Abstract: Many layer PCBs have many attack surfaces that can hide a Trojan capable of corrupting the processor execution state only with interactions with the processor through external channels such as memory bus. The focus of this research is to monitor the processor execution state only through channels and side-channels that extend beyond the processor chip boundaries. Such a decoupled monitor localizes the program execution state at a blob level - an aggregated form of the program control flow graph. Higher the level of blob aggregation, less demanding are the requirements for the side-channels and execution state revealing channels. Decoupled monitor uses side-channel sensor streams that are naturally created by the program execution (last level cache -LLC- misses). The side-channel sensor streams evaluated in this paper are (1) LLC miss address stream, (2) processor domain power stream, (3) DDR memory domain power stream captured through electromagnetic (EM) emission, and (4) performance monitoring unit (PMU) stream. Blob construction heuristics presents a monitoring overhead trade-off with the localization granularity. A blob is a program level entity whose boundaries are detectable off-processor through side-channel streams. Typical blob sizes we have encountered are 200 instructions as static size and 100s of millions of dynamically executed instructions. The goal of the decoupled monitor is to validate the execution state conformity with a precomputed golden model at a blob and blob path granularity. The monitor is evaluated on a Xilinx Zynq Ultrascale+ ZCU 106 board which contains two ARM processors and a sea of FPGA fabric. Targeted program executes on the Cortex A53 processor for the monitored program state localization. Each of the LLC address, execution path power, performance monitoring unit streams builds machine learning (ML) models for all the paths in a program. The monitor uses these trained ML models to classify the sensor stream data into a Blob/Path. The multiple streams’ classifications are resolved into a single Blob/Path localization based on confidence values of each stream classification. Individual stream’s classification accuracy ranges from 80-90% for the Blob/Path classification. The overall execution state localization is evaluated on a benchmark program "STREAM" with 3 normal execution runs and 2 anomalous runs. The accuracy of this localization is 83.3% for normal runs and 100% for anomalous runs.

Abstract: The accelerating integration of artificial intelligence (AI) into cybersecurity operations has introduced new challenges and opportunities for modernizing incident response (IR) practices. This study explores how cybersecurity practitioners perceive the adoption of intelligent automation and the readiness of legacy frameworks to address AI-driven threats. A structured, two-part quantitative survey was conducted among 194 U.S.-based professionals, capturing perceptions on operational effectiveness, trust in autonomous systems, and the adequacy of frameworks such as NIST and SANS. Using binary response formats and psychometric validation items, the study quantified views on AI’s role in reducing mean time to detect and respond, willingness to delegate actions to autonomous agents, and the perceived obsolescence of static playbooks. Findings indicate broad support for the modernization of incident response frameworks to better align with emerging AI capabilities and evolving operational demands. The results reveal a clear demand for modular, adaptive frameworks that integrate AI-specific risk models and decision auditability. These insights provide empirical grounding for the design of next-generation IR models and contribute to the strategic discourse on aligning automation capabilities with ethical, scalable, and operationally effective cybersecurity response.

Abstract: The rapid convergence of the Internet of Things (IoT) and cloud computing has intensified reliance on multi-tenancy, a model that enables resource sharing to enhance scalability and reduce costs. However, this shared infrastructure introduces significant security vulnerabilities, particularly at the intersection of IoT's resource-constrained devices and the cloud shared environment. While existing literature has addressed IoT or cloud security separately, a significant research gap exists in analyzing the specific risks of multi-tenancy in these integrated systems. This review synthesizes recent research on mitigation techniques to address security and privacy challenges in multi-tenant IoT-cloud environments. We provide a comprehensive classification of threats, including inter-tenant data leakage, side-channel vulnerabilities, and privilege escalation. Our analysis reveals a persistent security-performance trade-off that limits the widespread adoption of robust defenses in resource-constrained IoT environments. Current mitigation techniques, including access control models and AI-driven detection systems, incur significant computational overhead. This makes them impractical for numerous IoT applications with constrained processing and energy resources. This review analyzes the limitations of existing approaches and identifies key architectural gaps. In this paper, we present a roadmap of emerging solutions to resolve this security-performance trade-off. This work emphasizes the integration of Zero Trust Architectures (ZTA) for continuous verification, adaptive AI for real-time threat detection, blockchain for immutable audit trails, and the adoption of Post-Quantum Cryptography (PQC) as essential strategies to secure the next generation of mul-ti-tenant IoT-cloud infrastructures.

