Facts & Figures

Publication starting date: 2009
h-index: 21
i10-index: 50
Citations: 1815
Issues per year: 3
No. of volumes: 18
No. of issues: 40
No. of articles: 326
PDF downloads: 901,910
Views per article: 3787.16
PDF downloads per article: 2766.6
Acceptance rate: 13
Accept date (days): 242
Number of indexing databases: 15

The ISC International Journal of Information Security (ISeCure) is a peer-reviewed scholarly publication of the Iranian Society of Cryptology. ISeCure is published biannually in print and online, with the full text of articles made available for free on the journal's website under the ISeCure open access policy. ISeCure is devoted to publishing theoretical scholarship on a variety of topics related to information security. The intended audience of the journal is anyone with an academic interest in information security, such as engineers, mathematicians and computer scientists. A partial list of topics reviewed by the journal can be found in the Aims and Scope section. Manuscript types accepted for submission are research papers, review papers, case reports, short communications and letters to the editor. More information about the policies of the journal can be found on the About Journal page and, in particular, on the Publication Ethics page. To start a new submission, please first read the Guide for Authors page for detailed information about manuscript format, style and other requirements. Manuscript submission, refereeing and publishing are completely free of charge. New manuscripts should be submitted online by the corresponding author through the website after registration. Articles published in ISeCure are indexed in the Emerging Sources Citation Index (ESCI) database of Web of Science/ISI and in Scopus.


Journal Impact Factor (Web of Science): 0.8 (2023)
Submission to first decision (average): 8 days
CiteScore (Scopus): 1.1 (2025)
Acceptance Rate: 14%

Research Article

Enhancement of LSB Matching Steganography using Multiobjective Optimization Embedding to Improve Security and Imperceptibility

Pages 1-17

https://doi.org/10.22042/isecure.2025.477842.1172

Vajiheh Sabeti

Abstract Least Significant Bit Matching (LSBM) is a simple steganography approach that has been detected under multiple attacks. Imperceptibility (i.e., maintenance of high perceptual image quality) and security are significant parameters in steganography. However, most conventional steganography techniques rely on single-objective optimization, which focuses on improving one parameter while often compromising others. This limitation underscores the need for approaches that balance conflicting objectives. To address this, the present study employs the Non-Dominated Sorting Genetic Algorithm II (NSGA-II) to optimize security and imperceptibility. This methodology includes a cover image division into blocks, each with two critical decisions: (1) seed determination for the pseudo-random number generator to simultaneously identify optimal pixels for data embedding and (2) selecting whether the pixel value should be increased or reduced upon a mismatch between the data bit and pixel LSB. Pixels with the highest data bit–LSB correspondence are optimal, and a pixel value change (increase or reduction) is to minimize block histogram variation. This multiobjective optimization is carried out using NSGA-II. It was comparatively revealed that the developed methodology remarkably improved image quality metrics and decreased detection accuracy at different embedding rates. At embedding rates of 0.3, 0.5, and 0.8 bpp, the Peak Signal-to-Noise Ratio (PSNR) was approximately 57.65, 55.55, and 52.75, respectively. This result represents a 1.5-2.5% improvement compared to conventional LSBM techniques.

Research Article

Performance Evaluation of Deep Learning Models on Diverse IoT Datasets for Intrusion Detection

