Technology Solutions for the Enterprise

VOLUME 25, NUMBER 5 SEPTEMBER/OCTOBER 2023

Security and Data Protection During the

COVID-19 Pandemic and Beyond

www.computer.org/itpro
IEEE COMPUTER SOCIETY D&I FUND

Drive Diversity
& Inclusion in
Computing

Supporting projects
and programs that
positively impact
diversity, equity, and
inclusion throughout
the computing DONATE TODAY!
community.
 Technology Solutions for the Enterprise

17
GUEST EDITORS’ INTRODUCTION
IT Professional Special Issue on Security
and Data Protection During the COVID-19
Pandemic and Beyond
José L. Hernández-Ramos, Paolo Bellavista, Georgios Kambourakis,
Jason R.C. Nurse, and J. Morris Chang

September/October 2023

20 29 37
Theme Articles

Blockchain-Based Enhancing Ransomware Attacks

Mechanism for Smart Communication of the COVID-19
Record Monitoring Among Remote Pandemic: Novel
During and After the Cybersecurity Analysts Strains, Victims, and
COVID-19 Pandemic With Visual Traces Threat Actors
Geetanjali Rathee, Chaker Abdelaziz Chen Zhong, J. B. (Joo Baek) Kim, Zubair Baig, Sri Harsha Mekala,
Kerrache, and Anissa Cheriguene and Alper Yayla and Sherali Zeadally
 Feature Articles
45 Evaluation of Tree-Based Machine Learning
Algorithms for Network Intrusion Detection
in the Internet of Things
Mohamed Saied Essa and Shawkat Kamal Guirguis

57 Misinformation Detection Using Deep Learning

Michail Tsikerdekis and Sherali Zeadally

Columns and Departments

IT Trends
4 Employer Branding: The Impact of COVID-19
on New Employee Hires in IT Companies
Hoda Diba

Formal Methods in Industry

10 Design, Validate, Implement, and Validate:
From Dreaming Approaches to Realities
Axel Legay

Life in the C-Suite

14 How Competitive Are You?
Stephen J. Andriole

Cybersecurity
64 Labeling Software Security Vulnerabilities
Irena Bojanova and John J. Guerrerio

IT Economics
71 Generative Artificial Intelligence in Marketing
Nir Kshetri

Also in this Issue

3 Masthead

C3 CS Information

Cover image credit:

©shutterstock.com/
Blue Planet Studio

www.computer.org/itpro

ISSN: 1520-9202
EDITOR IN CHIEF
Charalampos Z. Patrikakis, [email protected]
ASSOCIATE EDITORS IN CHIEF
Regular Papers: Reza Djavanshir, Johns Hopkins
University; [email protected]
Columns and Departments: George Hurlburt, STEMCorp;
[email protected]
Special Issues: Tim Weil, SecurityFeeds LLC; [email protected]
Outreach and Awards: Saeid Abolfazli, TELUS Canada
COLUMN/DEPARTMENT EDITORS
Cybersecurity: Irena Bojanova, NIST;
[email protected]
Formal Methods in Industry: Tiziana Margaria, University of
Limerick; [email protected]
IT Economics: Nir Kshetri, University of North Carolina at
Greensboro; [email protected]
IT and Future Employment: George Strawn, National Academy
of Sciences; [email protected]
IT Trends: Amir Dabirian, California State University, Fullerton;
[email protected]
Life in the C-Suite: Stephen J. Andriole, Villanova University;
[email protected]
Mastermind: George Strawn, National Academy of Sciences;
[email protected]
Software Technology: Markus Schordan, Lawrence Livermore
National Lab.; [email protected]
ADVISORY BOARD
Irena Bojanova, NIST
Wushow Chou*, North Carolina State University
Simon Liu*, Agricultural Research Service
San Murugesan*, BRITE Professional Services
Sorel Reisman (Chair), California State University
Henry Schaffer, North Carolina State University
George Strawn, National Academy of Sciences
*EIC Emeritus
EDITORIAL BOARD
Shireen Atabaki, George Washington University
J. Morris Chang, University of South Florida
Aswani Kumar Cherukuri, Vellore Institute of Technology, India
Claudio Giovanni Demartini, Politecnico di Torino
Aline Eid, University of Michigan
Marıa Jose Escalona Cuaresma, University of Seville
Hassan Keshavarz, PAYBACK GmbH
Rick Kuhn, NIST
Maria R. Lee, Shih Chien University
Helen C. Leligou, University of West Attica
Gianfranco Politano, Politecnico di Torino
Georgia Sakellari, University of Greenwich
Hiroyuki Sato, University of Tokyo
Jilei Tian, BMW Technology Chicago
Eirini Eleni Tsiropoulou, University of New Mexico
Bhuvan Unhelkar, University of South Florida
Bo Yu, PerceptIn
CS MAGAZINE OPERATIONS COMMITTEE
Irena Bojanova (Chair), Lorena Barba, Lizy K. John,
Fahim Kawsar, San Murugesan, Ipek Ozkaya, George Pallis,
Charalampos (Babis) Z. Patrikakis, Sean Peisert,
Balakrishnan (Prabha) Prabhakaran, Andre  Stork,
Ramesh Subramanian, Jeff Voas
CS PUBLICATIONS BOARD
Greg Byrd (Interim VP of Publications), Terry Benzel,
Irena Bojanova, David Ebert, Dan Katz, Shixia Liu,
Dimitrios Serpanos, Jaideep Vaidya, Ex officio: Robin Baldwin,
Nita Patel, Melissa Russell
IT PROFESSIONAL STAFF
Senior Journals Production Manager: Kristin Falco LaFleur
Peer Review Administrator: [email protected]
Periodicals Portfolio Senior Manager: Kimberly Sperka
Content Quality Assurance Manager: Jennifer Carruth
Director of Periodicals & Special Projects: Robin Baldwin
Senior Advertising Coordinator: Debbie Sims
IEEE Computer Society Executive Director: Melissa Russell
IEEE PUBLISHING OPERATIONS
Senior Director, Publishing Operations: Dawn Melley
Director, Editorial Services: Kevin Lisankie
Director, Production Services: Peter M. Tuohy
Associate Director, Editorial Services: Jeffrey E. Cichocki
Associate Director, Information Conversion
and Editorial Support: Neelam Khinvasara
Senior Manager, Journals Production: Patrick Kempf
COMPUTER SOCIETY OFFICE
IT PROFESSIONAL
c/o IEEE Computer Society
10662 Los Vaqueros Circle, Los Alamitos, CA 90720 USA
Phone +1 714 821 8380; Fax +1 714 821 4010
Website: www.computer.org/itpro

Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in
IT Professional does not necessarily constitute endorsement by IEEE or the IEEE Computer Society. All submissions are subject to editing for
style, clarity, and length. IEEE prohibits discrimination, harassment, and bullying. For more information, https://www.ieee.org/about/corporate/
governance/p9-26.html. Circulation: IT Professional (ISSN 1520-9202) is published bimonthly by the IEEE Computer Society. IEEE Headquarters,
Three Park Ave., 17th Floor, New York, NY 10016 USA; IEEE Computer Society Publications Office, 10662 Los Vaqueros Cir., Los Alamitos, CA
90720 USA, phone +1 714 821 8380; IEEE Computer Society Headquarters, 2001 L St., Ste. 700, Washington, D.C. 20036 USA. For missing/
damaged copies, contact: [email protected]. Subscribe to IT Professional by visiting www.computer.org/itpro. Reuse Rights and
Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for profit; 2)
includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-
party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their
own web servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen
of the posted copy. An accepted manuscript is a version that has been revised by the author to incorporate review suggestions, but not the
published version with copyediting, proofreading, and formatting added by IEEE. For more information, please go to: https://www.ieee.org/
publications/rights/author-posting-policy.html. Permission to reprint/republish this material for commercial, advertising, or promotional
purposes or for creating new collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual
Property Rights Office, 445 Hoes Lane, Piscataway, NJ 08854 USA or [email protected]. Copyright © 2023 IEEE. All rights reserved.
Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of
patrons, provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222
Rosewood Dr., Danvers, MA 01923 USA. Postmaster: Send undelivered copies and address changes to Internet Computing, 445 Hoes Ln.,
Piscataway, NJ 08855 USA. Periodicals postage paid at New York, NY, and at additional mailing offices. Canadian GST #125634188. Canada
Post Corporation (Canadian distribution) publications mail agreement number 40013885. Return undeliverable Canadian addresses to PO
Box 122, Niagara Falls, ON L2E 6S8 Canada. Printed in the USA.

www.computer.org/itpro
 EDITOR: Amir Dabirian, [email protected]
DEPARTMENT: IT TRENDS
Employer Branding: The Impact of COVID-19
on New Employee Hires in IT Companies
Hoda Diba , Luleå University of Technology, 14 SE-971 87, Luleå, Sweden
O
ne of the most crucial resources that technol-
ogy companies depend on is a talented team.
Dealing with the high turnover rate in the IT
industry makes it increasingly difficult to maintain the
talent level required for those organizations to pros-
per.9,13 Fierce competition in the IT sector has led to a
high turnover rate. Due to the rapid pace of technical
breakthroughs and the ongoing evolution of the IT busi-
ness, there is a significant demand for IT specialists.
With such a high level of mobility in the workforce due to
this demand, IT workers can readily explore new career
prospects. Wilson and Furlonger18 also emphasized how
employees may look for new challenges and greater pay
due to technology’s tendency to change quickly.
On top of that, IT professionals are more than likely
to leave their current job when they don’t like the firm’s
working conditions. This has particularly become an
issue in the COVID-19 era15 as more employees have
transitioned to remote work, allowing them to manage
their time on their own terms. The transition created
an environment that has made attracting and retaining
employees much more difficult. Thus, IT firms are con-
stantly looking for effective strategies to attract and
recruit new talent and retain their current employees.
Organizations have experienced the positive and
negative effects of this constant hunt for greater oppor-
tunities. It damages organizations that lose talent but
benefits those that can attract talented workers. This
new talent pool consists of first-time applicants and
seasoned experts looking for new possibilities. As a
result, businesses need to find strategies to draw in new
employees and retain their current ones. In this study,
the focus is on how companies draw in new employees.
When assessing IT employers, IT professionals typi-
cally consider eight values.8 These eight values were
identified through a content analysis of 26,460 new
employee reviews. The employee reviews were written
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3321926
Date of current version 3 November 2023.
4 IT Professional Published by the IEEE Computer Society
by recent hires who had been with their company for
less than a year. The study tried to determine which
values are most significant to these workers and make
suggestions to IT companies on how to use employer
brand value propositions to draw in and keep IT talent
after COVID-19.
EMPLOYER BRANDING
Employer branding is the development of a unique and
attractive organizational identity that attracts, retains,
and motivates employees. It refers to developing and
promoting an organization’s distinctive image and rep-
utation as an employer of choice. It encompasses a
firm’s efforts to communicate to existing and prospec-
tive staff members that it is a desirable workplace.2
Effective employer branding leads to luring top talent,
enhancing employee engagement and retention, boost-
ing organizational performance, and more. Employer
branding refers to creating and maintaining an organiza-
tion’s reputation as an employer of choice.2,7,8 An organi-
zation does this by crafting a distinct identity that
represents the organization’s culture, values, and mis-
sion and showcasing this to potential employees, cur-
rent employees, and the public. Employer branding is a
strategic approach aimed at attracting and retaining top
talent in a competitive job market by creating a positive
image of the organization as a great workplace. This can
include promoting the organization’s employee benefits,
perks, and development opportunities and highlighting
its diversity and inclusion initiatives, social responsibility
efforts, and workplace culture.
Effective employer branding can result in higher lev-
els of employee engagement, improved retention rates,
and a more robust talent pipeline.1 It can also help organ-
izations differentiate themselves from their competitors
and position themselves as leaders in their industry.
In addition to the brand image an employer wishes
to convey, there is the reality of what existing and
future employees perceive about the employer. The
degree to which a firm’s brand identity14 matches
those perceptions determines the brand’s impact in
September/October 2023

the market. Employees use technologies such as Web
2.012 in the form of electronic word-of-mouth on social
media and online employer review sites to discuss
work-related experiences across organizations, which
changes the expectations and assessments of their
workplace. IT firms must understand this new world of
online employer branding to manage their public brand
to attract new talent. As such, analyzing the percep-
tions and responses of first-year employees can be a
valuable approach to identifying how well the intended
brand perception matches perceived reality.
Studying the reactions and opinions of newly
acquired IT talent, particularly first-year employees, is a
vital endeavor that can offer valuable insights into the
effectiveness of an organization’s employer branding
efforts and the alignment between employee expec-
tations and actual experiences in the workplace.
Research has shown that employees’ initial impres-
sions of an organization, formed through its reputation
and employer branding, significantly influence their
work environment expectations. Berthon et al.6 empha-
sized that effective employer branding shapes can-
didate perceptions and sets expectations for their
workplace experiences. Investigating whether first-
year IT employees’ initial impressions align with their
experiences would provide a comprehensive under-
standing of the extent to which employer branding
accurately portrays the organization’s culture, values,
and opportunities. By examining whether work environ-
ment expectations have been met, organizations can
identify gaps, strengths, and areas for improvement in
their onboarding and employer branding strategies.
This research can enhance employee satisfaction,
engagement, and retention, ultimately creating a posi-
tive and productive work environment that aligns with
the expectations set through effective employer brand-
ing efforts, thereby contributing to employees’ willing-
ness to stay with the firm.3
EMPLOYEE ACQUISITION,
RETENTION, AND COVID-19
Companies face several obstacles when acquiring and
retaining talent; IT companies are no exception. As dis-
cussed by Beechler and Woodward,5 these challenges are
due to a combination of influencing factors related to the
quantity, quality, and characteristics of said talent. These
factors include global demographic and economic trends,
increasing mobility of people and organizations, trans-
formational changes to business environments, skills and
cultures, and growing levels of workforce diversity.
In addition, the IT industry has other challenges, pri-
marily due to the nature of the industry. The IT sector
September/October 2023
IT TRENDS
suffers from a skill shortage,19 which is a global issue;
competition for talent among employers; changing
employee expectations, particularly after COVID-19;
skill mismatch; job hopping, which is prevalent in the IT
sector; heavy workload and its resulting burnout; and
professional development.
High demand for IT professionals is another chal-
lenge that has affected salaries and benefits packages
by raising costs. As a result, small and medium-sized IT
companies may need help to attract and retain top
talent because they may not be able to offer the same
level of compensation as larger companies. A Society for
Human Resource Management16 study found that 83%
of IT companies reported difficulty recruiting suitable
candidates due to competition from other employers.
In addition to these challenges, the COVID-19
pandemic has produced other problems. Instead of
face-to-face interactions and collaboration being the
norm in traditional work environments, the COVID-19
pandemic necessitated a rapid shift to remote work
arrangements, challenging these established norms
and expectations. In addition, employees’ expectations
have evolved to include greater flexibility, technology-
enabled remote collaboration tools, and adaptability.
These pandemic-induced changes accelerated the
acceptance of virtual work environments, prompting
organizations to modify their structures and policies
to accommodate hybrid work models. The transition
to remote work in response to the pandemic has sig-
nificantly affected recruitment and retention efforts.
Remote work may make retaining existing employees
more challenging because they may feel isolated and
less engaged with the organization. Remote work has
also lifted limitations related to the need for physical
proximity to the work location. As such, the competi-
tion for top talent has become more intense because
geography is no longer a limiting factor.
Although the challenge of increased competition
for talent is due to high demand, as mentioned earlier,
it should also be noted that the pandemic has added
to these difficulties as organizations across industries
have shifted to remote work, creating a more global tal-
ent pool. As a result, IT organizations face increased
competition for talent from other organizations in the
industry and different sectors.
These challenges highlight the need for IT organiza-
tions to adapt their recruitment and retention strate-
gies in response to these postpandemic realities. This
may include rethinking traditional recruitment meth-
ods, finding new ways to engage remote workers, and
developing strategies to compete for talent in a more
global market. This creates additional emphasis on
each company’s branding.
IT Professional 5
IT TRENDS
DATA COLLECTION AND ANALYSIS
Glassdoor.com is an online labor market intermediary
that allows its users to review companies they have
worked for and their management anonymously.17
Glassdoor is currently the most popular company
review site. As in previous academic studies, Glassdoor
was used as a data source.17 Glassdoor’s “Company
Reviews” section features six mandatory fields that
reviewers complete. In addition, they are encouraged
to enter text information, including “pros” (likes, praises)
and “cons” (dislikes, complaints.) Glassdoor has a five-
star rating system for each company in the following
categories: career opportunities, compensation and
benefits, work–life balance, senior management, cul-
ture and values, diversity and inclusion, and an overall
rating. The diversity and inclusion rating is new (added
after our initial study before COVID-19); therefore,
before COVID-19, data on this issue were unavailable.
Similar to a previous study, Glassdoor.com was
used10 to identify the 10 top IT firms that con-
stantly scored with high ratings in the past five years
(2017–2022) and the five IT firms with the lowest ratings
(see Table 1). Those companies were analyzed to
understand the factors that IT employees care about
in their evaluation of an employer brand. Glassdoor
reports on the best and worst companies annually.
TABLE 1. Glassdoor’s top and bottom IT firms. (Source:
Glassdoor.com.)
IT Companies
Adobe
Apple
Cisco Systems
DocuSign
Google
Top LinkedIn
Microsoft
Nvidia
Salesforce
Zoom Video
Communications
Spectrum
CDK Global
Bottom CompuCom
Frontier Communications
Xerox
6 IT Professional
Data scraped using a web crawler for these compa-
nies included all positive and negative reviews, contain-
ing pros and cons. The resulting dataset featured 94,365
employee reviews. The reviews were split into two
groups: before COVID-19 (1 January 2017–29 February
2020) and after COVID-19 (1 March 2020–31 December
2021). Of these 94,365 reviews, 73,456 were related to
the top companies, with 31,235 reviews before COVID-19
and 42,221 after COVID-19. In addition, there were 20,909
reviews of bottom companies, with 8042 before COVID-19
and 12,867 after COVID-19. For this study, the data for
new employees (those who worked in their respective
workplaces for less than a year) were separated.
Similarly, these reviews by new employees were
split into two groups, before and after COVID-19. Of the
26,460 reviews associated with new employees, 21,127
involved the top companies, further broken down into
two sets: 4691 reviews before COVID-19 and 16,436 after
COVID-19. The remaining 5333 reviews were about the
bottom companies, again broken down into 1825 reviews
before COVID-19 and 3508 after COVID-19. To effec-
tively analyze this volume of data, the use of technology
was necessary. The artificial intelligence engine IBM
Watson Explorer uses natural language processing and
deep learning to analyze text.11 It was used to analyze
the data (the content of the collected reviews), developing
a dictionary based on eight employer value propositions
(Table 2) informed by the existing literature.3,4,6,7,8,20
Table 3 demonstrates top- and bottom-rated IT
companies’ ratings before and after COVID-19. It is
important to note that Glassdoor only requested
responses covering five categories for new hires before
COVID-19, but after COVID-19, Glassdoor added another
category (diversity and inclusion). Therefore, there are
no results available for this category before COVID-19.
One result that can be easily observed is that employ-
ees’ satisfaction with their work and their employer has
increased overall and in every category for the bottom
IT companies, even slightly higher when compared to
our previous study results. However, this was not the
case for the top companies. They showed a decline in
every category analyzed, demonstrated by negative
changes in their ratings. Therefore, the employees of
the bottom-rated companies expressed more positivity
after COVID-19 in almost every category and overall,
in contrast to the top companies, which received
more negative reviews after COVID-19. In addition,
the “Career Opportunities (Development)” category dis-
played the highest positive change (7%) among catego-
ries for the bottom companies. Conversely, it had the
opposite outcome for the top companies, displaying
the most significant negative change alongside the
“Work–Life Balance” category: a 4% decrease.
September/October 2023
 IT TRENDS

TABLE 2. Definition of eight employer branding value propositions.8

Employer Value Propositions for Employer Branding

Social Social value refers to the gratification that IT employees gain from working with others.
Employees cared strongly about an organizational culture that focuses on people, talented
colleagues, and a team approach to problem solving.
Interest Employees of IT companies evaluated the interest value of their work based on how
challenging and achievable their specific tasks and job requirements were.
Application Application value manifested itself as “the importance of the knowledge and skills of IT
employees are applied in a meaningful way.” This encompassed contributing to the
success of their employer and providing high-quality and innovative products and services
to customers.
Development IT professionals showed a concern with opportunities for lateral or vertical career growth
and professional development opportunities.
Economic IT employees’ comments about economic value were primarily concerned with
compensation and various types of employee benefits, such as medical or dental benefits,
holidays, “unconventional” perks such as “free food,” and others.
Management Current and former IT employees assessed their employers based on the leadership
qualities of their superiors, including but not limited to their managers’ competence,
having a strong vision, and being able to motivate and inspire others.
Work–life balance IT professionals emphasized their desire to balance work-related with nonwork-related
commitments, such as family, leisure activities, or volunteering, and praised how “flexible
working hours” enable them to meet these obligations.
Brand image Although brand identity describes the brand a firm intends to portray, brand image is
how the brand is perceived through the eyes of its target audience. Here, brand image is
defined as how employees perceive the company brand as an employer. In their reviews,
IT professionals expressed their desire to work for an exciting, “cool,” or “hip” company in a
great location.

A total of 21,127 user reviews regarding the top
companies and 4333 reviews for the bottom companies
were analyzed. The results were grouped and classified
based on the eight value propositions explained in this
article and extensively in previous studies.8 Table 4
compiles the percentage calculations for the top and
bottom companies, including praise and complaints,
before and after COVID-19. The results are displayed in
two sections. The values on the left side are based on
the top-performing IT companies, and those on the right
are based on the bottom-performing IT companies. In
each section, the data have been split between praise

TABLE 3. Star rating comparison of top and bottom IT companies before and after COVID-19.

