Journal of Cybersecurity and Privacy

Accurate malware family classification from dynamic sandbox reports continues to be a fundamental cybersecurity challenge. Most prior works depend on random splits that tend to overestimate accuracy, whereas deployment requires robustness under temporal drift as well as changing behaviors. We present a leakage-aware pipeline that transforms CAPEv2 sandbox JSON reports into structured visual heatmaps and evaluate models under stratified and chronological splits. The pipeline rigorously flattens behavioral keys, builds normalized representations, and benchmarks Random Forest, MLP, CNN64, HybridNet, and a modern ResNeXt-50 backbone. On the Avast–CTU CAPEv2 dataset containing ten malware families, Random Forest achieves nearly state-of-the-art accuracy (97.2% accuracy, 0.993 AUC) with high efficiency on CPUs, making it attractive for triage. ResNeXt-50 achieves the best overall performance (98.4% accuracy, 0.998 AUC) and provides visual interpretability via Grad-CAM, enabling analysts to verify predictions. We further quantify efficiency trade-offs (inference throughput and GPU memory) and report ablation studies on vocabulary size and keyset choices. These results affirm that though ensemble methods are still robust, heatmap-based CNNs provide better accuracy, interpretability, and robustness against drift. Full article

Large language models (LLMs) have become essential in various use cases, such as code generation, reasoning, or translation. Applications vary from language understanding to decision making. Despite this rapid evolution, significant concerns appear regarding the security of these models and the vulnerabilities they present. In this research, we present an overview of the common LLM models, and their design components and architectures. Moreover, we present their domains of applications. Following that, we present the main security concerns associated with LLMs as defined in different security referentials and standards such as OWASP, MITRE, and NIST. Moreover, we present prior research that focuses on the security concerns in LLMs. Finally, we conduct a comparative study of the performance and robustness of several models against various attack scenarios. We highlight the behavior differences of these models, which prove the importance of giving more attention for the security aspect when using or designing LLMs. Full article

Electronic health record (EHR) data breaches create severe concerns for patients’ privacy, safety, and risk of loss for healthcare entities responsible for managing patient health records. EHR systems collect a vast amount of user-sensitive data, requiring integration, implementation, and the application of essential security principles, controls, and strategies to safeguard against persistent adversary attacks. This research is an exploratory study into current integrated EHR cybersecurity attacks using United States Health Insurance Portability and Accountability Act (HIPAA) privacy and security breach reported data. This work investigates if current EHR implementation lacks the requisite security control to prevent a cyber breach and protect user privacy. We conduct descriptive and trend analysis to describe, demonstrate, summarize data points, and predict direction based on current and historical data by covered entity, type of breaches, and point of breaches (examine, attack methods, patterns, and location of breach information). An Autoregressive Integrated Moving Average (ARIMA) model is used to provide a detailed analysis of the data demonstrating breaches caused by hacking and IT incidents show a significant trend (coefficient 0.84, p-value < 2.2 × 10⁻¹⁶ ***). The findings reveal a consistent rise in breaches—particularly from hacking and IT incidents—disproportionately affecting healthcare providers. The study highlights that EHR data breaches often follow recurring patterns, indicating common vulnerabilities, and underlines the need for prioritized, data-driven security investments. These findings validate the hypothesis that most EHR cybersecurity attacks are concentrated using similar attack methodologies and face common vulnerabilities and demonstrate the value of targeted mitigation strategies to strengthen healthcare cybersecurity. The findings highlight the urgent need for healthcare organizations and policymakers to prioritize targeted, data-driven security investments and enforce stricter controls to protect EHR systems from increasingly frequent and predictable cyberattacks. Full article

Ransomware is a fast-evolving form of cybercrime in which a ransom is demanded to restore access to a victim’s encrypted files. The business model of the criminals relies on victims being willing to pay the ransom demand. In this paper we use insights from behavioural economics to see how the framing of a ransom demand may influence willingness to pay the ransom. We then report the results of an experiment in which subjects ($n=93$) were shown eight different ransom demand splash screens, based on well-known examples of ransomware. The subjects were asked to rate and rank the ransom demands on six criteria that included willingness to pay and willingness to trust the criminals. This allows a within-subject comparison of different ransom demand frames. We find that trust is the main determinant of willingness to pay. We also find that positive framing is likely to increase willingness to pay compared to negative framing. Full article