Pages 19-33

https://doi.org/10.22042/isecure.2025.507948.1208

Abdullah Waqas

Abstract The Internet of Things (IoT) offers transformative potential across sectors like energy, defense, and healthcare, but its limited resources make it vulnerable to cyberattacks, necessitating robust security measures such as intrusion detection systems (IDS) to safeguard its infrastructure. This article presents a study that helps intrusion detection systems identify malicious and legitimate communications. To help the system make the best decisions possible, the subcategory of the attacked traffic is also classified. We trained the suggested models to be capable of binary and multi-class classification, targeting common attacks like denial of service (DoS), distributed denial of service (DDoS), reconnaissance, and information theft directed at IoT devices. Our methodology makes use of recently published IoT datasets, such as BoTIoT, ToNIoT, WUSTL-IIoT-2021, and CiCIoT. To assess and contrast the performance of the proposed models on these datasets, we first applied stratified undersampling to convert the original imbalanced datasets into balanced subsets, which were then used for training and evaluation. Among the models evaluated, biLSTM achieved the highest accuracy of 99.66% and MCC of 0.99759 on the WUSTL-IIoT-2021 dataset. On the BoTIoT dataset, CNN with Dual Focal Loss reached 97.76% accuracy and 0.95536 MCC. For ToNIoT, LSTM achieved 97.01% accuracy with an MCC of 0.93643, while on the CiCIoT dataset, biLSTM obtained 96.23% accuracy and 0.96347 MCC. The results show that biLSTM and LSTM models give higher performance than FNN and CNN models in terms of precision, recall, F1 score, and MCC across all datasets, demonstrating improved performance for temporal IoT intrusion detection tasks.

Research Article

Detecting Fake Accounts Through Generative Adversarial Network in Online Social Media

Pages 35-47

https://doi.org/10.22042/isecure.2025.505399.1215

Jinus Bordbar, Mohammadreza Mohammadrezaei, Saman Ardalan, Mohammad Ebrahim Shiri

Abstract Online social media is integral to human life, facilitating messaging, information sharing, and confidential communication while preserving privacy. Platforms like Twitter, Instagram, and Facebook exemplify this phenomenon. However, users face challenges due to network anomalies, often stemming from malicious activities such as identity theft for financial gain or harm. This paper proposes a novel method using user similarity measures and the Generative Adversarial Network (GAN) algorithm to identify anomalies (fake nodes) in user accounts in a large-scale social network while handling imbalanced data issues. Despite the problem's complexity, the method achieves an AUC rate of 80% in classifying and detecting fake accounts. Notably, the study builds on previous research, highlighting advancements and insights into the evolving landscape of anomaly detection in online social networks. The findings of this study contribute to ongoing advancements in fake account detection, offering a hopeful solution for securing online spaces against fraudulent activities and anomaly detection in social networks.

Research Article

A Novel Reinforcement Learning-based Congestion Control Algorithm for DDoS-Induced Adversarial Conditions in Blockchain and Distributed Networks

Pages 49-60

https://doi.org/10.22042/isecure.2025.515662.1221

Ehsan Abedini, Amir Jalaly Bidgoly, Mohsen Nickray

Abstract Distributed Denial-of-Service (DDoS) attacks are among the most critical security threats to distributed network infrastructures, including blockchain systems. These attacks degrade performance, cause congestion, and disrupt service delivery or transaction processing. Traditional mitigation techniques have undergone extensive development. However, they often fail to intelligently detect and manage traffic patterns and struggle to adapt to dynamic conditions in decentralized environments. This paper proposes a reinforcement learning-based congestion control (CC) method that dynamically adjusts the congestion window (CWND) following traditional TCP principles based on signals such as delay and packet loss. What distinguishes our approach is that the RL agent interprets persistent or abnormal congestion patterns as potential indicators of adversarial high-load conditions (e.g., DDoS-induced congestion) and adapts CWND adjustments more intelligently to reduce their adverse effects. Leveraging the Q-learning algorithm, the proposed approach adapts dynamically to fluctuating traffic and conditions. Its learning capability enables continuous monitoring of behavior and timely responsiveness to anomalies, including sustained congestion patterns often associated with adversarial traffic surges. Simulation results across various DDoS scenarios—evaluated against conventional CC algorithms—demonstrate considerable improvements in key performance indicators such as reduced latency, enhanced bandwidth utilization, improved stability, decreased packet loss, and increased throughput. The proposed Q-learning-based CC operates at the peer-to-peer layer, regulating flow among blockchain nodes. It is independent of consensus mechanisms while indirectly improving consensus efficiency by reducing message delays and packet loss. This method offers a scalable and intelligent solution for CC under adversarial conditions, thereby contributing to improved robustness and efficiency in both general distributed systems and blockchain networks.