Top IT Companies Bottom IT Companies

Before After Difference Before After Difference
Star Ratings COVID-19 COVID-19 (%) COVID-19 COVID-19 (%)
New Culture and values 4.34 4.2 3 2.77 2.93 5
employees (social)
Career opportunities 4.11 4.02 4 2.75 2.96 7
(development)
Compensations and 4.27 4.13 3 3.11 3.3 6
benefits (economical)
Senior management 3.96 3.87 2 2.5 2.67 6
(management)
Work–life balance 4.12 3.95 4 3.03 3.04 0
Diversity and inclusion 0 4.17 100 0 3.62 100
Overall star rating (%) 4.3 4.4 2 2.88 3.15 9

September/October 2023 IT Professional 7

IT TRENDS

Difference and complaints, followed by a further breakdown of

(%) before COVID-19 (1 January 2017–29 February 2020) and
4
1

1
3

0
0
3

0
after COVID-19 (1 March 2020–31 December 2021).
As expected, the results for the top and bottom com-
Complaints

panies differed. In addition to the percentages relevant

COVID-19
After

to each value proposition, Table 4 displays the catego-

(%)
10
14

8
22

17
12
6

11
ries with the most significant changes (identified by
different colors). They demonstrate the percentage of
COVID-19

change observed for each value proposition category.

Bottom IT Companies

Before

(%)

After COVID-19, the most notable of these changes

9
15
14

8
7
8
23

16
were related to the “Social” and “Work–Life Balance”
categories and, to a lesser degree, the “Interest” and
“Application” categories. For top-performing compa-
Difference
(%)

nies, brand image slightly improved, with a 2% increase

4
2

1
0
1
5
0

in praise. The rest of the categories regarding praise

remained relatively similar. However, there were some
significant changes in complaints. The “Social” and
COVID-19
Praises
After

“Work–Life Balance” categories had the biggest shifts:

(%)
21
12

28

12
5
8

3
10

7% and 6%, respectively. That is, employees’ com-

plaints regarding the social aspect of their jobs was
COVID-19

reduced by 7%. On the other hand, complaints

Before

(%)

increased by 6% regarding their work–life balance, pri-

4
16

23
22

3
11

13

marily due to the lack of separation of work from life.

Other categories changed too, mainly the “Application”
TABLE 4. Praise and complaints about top and bottom IT companies before and after COVID-19.

and “Management” categories, with an increase in

Difference

complaints, versus the “Development” and “Economical”

(%)

2
7

6
1

categories, which faced a decrease. For bottom-

performing companies, praise increased for the
Complaints

“Economical” category by 5%. The other category with a

COVID-19
After

significant change was “Interest,” with a 4% decrease.

(%)

18

26
9
6

16
10

11

The “Social” category also changed but to a lesser

degree, with a 2% decrease in praise. Not surprisingly,
regarding complaints, the “Social” category changed too,
COVID-19
Before
Top IT Companies

(%)

with a 4% decrease. This was the most significant change

17
18

7
3
13
11
6

27

in complaints among the bottom-rated companies.

Praise and complaints regarding the “Interest” category
decreased. Other changes occurred in the “Application”
Difference

and “Work–Life Balance” categories, with both having a

(%)
1

1
1

2
0

1
0
0

3% increase in complaints. The increase in work–life bal-

ance complaints could indicate COVID-19’s negative
impact on employees. These changes could be attrib-
COVID-19
Praises
After

uted to the increased remote work and hybrid work

(%)
27
16
2
6
19
2
11

18

structure. The work–life balance value proposition simi-

larly had a negative impact on the bottom companies.
COVID-19

To summarize, for the top-performing companies,

Before

(%)

the most significant changes involved the value propo-

27
16

16
3

11
7
17

sitions of social and work–life balance, with the former

being affected positively with fewer complaints and
Development

the latter negatively with increased complaints. On the

Management

Brand image
Economical
Application
Employees

other hand, the bottom-performing companies had

Work–life
balance
Interest

increased praise for the “Economical” category and

Social
New

decreased praise for the “Interest” category, followed

by a decrease in social complaints.

8 IT Professional September/October 2023


These results demonstrate interesting changes in
employees’ attitudes and viewpoints regarding their
employers and places of employment. These changes
should be studied and analyzed in more detail because
companies need to be sensitive to employees’ shifting
expectations.
The COVID-19 pandemic has significantly affected
the IT industry and its workforce, reshaping employees’
attitudes, and expectations and subsequently influenc-
ing their employers. Remote work became a norm,
causing a paradigm shift in how IT professionals view
their jobs and workplaces. Many employees have expe-
rienced the benefits of remote work and have devel-
oped a preference for flexible work arrangements that
offer a better work–life balance. Additionally, the pan-
demic underscored the importance of job security, with
many people facing uncertainties in the job market.
REFERENCES
1. T. Ambler and S. Barrow, “The employer brand,”
J. Brand Manage., vol. 4, no. 3, pp. 185–206, Dec. 1996,
doi: 10.1057/bm.1996.42.
2. K. Backhaus and S. Tikoo, “Conceptualizing and
researching employer branding,” Career Develop. Int.,
vol. 9, no. 5, pp. 501–517, Aug. 2004, doi: 10.1108/
13620430410550754.
3. J. Barney, “Firm resources and sustained competitive
advantage,” J. Manage., vol. 17, no. 1, pp. 99–120,
Mar. 1991, doi: 10.1177/014920639101700108.
4. S. Barrow and R. Mosley, The Employer Brand:
Bringing the Best of Brand Management to People
at Work. Hoboken, NJ, USA: Wiley, 2011.
5. S. Beechler and I. C. Woodward, “The global ‘war for
talent’,” J. Int. Manage., vol. 15, no. 3, pp. 273–285,
Sep. 2009, doi: 10.1016/j.intman.2009.01.002.
6. P. Berthon, M. Ewing, and L. L. Hah, “Captivating
company: Dimensions of attractiveness in employer
branding,” Int. J. Advertising, vol. 24, no. 2, pp. 151–172,
Jan. 2005, doi: 10.1080/02650487.2005.11072912.
7. A. Dabirian, J. Kietzmann, and H. Diba, “A great place
to work!? Understanding crowdsourced employer
branding,” Bus. Horiz., vol. 60, no. 2, pp. 197–205,
Mar./Apr. 2017, doi: 10.1016/j.bushor.2016.11.005.
8. A. Dabirian, J. Paschen, and J. Kietzmann, “Employer
branding: Understanding employer attractiveness of
IT companies,” IT Prof., vol. 21, no. 1, pp. 82–89,
Jan./Feb. 2019, doi: 10.1109/MITP.2018.2876980.
9. M. T. Ewing, L. F. Pitt, N. M. De Bussy, and P. Berthon,
“Employment branding in the knowledge economy,”
Int. J. Advertising, vol. 21, no. 1, pp. 3–22, Jan. 2002,
doi: 10.1080/02650487.2002.11104914.
10. “Glassdoor’s best places to work 2023 revealed.”
Glassdoor. Accessed: Feb. 24, 2022. [Online].
[email protected]
.
September/October 2023
IT TRENDS
Available: https://www.glassdoor.com/blog/best-
places-to-work-revealed/
11. R. High, The Era of Cognitive Systems: An Inside Look
at IBM Watson and How It Works, IBM Corp., New York,
NY, USA, 2012, pp. 3–6.
12. J. H. Kietzmann, K. Hermkens, I. P. McCarthy, and
B. S. Silvestre, “Social media? Get serious!
Understanding the functional building blocks of
social media,” Bus. Horiz., vol. 54, no. 3, pp. 241–251,
May/Jun. 2011, doi: 10.1016/j.bushor.2011.01.005.
13. R. Mosley, “CEOs need to pay attention to employer
branding,” Harvard Bus. Rev., vol. 11, May 2015.
[Online]. Available: https://hbr.org/2015/05/ceos-need-
to-pay-attention-to-employer-branding
14. S. Nandan, “An exploration of the brand identity-
brand image linkage: A communications perspective,”
J. Brand Manage., vol. 12, no. 4, pp. 264–278, Apr. 2005,
doi: 10.1057/palgrave.bm.2540222.
15. A. Nelke, “Impact of the COVID-19 pandemic on
corporate employer branding,” Technium Social Sci. J.,
vol. 16, pp. 388–393, Feb. 2021, doi: 10.47577/tssj.v16i1.2436.
16. “Skills shortage tightens job market; 83% of HR
professionals report difficulty recruiting: SHRM
research,” Society for Human Resource Management,
Alexandria, VA, USA, 2019. [Online]. Available: https://
www.shrm.org/about-shrm/press-room/press-
releases/pages/skills-gap-research-workplace-
immigration-report.aspx
17. A. Chamberlain and M. Smart, “Why do workers quit?
The factors that predict employee turnover,”
Glassdoor, Mill Valley, CA, USA, Research Studies,
2017. [Online]. Available: https://research.glassdoor.
com/site-us/wp-content/uploads/sites/2/2017/02/
WhyDoWorkersQuit_Glassdoor.pdf
18. T. Wilson and C. Furlonger, “The war for IT talent in
the Fourth Industrial Revolution,” Int. J. Innov.,
Manage., Technol., vol. 9, no. 2, pp. 50–53, 2018.
19. “The future of jobs report 2018,” World Economic Forum,
New York, NY, USA, 2018. [Online]. Available: https://
www.weforum.org/reports/the-future-of-jobs-report-2018
20. W.-D. Zhu et al., IBM Watson Content Analytics:
Discovering Actionable Insight From Your Content,
IBM Corp., New York, NY, USA, 2014, pp. 252–260.
HODA DIBA is a Ph.D. candidate in the Department of Social
Sciences, Technology and Arts, Division of Business Adminis-
tration and Industrial Engineering at Luleå University of
Technology, 14 SE-971 87, Luleå, Sweden. He is also a lec-
turer at California State University, Fullerton’s Department of
Information Systems and Decision Sciences. His research
interests include employer branding. Diba received his mas-
ter’s in computer science from California State University,
Fullerton. Contact him at
IT Professional 9
 EDITOR: Tiziana Margaria,

[email protected]

COLUMN: FORMAL METHODS IN INDUSTRY

Design, Validate, Implement, and Validate:

From Dreaming Approaches to Realities
Axel Legay , Catholic University of Louvain, 1343, Louvain-La-Neuve, Belgium

This article introduces the concept of statistical model checking (SMC). This approach
elegantly combines the concepts of formal verification and formal models with those
of simulation. The article also illustrates the potential of the approach in various
applications, ranging from validating complex requirements to secure goal planning.

C
omputer systems play a major role in our every-
day life. The citizens can observe it directly
through computers and other telephones pre-
sent in our homes. However, the major role of informa-
tion systems is in decision-making processes ranging
from payroll management and employee evaluations to
the automation of strategic processes for companies
and public authorities. With the arrival of generative
artificial intelligence (AI), this situation will amplify. For
all these reasons, it is essential that information sys-
tems behave correctly and that this is duly verifiable
and provable.
To achieve this objective, European and American
agencies (among others) are developing various certifi-
cation processes that depend on the type and sensitiv-
ity of the system. All these methodologies have one
thing in common: the deployment of techniques for
validating the functional and nonfunctional require-
ments of the system from the design stage.
If it is certain that certain problems can only be
detected during the implementation (for example, secu-
rity flaws due to the choice of language) and that the
compliance of the implementation with its specifica-
tions must be validated by means of tests. It is, how-
ever, strategic to validate (part of) the system as soon
as it is designed. Indeed, detecting all the problems dur-
ing implementation would be too expensive and would
require reversing the entire system design process.
The first approach used to validate the conformity
of a system is simply to test it. This approach is widely
deployed in companies, and it is often combined with
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3314327
Date of current version 3 November 2023.
powerful AI techniques. However, it is considered
insufficient in the process of strategic certifications
because 1) it makes it possible to detect bugs but gives
little certainty about their possible absence; 2) it allows
us to validate only trivial properties and it ignores, for
example, causalities between events; and 3) the results
vary as soon as parallelization is present, which is com-
mon for “multicomponent” systems.
Another way to validate a system is to use formal
methods whose objective is to detect all the bugs or
even to prove their total absence. In this context,
model checking (MC)2 plays a major role. This approach
explores all behaviors of the system via complex enu-
meration techniques. To achieve this objective, MC rep-
resents the behaviors of components of the system by
directed graphs called a transition system (TS). There,
nodes represent states and links represent transitions
between states. Those links can be decorated with
information, which makes it possible, for example, to
synchronize the TS of several components of the same
system, or even the time that passes to change the
state and/or the probability that this change occurs.
The requirements of the system are then represented
by so-called linear temporal logic (LTL) formulas, which
make it possible to issue hypotheses on the (sequences
of) states of the system.
As an example, Figure 1 shows an extended TS
where behaviors depends on both nondeterministic
and stochastic action. The system is equipped with
two states (S0, labeled by local property
w, and S1,
labeled by local property w) and five transitions. The
edge between S0 and S1 means that the environment
follows an action a1, and then the system goes to state
S1 with probability 1
p1 (which may, for example, repre-
sent the guarantee on the hardware). The temporal

10 IT Professional Published by the IEEE Computer Society September/October 2023

 FORMAL METHODS IN INDUSTRY

Another problem is that MC is considered too complex

by manufacturers that do not understand how it works.
Thus, the MC is often seen as an expensive black box
whose result (presence or absence of bugs) cannot
be interpreted. This situation is problematic as projects
like the Automated Rapid Certification Of Software
(ARCOS) program,a which shape a part of the U.S. military
certification process, recommend the use of formal
methods in validation processes.
It is therefore necessary to find a compromise
among what manufacturers understand, the power of
formal validation, efficiency of the approach, and the
requirements of certification processes. This compro-
mise exists, taking the form of a combination of indus-
trial simulations, mathematical models, and runtime
monitoring of requirements. It is called statistical model
FIGURE 1. An extended TS with X(wÙXGt
w) taken from
checking (SMC).
D’Argenio et al.1

SMC: BETWEEN FORMAL

VALIDATION, TEST, AND
logic property X(wÙXGt
w) makes use of the linear INDUSTRY PRACTICES
temporal operators next (X) and globally (G). Intuitively,
SMC3 is based on a well-known industrial process:
the property states that on the next step,
w will be
“model simulation.” The idea is simple: given a set of
true and, on the step after that, w will be remain true
TSs that represent a system, SMC generates execu-
for t þ 1 time steps. The property is satisfied by the
tions of the systems (taking the product on the fly from
sequence of states S0S1S0So … . If p1 > p2, the maxi-
the components) and validates them against require-
mum probability for s0s1 is achieved with action a2,
ments with runtime monitoring approaches. Then, a sta-
while the maximum probability for s0s0 is achieved
tistical algorithm like Monte Carlo is used to estimate
with action a1.
the probability of satisfying the requirement as well as
It is important to note that the creation of a TS and
the confidence that can be attached to it. The number
logic formulas is not always obvious and remains a
of simulations needed to converge depends on the trust
stumbling block for industry engineers. However, in
that one wants to put in the answer of the algorithm.
recent years, AI and ontology techniques have made
SMC can be seen as a compromise between test/
progress in automating this process. AI has shown its
simulation and formal verification. Indeed, SMC uses
ability to validate complex systems. Moreover, recent
formal models for the components and the require-
works allow to apply it directly on the implementation
ments. But, like testing, SMC limits the number of
of the system through complex synthesis mechanisms.
behaviors it observes. However, contrary to testing,
MC has been applied on a wide range of cases for
one of the main advantages of SMC is that its statistics
which it proved its utility.
engine makes it possible to calibrate the number of
However, although MC has been adopted by certifi-
simulations to be computed according to the time
cation bodies and even some companies, the approach
available and the precision that one wishes to achieve.
suffers from two major problems. The first is called
As a compromise, SMC can be used both to prove the
state-space explosion. Indeed, if the state space (the
absence of bugs and to find them. This makes it the
number of nodes) of each component is generally rela-
ideal companion for the industrial engineer.
tively small, the state space of the system may explode
SMC, which is implemented in professional tools
as it is obtained by taking the product of the graphs.
such as UPPAAL, has been applied in many situations.4
Thus, composing three components of 100 states each
As an example, the approach was used in aviation
can lead to a system of a million states. Techniques
to validate the synchronization of wireless systems
such as abstraction or partial order have been devel-
whose size was out of scope of MC. There, SMC was
oped in the academic world to counter this problem.
able to detect synchronization bugs that could not be
However, these too-complex techniques have not been
adopted by manufacturers. Moreover, they are rarely a
https://www.darpa.mil/program/automated-rapid-certification-
effective when quantities such as time come into play. of-software

September/October 2023 IT Professional 11

FORMAL METHODS IN INDUSTRY
FIGURE 2. The DALI concept. Taken from Colombo.4
highlighted with engineering inspections. Other exam-
ples include railway, automotive, and space applica-
tions. In addition to being used in industry (formally or
not), the approach has been promoted in many Euro-
pean projects, where it has contributed to create a link
between academic contributions and industrial appli-
cations, and thus to consolidate the bridges between
these two worlds.
The SMC approach is considered to be so efficient
that it has even been promoted for the validation of
biological systems (e.g., for the prediction of treatment
results depending on the chosen potiology) in CMACSb
(see http://cmacs.cs.cmu.edu/), one of the largest proj-
ects in the National Science Foundation led by Ed
Clarke (Turing Prize in Computing 2008) Beyond its
purely validating character, SMC can also be used in
more exotic processes. For example, the devices for
assisted living (DALI) project5 used a combination of
SMC with planning processes to guide an elderly per-
son in a shopping mall (see Figure 2). The objective of
DALI was to ensure that the person would visit all the
stores they wanted (long-term objectives), but also that
they would not encounter any disturbing events in their
environment. This short-term objective includes any
user preference, such as getting too close to a group of
young people or a dog. In this context, SMC is used
throughout the guidance to verify on the fly that the
b
See http://cmacs.cs.cmu.edu/
12 IT Professional
long-term planner guarantees the preferences of the
person within a short neighborhood (5 m) with the
highest possible probability: in short, that the best
comfort is guaranteed for a person during their entire
visit to the shopping center. Other similar experiments
use SMC to verify on the fly that the decision made by
an autonomous vehicle is the least risky possible.
However, despite its obvious usefulness, SMC itself
is the victim of criticism and difficulties. As an example,
the number of simulations needed to achieve good
accuracy may be too high, which might put SMC out of
sensitive applications such as automotive guidance,
where decisions need to be taken instantaneously.
Moreover, simulating a system can take time, even if it
is a model. For example, simulating the life of a biologi-
cal organism to the nearest thousandth of a second is
not easy. There are also industries that remain resis-
tant to SMC because they think they are already doing
it and that there is no reason to invest in new research
in this area. This perception is quite understandable.
Indeed, when one reads the functional description of
SMC, one might wonder what novelty is brought to
manufacturers and what the differences are compared
to well-adopted simulation processes. The answer lies
in the fact that the SMC approach exploits two impor-
tant characteristics from the formal world, namely, the
TS and the runtime monitoring of LTL properties.
First, these representations make it possible to
define new processes that increase the efficiency of
September/October 2023
 FORMAL METHODS IN INDUSTRY

the algorithm by quickly and efficiently generating sim- Given its simplicity and the services it provides, this
ulations according to the properties to be validated. approach has been widely adopted by the industry and
This, for example, is the case with importance splitting promoted by the academic community. This provides a
techniques, which guide the simulation by using the solid foundation to allow SMC to evolve in the future.
structure of the property, and the causality between
the interactions within the system (for example, the THE FUTURE OF SMC
relationship among components involved in the prop- In the previous section, the application of SMC on
erty) to “go” toward the places where the bug is most formal models was extensively discussed. However,
probable. Currently, a lot of research works focus on nothing prevents the application of SMC directly on
the efficiency of the statistical algorithm. In addition to implementations. The only prerequisite being that one
the exploitation made from the link with a TS and LTL, can give semantics in the form of a TS to the imple-
research is also being carried out to replace the Chern- mentation (the latter does not need to be calculated
off bound, the basis of Monte Carlo, with more efficient
and already exists from testing/MC methods applied to
approaches such as stopping algorithms. Other work
code) and that the runtime validation process exists
focuses on speeding up individual simulations as well
for the language under consideration. There exists initial
as exploiting distributed architectures to produce more
work on applying SMC to validate C code. Thus, SMC
simulations without biasing the process (which could
can be the engineer’s companion, both at the level of
happen if a machine were either faster or more oriented
validation to design and validation to implementation.
than another one).
Many of the benefits of SMC and much future work
A second strength of SMC, which is common to MC,
have already been covered. As with any formal-based
lies in the power of the expressiveness of TS and LTL
approach, the biggest challenges of the approach
formulas. Indeed, through extensions such as timed
will remain its industry acceptance and continued inte-
automata or Markov decision processes, a TS makes it
gration into verification processes. These challenges
possible to represent in a standardized way an abstrac-
cannot be solved by research alone. Collaboration,
tion of the behavior of complex systems. It follows that
dissemination, and training will be the keywords to
any result obtained on a TS can be verified by other
achieve its objective.
teams independently and indisputably. Currently, there
is a lot of work that focuses on the application of SMC
to extensions of a TS. A strong focus is on systems that
REFERENCES
combine probabilistic actions with nondeterministic
1. P. R. D'Argenio, A. Legay, S. Sedwards, and L.-M.
choices coming from an unknown environment. Current
Traonouez, “Smart sampling for lightweight verification
work is all moving toward combinations of SMC to pro-
of Markov decision processes,” Int. J. Softw. Tools
cess system validation with AI algorithms to predict the
Technol. Transfer, vol. 17, no. 4, pp. 469–484, Aug. 2015,
most (un)favorable nondeterministic behavior to the
doi: 10.1007/s10009-015-0383-0.
system. This prediction makes it possible to synthesize
2. E. M. Clarke, O. Grumberg, D. Kroening, D. A. Peled,
in which context the system can be used in a safe way.
and H. Veith, Model Checking, 2nd ed. Cambridge, MA,
A third strength of SMC is that it relies on runtime
USA: MIT Press, 2018.
verification techniques to verify LTL and LTL exten-
3. A. Legay, A. Lukina, L.-M. Traonouez, J. Yang, S. A.
sions. These techniques are robust, subject to spinoffs
Smolka, and R. Grosu, “Statistical model checking,”
(which guarantee long term studies), and apply to both
in Computing and Software Science. Springer-Verlag,
models and code. It also means that SMC is constantly
2019, pp. 478–504.
adapting to new types of properties (such as inclusion
4. K. G. Larsen and A. Legay, “30 years of statistical
of real time, cost of execution, and so on). Moreover,
these runtime techniques quickly make it possible to model checking,” ISoLA, vol. 12476, pp. 325–330, 2020.
either produce a state sequence, which shows a failure 5. A. Colombo, D. Fontanelli, A. Legay, L. Palopoli, and
of the system, or to extract a set of sequences con- S. Sedwards, “Efficient customisable dynamic motion
forming to the specification of the latter. Currently, the planning for assistive robots in complex human
work focuses on AI processes which, from a set of bug- environments,” J. Ambient Intell. Smart Environ., vol. 7,
free traces, can synthesize an LTL that represents no. 5, pp. 617–634, 2015, doi: 10.3233/AIS-150338.
them. Such a formula can then be used to refine the
requirements satisfied by the system. AXEL LEGAY is a professor of cybersecurity and software
As seen in this section, SMC combines the best engineering at Catholic University of Louvain, 1343, Louvain-
of formal methods, runtime verification, and statistics. La-Neuve, Belgium. Contact him at [email protected].

