Search Results (58)

Search Parameters:
Keywords = cyber forensic

64 pages, 12541 KB  
Article
A Game-Theoretic Approach for Quantification of Strategic Behaviors in Digital Forensic Readiness
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
J. Cybersecur. Priv. 2025, 5(4), 105; https://doi.org/10.3390/jcp5040105 - 26 Nov 2025
Viewed by 257
Abstract
Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.
(This article belongs to the Special Issue Cyber Security and Digital Forensics—2nd Edition)

32 pages, 1807 KB  
Systematic Review
Artificial Intelligence and Crime in Latin America: A Multilingual Bibliometric Review (2010–2025)
by Félix Díaz, Nhell Cerna and Rafael Liza
Information 2025, 16(11), 1001; https://doi.org/10.3390/info16111001 - 18 Nov 2025
Viewed by 678
Abstract
Artificial intelligence is increasingly used to support public safety by predicting events, uncovering patterns, and informing decisions. In Latin America, where crime burdens are high and data systems are heterogeneous, a region-focused synthesis is needed to assess progress, identify gaps, and clarify operational implications. Accordingly, this PRISMA-guided, multilingual (English, Spanish, and Portuguese) bibliometric review synthesizes 146 peer-reviewed journal articles (2010–October 2025) to examine trends, methods, and application domains. Since 2018, publication output accelerated, peaking in 2024–2025. Regionally, Brazil leads within a multi-hub co-authorship network linking Latin American nodes to the United States and Spain; additional hubs include Colombia, Chile, Mexico, Ecuador, and Peru. Methodologically, three motifs dominate: temporal-dependence modeling; ensemble learners with cost-sensitive decision rules; and multimodal integration of remote sensing and computer vision with administrative data. At the application level, four families prevail: utility and fiscal-fraud analytics; environmental offenses with temporal modeling; cyber and platform-based analytics; and sensing, geospatial, and forensic workflows. However, evaluation practices are heterogeneous, with frequent risks of spatial or temporal leakage; moreover, reporting on fairness, accountability, and transparency is limited. In order to support responsible scaling, research directions include interoperable data governance, leakage-controlled and cost-sensitive evaluation, domain adaptation that accounts for spatial dependence, open and auditable benchmarks, and broader regional participation. To our knowledge, this review is one of the first multilingual, region-centered syntheses of artificial intelligence and crime in Latin America, and it establishes a reproducible baseline and an actionable evidence map that enable comparable, leakage-controlled evaluation and inform research, funding, and public safety policy in the region.

16 pages, 1871 KB  
Review
Foundational Algorithms for Modern Cybersecurity: A Unified Review on Defensive Computation in Adversarial Environments
by Paul A. Gagniuc
Algorithms 2025, 18(11), 709; https://doi.org/10.3390/a18110709 - 7 Nov 2025
Viewed by 643
Abstract
Cyber defense has evolved into an algorithmically intensive discipline where mathematical rigor and adaptive computation underpin the robustness and continuity of digital infrastructures. This review consolidates the algorithmic spectrum that supports modern cyber defense, from cryptographic primitives that ensure confidentiality and integrity to behavioral intelligence algorithms that provide predictive security. Classical symmetric and asymmetric schemes such as AES, ChaCha20, RSA, and ECC define the computational backbone of confidentiality and authentication in current systems. Intrusion and anomaly detection mechanisms range from deterministic pattern matchers exemplified by Aho-Corasick and Boyer-Moore to probabilistic inference models such as Markov Chains and HMMs, as well as deep architectures such as CNNs, RNNs, and Autoencoders. Malware forensics combines graph theory, entropy metrics, and symbolic reasoning into a unified diagnostic framework, while network defense employs graph-theoretic algorithms for routing, flow control, and intrusion propagation. Behavioral paradigms such as reinforcement learning, evolutionary computation, and swarm intelligence transform cyber defense from reactive automation to adaptive cognition. Hybrid architectures now merge deterministic computation with distributed learning and explainable inference to create systems that act, reason, and adapt. This review identifies and contextualizes over 50 foundational algorithms, ranging from AES and RSA to LSTMs, graph-based models, and post-quantum cryptography, and redefines them not as passive utilities, but as the cognitive genome of cyber defense: entities that shape, sustain, and evolve resilience within adversarial environments.