Modern network intrusion detection systems (NIDSs) rely on complex deep learning models. However, the “black-box” nature of deep learning methods hinders transparency and trust in predictions, preventing the timely implementation of countermeasures against intrusion attacks. Although explainable AI (XAI) methods provide a solution to this problem by providing insights into the reasons behind the predictions, the explanations provided by the majority of them cannot be trivially converted into actionable countermeasures. In this work, we propose a novel tabular diffusion-based counterfactual explanation framework that can provide actionable explanations for network intrusion attacks. We evaluated our proposed algorithm against several other publicly available counterfactual explanation algorithms on three modern network intrusion datasets. To the best of our knowledge, this work also presents the first comparative analysis of the existing counterfactual explanation algorithms within the context of NIDSs. Our proposed method provides plausible and diverse counterfactual explanations more efficiently than the tested counterfactual algorithms, reducing the time required to generate explanations. We also demonstrate how the proposed method can provide actionable explanations for NIDSs by summarizing them into a set of actionable global counterfactual rules, which effectively filter out incoming attack queries. This ability of the rules is crucial for efficient intrusion detection and defense mechanisms. We have made our implementation publicly available on GitHub. Full article

This study presents a novel and interpretable, deployment-ready framework for predicting cybersecurity incidents through item-level behavioral, cognitive, and dispositional indicators. Based on survey data from 453 professionals across countries and sectors, we developed 72 logistic regression models across twelve self-reported incident outcomes—from account lockouts to full device compromise—within six analytically stratified layers (Education, IT, Hungary, UK, USA, and full sample). Drawing on five theoretically grounded domains—cybersecurity behavior, digital literacy, personality traits, risk rationalization, and work–life boundary blurring—our models preserve the full granularity of individual responses rather than relying on aggregated scores, offering rare transparency and interpretability for real-world applications. This approach reveals how stratified models, despite smaller sample sizes, often outperform general ones by capturing behavioral and contextual specificity. Moderately prevalent outcomes (e.g., suspicious logins, multiple mild incidents) yielded the most robust predictions, while rare-event models, though occasionally high in “Area Under the Receiver Operating Characteristic Curve” (AUC), suffered from overfitting under cross-validation. Beyond model construction, we introduce threshold calibration and fairness-aware integration of demographic variables, enabling ethically grounded deployment in diverse organizational contexts. By unifying theoretical depth, item-level precision, multilayer stratification, and operational guidance, this study establishes a scalable blueprint for human-centric cybersecurity. It bridges the gap between behavioral science and risk analytics, offering the tools and insights needed to detect, predict, and mitigate user-level threats in increasingly blurred digital environments. Full article

Obligations in the Next-Generation Access Control (NGAC) standard enable the development of security-intensive workflow systems where access privileges evolve over time. However, specifying obligations for dynamic access requirements poses challenges, with errors having the potential to cause significant harm to the authorization state in NGAC applications. To identify and rectify such errors, our work aims to verify obligations by translating NGAC policies into logical formulas in SMTs (Satisfiability Modulo Theories). A primary challenge lies in the formalization of procedural obligations into declarative SMT formulas, given the potential for interference among administrative actions within an obligation. To address this issue, this paper analyzes all conflicts among obligation actions and formalizes them as logical formulas for the correct SMT-based verification of obligations in NGAC policies. We implemented the approach using the cvc5 solver and applied it to real-world systems. The results illustrate the successful formalization and verification of access control requirements. Full article

In this literature review, we critically examine the evolving landscape of privacy in blockchain systems, with a particular focus on the differentiation of privacy attacks and protective measures across three distinct layers: the on-chain layer; the off-chain layer; and on the infrastructure, i.e., peer-to-peer network layer. In this review, we categorize prevalent privacy attacks, such as transaction tracing, data leakage, and network surveillance, highlighting their implications at each layer. In addition, we evaluate a range of protective techniques, including cryptographic methods, zero-knowledge proofs, and other privacy-preserving protocols. We explore the compatibility of these privacy techniques with existing blockchain systems. By synthesizing current research and practical implementations, our aims are to provide a comprehensive understanding of privacy challenges and solutions in blockchain environments, identify gaps, and guide future developments in privacy-enhancing technologies within the blockchain ecosystem. Full article