September/October 2023 IT Professional 13

 EDITOR: Stephen J. Andriole, [email protected]

COLUMN: LIFE IN THE C-SUITE

How Competitive Are You?

Stephen J. Andriole , Villanova School of Business, Villanova, PA, 19085, USA

C-suites should formalize the competitive intelligence function with a well-funded,

full-time, dedicated team, which should be invited into whatever strategic planning
processes exist at their companies. Tactical intelligence should impact the immediate
go-to-market processes, while strategic intelligence should shape products and services
to be offered over the next 2-3 years. Competitive intelligence is a profession with
methods, tools, techniques, technologies, certifications, associations, publications,
conferences, and podcasts—all necessary to effectively compete in the marketplace.

A
ll executives are competitive. They generally
see “business” as a blood sport where the best
products and services “win” or “lose.” But the
marketplace is not the only place where product and
service wars are won. Sometimes they’re won by just
watching and studying what their competitors are
doing.
Here are five questions:
1) Can you name all of your competitors?
2) Do you know what your competitors are doing?
3) Do you know what your competitors are planning?
4) Do you know who the “new entrants” are?
5) Does “competitive intelligence” influence your
strategy and tactics?
If you answer “no” to any of these questions, you’re
missing huge tactical and strategic opportunities. You’re
also risking some unpleasant calls from board members
when they see the competition doing some things
that make them nervous. Major risk comes from “new
entrants,” the competitors who sneak around until
they’re ready to pounce on market leaders.
COMPETITIVE INTELLIGENCE
To answer the aforementioned five questions, compa-
nies need to treat “competitive intelligence” as an
ongoing part of their strategic planning process. But
what is competitive intelligence?
Bloomenthal1 defines it this way:
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3314326
Date of current version 3 November 2023.
“Competitive intelligence, sometimes referred
to as corporate intelligence, refers to the ability
to gather, analyze, and use information col-
lected on competitors, customers, and other
market factors that contribute to a business’s
competitive advantage. Competitive intelli-
gence is important because it helps businesses
understand their competitive environment and
the opportunities and challenges it presents.
Businesses analyze the information to create
effective and efficient business practices.”
He also recognizes two “silos” of competitive
intelligence:
“Competitive intelligence activities can be
grouped into two main silos: tactical and strate-
gic. Tactical intelligence is shorter-term and
seeks to provide input into issues such as cap-
turing market share or increasing revenues.
Strategic intelligence focuses on longer-term
issues, such as key risks and opportunities
facing the enterprise.”
Now that the stage has been set, let’s talk about
what C-suites should do to conduct competitive
intelligence.
PROCESSES
There’s advice everywhere about how to conduct com-
petitive intelligence. Let’s start with how the U.S. intelli-
gence community collects intelligence on its friends
and adversaries. Executives unfamiliar with the Central
Intelligence Agency, National Security Agency, and
Defense Intelligence Agency, among other U.S. intelligence

14 IT Professional Published by the IEEE Computer Society September/October 2023


agencies, should note the intelligence process they
employ; it consists of five steps:
1) Identify the intelligence targets.
2) Collect data and information.
3) Process the data and information.
4) Analyze and produce intelligence.
5) Disseminate the intelligence.
These steps become the framework for corporate
competitive intelligence:
Targeting is important. Four of the five ques-
tions at the beginning of this article apply: Who
are your competitors? Do you know what your
competitors are doing? Do you know what your
competitors are planning? Do you know who
the “new entrants” are? The answers to these
questions are the targets of the competitive
intelligence process.
Collection is the process of finding data and
information about what existing competitors
and potential new entrants are doing and
planning. Here’s where the synergism is clear
between what U.S. intelligence agencies and
companies do. Open source data—earnings
calls, press releases, product announcements,
social media posts, sales processes, job announce-
ments, and so on—are all sources of potentially
valuable data. But companies can also collect data
and information in other ways, such as through
employees, ex-employees, Wall Street analysts, lit-
igators, venture capitalists, start-ups, and so on.
Processing is data/information integration and
analysis—also known as analytics—with which
companies are very familiar. Analytics is now
the lifeblood of many companies as it is with
the U.S. intelligence community. Note that
processing includes all “hard” and “soft” data,
otherwise known as structured and unstruc-
tured data, respectively (see the “Competitive
Intelligence Methods, Tools, Technologies, and
Platforms” section for a discussion of the tech-
nologies that enable processing).
Production refers to the reports that answer
the targeting questions: Who are your competi-
tors? Do you know what your competitors are
doing? Do you know what your competitors are
planning? Do you know who the “new entrants”
are? These “work products” are the output of
the competitive intelligence process.
Dissemination refers to the distribution of the
intelligence to all interested parties, especially
those in the C-suite.
September/October 2023
LIFE IN THE C-SUITE
The corporate competitive intelligence process
resembles the U.S. intelligence process, although it
falls well short of applying some of the tools, techni-
ques, and technologies—including balloons—that
countries use to “spy” on each other.
COMPETITIVE INTELLIGENCE
METHODS, TOOLS, TECHNOLOGIES,
AND PLATFORMS
Which methods, tools, technologies, and platforms
enable the corporate competitive intelligence process?
Because intelligence is anchored in data, all of the
current and emerging data analysis tools, technologies,
and platforms are necessary for analysis and pro-
duction. But, as always, it all begins with targeting.
Companies should rank-order their tactical and strate-
gic targets. In an era of disruption, companies should
pay special attention to new entrants or competitive
products and services that leave their swim lanes. For
example, some companies add services to their products
even though their brand is product based. Some compa-
nies add new services over time, like Amazon and all of
the cloud computing providers. When Amazon started, it
focused on books. Now it hosts a pharmacy. Airbnb,
Uber, and Lyft came out of nowhere, at least from the
perspective of the hospitality and transportation industries.
Other technologies are especially important, such
as artificial intelligence (AI); machine learning (espe-
cially natural language processing); generative AI;
social media analytics; explanatory, descriptive, predic-
tive, and prescriptive analytics; and data science,
among other existing and emerging technologies that
focus on the collection, analysis, production, and dis-
semination of intelligence.
Note also that there are lots of tools and platforms
that help support the competitive intelligence process.
“Platforms” embed methods, tools, techniques, and
technologies into applications that companies can use
to conduct the intelligence process. Some of these
platforms are designed around function, like marketing
intelligence; some around data, like social media intelli-
gence; and some around specific vertical industries,
like health care. The Gartner Group,2 for example, lists
the competitive analysis tools and platforms that many
companies use. Some companies specialize in vertical
industry competitive intelligence, such as pharmaceu-
tical and life science competitive intelligence. These
platforms collect and analyze data, and then generate
“dashboards” that present intelligence work products
that can be disseminated with a key stroke. Companies
should avail themselves of these methods, tools, tech-
niques, technologies, and platforms where it all comes
together.
IT Professional 15
LIFE IN THE C-SUITE
COMPETITIVE INTELLIGENCE
OFFICERS
Who does competitive intelligence at the company?
Remember that competitive intelligence is a profession
with methods, tools, techniques, technologies, certifi-
cations, associations, publications, conferences, and
podcasts—you name it:
“We’re the Strategic & Competitive Intelligence
Professionals, or SCIP. We’re a global non-profit
community that increases members’ impact
through advancing ethical best practices, training
and certification, and cultivating a powerful peer
community, all grounded in our Code of Ethics.”
If competitive intelligence is a profession with all
the trappings of a discipline, companies need creden-
tialed professionals to pursue competitive intelligence.
If you’re thinking about formalizing a competitive intel-
ligence office or department, you will need professio-
nals with specific skills and competencies. You need
professionals who know how to collect and “clean”
data, data “architects,” business intelligence analysts,
machine learning experts, algorithm matchers, natural
language processing experts, and those who know
how to find, learn, and exploit cloud-based platforms.
COMPETITIVE INTELLIGENCE
AND CORPORATE STRATEGY
AND TACTICS
Remember that competitive intelligence is purposeful.
Yes, companies need to snoop around their known and
future competitors for its own sake, but the real value
of competitive intelligence is the role it plays in corpo-
rate strategy, business models, and processes. The
more companies know about their current and future
competitors, the more informed their strategies, busi-
ness models and business processes will be.
Competitive intelligence has two faces. Tactical
intelligence should impact the immediate go-to-market
processes, while strategic intelligence should shape
products and services to be offered over the next 2–3
years. Some competitive intelligence, especially that
discovered from venture capitalists and start-ups, might
push strategic planning out to 3–5 years.
All companies must make competitive intelligence
sourcing decisions. Will the work be conducted in
[email protected]
or https://andriole.com.
16 IT Professional
house or outsourced to a trusted, experienced part-
ner? Will some of the work be cosourced? This
decision is important because it defines where com-
panies draw the brains-versus-brawn line. If a com-
pany decides to insource the intelligence process
they’re tilting toward brains, but if they decide to out-
side the process they’re voting for brawn. C-suites
should think long and hard about sourcing decisions
because once the brains leave the building, it’s hard
to get them back. On the other hand, if C-suites are
already comfortable with outsourcing key activities,
then all’s well.
FINAL THOUGHTS
Competitive intelligence is often an ad hoc activity.
Sometimes it’s even anecdotal. If they haven’t already,
C-suites should strongly consider formalizing the com-
petitive intelligence function with a well-funded, full-
time, dedicated team, which should be invited into
whatever strategic planning processes exist at their
companies. It’s especially important to focus on com-
petitors leaving their lanes and ones that might come
from left field.
Competitor intelligence should also stimulate inno-
vation. The more companies learn about what their
competitors are doing, the smarter they should become
about themselves and how they should improve,
replace, reinvent, and automate their own processes
and perhaps their entire business model. This is
another benefit of competitor intelligence.
REFERENCES
1. A. Bloomenthal, Competitive Intelligence: Definition,
Types, and Uses. Investopedia, 2021. https://www.
investopedia.com/terms/c/competitive-intelligence.asp
2. “Competitive and market intelligence tools for
technology and service providers reviews and ratings,”
The Gartner Group, 2022. https://www.gartner.com/
reviews/market/competitive-and-market-intelligence-
tools-for-technology-and-service-providers
STEPHEN J. ANDRIOLE is the Thomas G. Labrecque Profes-
sor of Business Technology in the Villanova School of Busi-
ness, Villanova, PA, 19085, USA. Contact him at stephen.
September/October 2023
GUEST EDITORS’ INTRODUCTION

IT Professional Special Issue on Security and

Data Protection During the COVID-19
Pandemic and Beyond
 L. Herna
Jose ndez-Ramos , University of Murcia, 30100, Murcia, Spain
Paolo Bellavista , University of Bologna, 40136, Bologna, Italy
Georgios Kambourakis , University of the Aegean, 83200, Karlovasi, Greece

Jason R.C. Nurse , University of Kent, CT2 7NF, Kent, U.K.

J. Morris Chang , University of South Florida, FL, 33620, USA

T
he global landscape has been reshaped by the
COVID-19 pandemic, causing unprecedented
health, economic, and societal disruptions. In
this transformative period, technology emerged as a
vital lifeline, serving as both a shield against the virus
and a catalyst for adapting to new challenges. Digital
contact tracing frameworks rapidly emerged and
became popular worldwide, thus enabling swift identifi-
cation of potential exposure and containment of infec-
tions. In addition, the subsequent development of
digital COVID certificates for vaccinations, immunity,
and testing facilitated the safe resumption of daily
activities and cross-border travel.
In fact, in recent years, technological advancements
stemming from AI as well as the use of technologies
like the Internet of Things (IoT) or blockchain, have
propelled the development of innovative solutions to
combat COVID-19. Such technologies have facilitated
real-time monitoring of infected individuals and the
identification of outbreaks, enhancing our capacity to
respond effectively. However, the massive deployment
of such technological solutions exacerbates security
and data protection challenges. That is, ensuring the
privacy of individuals, safeguarding data integrity, and
enhancing cybersecurity to adapt to evolving work para-
digms have become paramount concerns. The rapid dig-
ital transformation that accompanied the pandemic’s
challenges brought about not only opportunities but
also significant cybersecurity and data protection chal-
lenges. As societies globally navigated these uncharted
waters, it became evident that addressing these issues
thoughtfully and comprehensively was essential. Indeed,
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3322609
Date of current version 3 November 2023.
the pandemic demonstrated that cybersecurity and
data protection aspects go beyond technology, but they
have legal and social implications that will continue
evolving in the future.
While the World Health Organization declared “with
great hope” an end to COVID-19 as a public health
emergency in 2023, our society will have to face new
emergency situations in the coming decades. We hope
that the technological advancements of recent years
and those to come as well as the lessons learned from
the COVID-19 pandemic will serve to develop effective
responses while cybersecurity and data protection are
still properly addressed from a more multidisciplinary
perspective, considering social and legal aspects. Indeed,
we must ensure that cybersecurity and data protection
remain at the forefront of our strategies, considering the
complex interplay between technology, societal state
transitions, and emergency preparedness.
The articles in this special issue highlight recent
contributions in the areas of cybersecurity and data
protection related to COVID-19 and the postpandemic
world.
“Blockchain-Based Mechanism for Smart Record
Monitoring During and After the COVID-19 Pandemic,”
by Geetanjali Rathee et al.,A1 provides an overview of
security and privacy mechanisms for facilitating effi-
cient communication, decision making, planning, infor-
mation recording, and management using smart devices
in postpandemic scenarios. Furthermore, the authors
explore the utilization of blockchain technology to estab-
lish a secure and trustworthy communication network.
In “The Changing Landscape of Privacy-
Countermeasures in the Era of the COVID-19 Pan-
demic,” Sherali Majeed and Seong Oun Hwang1 analyze
the aspects related to data privacy due to the COVID-19
pandemic and present developed countermeasures to

September/October 2023 Published by the IEEE Computer Society IT Professional 17

GUEST EDITORS’ INTRODUCTION
IN THIS ISSUE
T here can be no question that COVID-19 has
profoundly impacted society and, by extension,
information technology. That is the topic of the
September/October IT Professional special issue. At
the same time, Hoda DibaA4 has written “Employer
Branding: The Impact of COVID-19 on New Employee
Hires in IT Companies” for the IT Trends department.
This article deals with subtle shifts in post-COVID
employee attitudes that will likely necessitate changes
in employer branding strategies. As this article touches
the IT professional directly and aligns with the special
issue, we elected to elevate this article to this edition’s
From the Editor column.
In the Formal Methods in Industry column, Axel
LegayA5 offers “Design, Validate, Implement, and
Validate: From Dreaming Approaches to Realities.” This
article examines statistical model checking as a formal
method to certify a strategic enterprise system as
dependable, particularly in the era of AI. Although some
limitations are inherent in this formal method, it also
possesses some decisive advantages. Next, in his
popular Life in the C-suite column, Steve AndrioleA6
asks, “How Competitive Are You?” Here, Andriole speaks
directly to the importance of tackling competitive
intelligence as a professionalized discipline as opposed
to the less formal way by which many corporations
often view their competition.
In the IT Security column, “Labeling Software
Security Vulnerabilities,” Irena Bojanova and John J.
GuerrerioA7 examine the methods by which the common
weakness enumerations (CWEs) related to 228,000
address these issues. The importance of implementing
privacy strategies in epidemic-handling systems is
emphasized, and key lessons for future similar pan-
demics are provided. This article was inadvertently
published in the July/August edition of IT Professional.
As such, it is available there to round out this special
issue with a premature preview.
In “Enhancing Communication Among Remote
Cybersecurity Analysts With Visual Traces,” Chen Zhong
et al.A2 introduce an approach to enhance communica-
tion in collaborative cybersecurity analysis during the
postpandemic era. This is done by utilizing visual traces
of experts’ analytical processes. Their method addresses
the challenges of remote work and demonstrates its
benefits through a case study. This provides insights for
18 IT Professional
common vulnerabilities and exposures (CVEs) in the
National Vulnerability Database can be mapped to the
Bugs framework. This detailed analysis reveals the value
of refining the CWE definitions with the Bugs framework
formalism to bolster a deeper understanding of CVEs.
Finally, but highly timely as always, Nir Kshetri,A8 in his
powerful IT Economics department, examines “Generative
Artificial Intelligence in Marketing.” Here, he exposes the
virtues of generative AI in marketing and counterposes
with the barriers to entry, concluding that humans
must remain in the loop. This article makes for an
informative ending to a power-packed edition of
IT Professional.
This edition also includes two feature articles, each
dealing with machine learning as applied to an aspect
of cybersecurity. The first feature, by Mohamed Saied
Essa and Shawkat Kamal Guirguis,A9 is “Evaluation of
Tree-Based Machine Learning Algorithms for Network
Intrusion Detection in the Internet of Things.” Here,
the authors present a literature review, identify salient
research gaps, and then demonstrate the comparative
value of six tree-based machine learning techniques to
detect intrusion in an Internet of Things environment.
The second feature article, by Michail Tsikerdekis and
Sherali Zeadally,A10 “Misinformation Detection Using
Deep Learning,” examines the effective use of various
deep learning techniques in attacking differing forms of
misinformation on social platforms. It then explores
relevant challenges and opportunities in the deep
learning approach toward curbing misinformation,
concluding that further research may prove rewarding.
organizations aiming to improve communication in
remote teams during collaborative problem solving in
the postpandemic era.
All transformations that accompanied the pandem-
ic’s challenges brought about not only opportunities
but also significant cybersecurity and data protec-
tion challenges. As societies globally navigated these
uncharted waters, it became evident that addressing
these issues thoughtfully and comprehensively was
essential. Indeed, the pandemic demonstrated that
cybersecurity and data protection aspects go beyond
technology, but they have legal and social implications
that will continue evolving in the future.
“Ransomware Attacks of the COVID-19 Pandemic:
Novel Strains, Victims, and Threat Actors,” by Zubair
September/October 2023

APPENDIX: RELATED
ARTICLES
A1. G. Rathee, C. A. Kerrache, and A. Cheriguene,
“Blockchain-based mechanism for smart record
monitoring during and after the COVID-19
pandemic,” IT Prof., vol. 25, no. 5, pp. 20–28,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.3310650.
A2. C. Zhong, J. B. Kim, and A. Yayla, “Enhancing
communication among remote cybersecurity
analysts with visual traces,” IT Prof., vol. 25,
no. 5, pp. 29–36, Sep./Oct. 2023, doi: 10.1109/
MITP.2023.3318485.
A3. Z. Baig, S. H. Mekala, and S. Zeadally,
“Ransomware attacks of the COVID-19
pandemic: Novel strains, victims, and threat
actors,” IT Prof., vol. 25, no. 5, pp. 37–44,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.3297085.
A4. H. Diba, “Employer branding: The impact of
COVID-19 on new employee hires in IT
companies,” IT Prof., vol. 25, no. 5, pp. 4–9,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.3321926.
A5. A. Legay, “Design, validate, implement, and
validate: From dreaming approaches to
Baig et al.,A3 analyzes the organizational vulnerabilities
to threats exposed by the COVID-19 pandemic, focus-
ing on the rise of ransomware attacks. It analyzes
popular ransomware attacks during the pandemic
and highlights the importance of preventing malware
spread in corporate networks. The work identifies
impactful ransomware strains and emphasizes the
need for preventive and security measures.
REFERENCE
1. A. Majeed and S. O. Hwang, “The changing landscape
of privacy– Countermeasures in the era of the COVID-
19 pandemic,” IT Prof., vol. 25, no. 4, pp. 52–60, Jul./
Aug. 2023, doi: 10.1109/MITP.2023.3287876.
JOSÉ L. HERNÁNDEZ-RAMOS is a Marie Sklodowska-Curie
postdoc fellow with the Department of Information and
Communications Engineering, University of Murcia, 30100,
Murcia, Spain. Contact him at
[email protected]
. 33620, USA. Contact him at
[email protected]
.
September/October 2023
GUEST EDITORS’ INTRODUCTION
realities,” IT Prof., vol. 25, no. 5, pp. 10–13,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.
3314327.
A6. S. J. Andriole, “How competitive are you?” IT
Prof., vol. 25, no. 5, pp. 14–16, Sep./Oct. 2023,
doi: 10.1109/MITP.2023.3314326.
A7. I. Bojanova and J. J. Guerrerio, “Labeling
software security vulnerabilities,” IT Prof.,
vol. 25, no. 5, pp. 64–70, Sep./Oct. 2023, doi: 10.
1109/MITP.2023.3314368.
A8. N. Kshetri, “Generative artificial intelligence in
marketing,” IT Prof., vol. 25, no. 5, pp. 71–75,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.3314325.
A9. M. S. Essa and S. K. Guirguis, “Evaluation of
tree-based machine learning algorithms for
network intrusion detection in the Internet of
Things,” IT Prof., vol. 25, no. 5, pp. 45–56,
Sep./Oct. 2023, doi: 10.1109/MITP.2023.
3303919.
A10. M. Tsikerdekis and S. Zeadally, “Misinformation
detection using deep learning,” IT Prof., vol. 25,
no. 5, pp. 57–63, Sep./Oct. 2023, doi: 10.1109/
MITP.2023.3314752.
PAOLO BELLAVISTA is a full professor with the Department
of Computer Science and Engineering, Alma Mater Studiorum,
University of Bologna, 40136, Bologna, Italy. Contact him at
[email protected].
GEORGIOS KAMBOURAKIS is a full professor with the
Department of Information and Communication Systems
Engineering, University of the Aegean, 83200, Karlovasi,
Greece. Contact him at [email protected].
JASON R.C. NURSE is a reader in cybersecurity with the
School of Computing at the University of Kent, CT2 7NF,
Kent, U.K., and the Institute of Cyber Security for Society,
U.K. Contact him at [email protected].
J. MORRIS CHANG is a full professor with the Department
of Electrical Engineering, University of South Florida, FL,
IT Professional 19
 THEME ARTICLE: SECURITY AND DATA PROTECTION DURING
THE COVID-19 PANDEMIC AND BEYOND

Blockchain-Based Mechanism for Smart

Record Monitoring During and After the
COVID-19 Pandemic
Geetanjali Rathee , Netaji Subhas University of Technology, New Delhi, India
Chaker Abdelaziz Kerrache  Amar Telidji de Laghouat, Algeria
, Universite
rieure Laghouat, Algeria
Anissa Cheriguene, Ecole Normale Supe

The COVID-19 pandemic has highlighted the significance and importance of introducing
intelligent devices to improve living standards. Technological advancements and
inventions have proven particularly beneficial during times when face-to-face contact is
limited. Machine vision, as a cutting-edge paradigm, has emerged as a significant tool in
handling various COVID-19 and post-COVID-19 situations. Intelligent devices aim to
automate processes and enhance society’s quality of life by reducing reliance on human
intervention. However, security concerns and technological advancements necessitate
organizations and businesses to adopt robust security and privacy mechanisms instead
of solely relying on intelligent and smart measurement methods. This article aims to present
a comprehensive overview of security and privacy mechanisms for facilitating efficient
communication, decision making, planning, information recording, and management using
smart devices in postpandemic scenarios. Additionally, the article offers a summary of
potential techniques and basic solutions for secure communication in the future.

