Search Results (199)

Search Parameters:
Keywords = malicious code

23 pages, 705 KB  
Article
LLM-SGCF: A Robust Malware Detection Framework with Spatially Guided Convolution
by Lina Zhao, Hua Huang, Ning Li, Yunxiao Wang and Ming Li
Computers 2026, 15(6), 329; https://doi.org/10.3390/computers15060329 - 22 May 2026
Viewed by 255
Abstract
With the rapid evolution of cyberattack techniques, identifying dynamic behavioral intents from Application Programming Interface call sequences has become a fundamental modality for ensuring reliable malware detection and information security. However, existing detection methods face the dual challenges of semantic sparsity and inadequate spatial dependency modeling when processing these sequences, which fundamentally undermines their stability against complex structural variations and in-the-wild evasive patterns. To address these critical vulnerabilities, we propose LLM-SGCF, a highly effective malware detection framework that jointly models deep behavioral semantics and spatial structures. Specifically, our framework leverages generative Large Language Models, which are subsequently encoded by BERT, to transform sparse API calls into rich and contextualized descriptions. Concurrently, it employs a novel Spatially Guided Convolution (SGC) module to localize critical malicious segments and extract cross-position dependencies in a two-dimensional semantic space. Extensive experiments on the public Aliyun and Catak datasets demonstrate that LLM-SGCF exhibits exceptional resilience to real-world structural complexity and significantly outperforms state-of-the-art baselines, achieving a peak binary-classification accuracy of 95.82%. Further ablation analyses confirm that the synergistic fusion of semantic enhancement driven by Large Language Models and spatial structural modeling dramatically improves the resilience of the framework against complex attack chains, providing a highly reliable paradigm for next-generation malware recognition systems. Full article

23 pages, 2046 KB  
Article
Secure and Recoverable RGB-Colored Two-Dimensional Barcodes: A Hybrid Framework Combining Lightweight Cryptography and Pretrained Vision Models
by Heider A. M. Wahsheh
Electronics 2026, 15(9), 1855; https://doi.org/10.3390/electronics15091855 - 27 Apr 2026
Viewed by 424
Abstract
Two-dimensional (2D) barcodes are now embedded in payment platforms, authentication workflows, industrial traceability, smart packaging, and mobile information services. Their ubiquity has simultaneously increased the incentive for phishing, tampering, and malicious redirection, while recent RGB-colored barcode designs have introduced a second challenge: maintaining reliable payload recovery under non-ideal capture conditions. This study presents a unified framework for secure and recoverable RGB-colored 2D barcodes across QR Code, Data Matrix, Aztec, and PDF417 symbologies. The framework combines channel-separated RGB encoding, lightweight hybrid cryptographic protection, and pretrained vision-based validation to jointly improve confidentiality, authenticity, and operational trust. A recoverability-oriented evaluation protocol is introduced to quantify robustness under distance variation, angular distortion, illumination change, blur, and color shift. Experimental results show that compact schemes based on ChaCha20-Poly1305 and Ed25519 achieve the most favorable trade-off between security overhead and decoding reliability, while EfficientNet-B0 offers the best deployment balance among the evaluated vision backbones. Data Matrix and Aztec exhibit the strongest maximum reliable distance under the tested conditions. The results indicate that secure barcode design cannot be treated as a purely cryptographic or purely visual problem; instead, practical deployment benefits from a layered architecture in which cryptography, computer vision, and recoverability metrics are optimized together. Full article

