Intrusion/Malware Detection and Prevention in Networks—2nd Edition

A special issue of Journal of Cybersecurity and Privacy (ISSN 2624-800X). This special issue belongs to the section "Security Engineering & Applications".

Deadline for manuscript submissions: 10 March 2026 | Viewed by 11697

Special Issue Editors

Guest Editor
School of Engineering, Liberty University, Lynchburg, VA 24515, USA
Interests: intrusion detection systems; machine learning; cyber security; IoT security and privacy; internet measurement

Guest Editor
School of Information Technology, Illinois State University, Normal, IL 61790, USA
Interests: network security; artificial intelligence; adaptive learning

Special Issue Information

Dear Colleagues,

This Special Issue is focused on the detection of intrusion and malware attacks on communication and networks, future Internet architectures, 5G and beyond wireless networks, enterprises, data centers, edge and cloud networks, software-defined networking (SDN), optical networks, the Internet and IoT-scale networks. We welcome the submission of papers on the following topics:

  • Distributed denial-of-service (DDoS) attack and defense;
  • Explainable prevention strategies;
  • Profiling normal or abnormal system behaviors;
  • Metrics for evaluating the effectiveness of intrusion detection techniques;
  • Access control;
  • Biometrics;
  • Jamming attack and defense;
  • Trojan attack and defense;
  • Viruses and malware;
  • Covert channel detection;
  • Malware and unwanted software.

Prof. Dr. Feng Wang
Prof. Dr. Yongning Tang
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 250 words) can be sent to the Editorial Office for assessment.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Journal of Cybersecurity and Privacy is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 1200 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • distributed denial-of-service (DDoS) attack and defense
  • explainable prevention strategies
  • profiling normal or abnormal system behaviors
  • metrics for evaluating the effectiveness of intrusion detection techniques
  • access control
  • biometrics
  • jamming attack and defense
  • trojan attack and defense
  • viruses and malware
  • covert channel detection
  • malware and unwanted software

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • Reprint: MDPI Books provides the opportunity to republish successful Special Issues in book format, both online and in print.


Published Papers (9 papers)

Research

19 pages, 1190 KB  
Article
Investigating Security Vulnerabilities in 5G Control and User Planes: Attack Patterns and Protection Strategies
by Samuel T. Aiello, Bhaskar P. Rimal, Frederick T. Sheldon and Yong Wang
J. Cybersecur. Priv. 2026, 6(1), 37; https://doi.org/10.3390/jcp6010037 - 17 Feb 2026
Abstract
The rollout of 5G Standalone networks introduces unprecedented flexibility and performance through service-based architecture (SBA), virtualization, open APIs, and network slicing, while simultaneously expanding the attack surface across control, user, and cross-plane interfaces. This article provides a systematic, vulnerability-prioritized, selective characterization of the current state of weaknesses specific to the 5G control and user planes and transparent risk scoring. Using a PRISMA-aligned methodology, vulnerabilities are mapped explicitly to 3GPP network functions and interfaces (e.g., AMF, SMF, UPF; N2, N4, SBA APIs) and categorized by operational evidence level ranging from theoretical analysis to documented live-network exploitation. A normalized criticality scoring model integrates likelihood, impact, exploitability, and CVSS-derived severity. The analysis shows that control-plane signaling floods, PFCP misuse, and container escapes stand out as the most pressing risks. It also exposes how little attention has been given to securing the user plane and strengthening slice isolation. The paper wraps up with clear, evidence-based hardening priorities for each plane, along with research areas that matter for today’s 5G networks and the shift toward 6G.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

16 pages, 299 KB  
Article
Security Challenges in 5G Network Slicing: A Risk-Based Analysis and Conceptual Framework
by José Dias, Silvestre Malta and Ricardo Santos
J. Cybersecur. Priv. 2026, 6(1), 35; https://doi.org/10.3390/jcp6010035 - 12 Feb 2026
Viewed by 139
Abstract
Network slicing is a core enabler of multi-tenant 5th Generation (5G) architectures, allowing heterogeneous services to coexist over shared infrastructure. However, ensuring effective isolation between slices remains a critical security challenge, as failures may enable cross-slice interference, data leakage, or cascading service disruption. This article analyses security vulnerabilities affecting 5G network slicing from a risk-oriented perspective, with particular emphasis on isolation weaknesses across orchestration, virtualization, network, and interface layers. Due to the technical immaturity and instability of current open-source slicing platforms, experimental validation of security mechanisms proved infeasible. These limitations are therefore treated as empirical evidence informing a structured vulnerability taxonomy and a qualitative risk assessment grounded in confidentiality, integrity, and availability. Building on this analysis, the article proposes a conceptual security framework that integrates defence-in-depth, zero-trust principles, continuous monitoring, and adaptive response mechanisms to enforce isolation dynamically. Aligned with established standards and regulatory references, the framework provides a coherent theoretical foundation for future experimental validation and the secure design of resilient 5G network slicing architectures.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