T
he COVID-19 pandemic has brought about a
paradigm shift in the daily lives of individuals.1,2
It provided a taste and tempering of technology
in a world where individuals were afraid of commu-
nicating with each other physically. Technological
advancements and innovations have enabled people
to continue working remotely through smart and tech-
nological means, even in the midst of widespread shut-
downs. Moreover, technology has played a vital role in
effectively managing post-COVID-19 situations and
preventing the transmission of infections from one
individual to another.3,4 To control the spread of the
virus, smart devices and measurements have been
deployed to diagnose and identify infected individuals
globally. These smart measurements represent the lat-
est and most significant advancements in communica-
tion strategies.5
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3310650
Date of current version 3 November 2023.
Organizations are converting their existing commu-
nication technologies to adopt intelligent, robotic, and
smart-based phenomena to gain more benefits. They
have benefited and improved their communication pro-
cesses through technology by adopting smart and
intelligent communication devices in various fields.6
The smart technologies are being adopted by various
organizations in almost every field, such as health care,
industries, Society 5.0, etc. In this article, we consider
health-care applications and their communication pro-
cesses using smart devices.
Smart measurements have been adopted in
health-care systems, where the recording, storing, and
analysis of information are performed via smart devi-
ces. The prescription written by a doctor, a patient’s
visit to the doctor, and the corresponding medical
tests are recorded and analyzed by smart devices.
Machine vision (MV) is one of the technologies inte-
grated with smart measurements to provide automatic
decision making while connecting with sensors.7,8 MV
attempts to integrate with existing technologies and
capture real-time images for automatic analysis and

20 IT Professional Published by the IEEE Computer Society September/October 2023

 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
information sensing in their surroundings. Accurately
processing the recognized images enables more pre-
cise analysis and surveillance recordkeeping within
the network.
In the context of health-care applications, patient
information, such as doctor visits, prescriptions, medi-
cal tests, and operations, is efficiently managed using a
range of smart and intelligent devices. E-health-care
systems play a pivotal role in enabling seamless access
to and organization of this information through the
Internet. This integration ensures the streamlined and
secure management of health-care data, promoting
effective communication and coordination among
patients, health-care providers, and medical facilities.9
A complete health-care mechanism having a number
of smart devices that communicate and make indepen-
dent and autonomous decisions is depicted in Figure 1.
Figure 1 represents the secure communication and
transmission of information among entities when the
FIGURE 1. Internet of Things in health-care applications.
September/October 2023
record of a patient is being transferred from one place
to another. Whenever it is needed, the patient may
refer to another doctor for his/her satisfaction to
change their prescriptions, or, sometimes, doctors may
refer the patient to another doctor located in a differ-
ent hospital at a different place. Instead of subjecting
patients to redundant tests or starting the diagnosis
process from scratch, the comprehensive patient
report can be effortlessly and securely handled and
transferred within the network using smart devices.
This advancement in technology eliminates the
need for repetitive procedures, saving time and resour-
ces while ensuring the secure exchange of crucial
medical information. In addition, the processing and
recording, along with integration with the intermedi-
ates, can be done via smart e-health-care systems. Fur-
ther, the involvement of the blockchain network in the
communication process strengthens e-health manage-
ment by providing high-end security and transparency
IT Professional 21
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
while moving the information from one location to
another. Smooth and secure communication among
intelligent devices can be easily provided by ensuring a
trust-based transmission process among the devices.
SIGNIFICANCE OF THE RESEARCH
MV is defined as one of latest technologies that helps
in dealing with and handling the post-COVID-19 world,
where the recording of a patient’s data can be done via
smart systems. However, the smart recording, manage-
ment, and storing of information can be further altered
and modified by a number of intruders, present inside
the network, for their own benefit. Let us consider a
case study where the record of a patient, including a
doctor visit, a prescription, a medication, and an opera-
tion, is handled via the Internet and smart devices. The
security, in this case, can be easily breached by altering
one of sensors present in the network to degrade
the network performance in variety of ways.10 The
breached information can be in the hands of insurance
companies, whose goal is to target those persons
whose ages are between 30 and 40 years and who
have no major medical issues. In addition, the security
can be breached in the situation where a doctor, for
their personal benefit, forces their patients to go their
recommended lab or medical store even though the
facility does not have great reviews.11 Therefore, it is
necessary to determine a secure and efficient commu-
nication mechanism by legitimating the smart devices
in the network.
CONTRIBUTIONS
To analyze the legitimacy of each smart device involved
in the communication/transmission of information and
responsible for handling and dealing with post-COVID-
19 situations, it is necessary to focus on the major
criticality and concerns corresponding to it. A single
wrong decision or incorrect identification of a person
may lead to the inflammable spread of a virus within
the coming 24 hours.12,13 This article presents a valu-
able contribution in the form of a comprehensive sur-
vey of various security schemes and proposals aimed
at establishing an efficient communication mechanism.
Moreover, the integration of existing technologies with
MV has proven to be highly beneficial for COVID-19
patients. This integration allows for the capture of
real-time images, enabling automatic analysis and
information sensing to accurately process the recog-
nized images.
With this approach, patients are spared from redun-
dant tests, and the diagnosis process becomes more
streamlined by eliminating the need to start from
22 IT Professional
scratch each time. The entire patient report can now
be effortlessly and securely handled and transferred
within the network using smart devices, ensuring the
quick and reliable dissemination of crucial medical
information. This advancement greatly enhances the
overall efficiency and effectiveness of health-care serv-
ices for COVID-19 patients. In addition, the contribu-
tions of the entire article are structured as follows:
A number of security schemes and proposals
that ensure secure communication among
intelligent devices are discussed along with
their limitations.
A number of open challenges and future direc-
tions for ensuring secure communication by
understanding the behavior of each device are
presented in this article.
A secure and transparent intelligent communi-
cation framework for an e-health-care system
using the blockchain mechanism is further
elaborated, and its accuracy metrics that
directly affect the overall performance of the
network are shown.
This article aims to emphasize the existing research
and its limitations while proposing a transparent and
secure communication mechanism for COVID-19
patients. The objective is to establish an accurate and
expedited diagnosis process. By addressing the short-
comings of current approaches, this article seeks to
enhance the efficiency and reliability of communica-
tion channels, ensuring transparency and security in
the diagnosis of COVID-19 cases.
The remainder of the article is organized as follows.
The related work is discussed in the next section; a
number of scientists and researchers have proposed
numerous security measures. The open challenges and
a proposed framework are provided in the “Open
Challenges” and “Proposed Solution” sections. Finally,
the “Conclusion and Future Directions” section con-
cludes the article and discusses the future scope of
the work.
RELATED WORK
The present section presents a number of security and
privacy proposals suggested by various researchers,
scientists, and engineers. The security schemes of
smart devices in health-care mechanisms using block-
chain technology are considered as some of the latest
solutions proposed by various scientists. Table 1
depicts a literature survey of various security schemes
in health-care applications using smart devices.
September/October 2023
 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

TABLE 1. Adversarial-based related work comparative table.

Reference Year Technology Security Limitation

14
Haddad et al. 2021 Blockchain Convolutional neural Middleware threat
technology networks along with
blockchain
Lavigne et al.15 2021 Real-time health care Consensus and Centralized threat
centralized
prescription method
Younis et al.16 2021 Securely preserving Novel authentication Insider threat
and accessing the and secure
data communication
protocol
Liu et al.18 2021 Blockchain in health Quantitative and Consensus threat
care qualitative
approaches
Al-Jaroodi et al.19 2020 Health 4.0 objectives Creative middleware Masquerade attack
framework
Yang et al.20 2020 CPS-based robotic Discussed the future Outsider threat
home care perspectives

Haddad et al.14 focused on blockchain technology
for solving the data management issues of health care
by incorporating machine learning techniques and fea-
tures. The authors used convolutional neural networks
along with blockchain technology to improve the data
management results. The authors claimed 98.67% and
96.02% accuracy and recall, respectively, in learning
the high-level semantics of medical records for under-
taking and assisting with valuable diagnoses.
Lavigne et al.15 proposed a real-time health care
using blockchain techniques by supporting the lifecycle
of the patient and improving its quality. The proposed
approach uses consensus and a centralized prescription
method for collecting health data. The authors provided
data access control for restricting the persons granted
access. The performance of the proposed mechanism
was analyzed using the Hyperledger Fabric tool to inves-
tigate the communication features of the network.
Younis et al.16 provided a holistic solution for
securely preserving and accessing data information in
health-care applications. The security of Internet of
Things devices was measured through blockchain by
granting and revoking their permissions and privacy
regulations. The authors further proposed a novel
authentication and secure communication protocol for
interacting with patients and cloud services through
smart contracts. The proposed mechanism was ana-
lyzed using the automated validation of Internet secu-
rity-sensitive protocols and applications.
Wang et al.17 investigated data efficiency and
enhancement criteria by following three lightweight
approaches. The authors used a lightweight machine
learning method along with a trained model on the
server layer to ensure data efficiency. In addition, they
used a streaming layer to score the incoming data by
improving the analytical framework using a trusted
vision system through blockchain.
Liu et al.18 analyzed scientific publications and pat-
ents to identify the trends of blockchain in health care
over the last five years. The authors adopted quantita-
tive and qualitative approaches to discover the tempo-
ral and theme dynamics in industry and academia. The
output results shed light on MV and challenges for
future works.
Al-Jaroodi et al.19 defined the Health 4.0 objectives
by discussing advances in traditional health-care sec-
tors. The authors categorized health-care applications
into four groups: targeted, professional, system, and
resource management. They conducted a study of
diverse applications aimed at supporting services in
achieving their specific goals. The authors also sug-
gested a creative middleware framework to offer
service-oriented applications to facilitate services.
Yang et al.20 proposed a cyberphysical system (CPS)-
based home-care robotic system for reviewing the
related technologies, including sensing, artificial intelli-
gence, cloud computing, and materials and machines
for mapping and capturing information. The authors
discussed future perspectives related to the issues and
challenges faced by robotic systems in Health Care 4.0.
Even though a number of security-based mecha-
nisms and approaches have been proposed by various

September/October 2023 IT Professional 23

SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

researchers, scientists, and authors, very few of them

have focused on understanding the behavior of intelli-
gent devices in maintaining the patient’s diagnosis and
keeping their records confidential. In addition, the
transmission of information to a different location can
easily be secured by involving the blockchain network.
The existing works used the blockchain mechanism
but for maintaining online health-care databases. In
this article, various blockchains are maintained to pre-
vent a patient’s data from being seen by a third party
and to ensure transparency while intelligent devices
are communicating with each other.

OPEN CHALLENGES
In this section, we discuss a number of security and pri-
vacy concerns when transmitting sensitive information
among clients in the network. The information is trans-
mitted among various devices or clients in the network
that are already authenticated by the trusted authori-
ties. After a successful authentication process, the
devices can share both regular and sensitive informa-
tion in the network. The information is the identifica-
tion of the device, such as its ID, name, organization,
department, etc., while the sensitive information is
what the devices share among themselves by broad-
casting or sharing the message (via text, audio, video,
etc.) in the network. Even though the communicating
devices are authentic, the information transmitted in
the network can still be breached and compromised by
intermediate parties. Many security concerns can fur-
ther arise while sharing, analyzing, or transmitting the
patient’s records in the network.
In Figure 2, we observe the exchange of devices
and sensitive records among multiple entities, accom-
panied by potential security threats. The depicted
threats encompass data alteration, replay attacks,
data falsification, masquerading, and distributed denial
of service (DDoS). These threats pose significant
risks and can be perpetrated by intruders, leading to
potential disruptions or unauthorized manipulations of
the data.
Whether occurring during network transmission or
introduced later by malicious actors, these threats pre-
sent serious concerns for the overall security of the
system. The visual representation in Figure 2 offers
insight into the possible methods utilized by attackers
to execute these threats when transmitting informa-
tion across the network and among various clients.
Understanding these possibilities is crucial for devising
robust security measures to safeguard against poten-
tial breaches and ensure the integrity and confidential-
ity of the shared information.
FIGURE 2. Possibility of threats during information transmission.
DDoS is considered one of the significant types of
threat, where heterogenous devices that are recording
a huge amount of information automatically can be
easily captured by intruders. The intruders may com-
promise one device, which may lead to other hopes to
distribute their load and perform jamming or network
congestion by simply consuming resources in the net-
work. Later on, the data falsification threat is consid-
ered to be one of the dangerous attacks, where the
altered smart devices modify the information or simply
divert the data to any third party that can benefit from
them for their own purpose. The following list dis-
cusses a number of open challenges and future direc-
tions that need focus to ensure a secure and private
remote communication mechanism in health-care
applications using smart devices.
Sensitive information to insurance companies:
Insurance companies make money by insuring
the young age group with no serious medical
issues. Sometimes, they make a deal with one
of the intermediates in the hospital who can
easily provide a patient’s records to them. Once
they have sensitive information about a client,
they can easily target them and get them to
agree to purchase insurance by offering the
best plans and ideas.
Money margins by intermediators: Sometimes,
for tests and medicines, doctors recommend
medical labs or medical stores that have low
grades but make their huge margins in the mar-
ket. This may directly affect stakeholders, and
patients may suffer greatly.

24 IT Professional September/October 2023

 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
Data falsification threat: This can be consid-
ered as one of the significant types of attacks,
where smart devices are compromised by
intruders and act maliciously while analyzing or
recording information in the network.
Masquerade threat: In the masquerade threat,
an intruder device tries to show the identity of
the ideal device to gain network services.
Energy consumption: The amount of energy
required to transfer information from one place
to another may further consume resources in
the network. The compromised devices con-
sume too much energy and degrade the overall
performance of the network.
Data accuracy: Data accuracy is considered to
be another significant threat, where devices may
not be able to provide accuracy while sharing
information if they are compromised by intruders.
Information modification: The recorded infor-
mation of a patient can be further compromised
or breached by intermediators who sell the infor-
mation to any third party, such as insurance
people or scientists for their research, to make
profits. People who are delivering medicines,
those maintaining patient records, or those
doing the patient tests prescribed by doctors
can further utilize such benefits for their growth.
While researchers and scientists have proposed
numerous cryptographic, algorithmic, and analytical
trusted methods to enhance security, the advance-
ments in today’s environment, where wireless net-
works and smart devices dominate communication
procedures, present new challenges. The involvement
of smart devices reduces human efforts by correctly
automating the surroundings and taking actions depend-
ing on them, but this also leads to a number of security
concerns in the network. The smart devices can be com-
promised by intruders to gain their own benefits. Further,
the amount of time and anonymous intermediate entities
involved during the communication and decisions repre-
sent additional security gaps that an intruder can use for
malicious and dishonest purposes. Therefore, it is much
needed to focus on current scenarios. Blockchain tech-
nology, currently, can be considered as one of the latest
and most significant methods for analyzing the trust
and communication process transparently. A number of
security schemes have already been highlighted by scien-
tists and researchers for maintaining transparency and
improving decision accuracy using blockchain. However,
there are still a number of security concerns that need to
be treated while using blockchain techniques for main-
taining the records of patients in health-care systems.
September/October 2023
Validation procedure: Though blockchain can
be considered as one significant solution that
provides transparency and security in the net-
work, the validation time by the nodes may
invite a number of network security issues in
the network.
Blockchain handling permission: The adminis-
trator who is allowed to modify or surveil the
blockchain should be managed at various levels
to distribute the load in the network.
Storage of information in blockchain: The block
of information in a blockchain should be han-
dled in such a way that it does not further
cause any kind of storage overhead or conges-
tion in the network.
Though various techniques have been proposed by
various researchers and scientists, it is necessary to
propose some security solutions to further improve the
communication process in a very secure manner.
PROPOSED SOLUTION
To maintain a very secure and transparent communica-
tion mechanism, including reduced time and storage
overhead, this article presents a blockchain-based
record maintenance framework for health-care sys-
tems. The proposed mechanism is depicted in Figure 3,
which shows a number of smart devices that are main-
tained using blockchain at various levels.
Blockchain of Entities
Figure 3 shows a number of entities that are involved
in maintaining the blockchain: patient records, doctors,
pathology labs, and so on. The present blockchain is
permissioned and private, where the complete block-
chain is maintained by an owner having subcategories
who gives the permission to do updates in the corre-
sponding blockchain. The patient, doctor, medical
stores, and pathology labs may maintain a blockchain
that is further separated into other blockchains. All of
the blockchains are dependent on each other, and the
patient is prioritized—before any modifications are
done, everyone has to inform or receive permission
from the patient.
Figure 3 shows a permissioned blockchain where
doctors are directly connected with their patients.
Whenever it is necessary to move or change the
location of a patient, either as prescribed by the doc-
tor or because of the patient’s wish to change his/her
doctor, permission will be asked of the owners
(patients) when moving or altering any record in the
blockchain. A change in the record, such as the
IT Professional 25
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

FIGURE 3. Proposed solution. Pathlabs: pathology laboratories; d: device.

address, prescriptions, or any other necessary things, regular surveillance and may be completely removed
will be reflected by maintaining consistency in the net- from the existing network to prevent further—or any
work. This leads to efficient communication and trans- type of—harm.
parency while communicating among each other. In
addition, the doctors are connected with medical labs
Baseline Approaches (BAs)
and medical stores for their respective prescriptions.
The proposed approach is validated and verified
Furthermore, another blockchain may be maintained
against two existing BAs, BA116 and BA2.17 To smooth
where intermediate entities may communicate among
the details, Figure 4 denotes BA1, BA2, and PA, where
each other via blockchain technology before access-
BA1 is existing approach 1, BA2 is existing approach 2,
ing a patient’s record.
and PA is the proposed approach (the blockchain
framework).
Updates and Verification of Records
The simulation of the proposed framework is also
The verification or addition of a block in the existing
depicted in Figure 4 against the accuracy parameter.
blockchain network is done by some of the elected
Accuracy is defined as the decisions made by smart
miners in the existing chain of blocks. During the net-
sensors without any participation of human power. The
work establishment, where each and every entity is
proposed mechanism shows accuracy along with a
considered as ideal or legitimate, an intruder may com-
reduced delay, as independent blockchains are man-
promise the devices upon communication in the
aged and handled at separate levels in the network.
network. As soon as the communication of the trans-
The proposed mechanism outperforms BA1 and BA2
mission of information proceeds, the possibility of devi-
because of the involvement of the blockchain mecha-
ces malfunctioning or the alteration of records by
nism, which ensures a secure and accurate decision
intermediate entities will be easily performed by
intruders. The aim of intruders is to hack the respective
information and gain their own actions. The intruders
may be intermediate entities whose task is to benefit
in their cost by forcing a patient to test at a specific
test lab. The intruders may also sell the entire record of
a patient or hospital to any other party to gain some
extra money. The blockchain network is maintained to
prevent such types of alterations and modifications.
The validation and verification of each and every entity
is maintained by the miners, who are elected from
among the existing blocks to keep surveillance in the FIGURE 4. Accuracy of the proposed framework (having
network. A single alteration in the record can be easily blockchain) versus existing approaches (BA1 and BA2). BA:
traced and re-examined by the intermediate parties.
baseline approach; PA: proposed approach.
The defective intelligent device may further be kept on