Abstract: Everyday, people regularly log into websites and applications without too much thought for the process and with an end-goal or task in mind to be achieved with the service that they are accessing. In many cases this is not an issue, but some people find this step hard, frustrating, or virtually impossible. For people who have a disability, complications can arise in this process, and we examine the nature of these problems, not only to create an empirical record but also with a view to diagnosing and to reme-diate limiting factors. A series of interviews (n=15) is analyzed with Grounded Theory (GT) coding to produce a set of theorems directly from applying Constructivist princi-ples to the data. As anticipated, results illustrate that most disabled users find that their capability to authenticate effectively is reduced due to various accessibility bar-riers. By way of inductive theorem building, this paper categorizes common traits that participants have revealed during interviews. The main goal of this paper is to lead the way towards the development of a Framework which suggests ways in which to rem-edy the root causes of these accessibility complications that hinder our disabled com-munity. It was noted during the study that most participants felt hindered when log-ging in due to their disability, which could imply a lack of accessibility for those using traditional authentication techniques. Also, maintaining security was found to be im-portant, so future work should find ways to make sure that disabled users are not left vulnerable when improving usability for them.

Abstract: The Transport Layer Security (TLS) protocol is widely used nowadays to create secure communications over TCP/IP networks. Its purpose is to ensure confidentiality, authentication, and data integrity for messages exchanged between two endpoints. To facilitate its integration into widely used applications, the protocol is typically implemented through libraries, such as OpenSSL, BoringSSL, LibreSSL, WolfSSL, NSS, or mbedTLS. These libraries encompass functions that execute the specialized TLS handshake required for channel establishment, as well as the construction and processing of TLS records, and the procedures for closing the secure channel. However, these software libraries may contain vulnerabilities or errors that could potentially jeopardize the security of the TLS channel. To identify flaws or deviations from established standards within the implemented code, a specialized tool known as TLS-Anvil can be utilized. This tool also verifies the compliance of TLS libraries with the specifications outlined in the Request for Comments documents published by the IETF. TLS-Anvil conducts numerous tests with a client/server configuration utilizing a specified TLS library and subsequently generates a report that details the number of successful tests. In this work, we exploit the results obtained from a selected subset of TLS-Anvil tests to generate rules used for anomaly detection in Suricata, a well-known signature-based Intrusion Detection System. During the tests, TLS-Anvil generates .pcap capture files that report all the messages exchanged. Such files can be subsequently analyzed with Wireshark, allowing for a detailed examination of the messages exchanged during the tests and a thorough understanding of their structure on a byte-by-byte basis. Utilizing the analyzed TLS handshake messages, we write tailored Suricata rules designed to identify TLS anomalies arising from erroneous implementations within the intercepted traffic. We detail the specific testbed put in place for deriving and validating some derived Suricata rules for the OpenSSL library. The rules that identify TLS deviations or potential attacks can subsequently be incorporated into a Suricata-enabled threat detection platform. This integration will facilitate the detection of TLS anomalies generated by code that does not conform to the specifications.

Abstract: The predictability of cyber threats is a major challenge in a dynamic digital world. One of possible approach to determine the financial impact of cyber threats is to identify vulner-able areas of the organization. However this area is primarily of interest to financial insti-tutions, many studies show us that this problem is very complex and involved. The es-sence of cyber threats are changed in time very dynamic, which can lead to a greater risk-iness of digital environment. The aim of this paper is to describe an algorithm through which it is possible to evaluate the areas of an organization that may be most vulnerable to the impacts of cyber threats. For this purpose was identified the most important areas in information environment. This paper is also focused on defining the correlation between cyber threats by their development over time from the point of view of the predictability of possible financial impacts. The proposed method was verified on organization, which was selected for our research.