Although many chaos-based cryptosystems have been proposed over the past decade, they have yet to gain traction in real-world applications. A key reason for this is that most designs rely on security through obscurity, with unnecessarily complex structures that hinder cryptanalysis and formal evaluation. In this paper, we challenge this trend by showing that chaos-based ciphers can be constructed using conventional, well-understood cryptographic design paradigms without sacrificing performance. First, we present a minimalistic image encryption scheme based on the substitution–permutation network (SPN), demonstrating that it satisfies widely accepted criteria for evaluating chaos-based ciphers. We further show that simple, low-dimensional chaotic maps are sufficient to eliminate statistical biases and that variations in the underlying map have a negligible impact. Second, we propose a chaos-based Feistel block cipher (CFBC) grounded in the generalized Feistel network, enabling standard security evaluation through differential cryptanalysis. As a direct comparison with existing chaos-based image ciphers, we apply CFBC in cipher block chaining (CBC) mode to image encryption. Experimental results show that CFBC achieves a statistical performance comparable to that of state-of-the-art image ciphers. Our findings reinforce the idea that chaos-based cryptosystems need not rely on overly complex constructions and can instead adopt established principles to become more analyzable and robust. Full article

The increasing complexity and scale of cyber threats demand advanced, automated methodologies for extracting actionable cyber threat intelligence (CTI). The automated extraction of Tactics, Techniques, and Procedures (TTPs) from unstructured threat reports remains a challenging task, constrained by the scarcity of labeled data, severe class imbalance, semantic variability, and the complexity of multi-class, multi-label learning for fine-grained classification. To address these challenges, this work proposes the Threat Intelligence Extraction Framework (TIEF) designed to autonomously extract Indicators of Compromise (IOCs) from heterogeneous textual threat reports and represent them by the STIX 2.1 standard for standardized sharing. TIEF employs the DistilBERT Base-Uncased model as its backbone, achieving an F1 score of 0.933 for multi-label TTP classification, while operating with 40% fewer parameters than traditional BERT-base models and preserving 97% of their predictive performance. Distinguishing itself from existing methodologies such as TTPDrill, TTPHunter, and TCENet, TIEF incorporates a multi-label classification scheme capable of covering 560 MITRE ATT&CK classes comprising techniques and sub-techniques, thus facilitating a more granular and semantically precise characterization of adversarial behaviors. BERTopic modeling integration enabled the clustering of semantically similar textual segments and captured the variations in threat report narratives. By operationalizing sub-technique-level discrimination, TIEF contributes to context-aware automated threat detection. Full article

Traditional encryption prioritises confidentiality but complicates search operations, requiring decryption before searches can be conducted. The public key encryption with keyword search (PEKS) scheme addresses this limitation by enabling authorised users to search for specific keywords within encrypted data without compromising the underlying encryption. This facilitates efficient and secure data retrieval without the need to decrypt the entire dataset. However, PEKS is susceptible to the keyword guessing attack (KGA), exploiting the deterministic nature of the PEKS trapdoor so that the adversary can correctly guess the keyword encrypted in a trapdoor. To enhance PEKS security to counter a KGA, various schemes have been proposed. A notable one is public key authenticated encryption with keyword search (PAEKS). PAEKS combines authentication and encryption with keyword-based search functionalities, ensuring data source authentication, encrypted information security, and keyword-based searches. However, many existing PAEKS schemes rely on computationally exhaustive bilinear pairing. In this paper, we propose a PAEKS scheme based on k-resilient identity-based encryption without bilinear pairing. By using the provable security approach, we show that our proposed PAEKS scheme satisfies both ciphertext privacy and trapdoor privacy. We present a comparison of the computation cost of our proposed PAEKS scheme with the existing PAEKS schemes and highlight its efficiency, particularly in the $\mathsf{Test}$ algorithm, where it achieves the fastest execution time. By performing experiments using the real-world Enron Email dataset, we show that the proposed scheme is efficient. Full article