26 IT Professional September/October 2023

 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
mechanism while transmitting the information in the
network. Furthermore, the proposed framework can be
improved by integrating with existing cryptographic or
trust-based schemes while understanding the behavior
of communication devices. The validation and online
storage of large blockchains can be easily managed by
limiting the amount of information that can be further
achieved by identifying the legitimacy of a device. The
proposed framework can be further measured and vali-
dated against more security measures in the future
scope of this work.
CONCLUSION AND FUTURE
DIRECTIONS
Although MV represents one of the latest technologies
for recording patient data and mitigating postpan-
demic situations, organizations must continue to
enhance the intelligence and effectiveness of current
systems to improve quality of life. The presence of
intruders within the network poses security and pri-
vacy concerns that need to be addressed. This article
presents a survey of security schemes and explores
the utilization of blockchain technology to establish
a secure and trustworthy communication network for
post-COVID-19 environments. The proposed mecha-
nism addresses open challenges and introduces a
blockchain-based security scheme that enhances
security and efficiency. The accuracy of the system is
compared against conventional approaches, and the
proposed framework can be further enhanced by inte-
grating existing cryptographic or trust-based schemes.
Additionally, future research should aim to validate the
proposed framework against a broader range of secu-
rity measures.
REFERENCES
1. S. Pokhrel and R. Chhetri, “A literature review on
impact of COVID-19 pandemic on teaching and
learning,” Higher Educ. Future, vol. 8, no. 1, pp. 133–141,
Jan. 2021, doi: 10.1177/2347631120983481.
2. B. Pranggono and A. Arabo, “COVID-19 pandemic
cybersecurity issues,” Internet Technol. Lett., vol. 4, no.
2, Mar./Apr. 2021, Art. no. e247, doi: 10.1002/itl2.247.
3. M. Chopra, S. K. Singh, A. Gupta, K. Aggarwal, B. B.
Gupta, and F. Colace, “Analysis & prognosis of
sustainable development goals using big data-based
approach during COVID-19 pandemic,” Sustain.
Technol. Entrepreneurship, vol. 1, no. 2, Mar. 2022, Art.
no. 100012, doi: 10.1016/j.stae.2022.100012.
4. A. Cheriguene, T. Kabache, A. Adnane, C. A. Kerrache,
and F. Ahmad, “On the use of blockchain technology
September/October 2023
for education during pandemics,” IT Prof., vol. 24, no.
2, pp. 52–61, Mar./Apr. 2022, doi: 10.1109/MITP.2021.
3066252.
5. A. Castiglione, M. Umer, S. Sadiq, M. S. Obaidat, and
P. Vijayakumar, “The role of Internet of Things to
control the outbreak of COVID-19 pandemic,” IEEE
Internet Things J., vol. 8, no. 21, pp. 16,072–16,082,
Nov. 2021, doi: 10.1109/JIOT.2021.3070306.
6. S. S. Kamble, A. Gunasekaran, A. Ghadge, and R. Raut,
“A performance measurement system for industry 4.0
enabled smart manufacturing system in SMMEs - A
review and empirical investigation,” Int. J. Prod. Econ.,
vol. 229, Nov. 2020, Art. no. 107853, doi: 10.1016/j.ijpe.
2020.107853.
7. M. Masud et al., “A lightweight and robust secure key
establishment protocol for Internet of Medical Things
in COVID-19 patients care,” IEEE Internet Things J.,
vol. 8, no. 21, pp. 15,694–15,703, Dec. 2020,
doi: 10.1109/JIOT.2020.3047662.
8. Z. Ren, F. Fang, N. Yan, and Y. Wu, “State of the art in
defect detection based on machine vision,” Int. J.
Precis. Eng. Manuf.-Green Technol., vol. 9, no. 2, pp.
661–691, Mar. 2022, doi: 10.1007/s40684-021-00343-6.
9. S. S. Kute, A. K. Tyagi, and S. Aswathy, “Industry 4.0
challenges in e-healthcare applications and emerging
technologies,” in Intelligent Interactive Multimedia
Systems for e-Healthcare Applications, A. K. Tyagi,
A. Abraham, and A. Kaklauskas, Eds. Singapore:
Springer, 2022, pp. 265–290.
10. K. Shankar, E. Perumal, M. Elhoseny, F. Taher, B.
Gupta, and A. A. A. El-Latif, “Synergic deep learning
for smart health diagnosis of COVID-19 for connected
living and smart cities,” ACM Trans. Internet Technol.,
vol. 22, no. 3, pp. 1–14, Nov. 2021, doi: 10.1145/3453168.
11. M. A. Rahman, M. S. Hossain, N. A. Alrajeh, and B.
Gupta, “A multimodal, multimedia point-of-care deep
learning framework for COVID-19 diagnosis,” ACM
Trans. Multimedia Comput. Commun. Appl., vol. 17,
no. 1s, pp. 1–24, Mar. 2021, doi: 10.1145/3421725.
12. W. He, Z. J. Zhang, and W. Li, “Information technology
solutions, challenges, and suggestions for tackling the
COVID-19 pandemic,” Int. J. Inf. Manage., vol. 57, Apr.
2021, Art. no. 102287, doi: 10.1016/j.ijinfomgt.2020.102287.
13. K. Intawong, D. Olson, and S. Chariyalertsak,
“Application technology to fight the COVID-19
pandemic: Lessons learned in Thailand,” Biochemical
Biophysical Res. Commun., vol. 534, pp. 830–836,
Jan. 2021, doi: 10.1016/j.bbrc.2020.10.097.
14. A. Haddad, M. H. Habaebi, M. R. Islam, and S. A.
Zabidi, “Blockchain for healthcare medical records
management system with sharing control,” in Proc. IEEE
7th Int. Conf. Smart Instrum., Meas. Appl. (ICSIMA), 2021,
pp. 30–34, doi: 10.1109/ICSIMA50015.2021.9526301.
IT Professional 27
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
15. T. Lavigne, B. Mbarek, and T. Pitner, “A real time
healthcare tracking system based on blockchain
application,” in Proc. IEEE/ACS 18th Int. Conf. Comput.
Syst. Appl. (AICCSA), 2021, pp. 1–8, doi: 10.1109/
AICCSA53542.2021.9686880.
16. M. Younis, W. Lalouani, N. Lasla, L. Emokpae,
and M. Abdallah, “Blockchain-enabled and data-driven
smart healthcare solution for secure and privacy-
preserving data access,” IEEE Syst. J., vol. 16, no. 3, pp.
3746–3757, Sep. 2022, doi: 10.1109/JSYST.2021.3092519.
17. T. Wang, M. Du, X. Wu, and T. He, “An analytical
framework for trusted machine learning and
computer vision running with blockchain,” in Proc.
IEEE/CVF Conf. Comput. Vision Pattern Recognit.
Workshops, 2020, pp. 32–38, doi: 10.1109/
CVPRW50498.2020.00011.
18. C. Liu et al., “Blockchain technology in healthcare: A
scientific and technological driving force,” in Proc. IEEE
34th Int. Symp. Comput.-Based Med. Syst. (CBMS), 2021,
pp. 550–555, doi: 10.1109/CBMS52027.2021.00036.
19. J. Al-Jaroodi, N. Mohamed, and E. Abukhousa, “Health
4.0: On the way to realizing the healthcare of the
future,” IEEE Access, vol. 8, pp. 211,189–211,210, Nov.
2020, doi: 10.1109/ACCESS.2020.3038858.
20. G. Yang et al., “Homecare robotic systems for
healthcare 4.0: Visions and enabling technologies,”
IEEE J. Biomed. Health Inform., vol. 24, no. 9, pp.
2535–2549, Sep. 2020, doi: 10.1109/JBHI.2020.2990529.
28 IT Professional
GEETANJALI RATHEE is an assistant professor with the
Department of Computer Science and Engineering, Netaji
Subhas University of Technology, Dwarka, New Delhi, India.
Her research interests include handoff security, cognitive
networks, and blockchain technology. Rathee received her
Ph.D. degree in computer science and engineering from Jay-
pee University of Information Technology. Contact her at
[email protected].
CHAKER ABDELAZIZ KERRACHE is an associate professor
with the Department of Computer Science and the head of
the Informatics and Mathematics Laboratory at the Univer-
sity of Laghouat, Algeria. His research interests include trust
and risk management, secure multihop communications,
and vehicular networks. Kerrache received his Ph.D. degree
in computer science from the University of Laghouat. Con-
tact him at [email protected].
ANISSA CHERIGUENE is an associate professor with the
rieure of
Department of English, Ecole Normale Supe
Laghouat, Laghouat, Algeria. Her research interests include
English as a Foreign Language instruction, educational
technology, and linguistics and writing studies. Cheriguene
received her Ph.D. degree in English language and literature
from the University of Ouargla. Contact her at a.cheriguene@
ens-lagh.dz.
September/October 2023
THEME ARTICLE: SECURITY AND DATA PROTECTION DURING
THE COVID-19 PANDEMIC AND BEYOND

Enhancing Communication Among Remote

Cybersecurity Analysts With Visual Traces
Chen Zhong , J. B. (Joo Baek) Kim , and Alper Yayla , University of Tampa, Tampa, FL, 33606, USA

This article addresses the communication challenges in collaborative cybersecurity

analysis amid the rise of remote work during the postpandemic era. We introduce a
novel approach that leverages visual traces of analysts’ analytical processes to enhance
information transmission and processing in collaborative cybersecurity analysis.
Furthermore, we demonstrate the advantages of visual traces in supporting
communication in a case study. Our approach offers valuable insights for organizations
struggling to attain effective communication in remote teams during collaborative
problem-solving tasks in the postpandemic era.

T
he rise in online activities and the move to
remote work as a response to the COVID-19
pandemic have created new challenges for
cybersecurity professionals.9 Many organizations com-
bat the increased frequency and complexity of cyber-
attacks in their cybersecurity operations centers
(CSOCs). Cybersecurity analysts in CSOCs work as a
team and employ various monitoring and detection
tools, such as intrusion detection/prevention systems
and security information and event management (SIEM)
systems. They bear the critical responsibility of investi-
gating incidents: a task demanding a detailed analysis
and correlation of alerts, various system logs, reports,
and network traffic, with the goal of determining the
root cause, impacts, and potential scope of each secu-
rity incident.
In CSOCs, analysts usually communicate by creat-
ing incident reports that include important incident
details, supporting evidence, and recommended response
actions.10 They also share the results of their ongoing
investigations during regular meetings and briefings. In
urgent situations, they contact each other directly for
immediate assistance. In fact, the interdependency of
the analysis of each analyst requires high levels of team
collaboration to respond to sophisticated cyberattacks.
Current incident detection and response tools integrate
functions like instant messaging and ticketing features
to enable such collaborative analysis.
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3318485
Date of current version 3 November 2023.
In recent years, the global transition to remote
work settings for CSOCs has become prevalent, driven
primarily by the COVID-19 pandemic. In 2022, more
than half of the global cybersecurity professionals
worked remotely or had the option to choose their
work location, up from only one quarter having the
remote option before the pandemic.7 Additionally, the
number of cybersecurity professionals worldwide work-
ing fully remote has quadrupled, forming almost one
quarter of the whole cybersecurity workforce.7 How-
ever, remote work introduces complexities in com-
munication for effective collaborative cybersecurity
analysis.3,13 In remote teams, inefficient communication
practices can lead to delayed or ineffective responses
to cybersecurity incidents. Consequently, as the num-
ber of remote analysts continues to rise, it becomes
increasingly crucial to address and overcome the com-
munication challenges to ensure a prompt and effec-
tive cybersecurity incident response.
This article tackles the global challenges arising
from the growing trend of remote work in collaborative
cybersecurity analysis and introduces a novel visual
trace approach designed to enhance communication
among remote analysts. Initially, we identify the signifi-
cant challenges encountered during collaborative cyber-
security analysis within remote teams. Furthermore,
drawing upon communication theories, we propose a
method that traces analysts’ analytical processes and
visually represents them in an interactive concept map
called an Action-Observation-Hypothesis (AOH)-Map.
We outline the key characteristics of an AOH-Map and
provide a case study to demonstrate how it can enhance

September/October 2023 Published by the IEEE Computer Society IT Professional 29

SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
both the conveyance (information transmission from the
analyst to the team level) and convergence (information
transmission from the team to the analyst level) pro-
cesses. Support for these communication processes is
crucial for effective collaborative cybersecurity analysis.
This article makes a significant contribution to
research and practice by recognizing the global com-
munication challenges in collaborative cybersecurity
analysis among remote teams and proposing a novel
approach that leverages visual traces of analysts’
analytical processes to enhance communication. The
visual traces contain contextual information about the
analysts’ analytical processes, such as their analytical
strategies and supporting evidence. This enables team
members to achieve a better understanding of the find-
ings. The novelty of the proposed approach is its use
of visual traces for communicating incident findings
accompanied by automatically captured contextual
information, marking an advancement over current
cybersecurity tools that rely on manual reporting of
findings. Moreover, visual traces, serving as communica-
tion media, facilitate a two-way synchronization between
individual and collective cyber situation awareness
(Cyber SA), thereby enabling remote analysts to col-
laboratively construct a shared mental model. Although
our primary focus is on cybersecurity analysis, the poten-
tial benefits of visual traces in supporting information
transmission and processing can be applied to other col-
laborative problem-solving tasks in remote teams across
various domains.
COLLABORATIVE CYBERSECURITY
ANALYSIS IN THE POSTPANDEMIC
WORLD
Cyber threats, with their complexity and multifaceted
nature, necessitate teamwork among analysts. This
collaboration allows continuous monitoring and fos-
ters more effective problem solving by leveraging
diverse expertise and viewpoints within the team. As
discussed, the COVID-19 pandemic has accelerated
the remote work trend in the cybersecurity field, result-
ing in the emergence of virtual team environments for
collaborative cybersecurity analysis. However, these
environments pose significant challenges to effective
communication and teamwork.13 Research indicates
that task complexity combined with high levels of virtu-
ality increases the potential for misconceptions and
errors, making efficient communication patterns vital
for team effectiveness in remote teams.11 To improve
remote team performance, it is recommended to pro-
mote openness in information sharing by providing
access to various tools, such as videoconferencing,
e-mail, and shared databases.12
30 IT Professional
During cybersecurity analysis, analysts investigate
alerts, search for evidence, and generate hypotheses
for further analysis. This complex analytical process
involves 1) analysis actions like event searching,
2) observations of suspicious evidence resulting from
the analysis actions, and 3) hypotheses regarding
potential attack events generated based on the obser-
vations.17 The analytical process of each analyst results
in an individual cyber defense SA, which includes the
perception of suspicious events, comprehension of the
tactics, techniques, and procedures used in an attack,
and prediction of the attacker’s future actions.17
Collaborative cybersecurity analysis, on the other
hand, is a progressive and iterative process where
individual analysts perform a targeted analysis, com-
municate their findings, and leverage the collective
intelligence of the team for subsequent analysis. To
accomplish team objectives, analysts continuously
share their individual Cyber SA with their team, thereby
building and updating the collective Cyber SA. Subse-
quently, each analyst reviews the collective Cyber SA,
adjusts their individual Cyber SA accordingly, and then
proceeds with their subsequent analysis. As such, col-
laborative cybersecurity analysis is fundamentally a
collaborative problem-solving process, necessitating
efficient coordination, continuous information exchange,
and clear communication.
Given that remote work may alter the communica-
tion dynamics among analysts, we have explored the
challenges cybersecurity analysts face within remote
teams using common existing communication tools, as
summarized in Table 1. To address these challenges,
organizations must comprehend analysts’ needs for
information transmission and processing in the collab-
orative problem-solving process.
Media Capability in the Collaborative
Communication Process
Cybersecurity analysts typically employ diverse commu-
nication media to disseminate potential incident findings
and collaboratively construct a collective Cyber SA. The
capabilities of the chosen media play a significant role in
influencing communication performance,4 particularly
within multicultural and remote teams.14 Certain collabo-
rative tasks may necessitate a spectrum of media capa-
bilities to support the communication processes of
remote workers.4 This is primarily because interpersonal
communication and teamwork are greatly impacted by
both synchronous (e.g., video calls) and asynchronous
(e.g., discussion forums) communication methods.2
Media synchronicity theory (MST) studies how diverse
communication media support the information process-
ing needs of individuals and teams.4 MST suggests that
September/October 2023
 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
TABLE 1. Major challenges of collaborative cybersecurity analysis in remote teams and the solutions provided by the
AOH-Map.
Challenge description
Delay in communicating findings: Cybersecurity analysts
face pressure to swiftly identify and address threats.8
Current communication methods (e.g., e-mail, phone, and
video conference) may require time to schedule and
connect, thus causing delays.
Complexity of using multiple analytic tools and data
sources: Analysts in CSOCs use a variety of analytical
and communication tools to obtain and report findings
from diverse data sources.8,10 This variation may cause
confusion and impede accurate incident reporting.
Difficulty in establishing trust and mutual understanding:
Remote teams struggle with limited interpersonal
communication, which hinders analysts’ ability to
understand report nuances and build trust in others’
information.13
Difficulty in aligning individual and team goals: Remote
teams face challenges in aligning analysts with a shared
goal.3 Beyond the limitations of the current computer-
mediated communication, analysts require tools that
promote clear communication, address disagreements,
and assign roles based on skills to meet team objectives.
different tasks necessitate varying levels of “media syn-
chronicity,” a dimension of media capability defined as
the extent to which the capabilities of a communica-
tion medium enable individuals to achieve synchronic-
ity.4 According to MST, communication involves two
critical processes: conveyance and convergence. Con-
veyance focuses on the transmission of a substantial
amount of information and subsequent retrospective
analysis, while convergence focuses on the trans-
mission of “high-level abstraction of information and
negotiation of these abstractions to existing mental
models.”4 Incorporating media capabilities that can
accommodate both processes is critical, given that cyber-
security analysis tasks demand analysts to exchange infor-
mation and collaborate to achieve a collective Cyber SA.
OUR APPROACH WITH
VISUAL TRACES
Figure 1 demonstrates how communication among
remote analysts can be enhanced by visualizing the
traces of their analytical processes. As previously men-
tioned, collaborative cybersecurity analysis requires indi-
vidual analysis and regular communication regarding
potential threat findings. The upper section of Figure 1
illustrates how individual analysts typically filter various
September/October 2023
AOH-Map’s solution
AOH-Map tracks analysts’ analytical processes in
real time, negating the need for manual reporting
of findings.
The automation enables analysts to focus on
ongoing investigations, boosting efficiency both
individually and within remote teams.
AOH-Map tracks analysts’ actions and details how
findings were obtained and their data sources.
The contextual information offers insights into
analysts’ motives for tool usage and fosters
collaboration in remote teams.
Visual representation of analysts’ analytical process
captures decision rationale.
This transparency helps analysts comprehend each
other’s findings, reducing the time needed to build
trust and mutual understanding.
AOH-Map allows analysts to operate at the
hypothesis level, linking their actions directly to the
driving hypotheses.
Interactive features, such as tagging and linking,
enhance communication clarity and minimize
misunderstandings.
It ensures alignment between individual and team
goals during investigations.
data sources to triage alerts, confirm event occurrences,
and gather pertinent evidence. These analysts acquire
findings of potential attack events through a series of
analytical operations. The traces of these operations
reflect the analysts’ analytical process, providing vital
context for their findings. Such context includes the
methods used by the analysts to reach these findings
and the supporting evidence. Hence, these traces give
other analysts a more detailed understanding of the find-
ings, delivering valuable contextual insights and deepen-
ing their comprehension.
Individual analysis traces are captured within a pre-
determined sliding time window. As each time window
concludes, these traces are automatically integrated
into a visual map, showcasing the team’s collective
analytical operation traces in real time, referred to as
the AOH-Map in Figure 1. As highlighted in Figure 1, the
communication between analysts aligns with the two
fundamental processes identified by MST:4 1) convey-
ance, during which analysts share their findings and
merge their individual Cyber SA with the team’s col-
lective Cyber SA, and 2) convergence, during which
analysts evaluate and comprehend the findings of
others to refine their own Cyber SA and plan for sub-
sequent analyses. We consider the varying needs for
IT Professional 31
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
FIGURE 1. The communication process within a team of analysts through the aid of tracing individual analysts’ analytical pro-
cesses. IDS: intrusion detection system.
information transmission and processing that analysts
encounter during these processes and discuss how
visual traces can support both the conveyance and
convergence processes.
Visual Traces
Visualizing the analysis traces in the AOH-Map is
advantageous for two main reasons. First, visualization
has been proven effective in navigating cognitive
capacity constraints when analysts deal with complex
or large datasets.6 Visual analytics is commonly
deployed to aid analysts in conveying findings regard-
ing potential attack events.1,18 Second, the traces of
analytical processes intrinsically provide the context
for findings, aligning with the concept of provenance in
visual analytics.15 Provenance includes both the analyt-
ical results (findings) and the analytical process from
data to findings.15 Concept maps are frequently associ-
ated with collaborative provenance analytics.15 Studies
suggest that utilizing advanced digital concept maps
for knowledge and information visualization can enhance
knowledge and information awareness, consequently
improving collaborative problem solving among team
members who are geographically dispersed.5 There-
fore, an interactive visual map of the traces can facili-
tate finding exchanges among analysts.
AOH-Map Framework
The AOH-Map framework, as shown in the top right
corner of Figure 2, consists of three main functional
components: tracing modules, a trace parser, and
visual map. The tracing modules chronicle each ana-
lyst’s analytical process during individual analysis.
32 IT Professional
Subsequently, the trace parser automatically translates
these traces into visual elements on the AOH-Map. For
real-time analysis, a time window is established, within
which the parser processes the incoming traces. The
time-window duration is adjustable to the team’s needs.
The AOH-Map works as an interactive concept map
designed to weave together the traces of analysts’ ana-
lytical processes. It seamlessly integrates the traces
from each team member, representing the team’s collec-
tive Cyber SA, as depicted in Figure 1. Updated by the
parser, the visual map encapsulates every recorded
visual element. In the map, nodes represent analysts’
actions, observations, and hypotheses, while edges
depict the relationships among these nodes. By default,
these relationships represent the chronological order
of the nodes, but analysts have the flexibility to manu-
ally modify the edges by linking nodes in a way that
best represents the causal relationships.
Given the need for an interactive visual map, we
identified five key user interactions integral to the
design of the AOH-Map:
Searching: Analysts can navigate through the
extensive map using keywords or regular expres-
sions, which enables the efficient location of rele-
vant information.
Highlighting: Analysts can highlight important
findings or observations and annotate them,
thereby indicating the areas they intend to
focus on in future analyses.
Linking: This empowers analysts to forge links
manually between distinct nodes. For instance,
an analyst might connect one hypothesis relating
September/October 2023
 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

FIGURE 2. The AOH-Map framework (top right) outlines system components, with a case study showing the visual map’s evolu-
tion during collaborative cybersecurity analysis among three analysts: S1, S2, and S3.

to an attack event with another, denoting a causal
relationship between two separate attack events.
Tagging: Analysts can designate tags to nodes
to indicate their priority or status. For instance,
should the certainty of a hypothesis be in
doubt, an analyst could assign a question mark
as its tag.
Merging: To maintain the clarity and concise-
ness of the map, analysts can consolidate
duplicate actions or findings into a single node.
To achieve visual traces of analytical processes
with minimal manual effort, it is crucial to implement
the AOH-Map with careful consideration of its compat-
ibility with current analysis tools. A prime example of
such a visual analytics system is an implementation
that leverages Analytical Reasoning Support for Cyber
Analysis,18 a tracing tool embedded within an analysis
application.16 This tool captures individual analysts’
analytical processes into traces by automatically log-
ging their actions and observations, while hypotheses
are captured based on self-reporting.16 These traces
could subsequently be processed by a Python-based
parser to transform them into visual elements on the
map.18 The visual map itself could be constructed using
FreeMind,a an open source mind-mapping software that
facilitates the hierarchical arrangement of nodes to
accurately represent the relationships among actions,
observations, and hypotheses. Moreover, the versatility
of the AOH-Map design allows for potential implementa-
tion with existing SIEM systems, like Splunk, which typi-
cally maintain a history of user search queries, which
could serve as traces of the analytical process.
Case Study
We use a case to illustrate how the AOH-Map can facil-
itate communication among remote analysts. Consider
a scenario where three remote analysts, denoted as S1,
S2, and S3, were assigned to examine a cyber incident.
The case under investigation revolves around a work-
station, referred to as desk, that has reportedly been
hit with a ransomware attack.
a
http://freemind.sourceforge.net/wiki/index.php

