute data disclosure – and reveals that although the ARF is designed to comply with privacy-by-design principles, inherent design choices, such as the reliance on SD-JWT and mDOC data formats, as well as the concept of a Wallet Unit Attestation (WUA), retain risks to user privacy. Building on our findings, we then highlight how advanced Privacy-Enhancing Technologies (PETs), such as (general-purpose) Zero-Knowledge Proofs (ZKPs), can reduce or mitigate some of these risks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104707"},"PeriodicalIF":5.4,"publicationDate":"2025-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145419370","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-17DOI: 10.1016/j.cose.2025.104704
Chen Wang, Hongbo Tang, Yu Zhao, Wei You, Jie Yang, Hang Qiu
Kubernetes has become the dominant container orchestration platform, relying on a centralized control plane to manage workloads across nodes. However, its exposed control plane interfaces introduce critical security risks. This paper conducts a systematic static analysis of these interfaces and uncovers insufficient access controls and missing rate-limiting mechanisms. We design four attack strategies and implement seven representative attacks in both local and cloud environments. The experiments demonstrate severe consequences, including sensitive data leakage, denial-of-service conditions, up to 90% CPU overhead, and 70% packet loss in co-located containers, which also lose the ability to resolve non-local DNS queries. Based on these findings, we propose mitigation strategies that have been acknowledged by cloud vendors and the Kubernetes community, with plans for deployment in future releases. This work provides the first systematic study of control plane interface vulnerabilities, and future research should explore automated analysis frameworks and isolated experimental environments to strengthen Kubernetes security in multi-tenant commercial platforms.
{"title":"Losing control: Exposing security weaknesses of Kubernetes control plane interfaces","authors":"Chen Wang, Hongbo Tang, Yu Zhao, Wei You, Jie Yang, Hang Qiu","doi":"10.1016/j.cose.2025.104704","DOIUrl":"10.1016/j.cose.2025.104704","url":null,"abstract":"<div><div>Kubernetes has become the dominant container orchestration platform, relying on a centralized control plane to manage workloads across nodes. However, its exposed control plane interfaces introduce critical security risks. This paper conducts a systematic static analysis of these interfaces and uncovers insufficient access controls and missing rate-limiting mechanisms. We design four attack strategies and implement seven representative attacks in both local and cloud environments. The experiments demonstrate severe consequences, including sensitive data leakage, denial-of-service conditions, up to 90% CPU overhead, and 70% packet loss in co-located containers, which also lose the ability to resolve non-local DNS queries. Based on these findings, we propose mitigation strategies that have been acknowledged by cloud vendors and the Kubernetes community, with plans for deployment in future releases. This work provides the first systematic study of control plane interface vulnerabilities, and future research should explore automated analysis frameworks and isolated experimental environments to strengthen Kubernetes security in multi-tenant commercial platforms.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104704"},"PeriodicalIF":5.4,"publicationDate":"2025-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365507","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-16DOI: 10.1016/j.cose.2025.104713
Mingkun He, Jike Ge, Zuqin Chen, Jin Ling, Weiquan Kong
Malicious software (malware) attacks constitute a major category of security risks affecting the Android operating system. Current Android malware classification approaches exhibit notable limitations: methods that ignore program semantic information often demonstrate suboptimal accuracy and robustness, while techniques leveraging control-flow or data-flow graph representations, though more effective, face computational challenges due to large graph sizes and high overhead. In response to these limitations, MCGDroid is introduced as a novel solution for classifying Android malware, utilizing a representation based on multi-feature class-call graphs. MCGDroid processes disassembled smali code to construct class-call graphs, where nodes are enriched with semantic features including opcodes and sensitive APIs. These class-call graphs, enriched with multiple features, are subsequently processed through a graph convolutional network to carry out malware detection and classification tasks. We confirmed the effectiveness and stability of the proposed method through comprehensive experimental evaluation. The experimental evaluation demonstrates that MCGDroid attains high detection and classification accuracies of 98.92% and 97.02%, respectively, with corresponding F1-scores of 98.54% and 96.65%. When evaluated on the obfuscated test set, the model maintains robust performance, achieving 93.12% detection accuracy and 86.26% classification accuracy.