36 pages, 5962 KB  
Article
Evaluation of Anomaly-Based Network Intrusion Detection Systems with Unclean Training Data for Low-Rate Attack Detection
by Angela Oryza Prabowo, Deka Julian Arrizki, Baskoro Adi Pratomo, Ahmad Ibnu Fajar, Krisna Badru Wijaya, Hudan Studiawan, Ary Mazharuddin Shiddiqi and Siti Hajar Othman
J. Cybersecur. Priv. 2026, 6(1), 14; https://doi.org/10.3390/jcp6010014 - 6 Jan 2026
Viewed by 671
Abstract
Anomaly-based network intrusion detection systems (NIDSs) complement signature-based detection methods to identify unknown (zero-day) attacks. The integration of machine and deep learning enhanced the efficiency of such NIDSs. However, since anomaly-based NIDSs heavily depend on the quality of the training data, the presence of malicious traffic in the training set can significantly degrade the model’s performance. Purging the training data of such traffic is often impractical. This study investigates performance degradation caused by increasing amounts of malicious traffic in the training data. We introduced varying portions of malicious traffic into the training sets of machine and deep learning models to determine which approach is most resilient to unclean training data. Our experiments revealed that Autoencoders, using a byte frequency feature set, achieved the highest F2 score (0.8989), with only a minor decrease of 0.0009 when trained on the most contaminated dataset. This performance drop was the smallest compared to other algorithms tested, including an Isolation Forest, a Local Outlier Factor, a One-Class Support Vector Machine, and Long Short-Term Memory.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

22 pages, 2261 KB  
Article
Statistical and Multivariate Analysis of the IoT-23 Dataset: A Comprehensive Approach to Network Traffic Pattern Discovery
by Humera Ghani, Shahram Salekzamankhani and Bal Virdee
J. Cybersecur. Priv. 2025, 5(4), 112; https://doi.org/10.3390/jcp5040112 - 16 Dec 2025
Viewed by 963
Abstract
The rapid expansion of Internet of Things (IoT) technologies has introduced significant challenges in understanding the complexity and structure of network traffic data, which is essential for developing effective cybersecurity solutions. This research presents a comprehensive statistical and multivariate analysis of the IoT-23 dataset to identify meaningful network traffic patterns and assess the effectiveness of various analytical methods for IoT security research. The study applies descriptive statistics, inferential analysis, and multivariate techniques, including Principal Component Analysis (PCA), DBSCAN clustering, and factor analysis (FA), to the publicly available IoT-23 dataset. Descriptive analysis reveals clear evidence of non-normal distributions: for example, the features src_bytes, dst_bytes, and src_pkts have skewness values of −4.21, −3.87, and −2.98, and kurtosis values of 38.45, 29.67, and 18.23, respectively. These values indicate highly skewed, heavy-tailed distributions with frequent outliers. Correlation analysis revealed a strong positive correlation (0.97) between orig_bytes and resp_bytes, and a strong negative correlation (−0.76) between duration and resp_bytes, while inferential statistics indicate that linear regression provides optimal modeling of data relationships. Key findings show that PCA is highly effective, capturing 99% of the dataset’s variance and enabling significant dimensionality reduction. DBSCAN clustering identifies six distinct clusters, highlighting diverse network traffic behaviors within IoT environments. In contrast, FA explains only 11.63% of the variance, indicating limited suitability for this dataset. These results establish important benchmarks for future IoT cybersecurity research and demonstrate the superior effectiveness of PCA and DBSCAN for analyzing complex IoT network traffic data. The findings offer practical guidance for researchers in selecting appropriate statistical methods for IoT dataset analysis, ultimately supporting the development of more robust cybersecurity solutions.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

40 pages, 5207 KB  
Article
Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives
by Maria-Mădălina Andronache, Alexandru Vulpe and Corneliu Burileanu
J. Cybersecur. Priv. 2025, 5(4), 98; https://doi.org/10.3390/jcp5040098 - 10 Nov 2025
Cited by 1 | Viewed by 1909
Abstract
Malware remains one of the most persistent and evolving threats to cybersecurity, necessitating robust analysis techniques to understand and mitigate its impact. This study presents a comprehensive analysis of selected malware samples using both static and dynamic analysis techniques. In the static phase, file structure, embedded strings, and code signatures were examined, while in the dynamic analysis phase, the malware was executed in a virtual sandbox environment to observe process creation, network communication, and file system changes. By combining these two approaches, various types of malware files could be characterized and have their key elements revealed. This improved the understanding of the code capabilities and evasive behaviors of malicious files. The goal of these analyses was to create a database of malware profiling tools and tools that can be utilized to identify and analyze malware. The results demonstrate that integrating static and dynamic methodologies improves the accuracy of malware profiling and supports more effective threat detection and incident response strategies.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