September/October 2023 IT Professional 33

SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
As illustrated in phase 1 of Figure 2, the analysts initi-
ated their investigation from different perspectives. Ana-
lyst S1 prioritized determining whether the workstation,
“desk,” had established connections with any file servers.
Upon confirmation, S1 tagged the corresponding hypoth-
esis as confirmed on the visual map. Concurrently, S2
investigated suspicious Windows Registry events and
discovered that a USB drive had been attached to
“desk.” As a result, he tagged the associated hypothesis
as confirmed on the map. S2 also hypothesized possible
connections between “desk” and file servers but didn’t
investigate it immediately. Hence, he marked this hypoth-
esis on the map as “unconfirmed.” Meanwhile, S3 decided
to explore whether “desk” had accessed any suspicious
domains on the day of the incident. Upon discovering a
potentially suspicious domain, but remaining uncertain of
its malicious nature, S3 tagged this hypothesis to indi-
cate that it requires further verification.
Following the initial analysis, the analysts consulted
the AOH-Map to understand each other’s findings, as
shown in phase 2 in Figure 2. S1 recognized that S2’s
recent hypothesis about the connection between “desk”
and other servers had already been addressed in her
analysis. To avoid redundancy, S1 merged these two
hypotheses on the map. Moreover, S1 noticed that S3’s
hypothesis concerning a suspicious domain had not yet
been verified. Consequently, S1 highlighted this hypothe-
sis on the map, indicating her intent to explore it further.
In the subsequent investigation (phase 3 in Figure 2), S3
confirmed the malicious nature of the domain and dis-
covered an image downloaded from the domain contain-
ing an embedded executable program. S3 tagged an
unconfirmed hypothesis that the executable program
could be malware and hypothesized that the infection of
“desk” by this malware could cause its connection to the
file server (a previous finding of S3’s). Consequently, S3
returned to the map and linked these two hypotheses.
During S2’s map review, S2 determined a possible
sequence of events: the connection of “desk” to a suspi-
cious domain, as discovered by S3, could have occurred
after the attachment of the USB drive to “desk.” There-
fore, S2 linked his hypothesis about the USB drive to S3’s
hypothesis concerning the suspicious domain, illustrating
a potential chain of events. Later, upon noticing S3’s dis-
covery of a suspicious executable, and with his expertise
in malware analysis, S2 highlighted the hypothesis and
proceeded to conduct a malware analysis to confirm it.
Supporting Conveyance Processes
According to MST, the conveyance process can benefit
from lower levels of media synchronicity as individuals
do not need to work together to transmit information
34 IT Professional
simultaneously.4 As illustrated by the case, the analysts
could report their findings using the AOH-Map without
composing a report or engaging in direct communication
with fellow analysts. Due to the tracing module and
parser, the process of visualizing traces is automated.
The only components requiring manual input were inter-
actions with the map, such as tagging and highlighting.
Moreover, the visual traces provide context for how
these findings were obtained. This context allows ana-
lysts to make more informed decisions regarding the
trustworthiness of the findings. For example, S1 was
able to connect her discovery of the USB drive’s
attachment to S3’s finding of “desk” visiting a suspi-
cious domain after reviewing S3’s analysis trace. Addi-
tionally, analysts could highlight others’ findings to signal
their intent for further investigation. AOH-Map’s interac-
tive functions, such as tagging, linking, and highlighting,
support retrospective analysis and assist analysts in
processing information gleaned from others’ findings.
These interactions offer a low level of media synchronic-
ity, meeting analysts’ needs for information transmission
and processing when sharing findings with the team.
Supporting Convergence Processes
In the case, S1’s detection of a suspicious image file
downloaded from a malicious domain stemmed from
S3’s investigation of the domains that “desk” had vis-
ited. Acknowledging S3’s finding allowed S1 to connect
her previous discovery of “desk” connecting to a file
server as a potential subsequent event to the suspi-
cious image download. Such instances emphasize the
importance of analysts maintaining synchronicity with
their team’s collective Cyber SA throughout their tasks.
Gathering the team’s Cyber SA represents the con-
vergence process, as highlighted in Figure 1, where
team members comprehend each other’s findings and
update their individual Cyber SA. According to MST,
higher levels of media synchronicity can enhance the
convergence process by minimizing delays and foster-
ing a shared understanding among team members.4
The case study demonstrated that the AOH-Map ena-
bles analysts to communicate and collaborate effectively
by interacting with the visual map (through highlighting,
tagging, and linking) even without real-time meetings.
Moreover, the AOH-Map can supplement synchronous
communication in virtual team discussions during regu-
lar meetings, where analysts can use the map to navi-
gate and present their findings.
Benefits and Novelty of the AOH-Map
In Table 1, we summarize how the AOH-Map addresses
the major challenges of collaborative cybersecurity
September/October 2023
 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
analysis in remote teams. The novelty of the AOH-Map
lies in its use of visual traces as a communication
medium and its capability to automate the capture of
these visual traces, which are fundamental for suc-
cessful collaborative problem solving. Even though the
current cybersecurity tools aim to facilitate collabora-
tion within teams, they are still ineffective because
they rely on analysts to report their findings and explain
associated contextual information through channels like
instant messaging and ticketing. In contrast, the visual
traces reflect individual analysts’ mental models. Through
interaction with the visual map, analysts can construct
a shared mental model, demonstrating the AOH-Map’s
unique capability to transform individual Cyber SA into
collective Cyber SA.
CONCLUSION
Our article addressed the global communication
challenges that collaborative cybersecurity analysts
encounter when working remotely, exacerbated by the
postpandemic era. To overcome these challenges, we
proposed a novel method that leverages visual traces
of analysts’ analytical processes to support various
communication processes in collaborative cybersecu-
rity analysis. By demonstrating how analysts collec-
tively construct Cyber SA with the aid of visual traces,
this article offered valuable insights for organizations
that have difficulty managing remote teams in the
postpandemic era. Although our proposed method
addresses the challenges faced by remote cybersecu-
rity analysts worldwide, we recognize the impact of cul-
tural differences on the effectiveness of the AOH-Map,
particularly in establishing trust and ensuring team
goal alignment.
REFERENCES
1. M. Angelini, N. Prigent, and G. Santucci, “Percival:
Proactive and reactive attack and response
assessment for cyber incidents using visual analytics,”
in Proc. IEEE Symp. Visualization Cyber Secur. (VizSec),
2015, pp. 1–8, doi: 10.1109/VIZSEC.2015.7312764.
2. K. Burke and L. Chidambaram, “How much bandwidth
is enough? A longitudinal examination of media
characteristics and group outcomes,” MIS Quart., vol. 23,
no. 4, pp. 557–579, Dec. 1999, doi: 10.2307/249489.
3. O.-K. Choi and E. Cho, “The mechanism of trust
affecting collaboration in virtual teams and the
moderating roles of the culture of autonomy and
task complexity,” Comput. Hum. Behav., vol. 91, no. 4,
pp. 305–315, Feb. 2019, doi: 10.1016/j.chb.2018.09.032.
4. A. R. Dennis, R. M. Fuller, and J. S. Valacich, “Media,
tasks, and communication processes: A theory of
September/October 2023
media synchronicity,” MIS Quart., vol. 32, no. 3, pp.
575–600, Sep. 2008, doi: 10.2307/25148857.
5. T. Engelmann, S.-O. Tergan, and F. W. Hesse, “Evoking
knowledge and information awareness for enhancing
computer-supported collaborative problem solving,”
J. Exp. Educ., vol. 78, no. 2, pp. 268–290, Dec. 2009,
doi: 10.1080/00220970903292850.
6. W. Huang, P. Eades, and S.-H. Hong, “Measuring
effectiveness of graph visualizations: A cognitive
load perspective,” Inf. Visualization, vol. 8, no. 3,
pp. 139–152, Sep. 2009, doi: 10.1057/ivs.2009.10.
7. “The (ISC)2 cybersecurity workforce study: A critical
need for cybersecurity professionals persists amidst a
year of cultural and workplace evolution,” (ISC)2 Inc.,
Alexandria, VA, USA, Rep. (ISC)2, 2022. [Online].
Available: https://media.isc2.org/-/media/Project/
ISC2/Main/Media/documents/research/ISC2-
Cybersecurity-Workforce-Study-2022.
pdf?rev=1bb9812a77c74e7c9042c3939678c196
8. F. B. Kokulu et al., “Matched and mismatched SOCs:
A qualitative study on security operations center
issues,” in Proc. ACM SIGSAC Conf. Comput. Commun.
Secur., 2019, pp. 1955–1970, doi: 10.1145/3319535.3354239.
9. M. Lang and L. Connolly. “Managing the cybersecurity
risks of teleworking in the post-pandemic ‘new
normal’.” SSRN. Accessed: Sep. 25, 2023. [Online].
Available: https://papers.ssrn.com/sol3/papers.
cfm?abstract_id=4146506
10. J. T. Luttgens, M. Pepe, and K. Mandia, Incident
Response & Computer Forensics. New York, NY, USA:
McGraw-Hill, 2014, pp. 45–77.
11. S. L. Marlow, C. N. Lacerenza, and E. Salas,
“Communication in virtual teams: A conceptual
framework and research agenda,” Hum. Resour.
Manage. Rev., vol. 27, no. 4, pp. 575–589, Jan. 2017,
doi: 10.1016/j.hrmr.2016.12.005.
12. J. R. Mesmer-Magnus, L. A. DeChurch, M. Jimenez-
Rodriguez, J. Wildman, and M. Shuffler, “A meta-
analytic investigation of virtuality and information
sharing in teams,” Organizational Behav. Hum. Decis.
Processes, vol. 115, no. 2, pp. 214–225, Jul. 2011,
doi: 10.1016/j.obhdp.2011.03.002.
13. S. Morrison-Smith and J. Ruiz, “Challenges and
barriers in virtual teams: A literature review,” SN Appl.
Sci., vol. 2, no. 6, pp. 1–33, May 2020, doi: 10.1007/
s42452-020-2801-5.
14. J. Schulze and S. Krumm, “The ‘virtual team player’: A
review and initial model of knowledge, skills, abilities,
and other characteristics for virtual collaboration,”
Organizational Psychol. Rev., vol. 7, no. 1, pp. 66–95,
2017, doi: 10.1177/2041386616675522.
15. K. Xu, A. Ottley, C. Walchshofer, M. Streit, R. Chang,
and J. Wenskovitch, “Survey on the analysis of user
IT Professional 35
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
interactions and visualization provenance,” Comput.
Graph. Forum, vol. 39, no. 3, pp. 757–783, Jul. 2020,
doi: 10.1111/cgf.14035.
16. C. Zhong, J. Yen, P. Liu, R. Erbacher, R. Etoty, and C.
Garneau, “ARSCA: A computer tool for tracing the
cognitive processes of cyber-attack analysis,” in Proc.
IEEE Int. Multi-Disciplinary Conf. Cogn. Methods
Situation Awareness Decis., 2015, pp. 165–171,
doi: 10.1109/COGSIMA.2015.7108193.
17. C. Zhong, J. Yen, P. Liu, R. F. Erbacher, C. Garneau,
and B. Chen, “Studying analysts’ data triage
operations in cyber defense situational analysis,” in
Proc. Theory Models Cyber Situation Awareness, 2017,
pp. 128–169, doi: 10.1007/978-3-319-61152-5_6.
18. C. Zhong, A. Alnusair, B. Sayger, A. Troxell, and J. Yao,
“AOH-map: A mind mapping system for supporting
collaborative cyber security analysis,” in Proc. IEEE
Conf. Cogn. Comput. Aspects Situation Manage.
(CogSIMA), 2019, pp. 74–80, doi: 10.1109/COGSIMA.
2019.8724159.
CHEN ZHONG is an assistant professor of cybersecurity
in the Sykes College of Business, the University of Tampa,
36 IT Professional
Tampa, FL, 33606, USA. Her current research interests include
cybersecurity analytics, intelligent systems, and explainable
artificial intelligence. Zhong received her Ph.D. degree in infor-
mation sciences and technology from The Pennsylvania State
University. Contact her at [email protected].
J. B. (JOO BAEK) KIM is an assistant professor in the Sykes
College of Business, the University of Tampa, Tampa, FL,
33606, USA. His research interests include emerging technol-
ogy and media adoption in organizations and the use of
gamification in business training/education. Kim received his
Ph.D. degree in information systems and decision sciences
from Louisiana State University. Contact him at [email protected].
ALPER YAYLA is an associate professor and the director of
the cybersecurity programs in the Sykes College of Business,
the University of Tampa, Tampa, FL, 33606, USA. His research
interests include information technology leadership and cyber-
security. Yayla received his Ph.D. degree in management infor-
mation systems from Florida Atlantic University. Contact him
at [email protected].
September/October 2023
THEME ARTICLE: SECURITY AND DATA PROTECTION DURING
THE COVID-19 PANDEMIC AND BEYOND

Ransomware Attacks of the COVID-19

Pandemic: Novel Strains, Victims, and
Threat Actors
Zubair Baig and Sri Harsha Mekala , Deakin University, Geelong, Vic, 3216, Australia
Sherali Zeadally , University of Kentucky, Lexington, KY, 40506, USA

The COVID-19 pandemic has exposed many organizational vulnerabilities to cyber

threats, with ransomware being at the top of the list. These can be attributed mainly to
consolidated accessibility as organizational vision to enable remote connectivity to their
digital resources for maintaining uninterrupted and safe business operations. During the
period 2020–2022, there was a noted and significant disparity between the demand for
IT support services to sustain remote IT operations and the level of security controls
contingent for maintaining uninterrupted and secure services over various digital
platforms. According to many studies, the number of ransomware attacks increased by
150–200% through the course of the pandemic, which caused disruptions across a wide
range of industries. We present a holistic analysis of popular ransomware attacks that
have occurred during the COVID-19 pandemic (mainly during 2020–2022) and identify
popular and novel ransomware strains that have impacted businesses.

R
ansomware is a global cyber threat. It has dis-
rupted digital services and businesses alike
with impact on human lives, reputation, finan-
ces, and service restoration abilities. Contemporary
ransomware strains are capable of circumventing intel-
ligent cybersecurity controls. During the early stages
of the COVID-19 pandemic (February–March 2020),
an exponential increase in phishing and ransomware
attacks was reported globally, with weekly attacks in
June 2020 surpassing 20,000 compared with fewer
than 2000 in the previous year.1 According to the 2022
Verizon Data Breach Investigations Report,2 the number
of ransomware incidents during 2020–2021 increased by
13% when compared to the cumulative total of the pre-
vious five years. Additionally, a survey conducted by
Sophos3 revealed that 66% of organizations experi-
enced ransomware attacks in 2021, representing a sig-
nificant increase from 37% in 2020, and indicating a 78%
rise in just one year.
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3297085
Date of current version 3 November 2023.
Notably, midsized organizations paid an average
ransom of $170,404 to retrieve their data.3 Moreover, a
CrowdStrike intelligence report4 highlighted an 82%
increase in ransomware data leaks, with instances ris-
ing from 1474 in 2020 to 2686 instances in 2021. In
2020, the average cost of ransom payments reached
$1.1 million. Furthermore, according to a report by Palo
Alto Networks,5 average ransom payments in 2021 rose
by 71%, reaching $1 million.
Figure 1 illustrates the global distribution of attack
targets during the COVID-19 pandemic for the period
March 2020 to July 2022.
Two popular attacker tactics for ransomware have
appeared during the pandemic. The first is the spray-
and-pray tactic, wherein, the adversary distributes mal-
ware (ransomware) through e-mail and malicious web
advertisements. Inadvertent victim action (of clicking
a link or downloading a payload) infects the target
device. The second approach comprises an in situ
presence of the adversary at the victim’s network to
initially chart out the organizational network topology,
and subsequently issue a data encryption command.
Such an attack entails a deep-rooted and sustained
adversarial presence in the network, possibly through

September/October 2023 Published by the IEEE Computer Society IT Professional 37

SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
FIGURE 1. Global ransomware impact during the COVID-19
pandemic.3,5
escalated privileges and persistence on the adversary’s
part.
In addition, recent advancements in ransomware
tactics, particularly the emergence of double-extortion
ransomware, involve a twofold operational approach
wherein the victim’s data are initially exfiltrated from
his or her device and subsequently offered for sale on
the dark web. Further, the stolen data are withheld as
leverage to demand a ransom.
BACKGROUND
In Alawida et al.,6 the authors presented a comprehen-
sive survey and analysis of cyberattacks during the
COVID-19 pandemic. The study examined the impact of
cyber threats on various industrial and economic sec-
tors during the period March 2020 to December 2021.
In Pranggono and Arabo,7 the authors presented
a report on cyber threat emergence during the pan-
demic. They analyzed various cyberattacks that tar-
geted various industries in the context of the COVID-19
crisis. These attacks include scams and phishing,
malware (including viruses, trojan horse, spyware, and
ransomware), and distributed denial-of-service carried
out by cybercriminals and advanced persistent threat
groups. The authors also discussed several mitigation
strategies. These include comprehensive user training
programs, deployment of virtual private networks,
implementation of multifactor authentication, network
segmentation to limit the impact of attacks, use of
antimalware software, and software update practices.
In Saleous et al.,8 the authors presented a com-
prehensive examination of attack vectors, objectives,
attacker surface, and mitigation tactics. They also dis-
cussed countermeasures such as training and aware-
ness programs, proactive network monitoring to detect
and respond to potential threats, encryption, data back-
ups, and multifactor authentication.
38 IT Professional
In Eian et al.,9 the authors proposed an artificial
intelligence (AI)-based solution that detects and miti-
gates attacks before they can infiltrate a network/
system. The proposed AI model leveraged filtering-
based machine learning for systematic scanning, verifi-
cation, filtering, and threat notifications.
Our research contributes to the field by shedding
light on the specific landscape of ransomware attacks
during the COVID-19 pandemic and serves as a foun-
dational resource for future investigations and the
deployment of proactive cybersecurity measures to
protect critical systems as well as to safeguard individ-
uals and organizations from the threats posed by ran-
somware attacks. By addressing these challenges, our
work opens avenues for further research into novel
techniques to effectively combat evolving ransomware
threats within the context of the global pandemic.
Research Contributions
We summarize the research contributions of this work
as follows:
We provide an insightful analysis of popular
ransomware strains, threat actors, and their
impact.
We discuss prevention and mitigation solutions
for securing vulnerable organizational assets
against future ransomware attacks.
Table 1 provides a mapping of ransomware strains
to geo-locations, target system types, threat actors
and impact.
RANSOMWARE STRAINS
Conti and Ryuk Ransomware
Ransomware attacks against the health-care and pub-
lic health sector comprise two notable variants of ran-
somware strains, namely, Ryuk and Conti, wherein
threat actors attack with a financial motif and adopt
malware processes such as TrickBot and BazarLoader
or BazarBackdoor.8,13 These loaders were used rigor-
ously by the threat actors as part of their cybercriminal
campaign and spread via phishing campaigns during
the pandemic. TrickBot and BazarLoader malware start
the infection chain by distributing the payload and
then deploy and execute the backdoor program from a
command-and-control server and install the malware
on the victim’s machine.
The TrickBot malware has the potential to enable
the attacker to gain access to a wide range of tools on
the victim’s machine, which is required to facilitate
malicious activities such as credential harvesting,
September/October 2023
 TABLE 1. Summary of popular ransomware attacks during the COVID-19 pandemic.

Victim Ransomware strain Sector/country Target systems Threat actor/group Impact

Brno University Defray777 Health care, Czech Microsoft PyXie IT services were shut down; unavailability of
Hospital (March 2020)10 Republic Windows/IT patient’s data; other associated hospitals were
network also impacted.
Ireland Health Service Conti HSE, Ireland Microsoft Windows Wizard spider Unavailability of patient’s data, clinical care
Executive (HSE) (Russian-based systems, and laboratory equipment; 700 GB of
(March 2021)10 attackers) data were stolen; communication channels

September/October 2023
were disrupted; the cost was approximately
$600 million to restore.
Fresenius (May 2020)11 Snake Health care, N/A N/A Patients’ details such as name, phone number,
Germany gender, date of birth, nationality, address, test
results, and doctor details were made public.
Waikato hospitals Zeppelin Health care, New Microsoft N/A Data related to patients, staff, and financial
(May 2021)12 Zealand Windows/phone information were released online (dark web); IT
lines/payroll services that control more than 600 servers
systems were shut down; laboratory services were
halted.
Benesov Hospital Emotet/TrickBot/ Health care, Czech IT services N/A Hospital services were halted; patient data
(December 2019)13 Ryuk Republic were made inaccessible; the financial loss was
$1.68 billion.
University of California, Ransomware Education, USA IT network Netwalker/MailTo Attackers gained access to a limited number of
San Francisco (phishing) servers, but not the main server; data related to
(June 2020)14 students, staff, and some information about
academic research were stolen.
Hammersmith Maze Research VPN system Maze Group COVID-19 test lab was targeted; patient data
Medical Research organization, U.K. were stolen and published on the dark web.
(March 2020)15
Cognizant (April 2020)15 Maze IT services, USA Citrix devices Maze Group Internal network was affected, including work-
from-home setups; billing and customer
services were halted; employee details such as
identity numbers, passport IDs, tax IDs, and
social security numbers were compromised; the
financial loss was $50–70 million.
Canadian COVID-19 CryCryptor Digital Services, N/A CryDroid open The operational and financial impacts, as well

IT Professional
contact tracing app Canada source ransomware as loss of data/information, were minimal.
(June 2020)16
CWT (July 2020)17 Ranger Locker Travel agency, USA IT network N/A Two terabytes of company data (financial
reports, employee e-mail addresses, salary
information, and security documents) were
stolen; the financial loss was $4.5 million.