14 pages, 5144 KB  
Article
Dual-Module Architecture for Robust Image Forgery Segmentation and Classification Toward Cyber Fraud Investigation
by Donghwan Kim and Hansoo Kim
Appl. Sci. 2025, 15(21), 11817; https://doi.org/10.3390/app152111817 - 6 Nov 2025
Viewed by 367
Abstract
This study presents a dual-module architecture for image forgery detection in the context of cyber fraud investigation, designed to provide interpretable and court-admissible forensic evidence. The forgery segmentation module, built on an encoder–decoder structure, segments forged regions at the pixel level to produce a binary mask. The forgery classification module, with a two-stream structure, integrates contextual and noise-residual cues from the raw image and the binary mask to determine the designated forgery method. The segmentation module achieves an F1-Score of 0.875 and an IoU of 0.78, while the classification module reaches an F1-Score of 0.94. The combined system attains an end-to-end F1-Score of 0.855 and AUC of 0.91, demonstrating reliable detection performance and enhanced explainability. These results highlight the framework’s potential for forensic image analysis and its practical applicability to real-world cyber fraud investigations.

34 pages, 2369 KB  
Article
A Smart Proactive Forensic Meta-Model for Smart Homes in Saudi Arabia Using Metamodeling Approaches
by Majid H. Alsulami
Electronics 2025, 14(21), 4319; https://doi.org/10.3390/electronics14214319 - 3 Nov 2025
Viewed by 418
Abstract
The increasing adoption of smart home technologies introduces significant cybersecurity and forensic challenges. This necessitates a shift from traditional reactive digital forensics to a more proactive approach to safeguarding these environments. This research is situated within Saudi Arabia’s ambitious digital transformation, as outlined in Vision 2030, which promotes the development of smart cities and homes. The unique technological landscape and national initiatives in Saudi Arabia require tailored cybersecurity solutions. Existing models are often too theoretical, generic, or overly specialized, lacking practical validation and comprehensive integration for modern IoT ecosystems. There is a pronounced lack of a scalable, validated framework designed explicitly for proactive digital forensic readiness in smart homes. The study employs a mixed-methodology approach, combining a PRISMA systematic literature review with Design Science Research (DSR) to develop and validate the Smart Proactive Forensic Metamodel for Smart Homes (SPFMSH). The developed SPFMSH was tested against realistic cyberattack scenarios, including unauthorized access and intrusion, data exfiltration, and device hijacking by ransomware. In each scenario, the model demonstrated its capability to proactively detect threats, automatically preserve forensic evidence, and provide structured investigative timelines. This validation proved its effectiveness in transforming security incidents into forensically sound investigations within the Saudi smart home context. SPFMSH delivers a practical, holistic framework that addresses the limitations of previous models, moving beyond theory to offer an implementable solution. Its development is a significant step towards enhancing national cybersecurity resilience and supporting the secure adoption of smart home technologies in alignment with Saudi Vision 2030.
(This article belongs to the Special Issue AI and Cybersecurity: Emerging Trends and Key Challenges)