Abstract: Phishing remains one of the most prevalent and damaging forms of cyberattacks, exploiting human behavior rather than technical vulnerabilities. Despite technological advancements in email filtering, anomaly detection, and two-factor authentication, phishing continues to succeed by manipulating trust, authority, and urgency cues in unsuspecting users [1,5,14]. This study presents an empirical analysis of a phishing simulation conducted in a university setting to assess user susceptibility and promote security awareness. A simulated phishing email was sent to 35 staff members, with 80% opening the message and 40% clicking the embedded link. Behavioral responses—such as fear of reprimand and avoidance—indicated cultural and psychological barriers to effective awareness [4,9,18]. In addition to field experimentation, a technical comparison of open-source phishing tools—GoPhish, King Phisher, Phishery, and Evilginx2 — was conducted to evaluate their practicality, usability, and deployment complexity [7,11,13]. Drawing on recent literature in cybersecurity education and behavioral science, this paper highlights the need for psychologically safe, culturally sensitive, and role-specific training to reduce long-term phishing risk [3,6,8,12,17]. Our findings support the integration of simulated phishing campaigns with structured, non-punitive feedback and adaptive educational interventions to foster more resilient digital behavior.

Abstract: The purpose of the present study is to improve the efficiency of phishing web resource detection through multimodal analysis and using methods of explainable artificial intelligence. We propose a late-fusion architecture in which independent specialized models process four modalities and are combined using weighted voting. The first branch uses CatBoost for URL features and metadata; the second uses CNN1D for the symbolic level of URL representation; the third uses a transformer based on pre-trained CodeBERT for the HTML code of the homepage; and the fourth uses EfficientNet-B7 for page screenshot analysis. SHAP, Grad-CAM, and attention matrices are used for interpreting decisions; a local LLM generates a consolidated textual explanation. A prototype system based on a microservice architecture with integration into SOC has been developed. This integration enables streaming processing and reproducible validation. Computational experiments using our own updated dataset and the public MTLP dataset show high performance: F1 score of up to 0.989 on our own dataset and 0.953 on MTLP; multimodal fusion consistently outperforms single-modal baseline models. The practical significance of this approach for zero-day detection and false-positive reduction by aligning features across modalities and their explainability was demonstrated. All limitations and operational aspects (data drift, adversarial resilience, LLM latency) of the proposed prototype were presented. Authors outlined an area for further research.

Abstract: The rapid evolution of digital communication demands a paradigm shift in image steganography, moving beyond conventional data embedding to fully reversible concealment that ensures seamless integration while preserving the original cover. However, spatial-domain techniques remain inherently flawed—repetitive carrier image usage exposes hidden data to statistical detection, while deterministic extraction mechanisms violate Kerckhoff’s principle, enabling unauthorized recovery. Reliance on encryption, flawed key management, and misplaced emphasis on imperceptibility metrics further compromise true undetectability. This research introduces a provably robust steganographic framework that advances spatial-domain security through three foundational innovations: (1) Cryptographic reversibility—unlike conventional LSB methods that permanently alter cover media, our SHA-256–modulated entropy embedding enables lossless payload extraction and perfect cover recovery without auxiliary data; (2) Statistical undetectability—by integrating inverse modulo-5 arithmetic (E(x, k) = (x + k) mod 5) with dual-channel pixel diffusion, we eliminate detectable artifacts in co-occurrence matrices and histograms, achieving zero discriminability (AUC = 0.5) against ML-based steganalysis; and (3) Adaptive capacity hardening—a dynamic payload distribution system that simultaneously maximizes embedding density (1–100% pixel utilization) while resisting known-cover attacks through key-driven randomization. These mechanisms collectively establish mathematically verifiable robustness: reversibility is guaranteed by the bijective properties of our modular transformations (E⁻¹(y, k) = (y−k) mod 5), undetectability is proven via entropy preservation (ΔH < 0.02), and security is enforced through Kerckhoffs-compliant key derivation. Empirical validation confirms superiority over existing methods in PSNR (> 53 dB), structural fidelity (SSIM > 0.999), and attack resilience—redefining the theoretical limits of secure data hiding.