27 pages, 1202 KB  
Review
A Classification Framework and Research Progress on Adaptation Methods for Concept Drift in Malicious Code Detection Models
by Qi Wang, Longjuan Wang and Weiwei Zhao
Future Internet 2026, 18(5), 231; https://doi.org/10.3390/fi18050231 - 24 Apr 2026
Viewed by 337
Abstract
With the development of artificial intelligence technologies, various models have become mainstream methods in malicious code detection. The application of these models brings significant advantages in automation, intelligence, and proactivity. However, as malicious code continuously evolves and updates, discrepancies emerge between the distribution of malicious code characteristics and those in the model’s training dataset. This leads to a decline in the model’s detection performance, a phenomenon known as concept drift. Existing research still lacks a systematic review that comprehensively explains how concept drift impacts malicious software detection models and how to effectively address this issue. Therefore, this paper reviews and analyzes the current research on this topic in five aspects: enhanced machine learning methods, deep neural network models, graph neural network models, continual learning strategies, and meta-learning strategies. By analyzing, comparing, summarizing, and discussing the various methods, this paper aims to provide insights into future improvements for reducing concept drift in malicious code detection models. This paper helps researchers understand the basic principles behind concept drift, current mitigation techniques, existing challenges, and future development directions, providing support for further research and improvement of existing methods. Full article
(This article belongs to the Topic Addressing Security Issues Related to Modern Software)

21 pages, 2238 KB  
Article
Game-Theoretic Cost-Sensitive Adversarial Training for Robust Cloud Intrusion Detection Against GAN-Based Evasion Attacks
by Jianbo Ding, Zijian Shen and Wenhe Liu
Appl. Sci. 2026, 16(8), 3944; https://doi.org/10.3390/app16083944 - 18 Apr 2026
Cited by 1 | Viewed by 382
Abstract
Cloud-based intrusion detection systems (IDSs) increasingly rely on deep learning classifiers to identify malicious traffic; however, this reliance exposes them to adversarial evasion attacks in which adversaries craft near-imperceptible perturbations to bypass detection. Existing defenses based on conventional adversarial training often recover robustness against known perturbation patterns at the cost of degraded detection accuracy on canonical attack categories—a robustness–accuracy trade-off that remains an open challenge in the field. In this paper, we propose GT-CSAT (Game-Theoretic Cost-Sensitive Adversarial Training), a novel defense framework tailored for cloud security environments. GT-CSAT couples an improved Wasserstein GAN with Gradient Penalty (WGAN-GP) threat generator—conditioned on attack semantics to simulate functionally consistent and highly covert traffic variants—with a minimax adversarial training loop governed by a game-theoretic cost-sensitive loss function. The proposed loss function assigns asymmetric misclassification penalties derived from a two-player zero-sum payoff matrix, enabling the detector to maintain vigilance over both novel adversarial variants and well-characterized conventional threats simultaneously. Specifically, misclassifying an adversarially perturbed attack as benign incurs a strictly higher penalty than the symmetric cross-entropy baseline, while the cost weights are dynamically adapted via a Nash equilibrium-inspired update rule during training. We conduct comprehensive experiments on the Cloud Vulnerabilities Dataset (CVD), CICIDS-2017, and UNSW-NB15, which encompass diverse cloud-specific attack scenarios including denial-of-service, port scanning, brute-force, and SQL injection traffic. 
Under six representative evasion strategies—FGSM, PGD, C&W, BIM, DeepFool, and IDSGAN-style black-box perturbations—GT-CSAT achieves an average robust accuracy of 94.3%, surpassing standard adversarial training by 6.8 percentage points and the undefended baseline by 21.4 percentage points, while preserving clean-traffic detection at 97.1%. These results confirm that the game-theoretic cost structure effectively decouples robustness from accuracy, yielding a Pareto-superior detection profile relative to competing baselines across all evaluated threat models. The source code and experimental configurations have been publicly released to facilitate reproducibility. Full article