55 pages, 6674 KB  
Article
Method for Detecting Low-Intensity DDoS Attacks Based on a Combined Neural Network and Its Application in Law Enforcement Activities
by Serhii Vladov, Oksana Mulesa, Victoria Vysotska, Petro Horvat, Nataliia Paziura, Oleksandra Kolobylina, Oleh Mieshkov, Oleksandr Ilnytskyi and Oleh Koropatov
Data 2025, 10(11), 173; https://doi.org/10.3390/data10110173 - 30 Oct 2025
Viewed by 633
Abstract
The article presents a method for detecting low-intensity DDoS attacks, focused on identifying difficult-to-detect “low-and-slow” scenarios that remain undetectable by traditional defence systems. The key feature of the developed method is the integration of statistical criteria (χ² and T statistics, energy ratio, reconstruction errors) with a combined neural network architecture, including convolutional and transformer blocks coupled with an autoencoder and a calibrated regressor. The developed neural network architecture combines mathematical validity and high sensitivity to weak anomalies with the ability to generate interpretable artefacts that are suitable for subsequent forensic analysis. The developed method implements a multi-layered process, according to which the first level statistically evaluates the flow intensity and interpacket intervals, and the second level processes features using a neural network module, generating an integral blend-score S metric. ROC-AUC and PR-AUC metrics, learning curve analysis, and the estimate of the calibration error (ECE) were used for validation. Experimental results demonstrated the superiority of the proposed method over existing approaches, as the achieved values of ROC-AUC and PR-AUC were 0.80 and 0.866, respectively, with an ECE level of 0.04, indicating a high accuracy of attack detection. The study’s contribution lies in the development of a method combining statistical and neural network analysis, as well as in ensuring the evidentiary value of the results through the generation of structured incident reports (PCAP slices, time windows, cryptographic hashes). The obtained results expand the toolkit for cyber-attack analysis and open up prospects for the method’s practical application in monitoring systems and law enforcement agencies.

30 pages, 3412 KB  
Article
QuantumTrust-FedChain: A Blockchain-Aware Quantum-Tuned Federated Learning System for Cyber-Resilient Industrial IoT in 6G
by Saleh Alharbi
Future Internet 2025, 17(11), 493; https://doi.org/10.3390/fi17110493 - 27 Oct 2025
Viewed by 510
Abstract
Industrial Internet of Things (IIoT) systems face severe security and trust challenges, particularly under cross-domain data sharing and federated orchestration. We present QuantumTrust-FedChain, a cyber-resilient federated learning framework integrating quantum variational trust modeling, blockchain-backed provenance, and Byzantine-robust aggregation for secure IIoT collaboration in 6G networks. The architecture includes a Quantum Graph Attention Network (Q-GAT) for modeling device trust evolution using encrypted device logs, a consensus-aware federated optimizer that penalizes adversarial gradients using stochastic contract enforcement, and a shard-based blockchain for real-time forensic traceability. Using datasets from SWaT and TON IoT, experiments show 98.3% accuracy in anomaly detection, 35% improvement in defense against model poisoning, and full ledger traceability with under 8.5% blockchain overhead. This framework offers a robust and explainable solution for secure AI deployment in safety-critical IIoT environments.
(This article belongs to the Special Issue Security and Privacy in Blockchains and the IoT—3rd Edition)

55 pages, 5577 KB  
Article
Innovative Method for Detecting Malware by Analysing API Request Sequences Based on a Hybrid Recurrent Neural Network for Applied Forensic Auditing
by Serhii Vladov, Victoria Vysotska, Vitalii Varlakhov, Mariia Nazarkevych, Serhii Bolvinov and Volodymyr Piadyshev
Appl. Syst. Innov. 2025, 8(5), 156; https://doi.org/10.3390/asi8050156 - 21 Oct 2025
Viewed by 848
Abstract
This article develops a method for detecting malware based on a multi-scale recurrent architecture (time-aware multi-scale LSTM) with salience gating, multi-headed attention, and the integration of a sequential statistical change detector (CUSUM). The research aim is to create an algorithm capable of effectively detecting malicious activities in behavioural data streams of executable files with minimal delay and ensuring interpretability of the results for subsequent use in forensic audit and cyber defence systems. To implement the task, deep learning methods (training LSTM models with dynamic consideration of time intervals and adaptive attention mechanisms) and sequence statistical analysis (CUSUM, Kullback–Leibler divergence, and Wasserstein distances), as well as regularisation approaches to improve the model stability and explainability, were used. Experimental evaluation demonstrates the proposed approaches’ high efficiency, with the neural network model achieving competitive indicators of accuracy, recall, and classification balance with a low level of false positives and an acceptable detection delay. Attention and salience profile analysis confirmed the possibility of interpreting signals and early detection of abnormal events, which reduces the experts’ workload and reduces the number of false positives. This study introduces the development of a new hybrid architecture that combines the advantages of recurrent and statistical methods, the formalisation of the theoretical properties of gated cells for long-term memory, and the proposal of a practical approach to the explainability of the model’s decisions. The implementation of the developed method, in the form of a specialised software product, is shown in a forensic audit.