Abstract: Cybersecurity is the practice of protecting digital system from cyber threats such as hacking, malware, and phishing attacks. It helps in protecting from the Cyber-attacks through different strategies like Antivirus software etc. Cyber Physical Systems (CPS) rely on advanced communication.Cyber Physical Systems (CPS) control technologies to efficiently manage devices. It also helps the flow of information in the system. However, it has limitations with respect to modifying physical configuration and difficulty to scale. Cyber Physical Systems (CPS) is controlled through offline mode by different experts for different Cyber attacks on Cyber Physical Systems (CPS). Cyber attacks are getting more advanced and lethal. Traditional pedagogical approaches often struggle to simulate real-world cybersecurity challenges, limiting experiential learning. To overcome this shortcoming , using the Digital Twins (DTs) and Generative Artificial Intelligence (Gen AI).The rapid advancement in Digital Twins (DTs) and Generative Artificial Intelligence (Gen AI). Integration of Digital Twins (DTs) and Generative Artificial Intelligence (Gen AI). cybersecurity management is Particularly in fields that require analytical reasoning and regulatory compliance. enhancing standards to support cybersecurity, and ensuring Digital Twins (DTs) and Generative Artificial Intelligence (Gen AI) can be fully integrated in Cybersecurity. The developed twin has advanced features compared to any equivalent system in the literature When coupled with Generative Artificial Intelligence (Gen AI) models for Cybersecurity.Large Language Models (LLMs) further enhance the experience by generating threat narratives, adaptive feedback, and role-based attack defense scenarios.

Abstract: The increasing sophistication of cyber threats necessitates a proactive approach to cybersecurity, with ethical hacking and penetration testing serving as foundational pillars of an effective defense strategy. However, the practical execution of a security assessment involves a fragmented workflow, often requiring practitioners to leverage numerous disparate command-line tools for reconnaissance, scanning, exploitation, and reporting. This paper presents a comprehensive review of EthiHack Pro v2.0, a hypothetical integrated software suite designed to address these challenges. The tool consolidates the entire penetration testing lifecycle into a single, GUI-driven platform built on Python and a robust ecosystem of security-focused libraries. We analyze its modular architecture, the technological stack underpinning its capabilities, and its structured workflow, which guides users from initial information gathering to final vulnerability exploitation. A significant innovation of the platform is its experimental AI-powered reporting module, which leverages generative AI to automate the creation of detailed, multi-audience security reports. This review examines the tool's design, functionality, and potential to streamline security assessments, making advanced testing methodologies more accessible and efficient for cybersecurity professionals.

Abstract: Insider threats remain a serious concern for organizations in both public and private sectors. Detecting anomalous behavior in enterprise environments is critical for preventing insider incidents. While many prior studies demonstrate promising results using deep learning on offline datasets, few address real-time operationalisation or calibrated alert control within a Security Information and Event Management (SIEM) workflow. This paper presents a SIEM-integrated prototype that fuses the Computer Emergency Response Team Insider Threat Test Dataset (CERT) enterprise logs (logon, device, HTTP, and email) with behavioral biometrics from Balabit mouse dynamics. Per-modality one-dimensional convolutional neural network (1-D CNN) branches are trained independently using imbalance-aware strategies, including downsampling, class weighting, and focal loss. A unified 20×N feature schema ensures train-serve parity and consistent feature validation during live inference. Post-training calibration using Platt and isotonic regression enables analyst-controlled threshold tuning and stable alert budgeting inside the SIEM. The models are deployed in Splunk’s Machine Learning Toolkit (MLTK), where dashboards visualise anomaly timelines, risky users or hosts, and cross-stream overlaps. Evaluation emphasises operational performance, precision-recall balance, calibration stability, and throughput rather than headline accuracy. Results show calibrated, controllable alert volumes: for Device, precision ≈ 0.70 at recall ≈ 0.30(PR-AUC = 0.468, ROC-AUC = 0.949); for Logon, ROC-AUC = 0.936 with an ultra-low false-positive rate at a conservative threshold. Batch CPU inference sustains ≈ 70.5k windows/s, confirming real-time feasibility. This study’s main contribution is demonstrating a calibrated, multi-modal CNN framework that integrates directly within a live SIEM pipeline. It provides a reproducible path from offline anomaly detection research to Security Operations Centre (SOC)-ready deployment, bridging the gap between academic models and operational Cybersecurity practice.