29 pages, 10810 KB  
Article
Malicious Manipulation of the Setpoint in the Temperature Control System of a Heating Process Based on Resistive Electric Heating
by Jarosław Joostberens, Aurelia Rybak, Aleksandra Rybak, Piotr Toś, Artur Kozłowski and Leszek Kasprzyczak
Electronics 2026, 15(8), 1568; https://doi.org/10.3390/electronics15081568 - 9 Apr 2026
Viewed by 423
Abstract
This article presents the potential for maliciously influencing a control system by interfering with the program code of an industrial controller, using a temperature control system for a heating process based on resistive electric heating as an example. The presented attack scenarios are crucial for the energy efficiency of electric heating systems, which is related to the issue of cybersecurity in the area of energy security. The aim of this research was to demonstrate that a cyberattack involving the malicious manipulation of the setpoint can be carried out in a manner invisible to the heating process operator and be difficult to detect using classical time-domain control quality indicators (time-response specifications). The first involves incorporating proportional elements with mutually inverted gains into the input and output of a closed-loop system. The second method is based on adding an additional transfer function Gm(s) in parallel to the control system. The difference between the correct and manipulated setpoints is introduced into the input, and the output signal is added to the actual (hidden) value of the controlled variable. In the first method, at the moment of starting the control system, there is a difference between the apparent (falsified) value and the ambient temperature. In the second method, the inclusion of an additional Gm(s) ensures that the apparent (falsified) value of the controlled variable matches the temperature at the moment of starting the system. PID control enables achieving satisfactory control quality in heating processes, which are characterized by high inertia and time delays. Compared to classical PID regulation, advanced control methods can, under certain conditions, provide better performance in terms of quality indicators. 
However, due to their high computational complexity and sensitivity to model uncertainty—particularly in methods relying on accurate system identification—PID controllers continue to be widely used in industrial practice. For this reason, the present study focuses on a control system based on a PID controller as a practical solution. Based on the results, it was found that the most effective manipulation occurred within the range from 0.9 to 1.1 of the actual setpoint value for both the first and second method, using a model with Tm between 5 s and 30 s. In these cases, the quality indicators referenced to the nominal values, determined for the falsified control system responses to a step change in the setpoint, were as follows: overshoot—0.97 and 1.30 (method 1), and 0.90 and 1.10 (method 2 for 5 s), 0.75 and 1.30 (method 2 for 30 s); settling time—1.06 (method 1), and 0.98 and 1.17 (method 2 for 5 s), 0.85 and 1.14 (method 2 for 30 s). The settling times determined for the system’s response to a disturbance were: 1.00 and 1.15 (method 1), and 1.13 and 1.16 (method 2 for 5 s), 1.12 and 1.02 (method 2 for 30 s). Based on the conducted analysis, it was demonstrated that the relatively simple setpoint manipulation methods presented can effectively mask the impact of malicious interference on the temperature value in the control system of a heating process. Full article

26 pages, 774 KB  
Article
A Survey on Large Language Models in Software Security: Opportunities and Threats
by Md Bajlur Rashid, Mohammad Shafayet Jamil Hossain, Mohammad Ishtiaque Khan, Sharaban Tahora, Aiasha Siddika, Mahmudul Islam Prakash, Sharmin Yeasmin and Hossain Shahriar
Computers 2026, 15(4), 226; https://doi.org/10.3390/computers15040226 - 3 Apr 2026
Viewed by 2569
Abstract
The rise of large language models (LLMs), such as GPT-4, Codex, Code Llama, Claude 3, CodeGemma and DeepSeek, etc., is changing the way software development is approached. These models provide strong support for tasks like writing codes, analyzing bugs, and automation. At the same time, their use in software development creates both opportunities and new risks. This survey reviews how LLMs are being used to improve security practices in software development, including vulnerability detection, secure code generation, threat analysis, and patch development. It also discusses how attackers may exploit LLMs for malicious purposes, such as writing malware, carrying out phishing campaigns, or bypassing defenses. We draw on case studies that show LLMs can help uncover zero-day vulnerabilities and speed up secure coding but also highlight cases where they have been misused to generate harmful code, sometimes unintentionally. The paper examines technical challenges like bias in training data, the difficulty of interpreting model outputs, and the risks of adversarial attacks. It also considers ethical and regulatory issues related to accountability, compliance, and responsible use. By bringing together findings from recent research and industry practice, the survey outlines future directions for building safer models, developing stronger defensive frameworks, and shaping policies that balance innovation with security. Overall, the paper argues for a careful approach where LLMs are used to strengthen software security while addressing the risks they introduce through collaboration, oversight, and ongoing improvements. Full article
(This article belongs to the Special Issue Using New Technologies in Cyber Security Solutions (3rd Edition))