18 pages, 1647 KB  
Article
A Two-Layer Transaction Network-Based Method for Virtual Currency Address Identity Recognition
by Lingling Xia, Tao Zhu, Zhengjun Jing, Qun Wang, Zhuo Ma, Zimo Huang and Ziyu Yin
Cryptography 2025, 9(4), 65; https://doi.org/10.3390/cryptography9040065 - 11 Oct 2025
Viewed by 1199
Abstract
Digital currencies, led by Bitcoin and USDT, are characterized by decentralization and anonymity, which obscure the identities of traders and create a conducive environment for illicit activities such as drug trafficking, money laundering, cyber fraud, and terrorism financing. Focusing on the USDT-TRC20 token on the Tron blockchain, we propose a two-layer transaction network-based approach for virtual currency address identity recognition for digging out hidden relationships and encrypted assets. Specifically, a two-layer transaction network is constructed: Layer A describes the flow of USDT-TRC20 between on-chain addresses over time, while Layer B represents the flow of TRX between on-chain addresses over time. Subsequently, an identity metric is proposed to determine whether a pair of addresses belongs to the same user or group. Furthermore, transaction records are systematically acquired through blockchain explorers, and the efficacy of the proposed recognition method is empirically validated using a dataset from the Key Laboratory of Digital Forensics. Finally, the transaction topology is visualized using Neo4j, providing a comprehensive and intuitive representation of the traced transaction pathways.
(This article belongs to the Section Blockchain Security)

10 pages, 655 KB  
Review
AI-Enhanced Cyber Science Education: Innovations and Impacts
by William Triplett
Information 2025, 16(9), 721; https://doi.org/10.3390/info16090721 - 22 Aug 2025
Viewed by 1218
Abstract
Personalized, scalable, and data-driven learning is now possible in cyber science education because of artificial intelligence (AI). This article examines how AI technologies, such as intelligent tutoring, adaptive learning, virtual labs, and AI assessments, are being included in cyber science curricula. Using examples and research studies published between 2020 and 2025 that have undergone peer review, this paper combines qualitative analysis and framework analysis to discover any similarities in how these policies were put into place and their effects. According to the findings, using AI in instruction boosts student interest, increases the number of courses finished, improves skills, and ensures clear instruction in areas such as cybersecurity, digital forensics, and incident response. Ethical issues related to privacy, bias in algorithms, and access issues are also covered in this paper. This study gives a useful approach that helps teachers, curriculum designers, and institution heads use AI in cyber education properly.
(This article belongs to the Special Issue AI Technology-Enhanced Learning and Teaching)