39
N/A: not applicable; VPN: virtual private network.
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
e-mail, and data exfiltration, and deploying of ransom-
ware strains Ryuk and Conti. Once the malware has
been successfully dropped in a victim’s machine, Trick-
Bot copies itself as an executable file and often stores
itself within these Windows Operating System paths:
C:\Windows\C:\Windows\SysWoW64\C:\Users\[Username]\
AppData\Roaming\.18
BazarLoader/BazarBackdoor, on the other hand, is
an extension to TrickBot. It has become one of the
most widely used strains for deploying ransomware in
a victim’s machine. Phishing e-mails are the popular
technique for dropping these payloads onto a victim’s
machine.18
Play Ransomware
Play was first identified in 2022 and is a sophisticated
crypto virus, which is hard to trace on a victim’s
machine. Like Conti and Ryuk, the Play ransomware
deploys with the intent to establish a remote connec-
tivity between the victim and a command-and-control
server. It is reported to have been distributed via phish-
ing e-mails, fake system updates, malicious advertise-
ment links, executable files like JavaScript files, PDFs,
and Microsoft Office files. Additionally, the ransomware
gains initial access to targeted systems by exploiting
ProxyNotShell vulnerabilities in Microsoft Exchange.
Upon successful deployment of the Play variant into a
victim’s machine, it first exfiltrates data, then encrypts
files and automatically changes file extensions to be
“.PLAY.” Unlike other variants, the Play variant does
not provide regular information for victims regarding
what files are encrypted, ransom amount, and payment
instructions. A read.txt file is generated and comprises
merely an e-mail address of the attacker.19
Netwalker/MailTo Ransomware
The Netwalker ransomware strain, also referred to
as MailTo, represents a highly sophisticated Russian
ransomware group that surfaced in 2019. Notably,
this group has gained significant attention due to its
involvement in various high-profile attacks on global
organizations, including the University of California,
San Francisco; Argentina’s immigration department;
and the Toll group in Australia. This sophisticated ran-
somware strain adopts robust encryption standards
such as Rivest-Shamir-Adleman (RSA) and Advanced
Encryption Standard (AES) to render the victim’s data
inaccessible and compelling compliance with the stip-
ulated ransom payment as a means to regain access.14
The Netwalker group adheres to a multistage attack
process, beginning with the infiltration of initial access
points within the victim’s network infrastructure through
40 IT Professional
techniques such as phishing e-mails, exploit tools,
remote desktop protocol vulnerabilities, and brute-
force methods. The strain proliferates through lateral
movements, strategically identifying valuable data assets
for subsequent encryption. It follows a double-extortion
technique, whereby in addition to encrypting the victims’
data, it exfiltrates sensitive information from the com-
promised network. These illicitly obtained data are then
stored within the attacker’s infrastructure, creating a
dual threat to the victim.
Maze Ransomware
The Maze ransomware group, which emerged in 2019,
is a highly sophisticated ransomware attack group,
known for its advanced attack techniques and imple-
mentation of the double-extortion strategy. Similar to
other ransomware strains such as Netwalker, Maze fol-
lows a multistage attack process, leveraging various
entry points to gain initial access to the victim’s net-
work through phishing e-mails, vulnerabilities of remote
desktop protocol, and exploit kits.15
Notable incidents involving Maze include high-profile
attacks against renowned organizations such as Cogni-
zant and Xerox in the United States and LG Corporation
in South Korea. These attacks involved substantial ran-
som demands of approximately $70 million, illustrating
the group’s financial motivations and potential impact
on targeted entities.15
Snake Ransomware
The Snake ransomware strain, also referred to as
Ekans, first emerged in 2020 as a sophisticated form of
malware rather than a distinct ransomware group. This
strain targets critical infrastructure including manufactur-
ing, health care, smart grids, and transport networks. Its
primary objective is to infiltrate and encrypt critical files
within industrial control system environments responsi-
ble for controlling and monitoring the operational pro-
cesses in critical sectors. Notable incidents involving
the deployment of the Snake variant include attacks on
Fresenius Healthcare in Germany, Honda Motors in
Japan, and Enel Argentina, all of which entailed undis-
closed ransom demands.11
In line with other ransomware strains, the Snake ran-
somware also implements a double-extortion technique,
encompassing data exfiltration alongside the encryption
process. Rather than targeting specific files or systems,
Snake has been designed to target the entire network.
Ragnar Locker
Ragnar Locker is a ransomware strain that first emerged
in 2020 and gained popularity because of its targeted
September/October 2023
 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
approach against high-profile and large organizations.
Attacks against CWT in the United States and the
North American network of Energias de Portugal were
attributed to the Ragnar Locker ransomware strain,
where significant ransom amounts of $10 million and
$11 million, respectively, were requested.17,20 Ragnar
Locker also adopts a double-extortion technique that
encompasses data exfiltration alongside the sensitive
data or files encryption.
To gain initial access to targeted networks, Ragnar
Locker conducts meticulous reconnaissance to detect
critical assets and potential vulnerabilities. The threat
actors of the Ragnar Locker strain often exploit vulner-
abilities of the remote desktop protocol by using brute-
force methods to guess usernames and passwords,
employing stolen credentials or weak passwords, or
exploiting unpatched software. Subsequently, to do
privilege escalation within the compromised network,
the attacker exploits the CWE-2017-0213 vulnerability
in the Windows Component Object Model aggregate
Marshaler, which enables the execution of arbitrary
code with privilege escalation. In addition, it employs
robust obfuscation techniques such as deploying a
crafted virtual machine (VM) Windows XP image to the
VirtualBox VM, mapping all local drives as read and
writable into the VM to evade detection. Additionally,
the attackers terminate specific processes associated
with security tools and backup systems to hinder their
functionality.20 Moreover, it leverages Salsa20, a robust
custom encryption algorithm with custom matrix.20
CryCryptor
CryCryptor is a ransomware strain based on the open
source CryDroid ransomware variant that primarily tar-
gets Android mobile devices. The goal is to encrypt
files on Android devices and demand ransom. Notable
examples include the CryCryptor strain, which dis-
guises itself as a COVID-19 tracing app of Canadian
health-care services. The variant is usually distributed
via malicious apps or websites. Once it infiltrates a tar-
geted Android device, it elevates its privileges and
encrypts files that are stored on the device’s local
memory or external Secure Digital card with an “.enc”
extension appended to the file names.8,16
Figure 2 shows the adoption of various attacker
tactics mapped to the MITRE ATT&CK threat intelli-
gence framework.
PREVENTION AND
MITIGATION TACTICS
A shortcoming of small and medium-sized organiza-
tions is limited resourcing for safeguarding data and
September/October 2023
adoption of poor cyber hygiene practices. With proper
employee training processes and programs in place,
the level of awareness regarding attacker tactics can
be raised. The consequent upliftment of holistic organi-
zational security would help thwart adversarial attempts
to carry out phishing-based ransomware attacks. A
cybersecurity framework encompassing good cyberse-
curity governance through the involvement of higher
management in policy drafting and decision making
for all cybersecurity-related events and comprehensive
cyber risk management through employee training would
benefit an organization in safeguarding against ransom-
ware attacks.
Mitigation tactics for ransomware strains can include
system resets or reformatting to eliminate the ransom-
ware strain, recovery from the data backups in place
onto “clean” systems, and reporting of the incident to
pertinent authorities. It is a procedure that entails
restoring a computer system to its original factory set-
tings, effectively removing all existing data and soft-
ware, including the ransomware strain. This approach
serves as a means to reinstate the system’s integrity
by removing unauthorized ransomware privileges and
reverting any altered system configurations. Addition-
ally, it aids in the elimination of potential backdoors or
vulnerabilities that may have been exploited by the ran-
somware strain. According to the report by Sophos,3
data backup is the most widely used method for restor-
ing data after a ransomware attack.
Data encryption is widely recognized as a counter-
measure against ransomware attacks, offering essential
safeguards for data confidentiality, integrity, availability,
and protection against unauthorized access.6,7 Encryp-
tion not only provides data confidentiality but also ena-
bles the detection of unauthorized modifications and
tampering attempts, thus ensuring data integrity. Vari-
ous robust cryptographic encryption algorithms, includ-
ing AES, RSA, Triple Data Encryption Standard (3DES),
Elliptic Curve Cryptography (ECC), ChaCha20, and
Twofish alongside secure key management practices,
contribute to the strength of data protection against
ransomware attacks. These encryption algorithms are
designed to make it challenging for an attacker to
decrypt or gain access to the encrypted data. Accord-
ing to the report by Sophos,3 97% of organizations that
had data encrypted got their data back.
To establish a comprehensive data protection strat-
egy, it is recommended that higher management defines
minimum data confidentiality standards based on asset
and data classifications. This includes crafting policies
for data protection, proposing and analyzing best practi-
ces for data encryption, and ratifying minimum data
encryption standards. By categorizing critical data based
IT Professional 41
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

FIGURE 2. Mapping of ransomware attack stages to MITRE ATT&CK.

on risk levels, organizations can tailor their encryption
practices accordingly. For instance, low-risk data may
have optional encryption, while classified/critical data
elements should be subject to mandatory encryption
systems, adhering to minimum baseline encryption
standards, as stipulated by higher management.
Restricting the execution of programs from the
“temp” folder is another means of protection against
ransomware attacks. Typically, the initial execution
of ransomware tries to copy its malware payload to
the user’s temp folder to continue its execution.
Restricting the usage of “temp” folders such as
“C:\users\<user>\appdata\temp” and the utilization of
group policy objects and software restriction policies
will help prevent the spread of ransomware strains.
Network segmentation is a widely recommended
prevention and mitigation tactic that serves as a strong
defense mechanism against ransomware attacks. It
involves segregating the network into distinct seg-
ments, typically based on criticality, to limit the lateral

42 IT Professional September/October 2023

 SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND
movement of ransomware strains within the network.
A significant strength of network segmentation lies in
its ability to enforce access control mechanisms for
each segment.7
Network segmentation can be implemented through
a structured approach that involves identifying critical
and noncritical network assets, defining segmentation
goals, and deploying the appropriate mechanisms. To
facilitate this process, firewalls, intrusion detection sys-
tem and intrusion prevention systems, virtual local area
networks, and software-defined networking (SDN)
solutions could be leveraged. SDNs, for instance, offer
centralized monitoring and management of network
infrastructure, providing dynamic and flexible network
segmentations. By leveraging SDN controllers, organiza-
tions can establish granular segmentation policies, isolate
critical systems, and control the flow of network traffic.
A zero-trust architecture (ZTA) is increasingly use-
ful to safeguard against ransomware attacks. The
effectiveness of a ZTA solution lies in the assumption
that there is no inherent trust toward any user, device,
or network, regardless of their location or security
boundaries. In the context of ransomware attacks, ZTA
fosters security through microsegmentation of net-
works, thereby limiting the lateral movement of ran-
somware strains across the network. By implementing
strict access control and by promoting the principle of
least privilege, ZTA helps minimize the attack surface
and reduces the spread of ransomware.
Furthermore, ZTA emphasizes the adoption of mul-
tifactor authentication to strengthen security. Thus,
organizations can mitigate the risk of unauthorized
access using compromised/stolen credentials.
To address the critical aspect of data protection,
ZTA incorporates data classification and categorization
based on sensitivity levels. This enables organizations
to define appropriate access control and encryption
requirements for different types of data. Notably, it
helps leverage robust encryption algorithms comprising
AES, ECC, RSA, and 3DES to bolster data protection
against ransomware. Data loss-prevention solutions as
a proactive measure comprise ZTA solutions and help
monitor and prevent unauthorized data transfers or
critical data leakage. These solutions facilitate identifi-
cation of potential ransomware attack patterns or
activity indicative of mass data encryption and data
exfiltration.
CONCLUSION
The threat of ransomware will only aggravate over time
because of advancing adversarial capabilities, ready
access to open source ransomware tools, sophisticated
September/October 2023
ability to laterally move within a corporate network, and
protection of threat groups based in less cooperative
geojurisdictions. Although prevention is the best way to
mitigate the threat, it is imperative that a victim of the
ransomware attack prevent the spread of the malware
from the compromised machines of the network to
other vulnerable devices with due diligence by securing
a corporate network from potential lateral movement
of malicious payloads.
ACKNOWLEDGMENTS
We thank the anonymous reviewers for their valuable
comments, which helped us improve the organization,
clarity, content, and presentation of this article.
REFERENCES
1. D. Braue, “Ransomware isn’t going away, are you
ready for it?” Cyber Today, pp. 45–47, 2022.
2. “Data breach investigations report,” Verizon, pp. 1–88,
2022. [Online]. Available: https://www.verizon.com/
business/en-au/resources/reports/dbir/
3. “The state of ransomware 2023,” Sophos, pp. 1–26,
2023. [Online]. Available: https://www.sophos.com/en-
us/content/state-of-ransomware
4. “CrowdStrike 2023 global threat report,” CrowdStrike,
pp. 1–42, 2021. [Online]. Available: https://www.
crowdstrike.com/global-threat-report/
5. “2022 unit 42 incident response report,” Palo Alto
Netw., Santa Clara, CA, USA, pp. 1–42, 2022. [Online].
Available: https://start.paloaltonetworks.com/2022-
unit42-incident-response-report
6. M. Alawida, A. E. Omolara, O. I. Abiodun, and
M. Al-Rajab, “A deeper look into cybersecurity issues
in the wake of COVID-19: A survey,” J. King Saud
Univ.-Comput. Inf. Sci., vol. 34, no. 10, pp. 8176–8206,
Nov. 2022, doi: 10.1016/j.jksuci.2022.08.003.
7. B. Pranggono and A. Arabo, “COVID-19 pandemic
cybersecurity issues,” Internet Technol. Lett., vol. 4,
no. 2, Mar./Apr. 2021, Art. no. e247, doi: 10.1002/itl2.247.
8. H. Saleous et al., “COVID-19 pandemic and the
cyberthreat landscape: Research challenges and
opportunities,” Digit. Commun. Netw., vol. 9, no. 1,
pp. 211–222, Feb. 2023, doi: 10.1016/j.dcan.2022.06.005.
9. I. C. Eian, L. K. Yong, M. Y. X. Li, and Y. H. Qi, “Cyber
attacks in the era of COVID-19 and possible solution
domains,” Preprints, doi: 10.20944/preprints202009.
0630.v1.
ınsky, “Cyber
10. J. Kolouch, T. Zahradnicky, and A. Kuc
security: Lessons learned from cyber-attacks on
hospitals in the COVID-19 pandemic,” Masaryk Univ.
J. Law Technol., vol. 15, no. 2, pp. 301–341, Sep. 2021,
doi: 10.5817/MUJLT2021-2-7.
IT Professional 43
SECURITY AND DATA PROTECTION DURING THE COVID-19 PANDEMIC AND BEYOND

11. B. Krebs, “Europe’s largest private hospital operator 19. T. Meskauskas, PLAY (.PLAY) Ransomware Virus -
Fresenius hit by ransomware”, Krebs on Security, Removal and Decryption Options. (2022). PC Risk.
May 2020. [Online]. Available: https://krebsonsecurity. [Online]. Available: https://www.pcrisk.com/removal-
com/2020/05/europes-largest-private-hospital- guides/24571-play-ransomware
operator-fresenius-hit-by-ransomware/ 20. “Ragnar locker ransomware (Everything You Need to
12. “Waikato District Health Board (WDHB) incident Know),” Avertium, May 2022. [Online]. Available:
response analysis,” Tew Hatu Ora, Dec. pp. 1–51, 2022. https://explore.avertium.com/resource/ragnar-locker-
[Online]. Available: https://www.tewhatuora.govt.nz/ ransomware
publications/waikato-district-health-board-wdhb-
incident-response-analysis/
ZUBAIR BAIG is an associate professor of cybersecurity with
13. O. Filipec and D. Plasil, “The cybersecurity of
healthcare the case of the Benegov hospital hit by the School of Information Technology, Deakin University,
Ryuk ransomware, and lessons learned,” Obrana a Geelong, Vic., 3216, Australia. His research interests include
Strategie-Defence Strategy, vol. 21, no. 1, pp. 27–51, cybersecurity, integrated system security architecture, digital
Jun. 2021, doi: 10.3849/1802-7199.21.2021.01.027-052. forensics, and machine learning. Baig received his Ph.D.
14. H. Landi, “UCSF pays hackers $1.1M to regain access degree in computer science from Monash University. He is a
to medical school severs,” Fierce Healthcare, Senior Member of IEEE. Contact him at zubair.baig@deakin.
Jul. 2020. [Online]. Available: https://www. edu.au.
fiercehealthcare.com/tech/ucsf-pays-hackers-1-14m-
to-regain-access-to-medical-school-servers
SRI HARSHA MEKALA is currently pursuing his doctoral
15. D. Belair, “Maze ransomware,” Augment, Nov. 2020.
[Online]. Available: https://www.augmentt.com/ degree in cybersecurity at Deakin University, Geelong, Vic.,
security/threats/ ransomware/maze-ransomware 3216, Australia. His research interests include cybersecurity,
16. “CryCryptor ransomware,” NHS 75 Digital, Leeds, U.K., digital forensics, and the Internet of Things (IoT). Harsha
Jun. 2020. [Online]. Available: https://digital.nhs.uk/ received his master of science degree in cybersecurity from
cyber-alerts/2020/cc-3523 Deakin University. Contact him at [email protected].
17. J. Stubbs, “‘Payment sent’ - Travel giant CWT pays
$4.5 million ransom to cyber criminals,” Reuters,
SHERALI ZEADALLY is a professor in the College of Commu-
Jul. 2020. [Online]. Available: https://www.reuters.
nication and Information at the University of Kentucky, Lex-
com/article/us-cyber-cwt-ransom-idUSKCN24W25W
ington, KY, 40506, USA. His research interests include
18. “Ransomware activity targeting the healthcare
and public health sector,” Cybersecurity and cybersecurity, privacy, and computer networks. Zeadally
Infrastructure Security Agency, Arlington, VA, USA, received his Ph.D. degree in computer science from the Uni-
Nov. 2020. [Online]. Available: https://www.cisa.gov/ versity of Buckingham, England. He is a Senior Member of
news-events/cybersecurity-advisories/aa20-302a IEEE. Contact him at [email protected].

44 IT Professional September/October 2023

FEATURE ARTICLE: NETWORK SECURITY

Evaluation of Tree-Based Machine Learning

Algorithms for Network Intrusion Detection
in the Internet of Things
Mohamed Saied Essa and Shawkat Kamal Guirguis , Institute of Graduate Studies and Research,
Alexandria, 21526, Egypt

The Internet of Things (IoT) is receiving increasing attention from academia and
industry. However, improving the security of the IoT environment is critical for fostering
trust in it and contributing to its growth in the manufacturing market. This study
comparatively analyzes current methods for detecting intruders and malicious activities
in IoT networks by introducing tree-based machine learning algorithms. It presents a
research gap analysis of the current literature. Furthermore, an empirical evaluation
study is presented to explore the potential of tree-based approaches to detect intruders
in IoT networks. It compares the performance of bagging and boosting techniques in
botnet detection by conducting an extensive experimental benchmarking.

T
he Internet of Things (IoT) represents the capa-
bility of heterogeneously distributed objects such
as devices, users, gateways, services, infrastruc-
ture, and so on. The IoT is widely used in smart homes,
smart offices, automated industry, smart cities, smart
agriculture, smart transportation systems, supply chains,
smart medical care, and so on. IoT environments include
a large number of devices, most of which have limited
and heterogeneous configurations. Because of this, each
layer of the three-tier IoT environment becomes a poten-
tial target for attackers and is exposed to various security
threats. As ever more machines and smart devices are
connected to the network, IoT security vulnerabilities are
gradually increasing.
Limited resources on IoT devices create constraints
when installing traditional security software. Intrusion
detection is an essential part of network security, pro-
viding real-time protection against internal and exter-
nal attacks. The main task of intrusion detection is
to classify normal and abnormal network behavior.
Intrusion detection techniques can be divided into
three categories: signature-based, knowledge-based,
and anomaly- or behavior-based techniques. Due to
the heterogeneous nature of the IoT, signature-based
techniques are ineffective. The lack of a dedicated
anomaly detection system for such a heterogeneous
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3303919
Date of current version 3 November 2023.
and diverse network leads to much vulnerability, such
as data leakage, spoofing, denial of service (DoS), man
in the middle (MITM), energy drain, insecure gateways,
and so on.
In 2016, the United States Computer Emergency Pre-
paredness Team reported that botnet malware dis-
rupted service at a major U.S. Internet service provider.
The name of the botnet is Mirai. It caused several major
websites to be disrupted by a series of massive, distrib-
uted DoS (DDoS) attacks. It spread quickly and infected
100,000 malicious endpoints. The source code is designed
to disrupt busy box systems (often used for IoT devices)
and ultimately initiate a very large-scale DDoS.
Recently, there has been an increased focus on
building “intelligence” into defensive architectures and
leveraging machine learning (ML) techniques to clas-
sify and detect malicious traffic. To implement an
effective network intrusion detection system (NIDS),
artificial intelligence (AI) techniques are of great value.
AI techniques have great potential for building and
training models by learning traffic patterns and provid-
ing heuristic solutions for IoT environments. These
techniques are able to intelligently learn the underlying
data properties without explicitly describing normal
and malicious activities, overcoming the limitations of
traditional schemes. AI has been used for many valid
security issues in the IoT; however, this does not mean
that IoT security issues are properly addressed. Many
challenges remain in terms of the data, algorithms, and
architecture.