32 pages, 4199 KB  
Article
Beyond Semantic Noise: A Dual-Verification Framework for Thai–English Code-Mixed Malicious Script Detection via XAI-Guided Selective Integration
by Prasert Teppap, Wirot Ponglangka, Panudech Tipauksorn and Prasert Luekhong
J. Cybersecur. Priv. 2026, 6(2), 51; https://doi.org/10.3390/jcp6020051 - 9 Mar 2026
Viewed by 1620
Abstract
In the evolving cybersecurity landscape, detecting Thai-English code-mixed malicious scripts within high-trust domains such as governmental and academic portals presents a significant defensive challenge. While Transformer-based architectures excel in semantic parsing, they often exhibit ‘Structural Bias,’ misinterpreting the high-entropy syntax of benign legacy HyperText Markup Language (HTML) as malicious obfuscation due to inherent ‘Attention Deficit’ in token-limited models. To address this, we propose an Explainable AI (XAI)-Driven Hybrid Architecture grounded in a ‘Selective Integration’ strategy. Unlike traditional hybrid models, our framework mathematically formalizes the fusion process by synergizing context-aware WangChanBERTa embeddings with orthogonal structural statistics through Dempster-Shafer Theory and Conditional Mutual Information (CMI). The proposed model was validated on a high-fidelity corpus, achieving a state-of-the-art F1-score of 0.9908, significantly outperforming standalone Transformers, Random Forest, and unsupervised baselines. XAI diagnostics revealed a ‘Dual-Validation’ mechanism where structural features act as an epistemic anchor. This mechanism effectively triggers a ‘Semantic Veto’ to filter hallucinations caused by benign complexity, achieving a remarkably low False Positive Rate (FPR) of 0.0116. Our findings demonstrate that hybridization is most effective when engineered features provide mathematical orthogonality to semantic embeddings. This work offers a robust, theoretically grounded framework for securing critical digital infrastructures in low-resource linguistic environments. Full article
(This article belongs to the Collection Machine Learning and Data Analytics for Cyber Security)

34 pages, 2208 KB  
Article
Small Language Models for Phishing Website Detection: Cost, Performance, and Privacy Trade-Offs
by Georg Goldenits, Philip König, Sebastian Raubitzek and Andreas Ekelhart
J. Cybersecur. Priv. 2026, 6(2), 48; https://doi.org/10.3390/jcp6020048 - 5 Mar 2026
Viewed by 2189
Abstract
Phishing websites pose a major cybersecurity threat, exploiting unsuspecting users and causing significant financial and organisational harm. Traditional machine learning approaches for phishing detection often require extensive feature engineering, continuous retraining, and costly infrastructure maintenance. At the same time, proprietary large language models (LLMs) have demonstrated strong performance in phishing-related classification tasks, but their operational costs and reliance on external providers limit their practical adoption in many business environments. This paper presents a detection pipeline for malicious websites and investigates the feasibility of Small Language Models (SLMs) using raw HTML code and URLs. A key advantage of these models is that they can be deployed on local infrastructure, providing organisations with greater control over data and operations. We systematically evaluate 15 commonly used SLMs, ranging from 1 billion to 70 billion parameters, benchmarking their classification accuracy, computational requirements, and cost-efficiency. Our results highlight the trade-offs between detection performance and resource consumption. While SLMs underperform compared to state-of-the-art proprietary LLMs, the gap is moderate: the best SLM achieves an F1-score of 0.893 (Llama3.3:70B), compared to 0.929 for GPT-5.2, indicating that open-source models can provide a viable and scalable alternative to external LLM services. Full article
(This article belongs to the Section Privacy)