22 pages, 1908 KB  
Article
AI-Blockchain Integration for Real-Time Cybersecurity: System Design and Evaluation
by Sam Goundar and Iqbal Gondal
J. Cybersecur. Priv. 2025, 5(3), 59; https://doi.org/10.3390/jcp5030059 - 14 Aug 2025
Viewed by 4356
Abstract
This paper proposes and evaluates a novel real-time cybersecurity framework integrating artificial intelligence (AI) and blockchain technology to enhance the detection and auditability of cyber threats. Traditional cybersecurity approaches often lack transparency and robustness in logging and verifying AI-generated decisions, hindering forensic investigations and regulatory compliance. To address these challenges, we developed an integrated solution combining a convolutional neural network (CNN)-based anomaly detection module with a permissioned Ethereum blockchain to securely log and immutably store AI-generated alerts and relevant metadata. The proposed system employs smart contracts to automatically validate AI alerts and ensure data integrity and transparency, significantly enhancing auditability and forensic analysis capabilities. To rigorously test and validate our solution, we conducted comprehensive experiments using the CICIDS2017 dataset and evaluated the system’s detection accuracy, precision, recall, and real-time responsiveness. Additionally, we performed penetration testing and security assessments to verify system resilience against common cybersecurity threats. Results demonstrate that our AI-blockchain integrated solution achieves superior detection performance while ensuring real-time logging, transparency, and auditability. The integration significantly strengthens system robustness, reduces false positives, and provides clear benefits for cybersecurity management, especially in regulated environments. This paper concludes by outlining potential avenues for future research, particularly extending blockchain scalability, privacy enhancements, and optimizing performance for high-throughput cybersecurity applications.
(This article belongs to the Section Security Engineering & Applications)

20 pages, 2304 KB  
Article
Memory-Driven Forensic Analysis of SQL Server: A Buffer Pool and Page Inspection Approach
by Jiho Shin
Sensors 2025, 25(11), 3512; https://doi.org/10.3390/s25113512 - 2 Jun 2025
Viewed by 1451
Abstract
This study proposes a memory-based forensic procedure for real-time recovery of deleted data in Microsoft SQL Server environments. This approach is particularly relevant for sensor-driven and embedded systems, such as those used in IoT gateways and edge computing platforms, where lightweight SQL engines store critical operational and measurement data locally and are vulnerable to insider manipulation. Traditional approaches to deleted data recovery have primarily relied on transaction log analysis or static methods involving the examination of physical files such as .mdf and .ldf after taking the database offline. However, these methods face critical limitations in real-time applicability and may miss volatile data that temporarily resides in memory. To address these challenges, this study introduces a methodology that captures key deletion event information through transaction log analysis immediately after data deletion and directly inspects memory-resident pages loaded in the server’s Buffer Pool. By analyzing page structures in the Buffer Pool and cross-referencing them with log data, we establish a memory-driven forensic framework that enables both the recovery and verification of deleted records. In the experimental validation, records were deleted in a live SQL Server environment, and a combination of transaction log analysis and in-memory page inspection allowed for partial or full recovery of the deleted data. This demonstrates the feasibility of real-time forensic analysis without interrupting the operational database. The findings of this research provide a foundational methodology for enhancing the speed and accuracy of digital forensics in time-sensitive scenarios, such as insider threats or cyber intrusion incidents, by enabling prompt and precise recovery of deleted data directly from memory. These capabilities are especially critical in IoT environments, where real-time deletion recovery supports sensor data integrity, forensic traceability, and uninterrupted system resilience.
(This article belongs to the Special Issue Network Security and IoT Security: 2nd Edition)

16 pages, 1068 KB  
Article
InDepth: A Distributed Data Collection System for Modern Computer Networks
by Angel Kodituwakku and Jens Gregor
Electronics 2025, 14(10), 1974; https://doi.org/10.3390/electronics14101974 - 12 May 2025
Viewed by 872
Abstract
Cybersecurity researchers and security analysts rely heavily on data to train and test network threat detection models, and to conduct post-breach forensic analyses. Comprehensive data, including network traces, host telemetry, and contextual information, are crucial for these tasks. However, widely used public datasets often suffer from outdated network traffic and features, statistical anomalies, and simulation artifacts. Furthermore, existing data collection systems frequently face architectural and computational limitations, necessitating workarounds that result in incomplete or disconnected data. Currently, no framework provides comprehensive data collection from all network segments without requiring specialized or proprietary hardware or software agents. This paper introduces InDepth, a scalable system employing a distributed, data-link layer architecture that enables comprehensive data acquisition across entire networks. We also present a model cyber range capable of dynamically generating datasets for evaluation. We demonstrate the effectiveness of InDepth using real-world network data.
(This article belongs to the Special Issue Advancements in Network and Data Security)