Research Article

A Decentralized Task Validation Protocol for Blockchain-Based Crowdsourcing Using Smart Contracts

Pages 61-90

https://doi.org/10.22042/isecure.2025.521116.1224

Mohammad Alipour Shahraki, Fakhroddin Noorbehbahani

Abstract Ensuring fair task validation and reward distribution remains a significant challenge in decentralized crowdsourcing systems. Existing platforms often suffer from malicious evaluations, unfair compensation, central points of failure, and limited transparency. In this work, we propose a fully decentralized crowdsourcing protocol built on blockchain technology and smart contracts to address these issues. Our system introduces a validator-based task evaluation process and ensures secure and private task handling through encryption and decentralized IPFS storage. Participants interact through smart contracts, which manage task assignment, output verification, and automated reward distribution. To promote fairness, we employ a reward allocation strategy based on the actual contribution of each participant. The proposed system addresses critical crowdsourcing challenges including malicious or biased evaluations, Sybil attacks, collusion, single points of failure, lack of revision mechanisms, and excessive transaction costs. Experimental results show that our smart contracts are executed with low cost (total deployment cost of 0.0511 ETH, with function calls as low as 47,878 gas units). The system sustains reliable operation and maintains integrity even when adversarial validators control up to 49% of the total reputation.

Research Article

Efficient Certificateless Multi-Signcryption Scheme for Secure Group Communications

Pages 91-98

https://doi.org/10.22042/isecure.2026.518405.1223

Gurram Swapna, N.B. Gayathri, Gowri Thumbur, T. Siva Nageswara Rao

Abstract Confidentiality, unforgeability, and public verifiability are essential for secure multi-party communications. These communications play a vital role in real-world applications such as decentralized financial transactions, e-commerce, cloud computing, and web services, where authentication and privacy preservation are very important. In conventional cryptosystems, individual signcryption performed by each participant significantly increases the unsigncryption cost for the receiver. Multi-signcryption offers an efficient alternative by allowing multiple signers to jointly signcrypt a single message. This paper proposes a novel certificateless multi-signcryption scheme that eliminates the certificate management problem of traditional public key infrastructures and avoids the key escrow problem of identity-based cryptography. To reduce the computational cost associated with bilinear pairings over elliptic curves, the proposed scheme is designed in a pairing-free environment. This scheme achieves constant-time verification in the unsigncryption phase and is independent of the number of signers. Security is formally proven under the hardness assumptions of the Elliptic Curve Computational Diffie–Hellman Problem (ECCDHP) and the Elliptic Curve Discrete Logarithm Problem (ECDLP). The proposed scheme ensures confidentiality, unforgeability, and public verifiability, and it attains significantly lower computational costs than existing schemes. Hence, the proposed scheme can be used for secure group communications in resource-constrained environments where high performance is essential.

Review Article

Harnessing Deep Learning for Anomaly Detection in Log Data: A Comprehensive Study

Pages 99-120

https://doi.org/10.22042/isecure.2025.470715.1155

Kamiya Pithode, Pushpinder Singh Patheja

Abstract With the increasing prevalence of online services, big data systems, and Internet of Things (IoT) devices, detecting anomalies in large system logs has become a significant concern. This study presents a systematic literature review of automated log analysis for anomaly detection from January 2017 to October 2024. The study classifies existing approaches into five types: hybrid, supervised, unsupervised, semi-supervised, and self-supervised. Each technique is analysed based on its assumptions, benefits, limitations, computational complexity, and performance in practical applications. Additionally, it addresses the challenges and concerns associated with developing anomaly detection systems for real-life applications using deep neural networks. The survey's objective is not to perform a statistical analysis of the published methodologies but to classify them, highlight the key features of various deployed architectures, and focus on unresolved issues that require further investigation in this domain. The study offers valuable direction for researchers, emphasising the need for scalable, robust, and interpretable anomaly detection systems. This survey advances the understanding of current capabilities and highlights future directions for enhancing the reliability of complex systems.