Ransomware attacks pose a serious threat to global cybersecurity, inflicting severe financial and operational damage on organizations, individuals, and critical infrastructure. Despite their pervasive impact, proactive measures to mitigate ransomware threats remain underdeveloped, with most efforts focused on reactive responses. Moreover, prior literature reveals a significant gap in systematic approaches for predicting such incidents. This research seeks to address this gap by employing time-series analysis to forecast ransomware attacks. Using 1880 ransomware incidents, we decompose the dataset into trend, seasonal, and residual components, fit a time-series model, and forecast future attacks. The results indicate that time-series analysis is useful for uncovering broad, structural patterns in ransomware data. To gain further insight into these results, we perform sub-analyses based on attacks targeting the top five sectors. The findings reveal reasonable predictive performance for ransomware attacks against government facilities and the healthcare and public health sector, with the latter showing an upward trend in attacks. By providing a predictive lens, our model equips organizations with actionable intelligence, enabling preemptive measures and enhanced situational awareness. Finally, this research underscores the importance of integrating time-series forecasting into cybersecurity strategies and seeks to pave the way for future advancements in predictive analytics for cyber threats. Full article

The growing sophistication of cyber threats has posed significant challenges for organizations in terms of accurately detecting and responding to incidents in a coordinated manner. Despite advances in the application of machine learning and automation, many solutions still face limitations such as high false positive rates, low scalability, and difficulties in interorganizational cooperation. This study presents MICRA (Modular Intelligent Cybersecurity Response Architecture), a modular conceptual proposal that integrates dynamic data acquisition, cognitive threat analysis, multi-layer validation, adaptive response orchestration, and collaborative intelligence sharing. The architecture consists of six interoperable modules and incorporates techniques such as supervised learning, heuristic analysis, and behavioral modeling. The modules are designed for operation in diverse environments, including corporate networks, educational networks, and critical infrastructures. MICRA seeks to establish a flexible and scalable foundation for proactive cyber defense, reconciling automation, collaborative intelligence, and adaptability. This proposal aims to support future implementations and research on incident response and cyber resilience in complex operational contexts. Full article

This paper proposes and evaluates a novel real-time cybersecurity framework integrating artificial intelligence (AI) and blockchain technology to enhance the detection and auditability of cyber threats. Traditional cybersecurity approaches often lack transparency and robustness in logging and verifying AI-generated decisions, hindering forensic investigations and regulatory compliance. To address these challenges, we developed an integrated solution combining a convolutional neural network (CNN)-based anomaly detection module with a permissioned Ethereum blockchain to securely log and immutably store AI-generated alerts and relevant metadata. The proposed system employs smart contracts to automatically validate AI alerts and ensure data integrity and transparency, significantly enhancing auditability and forensic analysis capabilities. To rigorously test and validate our solution, we conducted comprehensive experiments using the CICIDS2017 dataset and evaluated the system’s detection accuracy, precision, recall, and real-time responsiveness. Additionally, we performed penetration testing and security assessments to verify system resilience against common cybersecurity threats. Results demonstrate that our AI-blockchain integrated solution achieves superior detection performance while ensuring real-time logging, transparency, and auditability. The integration significantly strengthens system robustness, reduces false positives, and provides clear benefits for cybersecurity management, especially in regulated environments. This paper concludes by outlining potential avenues for future research, particularly extending blockchain scalability, privacy enhancements, and optimizing performance for high-throughput cybersecurity applications. Full article

The proper use of Android app permissions is crucial to the success and security of these apps. Users must agree to permission requests when installing or running their apps. Despite official Android platform documentation on proper permission usage, there are still many cases of permission abuse. This study provides a comprehensive analysis of the Android permission landscape, highlighting trends and patterns in permission requests across various applications from the Google Play Store. By distinguishing between benign and malicious applications, we uncover developers’ evolving strategies, with malicious apps increasingly requesting fewer permissions to evade detection, while benign apps request more to enhance functionality. In addition to examining permission trends across years and app features such as advertisements, in-app purchases, content ratings, and app sizes, we leverage association rule mining using the FP-Growth algorithm. This allows us to uncover frequent permission combinations across the entire dataset, specific years, and 16 app genres. The analysis reveals significant differences in permission usage patterns, providing a deeper understanding of co-occurring permissions and their implications for user privacy and app functionality. By categorizing permissions into high-level semantic groups and examining their application across distinct app categories, this study offers a structured approach to analyzing the dynamics within the Android ecosystem. The findings emphasize the importance of continuous monitoring, user education, and regulatory oversight to address permission misuse effectively. Full article

