Behaviour-Centric Cybersecurity Center (BCCC) /research/bccc/ Wed, 29 Apr 2026 15:20:39 +0000

News Alert! /research/bccc/2026/04/29/news-alert/ Wed, 29 Apr 2026 15:20:35 +0000

The post News Alert! appeared first on Behaviour-Centric Cybersecurity Center (BCCC).


How York researchers are strengthening cybersecurity

York researchers are exploring how to better secure a digital world increasingly shaped by the Internet of Things (IoT) by understanding how malicious bots operate and developing stronger defences against them.

IoT devices are everyday objects that connect to the internet so they can send, receive and act on data. They range from home thermostats and baby monitors to traffic sensors, medical equipment and industrial controls. Many operate quietly in the background and are rarely updated or closely monitored, making them especially attractive targets for cybercriminals.

New Article Alert! /research/bccc/2026/04/27/new-article-alert-18/ Mon, 27 Apr 2026 15:10:20 +0000

Unveiling malicious PDF behavior: Interpretable classification and profiling of malicious PDF using TabNet

With the inevitable growth of information digitization, Portable Document Format (PDF) has become one of the most popular exploited file formats for document exchange among various applications and platforms. Consequently, PDF files have become an attractive target for attackers to infect and deliver malicious code to users. Despite the efficacy and success of machine learning classifiers in detecting malicious PDF files, they require tedious feature engineering and have some limitations. Additionally, one of the main reasons for resistance to using deep learning models is their lack of interpretability. To address these challenges, this study proposes using the TabNet model for malicious PDF detection, offering global and local interpretability while maintaining high or competitive detection performance. The Optuna optimization framework is employed to further enhance the model’s capabilities. The proposed approach is evaluated on the real-world Evasive-PDFMal2022 dataset and demonstrates state-of-the-art performance compared to baseline methods.

Shaping Young Minds: Cybersecurity Career Exploration in Schools /research/bccc/2026/04/25/shaping-young-minds-cybersecurity-career-exploration-in-schools/ Sat, 25 Apr 2026 15:42:23 +0000

James Cardinal McGuigan Catholic High School (April 22, 2026)

Shaping Young Minds: Cybersecurity Career Exploration in Schools

Prof. Arash Habibi Lashkari, Founder and Director of the Behaviour-Centric Cybersecurity Center (BCCC), recently participated as a Career Coach at Ontario Career Lab, engaging with Grade 9 and 10 students at James Cardinal McGuigan Catholic High School.

As part of the Understanding Cybersecurity Series (UCS), the session introduced students to real-world career pathways in cybersecurity, artificial intelligence, and technology. Through interactive discussions, students explored opportunities, challenges, and the skills needed to succeed in these rapidly evolving fields.

This initiative reflects BCCC’s commitment to early engagement and knowledge mobilization, helping inspire the next generation of cybersecurity professionals.

New Article Alert! /research/bccc/2026/04/20/new-article-alert-17/ Mon, 20 Apr 2026 16:13:59 +0000

Unveiling intruders’ behaviors: explainable AI-based profiling of malicious bot activities in IoT networks

The rapid proliferation of Internet of Things (IoT) devices has improved connectivity but introduced new cybersecurity risks, particularly from botnets. Detecting and identifying malicious botnet activities is crucial for early attack mitigation, understanding attack patterns, and deploying effective countermeasures. However, state-of-the-art IoT botnet detection models often struggle to handle imbalanced data, capture temporal patterns, and provide interpretable, explainable insights. This work proposes an IoT botnet detection and profiling model that leverages Explainable Artificial Intelligence (XAI) methods, including eXtreme Gradient Boosting (XGBoost) for feature selection, a Long Short-Term Memory (LSTM) neural network model for botnet detection and classification, and Shapley Additive Explanations (SHAP) for interpretability. This model integrates a feature selection approach that combines correlation analysis with the XGBoost algorithm to improve efficiency. The LSTM model is optimized and fine-tuned using Bayesian optimization to achieve accurate botnet detection and classification. The SHAP method provides interpretable insights into individual and collective botnet behaviors for profiling. Finally, the performance of the proposed model was evaluated with the augmented BCCC-Aposemat-IoT-Bot-2024 dataset and compared with state-of-the-art models. The results demonstrate that our proposed model achieves competitive performance while offering key advantages, including effective handling of sequential and imbalanced data, improved computational efficiency, and enhanced explainability.

Elevating Cybersecurity Vigilance: Fusing Knowledge Dissemination via the Understanding Cybersecurity Series (UCS) Knowledge Mobilization Program /research/bccc/2026/04/13/elevating-cybersecurity-vigilance-fusing-knowledge-dissemination-via-the-understanding-cybersecurity-series-ucs-knowledge-mobilization-program/ Mon, 13 Apr 2026 15:49:06 +0000

UWORCS 2026, Western University (April 10, 2026)

Elevating Cybersecurity Vigilance: Fusing Knowledge Dissemination via the Understanding Cybersecurity Series (UCS) Knowledge Mobilization Program

We continue advancing cybersecurity awareness through our Understanding Cybersecurity Series (UCS), designed for students, researchers, developers, and industry professionals. UCS aims to equip communities with the knowledge and tools needed to address evolving cyber threats and strengthen digital resilience.

Last week, our director, Prof. Arash Habibi Lashkari, delivered a keynote talk at the UWORCS 2026 Conference hosted at Western University. The talk, “Elevating Cybersecurity Vigilance: Advancing AI-Powered Security and Security of AI Through the UCS Knowledge Mobilization Program,” explored the dual role of AI in cybersecurity, as both a powerful defense mechanism and an emerging attack surface.