30 pages, 4292 KB  
Review
Optical Network Security: Threats, Techniques, and Future Directions
by Anna Gazani, Athanasios Mantzavinos, Polyxeni Tsompanoglou, Konstantinos Kantelis, Sophia Petridou, Petros Nicopolitidis and Georgios Papadimitriou
Electronics 2026, 15(4), 878; https://doi.org/10.3390/electronics15040878 - 20 Feb 2026
Viewed by 1641
Abstract
Optical networks constitute the backbone of contemporary communication infrastructures, supporting massive bandwidth, low-latency services, and high levels of scalability across core, metro, and access domains. As these systems evolve toward elastic, software-defined, and multi-domain architectures, their exposure to sophisticated security threats increases significantly. This paper provides a comprehensive survey of vulnerabilities and countermeasures in modern optical networks, spanning the physical, control, and cross-layer dimensions. We analyze major architectures—including WDM, TDM, PON, EON, and IP-over-WDM—and examine how their structural properties shape their security posture. A threat taxonomy is presented covering physical-layer attacks such as fiber tapping, optical jamming, crosstalk exploitation, and signal injection; control-plane risks including spoofing, malicious signaling, and SDN manipulation; and broader cross-layer attack vectors. We review state-of-the-art defense mechanisms, including physical-layer security (PLS), spectrum randomization, chaotic optical coding, device-level authentication, survivability techniques, intelligent monitoring, and quantum-secure solutions such as QKD. By integrating insights from recent experimental and operational studies, the survey highlights emerging challenges and identifies open problems related to secure orchestration, multi-tenant environments, and quantum-era resilience. The objective is to guide researchers, engineers, and network operators toward robust and future-proof security strategies for next-generation optical infrastructures. Full article

29 pages, 8090 KB  
Article
Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software
by Hoyeon Cho, Changui Lee and Seojeong Lee
Sensors 2026, 26(4), 1246; https://doi.org/10.3390/s26041246 - 14 Feb 2026
Viewed by 1145
Abstract
The S-100 standard for Electronic Chart Display and Information Systems (ECDIS) uses Lua scripts to render electronic charts, yet lacks security specifications for script execution. This paper evaluates automated Static Application Security Testing (SAST) tools versus expert manual review for S-100-compliant software. Four SAST tools were applied alongside an expert review of OpenS100, a reference implementation for next-generation ECDIS. While automated tools identified numerous defects, they failed to detect 83% (19/23) of expert-identified vulnerabilities, including an unrestricted Lua interpreter flaw with a Common Vulnerability Scoring System (CVSS) score of 9.3. This vulnerability enables Remote Code Execution (RCE) via malicious portrayal catalogues, verified through Proof of Concept (PoC) development. The analysis demonstrates that SAST tools are constrained by limited maritime domain knowledge and challenges in analyzing cross-language semantic risks at the C++–Lua interface. The findings establish that identified vulnerabilities stem from specification gaps in the S-100 standard rather than isolated coding errors. These results indicate that functional safety certifications require supplementation to address design-level security risks. The evidence supports that the International Hydrographic Organization (IHO) incorporate security controls, such as script sandboxing and library restrictions, into the S-100 framework before the 2029 mandatory adoption deadline. Full article

18 pages, 1409 KB  
Article
A Fractional Framework for Modeling Malicious Code Spread in Wireless Sensor Networks
by Waleed Abuelela, Abd-Allah Hyder, Tarek Aboelenen and Mohamed A. Barakat
Fractal Fract. 2026, 10(2), 92; https://doi.org/10.3390/fractalfract10020092 - 27 Jan 2026
Cited by 1 | Viewed by 442
Abstract
This paper develops a fractional six-compartment model to describe malware spread in wireless sensor networks. To represent actual network activity, the model is constructed using generalized proportional-Caputo operators that incorporate memory and tempering effects. The existence and uniqueness of solutions are proved by applying fixed-point theorems. The stability of the system is then studied using the Ulam–Hyers approach and its extended form. A fractional Adams predictor–corrector method is employed to illustrate the dynamics. The results suggest that memory and tempering play an important role in shaping infection patterns, and they indicate that fractional calculus can provide a useful framework for studying and managing malware in distributed sensor networks. Full article
(This article belongs to the Section Complexity)