{"title":"MCGDroid: An android malware classification method based on multi-feature class-call graph characterization","authors":"Mingkun He, Jike Ge, Zuqin Chen, Jin Ling, Weiquan Kong","doi":"10.1016/j.cose.2025.104713","DOIUrl":"10.1016/j.cose.2025.104713","url":null,"abstract":"<div><div>Malicious software (malware) attacks constitute a major category of security risks affecting the Android operating system. Current Android malware classification approaches exhibit notable limitations: methods that ignore program semantic information often demonstrate suboptimal accuracy and robustness, while techniques leveraging control-flow or data-flow graph representations, though more effective, face computational challenges due to large graph sizes and high overhead. In response to these limitations, MCGDroid is introduced as a novel solution for classifying Android malware, utilizing a representation based on multi-feature class-call graphs. MCGDroid processes disassembled smali code to construct class-call graphs, where nodes are enriched with semantic features including opcodes and sensitive APIs. These class-call graphs, enriched with multiple features, are subsequently processed through a graph convolutional network to carry out malware detection and classification tasks. We confirmed the effectiveness and stability of the proposed method through comprehensive experimental evaluation. The experimental evaluation demonstrates that MCGDroid attains high detection and classification accuracies of 98.92% and 97.02%, respectively, with corresponding F1-scores of 98.54% and 96.65%. When evaluated on the obfuscated test set, the model maintains robust performance, achieving 93.12% detection accuracy and 86.26% classification accuracy.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104713"},"PeriodicalIF":5.4,"publicationDate":"2025-10-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145365506","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-15DOI: 10.1016/j.cose.2025.104710
Srinidhi Vasudevan, Anna Piazza, Lavanya Rajendran, Samuel Duraivel
As organisations embrace immersive environment to conduct their operations, the metaverse can be considered as a prominent technology that both enhance business efficiency and expose them to new security vulnerabilities that cannot be fully mitigated using traditional cybersecurity models. This study explores the adoption of the metaverse through the Trust, Identity, Privacy, and Security (TIPS) framework, emphasising the interdependencies between these security dimensions. Although prior research has examined these factors independently, little attention has been paid to their combined impact on organisational adoption of metaverse. Addressing this gap, we employ qualitative research based on thematic content analysis using Natural Language Processing (NLP) and the Natural Language Toolkit (NLTK), leveraging insights from in-depth interviews with business and IT professionals from micro & small, and medium enterprises (M/SMEs); entities that often lack extensive cybersecurity resources yet seek competitive advantages through digital innovation. Our findings reveal a structured hierarchical dependency between Trust, Identity, Privacy, and Security (TIPS) factors in metaverse adoption contexts, going beyond just identifying interrelationships between these elements. Specifically, trust in metaverse environments is influenced by user embodiment. The avatar as identity complicates identity verification and privacy protection as digital avatars merge physical and virtual identities. Finally, the metaverse raises privacy concerns, demanding frameworks that ensure transparency and user consent. Insights from our analysis suggest organisations should prioritise security-by-design principles while balancing implementation with user experience considerations to successfully navigate the socio-technical complexities of metaverse adoption.
{"title":"Mapping the metaverse minefield: A TIPS framework for security-conscious business adoption","authors":"Srinidhi Vasudevan, Anna Piazza, Lavanya Rajendran, Samuel Duraivel","doi":"10.1016/j.cose.2025.104710","DOIUrl":"10.1016/j.cose.2025.104710","url":null,"abstract":"<div><div>As organisations embrace immersive environment to conduct their operations, the metaverse can be considered as a prominent technology that both enhance business efficiency and expose them to new security vulnerabilities that cannot be fully mitigated using traditional cybersecurity models. This study explores the adoption of the metaverse through the Trust, Identity, Privacy, and Security (TIPS) framework, emphasising the interdependencies between these security dimensions. Although prior research has examined these factors independently, little attention has been paid to their combined impact on organisational adoption of metaverse. Addressing this gap, we employ qualitative research based on thematic content analysis using Natural Language Processing (NLP) and the Natural Language Toolkit (NLTK), leveraging insights from in-depth interviews with business and IT professionals from micro & small, and medium enterprises (M/SMEs); entities that often lack extensive cybersecurity resources yet seek competitive advantages through digital innovation. Our findings reveal a structured hierarchical dependency between Trust, Identity, Privacy, and Security (TIPS) factors in metaverse adoption contexts, going beyond just identifying interrelationships between these elements. Specifically, trust in metaverse environments is influenced by user embodiment. The avatar as identity complicates identity verification and privacy protection as digital avatars merge physical and virtual identities. Finally, the metaverse raises privacy concerns, demanding frameworks that ensure transparency and user consent. Insights from our analysis suggest organisations should prioritise security-by-design principles while balancing implementation with user experience considerations to successfully navigate the socio-technical complexities of metaverse adoption.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104710"},"PeriodicalIF":5.4,"publicationDate":"2025-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145324642","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-14DOI: 10.1016/j.cose.2025.104706
Danish Vasan , Mohammad Hammoudeh , Adel F. Ahmed , Hamad Naeem
The safety and reliability of ship navigation systems are critical for secure maritime operations. With growing reliance on digital tools, these systems face increasing vulnerability to cyber–physical threats such as GPS spoofing, sensor manipulation, and control logic interference. This research presents a comprehensive threat model across key navigation subsystems and proposes a multi-layer defense strategy based on cross-sensor validation. Rather than relying on hardware redundancy or statistical anomaly filters, our framework validates sensor data and control decisions through consistency checks across GPS, INS, sonar, and depth systems. Standard filtering techniques, such as Kalman filters, are used for state estimation. Experimental simulations across various attack scenarios show that the proposed defense restores navigational accuracy and operational safety, reducing error by over 99% in most subsystems. A public dataset and codebase are released to support future maritime cybersecurity research on GitHub1.