25 pages, 5901 KB  
Article
Use of Explainable Artificial Intelligence for Analyzing and Explaining Intrusion Detection Systems
by Pamela Hermosilla, Mauricio Díaz, Sebastián Berríos and Héctor Allende-Cid
Computers 2025, 14(5), 160; https://doi.org/10.3390/computers14050160 - 25 Apr 2025
Viewed by 3728
Abstract
The increase in malicious cyber activities has generated the need to produce effective tools for the field of digital forensics and incident response. Artificial intelligence (AI) and its fields, specifically machine learning (ML) and deep learning (DL), have shown great potential to aid the task of processing and analyzing large amounts of information. However, models generated by DL are often considered “black boxes”, a name derived from the difficulties faced by users when trying to understand the decision-making process for obtaining results. This research seeks to address the challenges of transparency, explainability, and reliability posed by black-box models in digital forensics. To accomplish this, explainable artificial intelligence (XAI) is explored as a solution. This approach seeks to make DL models more interpretable and understandable by humans. The SHAP (SHapley Additive eXplanations) and LIME (Local Interpretable Model-agnostic Explanations) methods will be implemented and evaluated as model-agnostic techniques to explain predictions of the generated models for forensic analysis. By applying these methods to the XGBoost and TabNet models trained on the UNSW-NB15 dataset, the results indicated distinct global feature importance rankings between the model types and revealed greater consistency of local explanations for the tree-based XGBoost model compared to the deep learning-based TabNet. This study aims to make the decision-making process in these models transparent and to assess the confidence and consistency of XAI-generated explanations in a forensic context.
(This article belongs to the Special Issue Using New Technologies in Cyber Security Solutions (2nd Edition))

20 pages, 523 KB  
Article
Navigating the CISO’s Mind by Integrating GenAI for Strategic Cyber Resilience
by Šarūnas Grigaliūnas, Rasa Brūzgienė, Kęstutis Driaunys, Renata Danielienė, Ilona Veitaitė, Paulius Astromskis, Živilė Nemickienė, Dovilė Vengalienė, Audrius Lopata, Ieva Andrijauskaitė and Neringa Gaubienė
Electronics 2025, 14(7), 1342; https://doi.org/10.3390/electronics14071342 - 27 Mar 2025
Viewed by 1371
Abstract
AI-driven cyber threats are evolving faster than current defense mechanisms, complicating forensic investigations. As attacks grow more sophisticated, forensic methods struggle to analyze vast wearable device data, highlighting the need for an advanced framework to improve threat detection and responses. This paper presents a generative artificial intelligence (GenAI)-assisted framework that enhances cyberforensics and strengthens strategic cyber resilience, particularly for chief information security officers (CISOs). It addresses three key challenges: inefficient incident reconstruction, open-source intelligence (OSINT) limitations, and real-time decision-making difficulties. The framework integrates GenAI to automate routine tasks, the cross-layering of digital attributes from wearable devices and open-source intelligence (OSINT) to provide a comprehensive understanding of malicious incidents. By synthesizing digital attributes and applying the 5W approach, the framework facilitates accurate incident reconstruction, enabling CISOs to respond to threats with improved precision. The proposed framework is validated through experimental testing involving publicly available wearable device datasets (e.g., GPS data, pairing and activity logs). The results show that GenAI enhances incident detection and reconstruction, increasing the accuracy and speed of CISOs’ responses to threats. The experimental evaluation demonstrates that our framework improves cyberforensics efficiency by streamlining the integration of digital attributes, reducing the incident reconstruction time and enhancing decision-making precision. The framework enhances cybersecurity resilience in critical infrastructures, although challenges remain regarding data privacy, accuracy and scalability.