Abstract: With the proliferation of remote education and online assessments, maintaining academic integrity while ensuring cybersecurity has become a critical challenge. This paper proposes a comprehensive and intelligent e-proctoring system that integrates Artificial Intelligence (AI), wearable EEG technology, and secure Internet of Things (IoT) components within the Moodle learning management environment. The system combines multiple security and proctoring techniques: webcam-based facial and environmental monitoring, EEG signal analysis via a Muse2 headband for real-time stress and identity detection, and a restricted examination environment enforced by the Safe Exam Browser (SEB). To ensure robust security, a layered defense model is employed, incorporating multi-factor biometric authentication, IPSec-based encryption, VPN tunneling, and entity verification through challenge-response protocols. Experimental evaluations validate the system's effectiveness in preventing and detecting cheating, while performance analyses confirm minimal network impact even under VPN-enforced encryption. The proposed solution demonstrates a scalable, secure, and intelligent approach to safeguarding academic integrity in digital education.

Abstract: This paper on Nigeria and West Africa reframes cybersecurity from a technological issue to a governance and sovereignty concern. This study uses postcolonial technology theory and institutional analysis to examine how infrastructure dependency, legal fragmentation, and foreign platform dominance make the region's digital ecosystems vulnerable to surveillance, cybercrime, and geopolitical influence. This paper examines Eurocentric digital sovereignty that promotes infrastructure autarky and hybrid governance frameworks that mix strategic autonomy and reliance. Big Tech dependence and regulatory intransigence affects state capacity, cybersecurity enforcement, and local cloud infrastructure in Kenya, South Africa, and Nigeria, according to this study. A Digital Sovereignty Index, cyber-independence plans, and ECOWAS-run infrastructure in every area are suggested. This paper proposes that Nigeria lead Africa's digital sovereignty framework with rights-based, inclusive, and decentralised cybersecurity governance. Finally, it indicates that digital sovereignty is about robust infrastructure, inventive organisational frameworks, and collaborative governance, not independence or centralisation. This study conclusions include further research recommendations to address AI governance, cross-country benchmarking, and African digital sovereignty.

Abstract: Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving Digital Forensic Readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviours to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organisational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analysed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.

Abstract: The increasing frequency and growing impact of cyber attacks have led organizations to adopt proactive defence approaches to cyber security risk mitigation, especially in the case of advanced persistent threats (APTs). The correct identification of the specific malicious actors behind a cyber attack is important for the success of the incident response and for the investigative work of the security operation centre (SOC) team. This research explores the capabilities and limitations of a machine learning (ML) approach to identifying malicious actors and the threats they pose (threat actor attribution) based on the tactics, techniques, and procedures (TTPs ) observed in specific cyber incidents, and on the incident context (the geographical location and industry affiliation of the victims targeted in the attack). A large language model (LLM) was used to extract TPPs from the MITRE database of cyber incidents The experiments included modelling threat actor attribution using five ML algorithms K-Nearest Neighbors (KNN), Decision Trees (DT), Random Forests (RF), Support Vector Machines (SVM), and Naïve Bayes (NB), applying different methods for feature selection and weighting. The results indicated that model accuracy and other performance metrics were significantly improved when the input dataset included both TTP and contextual features. The KNN and SVM models produced the best performance results; the highest classification accuracy achieved was 93.19%. The outcomes of this study may be applied by cyber security professionals to identify malicious actors, estimate the number and types of datapoints that are required to adequately attribute an actor to a cyber-attack, and improve the accuracy of the classification by weighting the input dataset features.