{"title":"Cyber-attacks: Securing ship navigation systems using multi-layer cross-validation defense","authors":"Danish Vasan , Mohammad Hammoudeh , Adel F. Ahmed , Hamad Naeem","doi":"10.1016/j.cose.2025.104706","DOIUrl":"10.1016/j.cose.2025.104706","url":null,"abstract":"<div><div>The safety and reliability of ship navigation systems are critical for secure maritime operations. With growing reliance on digital tools, these systems face increasing vulnerability to cyber–physical threats such as GPS spoofing, sensor manipulation, and control logic interference. This research presents a comprehensive threat model across key navigation subsystems and proposes a multi-layer defense strategy based on cross-sensor validation. Rather than relying on hardware redundancy or statistical anomaly filters, our framework validates sensor data and control decisions through consistency checks across GPS, INS, sonar, and depth systems. Standard filtering techniques, such as Kalman filters, are used for state estimation. Experimental simulations across various attack scenarios show that the proposed defense restores navigational accuracy and operational safety, reducing error by over 99% in most subsystems. A public dataset and codebase are released to support future maritime cybersecurity research on GitHub<span><span><sup>1</sup></span></span>.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"160 ","pages":"Article 104706"},"PeriodicalIF":5.4,"publicationDate":"2025-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145324643","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-10-13DOI: 10.1016/j.cose.2025.104702
Aidan M. Winkler , Prinkle Sharma
The proactive detection of advanced adversarial behaviors remains a critical challenge for Security Information and Event Management (SIEM) platforms, particularly as attackers adopt stealthy, multi-phase campaigns. This paper presents a cross-platform, MITRE ATT&CK aligned evaluation framework for systematically measuring the SIEM detection coverage, responsiveness, and accuracy. The framework was demonstrated through the Wazuh SIEM platform and atomic red team testing, targeting four high-impact tactics: Collection, Command-and-Control (C2), Exfiltration, and Impact. The results show a high detection rate for C2 and Impact techniques, and partial detection for Collection and Ex-filtration tactics owing to gaps in correlation and telemetry depth. The overall detection rate was approximately 85%, with platform-specific differences driven by the endpoint logging capabilities. Quantitative performance analysis yielded a precision of 91.4%, recall of 85.2%, and false positive rate of 4.8%, confirming both detection effectiveness and operational feasibility. The main contributions of this study are as follows: (i) a reproducible, ATT&CK aligned framework adaptable to both open source and commercial SIEMs, (ii) actionable detection rule enhancements to improve Security Operations Centerwork (SOC) operations, and (iii) scalability considerations for deployment in enterprise environments. By integrating structured adversary modeling with operational SOCs flows, the proposed framework advances proactive cyber defence in complex enterprise environments.
{"title":"Proactive threat detection in enterprise systems using Wazuh: A MITRE ATT&CK Evaluation","authors":"Aidan M. Winkler , Prinkle Sharma","doi":"10.1016/j.cose.2025.104702","DOIUrl":"10.1016/j.cose.2025.104702","url":null,"abstract":"<div><div>The proactive detection of advanced adversarial behaviors remains a critical challenge for Security Information and Event Management (SIEM) platforms, particularly as attackers adopt stealthy, multi-phase campaigns. This paper presents a cross-platform, MITRE ATT&CK aligned evaluation framework for systematically measuring the SIEM detection coverage, responsiveness, and accuracy. The framework was demonstrated through the Wazuh SIEM platform and atomic red team testing, targeting four high-impact tactics: Collection, Command-and-Control (C2), Exfiltration, and Impact. The results show a high detection rate for C2 and Impact techniques, and partial detection for Collection and Ex-filtration tactics owing to gaps in correlation and telemetry depth. The overall detection rate was approximately 85%, with platform-specific differences driven by the endpoint logging capabilities. Quantitative performance analysis yielded a precision of 91.4%, recall of 85.2%, and false positive rate of 4.8%, confirming both detection effectiveness and operational feasibility. The main contributions of this study are as follows: (i) a reproducible, ATT&CK aligned framework adaptable to both open source and commercial SIEMs, (ii) actionable detection rule enhancements to improve Security Operations Centerwork (SOC) operations, and (iii) scalability considerations for deployment in enterprise environments. By integrating structured adversary modeling with operational SOCs flows, the proposed framework advances proactive cyber defence in complex enterprise environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104702"},"PeriodicalIF":5.4,"publicationDate":"2025-10-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145320849","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号