25 pages, 3597 KB  
Article
Social Engineering Attacks Using Technical Job Interviews: Real-Life Case Analysis and AI-Assisted Mitigation Proposals
by Tomás de J. Mateo Sanguino
Information 2026, 17(1), 98; https://doi.org/10.3390/info17010098 - 18 Jan 2026
Viewed by 1175
Abstract
Technical job interviews have become a vulnerable environment for social engineering attacks, particularly when they involve direct interaction with malicious code. In this context, the present manuscript investigates an exploratory case study, aiming to provide an in-depth analysis of a single incident rather than seeking to generalize statistical evidence. The study examines a real-world covert attack conducted through a simulated interview, identifying the technical and psychological elements that contribute to its effectiveness, assessing the performance of artificial intelligence (AI) assistants in early detection and proposing mitigation strategies. To this end, a methodology was implemented that combines discursive reconstruction of the attack, code exploitation and forensic analysis. The experimental phase, primarily focused on evaluating 10 large language models (LLMs) against a fragment of obfuscated code, reveals that the malware initially evaded detection by 62 antivirus engines, while assistants such as GPT 5.1, Grok 4.1 and Claude Sonnet 4.5 successfully identified malicious patterns and suggested operational countermeasures. The discussion highlights how the apparent legitimacy of platforms like LinkedIn, Calendly and Bitbucket, along with time pressure and technical familiarity, act as catalysts for deception. Based on these findings, the study suggests that LLMs may play a role in the early detection of threats, offering a potentially valuable avenue to enhance security in technical recruitment processes by enabling the timely identification of malicious behavior. To the best of available knowledge, this represents the first academically documented case of its kind analyzed from an interdisciplinary perspective. Full article

24 pages, 588 KB  
Article
An Improved Detection of Cross-Site Scripting (XSS) Attacks Using a Hybrid Approach Combining Convolutional Neural Networks and Support Vector Machine
by Abdissamad Ayoubi, Loubna Laaouina, Adil Jeghal and Hamid Tairi
J. Cybersecur. Priv. 2026, 6(1), 18; https://doi.org/10.3390/jcp6010018 - 17 Jan 2026
Viewed by 1790
Abstract
Cross-site scripting (XSS) attacks are among the threats facing web security, resulting from the diversity and complexity of HTML formats. Research has shown that some text processing-based methods are limited in their ability to detect this type of attack. This article proposes an approach aimed at improving the detection of this type of attack, taking into account the limitations of certain techniques. It combines the effectiveness of deep learning represented by convolutional neural networks (CNN) and the accuracy of classification methods represented by support vector machines (SVM). It takes advantage of the ability of CNNs to effectively detect complex visual patterns in the face of injection variations and the SVM’s powerful classification capability, as XSS attacks often use obfuscation or encryption techniques that are difficult to be detected with textual methods alone. This work relies on a dataset that focuses specifically on XSS attacks, which is available on Kaggle and contains 13,686 sentences in script form, including benign and malicious cases associated with these attacks. Benign data represents 6313 cases, while malicious data represents 7373 cases. The model was trained on 80% of this data, while the remaining 20% was allocated for test. Computer vision techniques were used to analyze the visual patterns in the images and extract distinctive features, moving from a textual representation to a visual one where each character is converted into its ASCII encoding, then into grayscale pixels. In order to visually distinguish the characteristics of normal and malicious code strings and the differences in their visual representation, a CNN model was used in the analysis. The convolution and subsampling (pooling) layers extract significant patterns at different levels of abstraction, while the final output is converted into a feature vector that can be exploited by a classification algorithm such as an Optimized SVM. 
The experimental results showed excellent performance for the model, with an accuracy of (99.7%), and this model is capable of generalizing effectively without the risk of overfitting or loss of performance. This significantly enhances the security of web applications by providing robust protection against complex XSS threats.
(This article belongs to the Section Security Engineering & Applications)