23 pages, 1019 KB  
Article
Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models
by Michael B. Zamperini and Diana J. Schwerha
J. Cybersecur. Priv. 2025, 5(4), 83; https://doi.org/10.3390/jcp5040083 - 3 Oct 2025
Viewed by 1509
Abstract
This study proposes methods of computer simulation to study and optimize the cybersecurity of Small Modular Nuclear Reactors (SMRs). SMRs hold the potential to help build a clean and sustainable power grid but will struggle to gain widespread adoption without public confidence in their security. SMRs are emerging technologies and potentially carry higher cyber threats due to remote operations, large numbers of cyber-physical systems, and cyber connections with other industrial concerns. A method of agent-based computer simulations to model the effects, or payoff, of collaboration between cyber defenders, power plants, and cybersecurity vendors is proposed to strengthen SMR cybersecurity as these new power generators enter into the market. The agent-based model presented in this research is intended to illustrate the potential of using simulation to model a payoff function for collaborative efforts between stakeholders. Employing simulation to heighten cybersecurity will help to safely leverage the potential of SMRs in a modern and low-emission energy grid.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

27 pages, 1175 KB  
Article
Microarchitectural Malware Detection via Translation Lookaside Buffer (TLB) Events
by Cristian Agredo, Daniel F. Koranek, Christine M. Schubert Kabban, Jose A. Gutierrez del Arroyo and Scott R. Graham
J. Cybersecur. Priv. 2025, 5(3), 75; https://doi.org/10.3390/jcp5030075 - 17 Sep 2025
Viewed by 1266
Abstract
Prior work has shown that Translation Lookaside Buffer (TLB) data contains valuable behavioral information. Many existing methodologies rely on timing features or focus solely on workload classification. In this study, we propose a novel approach to malware classification using only TLB-related Hardware Performance Counters (HPCs), explicitly excluding any dependence on timing features such as task execution duration or memory access timing. Our methodology evaluates whether TLB data alone, without any timing information, can effectively distinguish between malicious and benign programs. We test this across three classification scenarios: (1) a binary classification problem involving distinguishing malicious from benign tasks, (2) a 4-way classification problem designed to improve separability, and (3) a 10-way classification problem with classes of individual benign and malware tasks. Our results demonstrate that even without execution time or memory access timing, TLB events achieve up to 81% accuracy for the binary classification, 72% accuracy for the 4-class grouping, and 61% accuracy for the 10-class grouping. These findings demonstrate that time-independent TLB patterns can serve as robust behavioral signatures. This work expands the understanding of microarchitectural side effects by demonstrating that TLB-only features, independent of timing-based techniques, can be effectively used for real-world malware detection.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

11 pages, 610 KB  
Article
Structured Heatmap Learning for Multi-Family Malware Classification: A Deep and Explainable Approach Using CAPEv2
by Oussama El Rhayati, Hatim Essadeq, Omar El Beqqali, Hamid Tairi, Mohamed Lamrini and Jamal Riffi
J. Cybersecur. Priv. 2025, 5(3), 72; https://doi.org/10.3390/jcp5030072 - 10 Sep 2025
Viewed by 1485
Abstract
Accurate malware family classification from dynamic sandbox reports continues to be a fundamental cybersecurity challenge. Most prior works depend on random splits that tend to overestimate accuracy, whereas deployment requires robustness under temporal drift as well as changing behaviors. We present a leakage-aware pipeline that transforms CAPEv2 sandbox JSON reports into structured visual heatmaps and evaluate models under stratified and chronological splits. The pipeline rigorously flattens behavioral keys, builds normalized representations, and benchmarks Random Forest, MLP, CNN64, HybridNet, and a modern ResNeXt-50 backbone. On the Avast–CTU CAPEv2 dataset containing ten malware families, Random Forest achieves nearly state-of-the-art accuracy (97.2% accuracy, 0.993 AUC) with high efficiency on CPUs, making it attractive for triage. ResNeXt-50 achieves the best overall performance (98.4% accuracy, 0.998 AUC) and provides visual interpretability via Grad-CAM, enabling analysts to verify predictions. We further quantify efficiency trade-offs (inference throughput and GPU memory) and report ablation studies on vocabulary size and keyset choices. These results affirm that though ensemble methods are still robust, heatmap-based CNNs provide better accuracy, interpretability, and robustness against drift.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

19 pages, 1079 KB  
Article
An Approach for Anomaly Detection in Network Communications Using k-Path Analysis
by Mamadou Kasse, Rodolphe Charrier, Alexandre Berred, Cyrille Bertelle and Christophe Delpierre
J. Cybersecur. Priv. 2024, 4(3), 449-467; https://doi.org/10.3390/jcp4030022 - 19 Jul 2024
Cited by 3 | Viewed by 2243
Abstract
In this paper, we present an innovative approach inspired by the Path-scan model to detect paths with k adjacent edges (k-path) exhibiting unusual behavior (synonymous with anomaly) within network communications. This work is motivated by the challenge of identifying malicious activities carried out in vulnerable k-paths in a small to medium-sized computer network. Each observed edge (time series of the number of events or the number of packets exchanged between two computers in the network) is modeled using the three-state observed Markov model, as opposed to the Path-scan model which uses a two-state model (active state and inactive state), to establish baselines of behavior in order to detect anomalies. This model captures the typical behavior of network communications, as well as patterns of suspicious activity, such as those associated with brute force attacks. We take a perspective by analyzing each vulnerable k-path, enabling the accurate detection of anomalies on the k-path. Using this approach, our method aims to enhance the detection of suspicious activities in computer networks, thus providing a more robust and accurate solution to ensure the security of computer systems.
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)