Research Article

QuMixnet: A Quantum-Safe Mixnet Protocol

Articles in Press, Accepted Manuscript, Available Online from 26 December 2025

https://doi.org/10.22042/isecure.2025.237326

Seyed Mohammad Dibaj, Taraneh Eghlidos, Hosein Pilaram

Abstract The emergence of quantum computing threatens the security of traditional cryptographic primitives underpinning anonymous communication protocols like mix networks (mixnets), necessitating quantum-resistant alternatives. This paper introduces QuMixnet, a mixnet protocol designed to withstand quantum attacks while ensuring robust anonymity and privacy. QuMixnet employs post-quantum cryptographic primitives, utilizing CRYSTALS-Dilithium for digital signatures to guarantee authenticity and CRYSTALS-Kyber for key encapsulation to secure message encryption with symmetric ciphers (e.g., AES-GCM). Operating on a peer-to-peer (P2P) architecture, every node can serve as a sender, receiver, or mix node, enhancing anonymity by obscuring participant roles. Sender-determined routing ensures that only the sender knows the full message path, with onion routing layered encryption across nodes. To counter traffic analysis, QuMixnet implements message padding to a fixed size, dummy messages for traffic covering, and batch processing with shuffling. A security model, evaluated through formal security games, confirms resilience of QuMixnet against adversaries with quantum capabilities, achieving strong sender and receiver anonymity, communication anonymity, confidentiality, and integrity. QuMixnet advances anonymous communication by offering a scalable, quantum-safe solution that fortifies privacy against evolving threats.

Research Article

Efficient Pairing-Free Adaptable k-out-of-n Oblivious Transfer Protocols

Articles in Press, Accepted Manuscript, Available Online from 26 December 2025

https://doi.org/10.22042/isecure.2025.237327

Keykhosro Khosravani, Taraneh Eghlidos, Mohammad Reza Aref

Abstract Oblivious Transfer (OT) is one of the fundamental building blocks in cryptography that enables various privacy-preserving applications. Constructing efficient OT schemes has been an active research area. This paper presents three efficient two-round pairing-free k-out-of-n oblivious transfer protocols with standard security. Our constructions follow the minimal communication pattern: the receiver sends k messages to the sender, who responds with n+k messages, achieving the lowest data transmission among pairing-free k-out-of-n OT schemes. Furthermore, our protocols support adaptivity and enable the sender to encrypt the n messages offline, independent of the receiver's variables, offering significant performance advantages in one-sender-multiple-receiver scenarios. We provide security proofs under the Computational Diffie-Hellman (CDH) and RSA assumptions, without relying on the Random Oracle Model. Our protocols combine minimal communication rounds, adaptivity, offline encryption capability, and provable security, making them well-suited for privacy-preserving applications requiring efficient oblivious transfer.

Research Article

Cryptanalysis of Reduced-Round GFRX-64

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240517

Javad Alizadeh, Bahman Madadi

Abstract In 2023, Zhang et al. introduced the lightweight block cipher family GFRX-b/k, offering various versions with different block (b) and key (k) lengths. Due to the similarity of the GFRX's round function to that of the SIMON, the designers referenced the cryptanalysis conducted on the SIMON-32 and claimed that the GFRX-64/128, with higher than 19 and 13 rounds, is resistant to differential and linear cryptanalysis, respectively. In this paper, we examine the differential and linear cryptanalysis of GFRX-64/96 and GFRX-64/128. We first introduce baseline neural distinguishers for up to 7 rounds of the GFRX-64/96. Subsequently, we extend a 6-round neural distinguisher by adding 2 rounds to perform a key recovery attack, achieving an 8-round key rank analysis through a deep learning-based approach. Furthermore, we conduct an automated cryptanalysis of GFRX-64 using a SAT/SMT-based framework, identifying an 11-round differential distinguisher with a probability of 2^(-62), a 15-round linear distinguisher with a correlation of 2^(-30), and a 17-round linear hull with a correlation of 2^(-31.61). These results indicate that reducing the differential and linear cryptanalysis of the GFRX block cipher to the differential and linear cryptanalysis of the SIMON block cipher cannot yield accurate results or bounds. To the best of our knowledge, this work represents the first third-party cryptanalysis of the GFRX block cipher, offering new insights into its security.