New Article Alert! /research/bccc/2026/04/09/new-article-alert-16/ Thu, 09 Apr 2026 15:45:20 +0000

MQTTFlowLyzer: interpretable TabNet-based flow-level MQTT intrusion detection for IoT

MQTT is widely used in IoT systems but remains vulnerable due to its lightweight design. This paper proposes an interpretable deep learning-based intrusion detection framework that processes raw PCAP data through flow-based analysis. It introduces MQTTFlowLyzer for extracting protocol-aware features and presents the BCCC-IoT-MQTT-IDS-2025 dataset, which includes diverse attack scenarios. The framework leverages TabNet, GANDALF, and NODE to enable accurate and interpretable detection of known and novel attacks. Results show strong performance across attack types, with attention-based explanations providing insights into behavioral patterns and supporting zero-day threat identification.

New Dataset Alert! (BCCC-MalMem-SnapLog-2025) /research/bccc/2026/04/07/new-dataset-alert-bccc-malmem-snaplog-2025/ Tue, 07 Apr 2026 13:43:08 +0000

Malware Memory Snapshot and process-level behavioral Log Dataset (BCCC-MalMem-SnapLog-2025)

The dataset was systematically developed to capture memory-level behavioral dynamics of malware and benign processes through interval-based snapshot analysis. Unlike prior datasets that predominantly rely on static binaries or network-level observations, this dataset focuses on runtime memory behavior and process persistence, enabling a deeper understanding of how malicious activities evolve over time. It integrates diverse malware families and benign software, ensuring realistic and unbiased modeling of system-level threats in dynamic execution environments.

Captured and labeled 2 data sources: Memory snapshot data and process-level behavioral logs
Testbed: Controlled execution environment with interval-based memory dumping across multiple time windows
Attack Profile: Eight malware categories, including Backdoor, Hoax, HackTool, Trojan, Worm, Virus, Rootkit, and Exploit, alongside benign software samples
Data size: 40 TB of memory snapshots and associated behavioral records across multiple execution intervals
Data records: 2000 malware samples and 250 benign samples with varying persistence patterns across snapshots
Data capturing: Interval-based memory snapshot collection capturing transient and persistent process behaviors
Extracted Features: Memory and process-level features capturing temporal persistence, behavioral transitions, and execution patterns.

Dataset: BCCC-MalMem-SnapLog-2025

New Article Alert! /research/bccc/2026/01/01/new-article-alert-15/ Thu, 01 Jan 2026 18:19:48 +0000

CAN-BiGRUBERT: Unveiling Automotive Vehicle Intruders by Profiling and Characterizing Anomalies in Controller Area Network

In-vehicle Controller Area Networks (CAN) are vulnerable to various injection attacks that can compromise the safety of vehicle occupants and result in financial losses. While a substantial body of work on CAN intrusion detection exists, it lacks multiclass attack classification models. Current multiclass models do not encompass all attack types or account for the vehicle’s state, i.e., whether the car is stationary or in motion. This work addresses these limitations by proposing CAN-BiGRUBERT, a multiclass CAN intrusion detection model that jointly predicts the vehicle state and attack class from CAN traffic windows. CAN-BiGRUBERT employs Bidirectional Encoder Representations from Transformers (BERT) to capture spatial dependencies within individual CAN frames, and a Bidirectional Gated Recurrent Unit (BiGRU) network to capture temporal dependencies across multiple frames in a window.  

New Dataset Alert! (BCCC-IoT-IDS-Zwave-2025) /research/bccc/2025/12/18/new-dataset-alert-bccc-iot-ids-zwave-2025/ Thu, 18 Dec 2025 21:16:55 +0000

BCCC-IoT-IDS-Zwave-2025

We released a large-scale, multi-source IoT security dataset developed over five months (20 TB data, including more than 1 BILLION records) using a comprehensive smart-home testbed comprising more than 110 devices, including sensors, actuators, smart plugs, locks, meters, and controllers. According to the paper, the dataset includes 88 distinct attack scenarios spanning network-layer, device-layer, and service-layer threats, making it the most extensive Z-Wave–focused dataset to date. The dataset integrates five data sources: IP-based traffic, Z-Wave protocol communication data, device activity logs, MQTT traffic, and MQTT message logs, providing a holistic view of benign and malicious behavior. It contains multi-class records covering 81 IP network traffic classes and 24 Z-Wave classes, supporting advanced behavioral profiling and classification tasks. The complete dataset, including raw packets, CSV records, metadata, and labeling files, is publicly available and represents a significant resource for intrusion detection, device fingerprinting, and IoT threat analysis.

Dataset: BCCC-IoT-IDS-ZWave-2025

New Article Alert! /research/bccc/2025/11/17/new-article-alert-14/ Tue, 18 Nov 2025 03:07:03 +0000

A deep learning-based vulnerability detection in blockchain smart contracts using masked attention and control flow graph analysis

Smart contracts (SCs) are self-executing programs on the blockchain, used for transactions without intermediaries, particularly in cryptocurrencies like Ethereum. However, they are vulnerable to security flaws that can lead to significant financial losses, as demonstrated by the 2016 DAO hack. Common vulnerabilities include re-entrancy errors, timestamp dependency, infinite loops, and integer overflows. Detecting these flaws is crucial but complex due to the immutable nature of the blockchain and the complexity of the contracts. Therefore, developing techniques for analyzing, testing, and verifying the security of SCs is essential to ensure their reliability and safety. This work presents a novel approach to detecting vulnerabilities in SCs using deep learning.