Differential privacy (DP) is an important framework to provide strong theoretical guarantees on the privacy and utility of released data. Since its introduction in 2006, DP has been applied to various data types and domains. More recently, the introduction of metric differential privacy has improved the applicability and interpretability of DP in cases where the data resides in more general metric spaces. In metric DP, indistinguishability of data points is modulated by their distance. In this work, we demonstrate how to extend metric differential privacy to datasets representing three-dimensional rotations in SO(3) through two mechanisms: a Laplace mechanism on SO(3), and a novel privacy mechanism based on the Bingham distribution. In contrast to other applications of metric DP to directional data, we demonstrate how to handle the antipodal symmetry inherent in SO(3) while transferring privacy from $S^3$ to SO(3). We show that the Laplace mechanism fulfills $ϵ\varphi$-privacy, where $\varphi$ is the geodesic metric on SO(3), and that the Bingham mechanism fulfills $\widetilde{ϵ}\varphi$-privacy with $\widetilde{ϵ}={\displaystyle \frac{\pi }{4}}ϵ$. Through a simulation study, we compare the distribution of samples from both mechanisms and argue about their respective privacy–utility tradeoffs. Full article

In today’s era of technology, where information is readily available anytime and from anywhere, safeguarding our privacy and sensitive data is more important than ever. The thermal sensors embedded within a CPU are primarily utilized for monitoring and regulating the processor’s temperature during operation. However, they can serve as valuable components in increasing the security of a system as well, by enabling the detection of anomalies through temperature monitoring. This study presents three distinct methods demonstrating that anomalies in CPU heat dissipation can be effectively detected using the thermal sensors of a CPU, even under conditions of significant environmental use. First, it evaluates the Hot-n-Cold anomaly detection technique across various noisy environments, demonstrating that the presence of additional lines of code inserted into a Linux command can be identified through thermal analysis. Second, it detects the CryptoTrooper ransomware attack by fingerprinting the associated cryptographic processes in terms of temperature. Finally, it detects unauthorized system login attempts by capturing and analyzing their distinctive thermal signatures. This study demonstrates that various detection mechanisms can be implemented using thermal sensors to enhance system security. It also motivates the need for further research in this relatively underexplored area with the goal of developing more effective methods of protecting data. Full article

The increasing complexity and volume of cybersecurity logs demand advanced analytical techniques capable of accurate threat detection and explainability. This paper investigates the application of Large Language Models (LLMs), specifically qwen2.5:7b, gemma3:4b, llama3.2:3b, qwen3:8b and qwen2.5:32b to cybersecurity log classification, demonstrating their superior performance compared to traditional machine learning models such as XGBoost, Random Forest, and LightGBM. We present a comprehensive evaluation pipeline that integrates domain-specific prompt engineering, robust parsing of free-text LLM outputs, and uncertainty quantification to enable scalable, automated benchmarking. Our experiments on a vulnerability detection task show that the LLM achieves an F1-score of 0.928 ([0.913, 0.942] 95% CI), significantly outperforming XGBoost (0.555 [0.520, 0.590]) and LightGBM (0.432 [0.380, 0.484]). In addition to superior predictive performance, the LLM generates structured, domain-relevant explanations aligned with classical interpretability methods. These findings highlight the potential of LLMs as interpretable, adaptive tools for operational cybersecurity, making advanced threat detection feasible for SMEs and paving the way for their deployment in dynamic threat environments. Full article

Frame-wise steganalysis is a crucial task in low-bit-rate speech streams that can achieve active defense. However, there is no common theory on how to extract steganalysis features for frame-wise steganalysis. Moreover, existing frame-wise steganalysis methods cannot extract fine-grained steganalysis features. Therefore, in this paper, we propose a frame-wise steganalysis method based on mask-gating attention and bilinear codeword feature interaction mechanisms. First, this paper utilizes the mask-gating attention mechanism to dynamically learn the importance of the codewords. Second, the bilinear codeword feature interaction mechanism is used to capture an informative second-order codeword feature interaction pattern in a fine-grained way. Finally, multiple fully connected layers with a residual structure are utilized to capture higher-order codeword interaction features while preserving lower-order interaction features. The experimental results show that the performance of our method is better than that of the state-of-the-art frame-wise steganalysis method on large steganography datasets. The detection accuracy of our method is 74.46% on 1000K testing samples, whereas the detection accuracy of the state-of-the-art method is 72.32%. Full article