Research Article

Mission-Centric Countermeasure Selection in Cybersecurity Situation Awareness Systems

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240523

Sajed Yousefi Mashhour, Motahareh Dehghan, Babak Sadeghian, Alireza Hashemi Golpayegani

Abstract Selecting optimal cybersecurity countermeasures requires integration with mission-critical objectives beyond technical risk minimization. This paper presents a mission-centric framework for countermeasure selection in cybersecurity situation awareness systems by extending the RiskMAP methodology with agent-based and discrete-event simulation. The framework employs a multi-criteria decision-making approach based on the Confidentiality, Integrity, and Availability (CIA) triad, weighing mission objectives and mapping vulnerabilities and threats using MITRE ATT&CK and D3FEND taxonomies. Candidate countermeasures are evaluated considering risk reduction, implementation cost, operational impact, and mission alignment. We demonstrate the approach through a case study on a critical infrastructure organization’s network modeled in AnyLogic. Results show improved alignment between security posture and organizational priorities while maintaining effective risk reduction, outperforming traditional methods. This framework enables quantitative visualization and optimization of security investments relative to mission continuity. All simulation models, data, and scripts are openly available to support reproducibility.

Review Article

Securing Deep Learning Hardware: A Survey of Side-Channel Vulnerabilities and Countermeasures

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240526

Zahra Mohammadi, Mona Hashemi, Siamak Mohammadi

Abstract As deep learning models are increasingly deployed in critical sectors such as healthcare, finance, and security, ensuring their protection against emerging threats has become crucial. Among these threats, side-channel attacks (SCAs) represent a particular challenge since they can extract sensitive information such as model architectures, parameters, and even user inputs without requiring direct access to the model. By leveraging the physical and micro-architectural properties of the hardware, attackers can compromise systems. This survey begins by classifying leakage sources and attacker objectives, then analyzes representative studies that demonstrate practical side-channel exploits against deep-learning hardware. It also reviews existing defenses aimed at mitigating these vulnerabilities and concludes by outlining key open research challenges and potential future directions.

Research Article

Backdoor Defense via Aggregation of Outsourced Models using Multi-Stage Knowledge Distillation

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240527

Amirhossein Heydari, Azadeh Mansouri, Ahmad Mahmoudi-Aznaveh

Abstract Backdoor attacks pose a significant threat to deep learning systems by injecting hidden malicious behavior to the model while preserving high accuracy on clean data. Such attacks are particularly dangerous in scenarios where users rely on pre-trained models or outsource training to untrusted parties. In this work, we propose a practical defense strategy that assumes no knowledge of the backdoor trigger or the training process, relying on a small trusted clean dataset. Our method introduces a two-stage pipeline: First, we aggregate predictions from multiple potentially compromised models to train an intermediate Teacher-Aggregation (TA) model; then, we distill this knowledge into a compact light-weight student model. This multi-stage approach effectively alleviates backdoor effects while preserving clean accuracy. Experimental results on MNIST and CIFAR-10 demonstrate that our method significantly reduces the Attack Success Rate (ASR)—to approximately 0.1% on MNIST and 2.6% on CIFAR-10—outperforming baseline ensemble defenses. Furthermore, our lightweight student model is suitable for edge deployment, providing a generic and scalable defense that remains robust under minimal assumptions, making it well-suited for real-world applications in adversarial environments. Our code is available at: https://github.com/mr-pylin/backdoor-toolbox

Research Article

An Efficient ECC-Based Multi-Server Authentication Scheme for 5G Environment without Online Registration Server

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240528

Seyede Marzieh Sadat Madani, Hamid Mala, Mehrad Jaberi

Abstract Multi-Server Authentication and Key Agreement (MAKA) protocols in 5G networks play a pivotal role in securing communications due to their widespread applications in domains such as drones, cellular networks, and secure communications. We propose a novel and efficient protocol for multi-server authentication and key agreement in 5G networks, based on Elliptic Curve Cryptography (ECC). The proposed protocol is secure against attacks such as user and server impersonation, password guessing, insider attacks, tracking, session key disclosure, replay, denial-of-service, and man-in-the-middle attacks. Additionally, distinctive features such as user anonymity, avoidance of bilinear pairing, key confirmation, perfect forward secrecy, and the ability to perform authentication without an online registration server make the proposed scheme more efficient and secure, compared to previous schemes. Formal analysis using the ProVerif cryptographic protocol verifier confirms the protocol's confidentiality and authentication properties, while its computational and communication efficiency demonstrates relative superiority over comparable schemes.