25 pages, 692 KB  
Article
Decentralized Dynamic Heterogeneous Redundancy Architecture Based on Raft Consensus Algorithm
by Ke Chen and Leyi Shi
Future Internet 2026, 18(1), 20; https://doi.org/10.3390/fi18010020 - 1 Jan 2026
Viewed by 1103
Abstract
Dynamic heterogeneous redundancy (DHR) architectures combine heterogeneity, redundancy, and dynamism to create security-centric frameworks that can be used to mitigate network attacks that exploit unknown vulnerabilities. However, conventional DHR architectures rely on centralized control modules for scheduling and adjudication, leading to significant single-point failure risks and trust bottlenecks that severely limit their deployment in security-critical scenarios. To address these challenges, this paper proposes a decentralized DHR architecture based on the Raft consensus algorithm. It deeply integrates the Raft consensus mechanism with the DHR execution layer to build a consensus-centric control plane and designs a dual-log pipeline to ensure all security-critical decisions are executed only after global consistency via Raft. Furthermore, we define a multi-dimensional attacker model—covering external, internal executor, internal node, and collaborative Byzantine adversaries—to analyze the security properties and explicit defense boundaries of the architecture under Raft’s crash-fault-tolerant assumptions. To assess the effectiveness of the proposed architecture, a prototype consisting of five heterogeneous nodes was developed for thorough evaluation. The experimental results show that, for non-Byzantine external and internal attacks, the architecture achieves high detection and isolation rates, maintains high availability, and ensures state consistency among non-malicious nodes. For stress tests in which a minority of nodes exhibit Byzantine-like behavior, our prototype preserves log consistency and prevents incorrect state commitments; however, we explicitly treat these as empirical observations under a restricted adversary rather than a general Byzantine fault tolerance guarantee. Performance testing revealed that the system exhibits strong security resilience in attack scenarios, with manageable performance overhead. 
Instead of turning Raft into a Byzantine-fault-tolerant consensus protocol, the proposed architecture preserves Raft’s crash-fault-tolerant guarantees at the consensus layer and achieves Byzantine-resilient behavior at the execution layer through heterogeneous redundant executors and majority-hash validation. To support evaluation during peer review, we provide a runnable prototype package containing Docker-based deployment scripts, pre-built heterogeneous executors, and Raft control-plane images, enabling reviewers to observe and assess the representative architectural behaviors of the system under controlled configurations without exposing the internal source code. The complete implementation will be made available after acceptance in accordance with institutional IP requirements, without affecting the scope or validity of the current evaluation.
(This article belongs to the Section Cybersecurity)

39 pages, 94444 KB  
Article
From Capture–Recapture to No Recapture: Efficient SCAD Even After Software Updates
by Kurt A. Vedros, Aleksandar Vakanski, Domenic J. Forte and Constantinos Kolias
Sensors 2026, 26(1), 118; https://doi.org/10.3390/s26010118 - 24 Dec 2025
Viewed by 737
Abstract
Side-Channel-based Anomaly Detection (SCAD) offers a powerful and non-intrusive means of detecting unauthorized behavior in IoT and cyber–physical systems. It leverages signals that emerge from physical activity—such as electromagnetic (EM) emissions or power consumption traces—as passive indicators of software execution integrity. This capability is particularly critical in IoT/IIoT environments, where large fleets of deployed devices are at heightened risk of firmware tampering, malicious code injection, and stealthy post-deployment compromise. However, its deployment remains constrained by the costly and time-consuming need to re-fingerprint whenever a program is updated or modified, as fingerprinting involves a precision-intensive manual capturing process for each execution path. To address this challenge, we propose a generative modeling framework that synthesizes realistic EM signals for newly introduced or updated execution paths. Our approach utilizes a Conditional Wasserstein Generative Adversarial Network with Gradient Penalty (CWGAN-GP) framework trained on real EM traces that are conditioned on Execution State Descriptors (ESDs) that encode instruction sequences, operands, and register values. Comprehensive evaluations at instruction-level granularity demonstrate that our approach generates synthetic signals that faithfully reproduce the distinctive features of real EM emissions—achieving 85–92% similarity to real emanations. The inclusion of ESD conditioning further improves fidelity, reducing the similarity distance by ∼13%. To gauge SCAD utility, we train a basic semi-supervised detector on the synthetic signals and find ROC-AUC results within ±1% of detectors trained on real EM data across varying noise conditions. Furthermore, the proposed 1DCNNGAN model (a CWGAN-GP variant) achieves faster training and reduced memory requirements compared with the previously leading ResGAN.
(This article belongs to the Special Issue Internet of Things Cybersecurity)