Abstract: Authentication mechanisms attract considerable research interest due to the protective role they offer, and when they fail, the system becomes vulnerable and immediately exposed to attacks. Blockchain technology was recently incorporated to enhance authentication mechanisms through its inherited specifications that cover higher security requirements. This article proposes a dynamic multi-factor authentication (MFA) mechanism based on blockchain technology. The approach combines a honeytoken authentication method implemented with smart contracts and deploys the dynamic change of honeytokens for enhanced security. Two additional random numbers are inserted into the honeytoken within the smart contract to protect from potential attackers, forming a triad of values. The produced set is then imported into a dynamic hash algorithm that changes daily, introducing an additional layer of complexity and unpredictability. The honeytokens are securely transferred to the user through a dedicated and safe communication channel, ensuring the integrity and confidentiality of this critical authentication factor. Extensive evaluation and threat analysis of the proposed blockchain-based MFA dynamic mechanism (BMFA) demonstrate that it meets high-security standards and possesses essential properties that give prospects for future use in many domains.

Abstract: The rising complexity of malware and the exponential growth in the android applications, including obfuscation and polymorphic behaviour has rendered conventional detection techniques increasingly ineffective. The work proposed here presents a robust and adaptive framework and comparative study of two deep learning paradigms called Recurrent Neural Networks (RNN) with Long Short-Term Memory (LSTM) units and Transformers based architectures for effective malware detection. We constructed and trained both models on the EMBER-2018 dataset, using opcode sequences and bytecode representations extracted from Android executables. The RNN-LSTM model captures temporal dependencies and sequential patterns. While the Transformer model leverages self-attention to learn long-range relationships and global context. To address the less generalizable or less precise centres, we also utilize secRNNlong, a technically secured LSTM architecture for robust static malware detection. Our experiments show that, in practice, secRNNlong offers a balance between interpretability and performance, achieving better performance than the baseline RNNs in the major detection metrics. Experimental results indicate that while RNN-LSTM models are lightweight and efficient, Transformer models achieve higher detection performance and generalize better to unseen malware variants.

Abstract: This research proposes a heterogeneous graph neural network (GNN) framework to attribute advanced persistent threat (APT) activity using enriched cyber threat intelligence (CTI). We construct a tripartite graph linking APT groups, contextualised Tactics, Techniques, and Procedures (TTPs), and their Cyber Kill Chain (CKC) stages. TTP nodes are embedded with Sentence-BERT (SBERT) vectors for semantic similarity, while CKC stages provide procedural context. This design captures both behavioural semantics and attack-stage relationships, enabling robust and interpretable attribution. Empirical evaluation in CTI-HAL achieves a Macro F1 score of 0.84 and 85% accuracy, addressing limitations in baselines such as DeepOP (technique prediction without CKC integration) and APT-MMF (no procedural/temporal TTP modelling). The framework is suitable for Security Operations Centres (SOCs), enabling faster and more accurate decision-making during incident response. This framework advances automated, explainable APT attribution for practical SOC deployment.

Abstract: In this era of technology, phishing emails remain a critical cybersecurity threat, exploiting human vulnerabilities to compromise sensitive data and systems. Traditional detection methods, such as blacklists and static heuristics, often fail to keep pace with the evolving sophistication of phishing tactics. We propose RealPhish, a real-time phishing detection algorithm combining machine learning, Natural Language Processing (NLP), and rule-based heuristics to identify malicious emails with high precision. RealPhish analyzes both static email features and simulated user interaction data to enhance detection accuracy. Using a publicly available phishing email dataset and synthetically generated behavioral data, the algorithm achieves a detection accuracy of 95%, with a precision of 96% and recall of 89%, outperforming baseline models. The system also includes a rule-based override layer for known threats and provides interpretable outputs for transparency. RealPhish demonstrates strong potential for deployment in real-world email security platforms, offering a scalable and adaptive solution to combat phishing attacks in real time.