Research Article

Dual-Layered Quantum-Secure Concealing: Steganography over Quantum Key Distribution

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240529

Donya Sadat Rezaeishad, Hossein Bahramgiri

Abstract In the quantum computing era, classical encryption faces unprecedented vulnerabilities, while Quantum Key Distribution (QKD) alone remains insufficient for top-secret data transmission due to practical hardware flaws. In this paper, a novel dual-layered framework that integrates steganography with QKD is proposed to enhance security and concealment. The proposed protocol embeds encrypted messages within QKD keys during post-processing, leveraging existing infrastructure without requiring hardware modifications. The message is first compressed, encoded, and encrypted using a pre-shared QKD key via one-time-pad encryption. A block-based search mechanism then hides message bits within the sifted key while preserving statistical randomness. Crucially, this approach provides two-layer security: information-theoretic encryption via QKD and undetectable message existence. Evaluations confirm ultra-low failure probabilities of embedding (below 10^(-12) for 1000-bit messages) and minimal deviations in sifted key length (under 1% for typical blocks). The solution enables eavesdropper detection, maintaining full compatibility with standard QKD post-processing. By unifying steganographic stealth with QKD's theoretical security, this work establishes a practical solution for transmitting top-secret data against evolving quantum threats.

Research Article

5G Attacks: Realistic Scenarios and Simulations Using Open5GS

Articles in Press, Accepted Manuscript, Available Online from 12 February 2026

https://doi.org/10.22042/isecure.2026.240534

Mahdi Jeyhoon, Maryam Rajabzadeh Assar

Abstract The evolution of fifth-generation cellular networks (5G) brings unprecedented improvements in speed, latency, and scalability, but also introduces significant new security challenges. While earlier studies have primarily focused on performance benchmarking or examined isolated vulnerabilities, there remains a lack of comprehensive, reproducible security evaluations of 5G core networks. This paper presents a scenario-based simulation study of three distinct denial-of-service (DoS) attacks targeting critical components of the 5G control plane. Using open-source tools such as Open5GS and UERANSIM, we demonstrate: (1) large-scale registration flooding that overloads both the next-generation NodeB (gNB) and the Access and Mobility Management Function (AMF); (2) AMF resource exhaustion through massive NGSetupRequest messages; and (3) tampering with a security-related parameter in the User Equipment (UE) registration process to disrupt authentication. The evaluation quantifies the impacts of Central Processing Unit (CPU) and Random Access Memory (RAM) under these attacks, showing that even commodity hardware testbeds can reveal critical vulnerabilities. Moreover, analysis of the logs collected during the attacks confirms the successful execution of each attack scenario. The findings highlight how scenario-based simulations effectively explore various 5G attack surfaces and underscore the necessity for targeted defense mechanisms to enhance the resilience of next-generation mobile networks.

Review Article

Recent Trends in Post-Quantum Cryptography Integration and Performance in the Internet Security Stack

Articles in Press, Accepted Manuscript, Available Online from 22 February 2026

https://doi.org/10.22042/isecure.2026.241265

Togu Novriansyah Turnip, Birger Andersen, Cesar Vargas-Rosales

Abstract The rapid advancement of quantum computing poses a direct threat to classical public-key cryptographic systems at the core of Internet security protocols. Post-quantum cryptography (PQC) has therefore become central to ongoing standardisation and early deployment efforts. This paper presents a comparative analysis of PQC integration into TLS, SSH, and IPsec, examining cross-cutting challenges, protocol-specific trade-offs, and deployment considerations. Our findings show that PQC adoption introduces markedly uneven overheads across protocols: handshake latency may increase by up to 600% in TLS, by 29% in SSH, and by up to 300% in IPsec, while memory requirements in hybrid configurations can exceed 300 KB in resource-constrained environments. We further demonstrate that message fragmentation, certificate chain expansion, and cumulative rekeying costs emerge as protocol-dependent bottlenecks, underscoring that migration strategies must be tailored to the architecture and operational context of each protocol. Beyond performance, we identify interoperability gaps, downgrade vulnerabilities, and side-channel risks as critical obstacles to secure deployment. By combining empirical performance evidence with a structured review of challenges and deployment strategies, our study provides actionable insights for practitioners, informs ongoing standards development, and highlights research priorities essential to building a resilient, quantum-resistant Internet infrastructure.

Research Article

Enhancing Kleptographic Backdoors in Hash-Based Deterministic Random Bit Generators

Articles in Press, Accepted Manuscript, Available Online from 22 February 2026

https://doi.org/10.22042/isecure.2026.241269

Sepehr Jafari, Raziyeh Salarifard

Abstract Deterministic Random Bit Generators (DRBGs) are essential for cryptographic security but remain vulnerable to covert kleptographic attacks that implant backdoors to leak sensitive information. Despite being known for two decades, as demonstrated by incidents such as the Snowden revelations and Dual-EC, these attacks persist in modern protocols, including TLS and post-quantum systems. This paper introduces a novel kleptographic backdoor for hash-based DRBGs, utilising a dual-phase design: secret information is split across two complementary phases, each requiring the other for recovery. This design significantly increases the overall complexity compared with conventional methods. To enhance indistinguishability, we integrate randomness derived from the discrete logarithm problem, ensuring statistical conformity. By leveraging ElGamal encryption to ensure compatibility with our approach, we develop a highly covert backdoor. Rigorous validation via the NIST Statistical Test Suite (STS) and neural network-based anomaly detection confirms the backdoor passes all NIST tests while evading machine learning detection, maintaining statistical integrity and structural consistency.

Research Article

Static Malware Detection in Windows Executables Using Deep Neural Networks and Custom Binary Features

Articles in Press, Accepted Manuscript, Available Online from 22 February 2026

https://doi.org/10.22042/isecure.2026.241272

Sajjad Rezaei, Ali Fanian

Abstract The extensive use of malware targeting Windows systems, particularly through Portable Executable (PE) files, has prompted significant research into malware detection. Although many approaches have been proposed, the increasing complexity and evasiveness of modern malware continue to present substantial challenges, underscoring the need for further advancements in detection strategies. This paper introduces a static malware detection framework based on deep learning and a set of carefully engineered binary features extracted directly from raw PE files. In contrast to conventional methods that rely on metadata or dynamic analysis, our approach performs detailed parsing of file headers, section layouts, entropy levels, import/export tables, and embedded resources to form a comprehensive feature set. A deep neural network is trained on these features, with its architecture and hyperparameters fine-tuned using Bayesian optimisation. The model is evaluated on a balanced dataset of benign and malicious PE files, achieving high accuracy (98.83%) and an F1-score of 98.95%. Fully automated and independent of dynamic execution or commercial tools, the proposed solution is well-suited for deployment in real-world applications such as antivirus systems and intrusion detection platforms.

An LSTM-DBSCAN Approach for Interpretable Insider Threat Detection via Behavioural Anomaly Analysis

Articles in Press, Accepted Manuscript, Available Online from 22 February 2026

https://doi.org/10.22042/isecure.2026.241277

Mohammad Mohammadi, Moein Bannaye Zahmati, Morteza Noferesti

Abstract Insider threats pose a significant cybersecurity risk, as authorised users can exploit legitimate access to compromise sensitive systems and data. This paper proposes an integrated behavioural anomaly detection approach to address three critical challenges in AI-driven insider threat detection: lack of interpretability, misleading evaluation metrics, and misalignment with operational taxonomies. Our approach employs a three-stage pipeline: (1) an LSTM autoencoder to detect temporal anomalies in login patterns, (2) DBSCAN clustering to identify suspicious file access and device usage during anomalous sessions, and (3) DBSCAN-based URL analysis to uncover exfiltration patterns. By analysing behaviour across time, location, and web activity, this framework builds actionable threat chains mapped to MITRE ATT&CK techniques including T1078, T1005, T1204.002, T1567.002. It bridges the gap between theoretical models and the daily work of a Security Operations Center (SOC). In the data exfiltration scenario on the CERT R6.2 insider threat dataset, the proposed approach achieved a recall of 83.3% and an accuracy of 91.7% in classifying malicious days. The framework also provides interpretable alerts and maintains operational efficiency.