September/October 2023 Published by the IEEE Computer Society IT Professional 45

NETWORK SECURITY
The main contributions of this article are fourfold:
1) We examine related work on IoT network intruder
detection using tree-based ML algorithms.
2) We present a research gap analysis of related
work, pointing out strengths and weaknesses.
3) We investigate the potential of tree-based ML
methods for detecting IoT intruders by con-
ducting an empirical evaluation study.
4) We utilize a public botnet dataset of IoT devices
for models evaluation and comparison.
The remainder of this article is organized as follows.
The “Motivation” section presents the motivation for
conducting this study. The “Background” section explains
some key concepts and terms. The “Related Work” sec-
tion provides an overview of related work. The “Research
Gap Analysis” section presents a research gap analysis of
related work. The “Empirical Study” section demonstrates
the empirical investigation procedure and describes the
dataset used. The “Evaluation Results” section presents
the evaluation metrics, and conducts an empirical study
that compares the introduction of different tree-based
algorithms. The “Conclusion and Future Work” section
concludes this work.
MOTIVATION
The IoT environment has a unique nature compared to
other networks. The amount of data being transmitted
is gigantic, and digital data generated are measured
from megabytes (106) of data to geopbytes (1030).1 The
IoT environment has a crosscutting nature due to its
multidisciplinary components, which have introduced
new security challenges. Its devices are mainly designed
for functionality more than security. Diversity and het-
erogeneity make IoT systems’ security more crucial.
Moreover, most of these devices work in unattended
environments, which adds new security challenges to an
already challenging environment. Preventing IoT exploita-
tion requires adopting well-known security practices that
address the most common vulnerabilities.
It all begins with Mirai malware, the first botnet to
exploit the IoT environment. The source code of Mirai
was made available online, which led to the creation of
several other malwares (Mirai like) such as Bashlite,
also known as Gafgyt. The defenses against conven-
tional botnets can be broadly categorized as prevention,
monitoring, and response. Preventing botnet infections
is the most effective defense.
BACKGROUND
This section briefly explains some of the key concepts
and terms used in this article to help the reader under-
stand and better comprehend the article’s information.
46 IT Professional
NIDS
An NIDS is defined as a system built to monitor and
analyze network traffic to detect anomalies, intrusions,
or violations. The two main intrusion detection tech-
niques used to detect attacks in IoT systems are
signature-based (also known as misuse- or knowledge-
based) and anomaly-based (also known as behavior-
based) approaches. Sometimes they are combined to
create a hybrid detection system, but it is complex to
implement2 alongside energy and resource consump-
tion. Signature-based techniques depend on the exist-
ing threat knowledge to classify traffic as benign or
malicious, whereas anomaly-based systems rely on traf-
fic patterns to detect attacks.2 Signature-based systems
work great on existing and well-known attacks.
One of the problems with the signature-based
approach is that continuously updating the signature
database is time consuming. As the database size
increases, comparing the input against a big database
becomes a computationally expensive and time-
consuming approach. Such an approach lacks the
capability of detecting zero-day attacks. An anomaly-
based detection is the preferred approach because it
looks at benign traffic patterns and generates an
alarm, or blocks the traffic whenever an abnormal traf-
fic pattern is detected. One of the benefits of using
anomaly-based systems is that they are good at
detecting zero-day and unknown attacks but may gen-
erate high false-positive results. An anomaly-based
NIDS is one of the primary research directions that
focuses on the strong detection capabilities of large-
scale, zero-day, and unknown attacks.
ML Potential in IoT Intrusion Detection
ML is a type of AI and uses several learning algorithms
to train on data without the need for intensive pro-
gramming algorithms.3 It has been used extensively
for classification tasks. ML algorithms can be trained
to detect anomalies and patterns in IoT network data,
allowing for identification of potential security threats.
For example, it can be trained to detect abnormal
activity, such as unusual communication patterns or
unexpected data flows, which may indicate a security
breach. Furthermore, by continuously analyzing net-
work data and updating detection algorithms, it can be
used to adapt to new and evolving security threats,
improving the effectiveness of IoT network intrusion
detection over time.
Tree-Based Algorithms
Tree-based ML includes a broad family of techniques
such as decision trees (DTs), random forests (RFs), and
September/October 2023

ensemble learning (EL). They have been successfully
applied to solve challenging problems in a number of
fields.
EL refers to a group of aggregated models that
work collectively to achieve a better final prediction by
reducing bias. Bagging and boosting are two main
types of EL methods. The key difference between them
is the training method or how the trees are built and
combined. Bagging adopts parallel training, while boost-
ing adopts sequential learning.4 Both the bagging Meta
classifier (BMC) and an RF use bagging techniques to
build a full DT in parallel. The difference lies in the pre-
diction method. “F” implies averaging for the final out-
put, while the BMC implies a linear voting combination.
Gradient boosting is an extension of boosting where
the process of additively generating weak models is for-
malized as a gradient descent algorithm. The final pre-
diction is a weighted sum of all of the tree predictions.
EXtreme gradient boosting (XGB) is an implementation
of gradient-boosted DTs (GBDTs).5 It uses a boosting
technique that aggregates all the predictions from its
constituent learners in a sequential manner. In such a
way, each tree eliminates the error of its previous trees
to update the residual error.
RELATED WORK
A number of studies have been conducted for achiev-
ing efficient AI-based intrusion detection in an IoT envi-
ronment. Numerous research works have proposed
adopting the DT algorithm for network intrusion detec-
tion in an IoT environment. Bahsi et al.6 applied feature
selection to minimize the number of features to achieve
higher accuracy. They evaluated two ML methods for
classification, i.e., DT and k-nearest neighbor (KNN).
They reported that the classification accuracy of KNN
(94.97%) is less than that of DT (98.97%). They created a
simulated IoT network consisting of nine IoT devices,
including a security camera, webcam, baby monitor,
thermostat, and doorbell. The dataset contained three
labels: normal, Bashlite, and Mirai. The dataset packets
were 502,605 normal, 2,835,317 Bashlite, and 2,935,131
Mirai records. Illy et al.7 combined different ML algo-
rithms and built ensemble classifiers for intrusion detec-
tion. They adopted a DT bagging ensemble technique.
The NSL-KDD dataset8 was used for model training and
evaluation. They achieved accuracy rates of 85.81% and
84.25% for binary classification and attack classification,
respectively.
Goyal et al.9 presented an approach for detecting
botnets based on behavioral analysis. They evaluated
logistic regression (LR), support vector machines (SVMs),
artificial neural networks (ANNs), and DTs. The accuracy
September/October 2023
NETWORK SECURITY
rates were reported as 99.23%, 99.86%, and 99.74%,
respectively, while no accuracy was reported for DTs.
Chaudhary and Gupta10 presented an ML-based frame-
work for detecting DDoS attacks that works in two
phases: the detection phase and the mitigation phase.
Using Wireshark, they created a dataset by capturing the
traffic of an IoT environment consisting of PCs and Rasp-
berry Pi. It contained a total of 114,565 packets, of which
10,061 were benign. For classification, they evaluated four
algorithms: RF, SVM, LR, and DT. They reported accuracy
rates of 99.17%, 98.06%, 97.5%, and 98.34%, respectively.
Anthi et al.11 proposed a supervised approach con-
sisting of three layers for detecting and classifying
intrusions in the IoT. The system performed three main
functions. 1) It formulated a profile for the normal
behavior of each IoT device, 2) it identified malicious
packets on the network in case of an attack, and
3) then it classified the type of attack. They built a
smart home testbed consisting of eight IoT devices.
Twelve attacks were injected with four main catego-
ries, i.e., DoS, MITM, reconnaissance, and replay. To
classify unseen data, nine classifiers were selected.
The selection of classifiers was based on their classifi-
cation time, ability to support multiclass classification,
and high-dimensional feature space. The nine classi-
fiers were naïve Bayes (NB), Bayesian network, DT J48,
Zero R, One R, simple logistic, SVMs, multilayer percep-
tron (MLP), and RFs. The results showed that the DT
J48 model achieved the best performance. Reported
evaluations for the three functions of device profiling,
detecting wireless attacks, and attack type classifica-
tion were 96.2%, 90%, and 98%, respectively.
Aloqaily et al.12 adopted deep belief and DT ML
mechanisms for intrusion detection in connected vehi-
cle environments. The proposed model achieved an
accuracy rate of 99.43%. They used a simulation data-
set of 22,544 records.
Another research direction proposed the adoption
of an RF algorithm for network intrusion detection in
the IoT. Manimurugan et al.13 suggested a deep belief
model for intrusion detection in smart medical environ-
ments. They used the CICNIDS 2017 dataset.14 Their
model achieved good accuracy for a benign class
(99.37%), but unsatisfactory accuracy for anomalies.
The highest detection accuracy was for a web attack:
98.37%. Both brute force and port scan were detected
at a rate of 97.71%. The lowest accuracy rates were for
DoS/DDoS, with 96.67%, and infiltration, with 96.37%.
Alsamiri and Alsubhi15 evaluated seven ML algorithms
in terms of detecting IoT network attacks. They used
Bot-IoT10 for evaluation and implementation. The reported
highest detection accuracy rate was 99% for KNN. A
lower performance of 97% was reported for RFs, Iterative
IT Professional 47
NETWORK SECURITY
Dichotomizer 3, and adaptation boosting (ADB). Qua-
dratic discriminant analysis, MLP, and NB achieved
unsatisfactory accuracy rates of 87%, 84%, and 79%,
respectively.
Doshi et al.16 generated a labeled training dataset
consisting of benign and malicious traffic by simulating
a local network of consumer IoT devices. They used
this simulated and labeled dataset to test five different
ML classifiers, i.e., KNN, SVM with linear kernel (LSVM),
NN four-layer fully connected feedforward, DT, and RF
using Gini impurity scores. They reported that incorpo-
rating stateful features improved accuracy over state-
less features alone. For all the features, RF achieved
the highest accuracy of 99.8% and 99.5% against both
KNN and DT, respectively, and of 98.9% against NNs,
while LSVMs had the worst accuracy of 92.1%. Dwyer
et al.17 provided a Domain Name System (DNS)-based
profiling scheme to detect Mirai-like botnet activities.
Their approach depended on the contents of DNS
queries and using RF classifiers. They evaluated their
approach over real honeypot datasets and compared it
with Bayesian-based classifiers and KNN. The highest
accuracy was achieved by the RF classifier, at 99%.
Alrashdi et al.18 proposed an NIDS for the IoT in a
smart city based on the RF algorithm and extra tree. To
evaluate their model, the UNSW-NB1519 dataset was
used. They reported a detection accuracy of 99.34%
with the lowest false-positive (FP) rate. Hasan et al.20
performed a comparative implementation study to
choose the best algorithm for detecting and classifying
intrusions in the IoT. They considered LRs, SVMs, DTs,
RFs, and ANNs. They used the Pahl open source data-
set21 that contains the synthetic data of the Distributed
Smart Space Orchestration System IoT environment.
They reported that the best accuracy performance was
of RFs, with 99.4%. However, their study was not
applied to big data and other unknown problems.
Eskandari et al.22 presented an intelligent NIDS for
the IoT using lean, one-class ML algorithms. They
called their approach Passban, and it consisted of two
one-class classification techniques, i.e., iForest and a
local outlier factor. They built an IoT testbed to resem-
ble a typical smart home automation environment.
They evaluated two scenarios, i.e., an NIDS direct deploy-
ment on the IoT gateway and a separate, independent
NIDS. They evaluated it against four attacks, i.e., port
scanning, HTTP brute force, Secure Socket Shell (SSH)
brute force, and a synchronized (SYN) flood attack. The
reported detection accuracy was between 79% and 99%.
Thamilarasu et al.23 demonstrated a mobile agent-based
intrusion detection system for the medical IoT. They
simulated the topology of a hospital network on the med-
ical IoT. They trained five supervised ML algorithms, i.e.,
48 IT Professional
SVM, DT, NB, KNN, and RF. They reported unsuitable per-
formance for KNN and NB algorithms, while SVM, DT, and
RF performed well. The best reported performance was for
RF, which achieved an approximate accuracy of 100%.
A small number of studies reported the adoption of
boosting techniques for network intrusion detection in
the IoT. Alqahtani et al.24 presented an approach based
on the XGB algorithm for detecting intrusions in the
IoT. After reducing the number of features in the
N-BaIoT dataset,25 the reported accuracy in multiclass
classification was 99.97%.
Table 1 presents a comparative analysis for the pre-
vious related work in tabular form.
RESEARCH GAP ANALYSIS
After discussing previous efforts and contributions of
adopting tree-based ML algorithms for network intru-
sion detection in the IoT, this section addresses the
research gap analysis. Over the past six years, a number
of methodologies and techniques have been proposed;
however, this section analyzes the literature presented
in the “Background” section to highlight research gaps
and identify strengths and weaknesses of previous stud-
ies related to adopting tree-based ML approaches.
Lack of Using the Benchmark Dataset
Benchmarking plays an important role in improving
research. Referring to Table 1, the majority of the pre-
sented methods were tested using simulated datasets.
A few of them have been tested using standard,
well-known datasets (i.e., NSL-KDD,1 CICNIDS,26 and
UNSW-NB1519). This leads to missing a unique datum
for performance evaluation of the proposed approaches.
As each of them depends on a different simulated data-
set, the reported high accuracy values cannot be consid-
ered when benchmarking with other approaches.
Lack of Adopting Boosting-Based
Approaches
However, most of the previous studies adopted bagging-
based tree approaches such as RF algorithms for intru-
sion detection in IoT networks, and only a small number
of the previous studies reported extending this area
by evaluating several boosting-based algorithms. Con-
sidering the potential for boosting-based techniques
to reduce the models’ residual error, more attention
should be directed toward studying their implementa-
tion for detecting intrusions in the IoT.
Lack of Evidence of Reported Results
Most of the surveyed studies reported high accuracy
rates for their approaches, but no evidence of such
September/October 2023
 TABLE 1. Comparative analysis for the related work.

Number of Number of Accuracy

September/October 2023
Algorithm Author Reference Year Dataset features Objective classes (%)
[6]
DT Bahsi et al. 2018 Simulated 10 Reduce dimensionality of ML-based IoT Three 98.97
botnet detection
[7]
DT (BE) Illy et al. 2019 NSL-KDD 38 Securing fog to things Five 85.81
[9]
DT Goyal et al. 2019 Simulated Three Detecting botnets based on behavioral Two 87.15
analysis in the IoT
[10]
DT Chaudhary and 2019 Simulated N/A DDoS detection in the IoT Two 98.34
Gupta
[11]
DT (J48) Anthi et al. 2019 Simulated 121 Intrusion detection in the smart medical IoT Two 99
121 four 98
[12]
DT Aloqaily et al. 2019 NSL-KDD 122 NIDS in connected vehicles Five 99.43
[13]
DT Manimurugan et al. 2020 CICNIDS 80 NIDS in the smart medical IoT Six 98.37
[16]
RF Doshi et al. 2017 Simulated 11 DDoS detection in the IoT Two 99.8
[17]
RF Dwyer et al. 2018 Real dataset Six Profiling IoT botnet traffic using the DNS Five 99
[10]
RF Chaudhary and 2019 Simulated N/A DDoS detection in the IoT Two 99.17
Gupta
[18]
RF þ ET Alrashdi et al. 2019 UNSW-NB15 49 NIDS for the IoT Two 99.34
[20]
RF Hasan et al. 2019 Pahl 13 Intrusion detection and classifying in the IoT Eight 99.4
[22]
RF Eskandari et al. 2020 Simulated 24 NIDS for the IoT Five 99
[23]
RF Thamilarasu et al. 2020 Simulated N/A NIDS for the medical IoT Two 100
[24]
XGB Alqahtani et al. 2020 N-BaIoT Three IoT botnet attack detection Three 99.96
BE: bagging ensemble; ET: extra tree; N/A: not applicable.

IT Professional
49
NETWORK SECURITY
NETWORK SECURITY

TABLE 2. Attack descriptions.

Attack Subattack Subattack description

ACK It sends flood of acknowledgment
SCAN It scans automatically for vulnerabilities

Mirai SYN It sends flood of synchronize packet

UDP It sends UDP flooding
Plain UDP It sends UDP flooding with fewer options for higher packets rates
COMBO It sends spam data
It opens network connection to specified IP address and specified port
JUNK It sends spam data
Gafgyt SCAN It scans for vulnerabilities
TCP It sends flooding of TCP requests
UDP It sends flooding of UDP requests
IP: Internet Protocol; UDP: User Datagram Protocol.

values was presented. A few studies presented the
implementation of their approaches in shared reposito-
ries. Sharing the implementation can provide evidence
of the reported values and give other researchers the
chance to check and improve.
EMPIRICAL STUDY
This study investigates the performance of adopting
several tree-based algorithms for detecting IoT attacks.
The detection algorithms are evaluated using the most
recent standard dataset of IoT networks, along with dif-
ferent types of attacks.
Attack Modeling
This empirical study employed IoT botnet attacks, i.e.,
Gafgyt and Mirai. These two attacks are considered
the two most common IoT botnet attacks.
They attack IoT devices and turn them into a
network of remotely controlled bots, called a botnet.
Gafgyt is a DDoS attack. It is developed using C pro-
gramming for infecting Linux systems and designed to
easily cross compile to various computer architec-
tures. It is also known as Bashlite, Bashdoor, Q-Bot,
Torlus, Lizard Stresser, and Lizkebab.
Supported by a built-in dictionary of common user-
names and passwords, it propagates by brute forcing
default credentials of devices with open telnet ports. It
uses a client–server model for command and control.
If the default credentials combo is unchanged, it
can login to the device and infect it. It allows targeting
of a network prefix or multiple addresses in a single
attack. Both attacks disable the victim’s IoT device’s
telnet and SSH services. The attacks executed by
botnets include scanning, which can discover vulnera-
ble devices; flooding, which makes use of SYN,
acknowledgment, User Datagram Protocol, and TCP
flooding; and combo attacks, which open connections
and send junk data. Table 2 describes the subattacks
of each.
Dataset Description
This section describes the dataset used in the experi-
ments. The N-BaIoT25 dataset was selected for training
and evaluation purposes as it is widely accepted as a
benchmark sequential dataset. It contains realistic net-
work traffic and a variety of attack traffic. It was col-
lected by gathering the traffic of nine commercially IoT
devices authentically infected by Mirai and Bashlite
malware. The devices were two smart doorbells, one
smart thermostat, one smart baby monitor, four secu-
rity cameras, and one webcam. The traffic was cap-
tured when the devices were in normal execution and
after infection with malware. The traffic was captured
using a network-sniffing utility in a raw network traffic
packet capture format. This can be achieved through
port mirroring. Five features were extracted from the
network traffic, as abstracted in Table 3. Three or more
statistical measures were computed for each of these
five features for data aggregation, resulting in a total of
23 features. These 23 distinct features were computed
over five separate time windows (100 ms, 500 ms, 1.5 s,
10 s, and 1 min), as demonstrated in Figure 1. Using
time windows makes this dataset appropriate for
stateful IDS, resulting in total of 115 features.
N-BaIoT contains instances of network traffic data
divided into three categories: normal traffic (benign

50 IT Professional September/October 2023

 TABLE 3. Dataset attribute information.

September/October 2023
Stream characteristics
(statistical aggregation functions)
Stream Stream Variance/
aggregation aggregation standard Correlation Time
designation description Weight Mean deviation Magnitude Radius Covariance coefficient Count frame Features
H Host-source   Variance x x x x Three Five 15
IP
MI Host-source   Variance x x x x Three Five 15
IP þ MAC
HH Host-to-host   Std Dev     7 Five 35
channel
(source IP to
destination
IP)
HH_Jit Host-to-host   Variance x x x x Three Five 15
channel
jitter
HP HP Host-port-to-   Std Dev     7 Five 35
host port
channel (IP
þ socket)
Total traffic 23 Tot. 115
characteristics features
IP: Internet Protocol; MAC: media access control; Std Dev: standard deviation.

IT Professional
51
NETWORK SECURITY
NETWORK SECURITY

FIGURE 1. Feature extraction. L1: level one; L2: level 2; L3: level 3; L4: level 4; L5: level 5; H: host-source Internet Protocol; MI: host-
source Internet Protocol þ media access control; HH: host-to-host channel; HH_Jit: host-to-host channel jitter; HP HP: host-port-
to-host-port channel.

data), Bashlite-infected traffic, and Mirai-infected traf-
fic. Each data instance consists of 115 features repre-
sented by 23 different traffic characteristics in five
different time frames. Table 3 presents an abstracted
demonstration of the dataset’s attribute information.
Figure 2 shows the data exploration for the dataset col-
lected by three labeled types, i.e., benign, Mirai, and
Gafgyt. Figure 3 shows the dataset’s individual distribu-
tion of 10 malware classes in addition to the benign
traffic.
Model Implementation and Parameters
This study considers six tree-based algorithms for
empirical evaluation: DT, RF, BMC, ADB, gradient
descent boosting (GDB), and XGB. The experiments
are conducted in a Colab interactive notebook environ-
ment. For the sake of providing an evidence-based
evaluation, the project, along with the datasets, have
been uploaded to and shared on Kagglea and GitHub.b
All the configured parameters for each model are pre-
sented in Table 4. The number of estimators is the
most critical parameter for all tree-based algorithms
a
https://github.com/MohamedSaiedEssa/TreeBasedIoTNIDS
b
https://www.kaggle.com/MohamedSaiedEssa/TreeBasedIoTNIDS
because it represents the number of trees to be used.
By increasing this number, it will directly improve the
algorithm’s accuracy while also increasing the model’s
time complexity. For a fair evaluation, the number of
estimators is set to 100 for all algorithms.
EVALUATION RESULTS
This section explains the confusion matrix and the
evaluation metrics used for comparison. The evalua-
tion results are then presented, and a further discus-
sion is conducted.
Confusion Matrix
The confusion matrix is used to visualize the perfor-
mance of a classification technique. It is a table that is
often used to describe the performance on a set of
test data. It allows for easy identification of confusion
between classes. The classification is evaluated through
four indicators that are used to calculate other perfor-
mance measures:
True positives: packets are predicted as mali-
cious, and their ground truth is malicious.
True negatives: packets are predicted as benign,
and their ground truth is benign.

52 IT Professional September/October 2023

 NETWORK SECURITY

FIGURE 2. Dataset exploration.

False positives: packets are predicted as mali- Four metrics are widely used for evaluating ML
cious, while their ground truth is benign. models: accuracy, precision, recall, F1 score, and specif-
False negatives: packets are predicted as benign, icity. These four measurements are defined through
while their ground truth is malicious. the following equations, respectively:
TP þ TN
A successful detection requires correct attack identifi- Accuracy ¼
TP þ TN þ FP þ FN
cation while minimizing the number of false alarms.
TP
Precision ¼
TP þ FP
Evaluation Metrics
To perform a comprehensive performance assessment TP
Recall ðSensitivityÞ ¼
and objective evaluation, several metrics are addressed TP þ FN
to indicate how the model performs. Accuracy alone is 2  Precision  Recall
F1 Score ¼ :
not sufficient for an imbalanced dataset. Precision þ Recall

FIGURE 3. Distribution of packets for each class.

September/October 2023 IT Professional 53

NETWORK SECURITY

TABLE 4. Models’ parameters.

Predicting
Model Parameter Value

time (s)

1.58

0.69
0.95
3.62
1.37
0.1
criterion gini
splitter best
DT min_sample_split 2
min_sample_leaf 1
random_state 0

Training
estimator DTClassifier

time (s)

427.58
59.06

504.89
360.14

480.41
2307.51
BMC n_estimators 100
random_state 0
criterion gini
n_estimators 100
RF min_sample_split 2
min_sample_leaf 1

0.999982

0.999969
0.999963

0.999968
0.999945

0.999981

0.999892
F1 Score
0.999941
0.999941

0.999914
0.999914
0.999891
random_state 0
learning rate 0.1
ADB n_estimators 100
random_state 0
n_estimators 100
GDB random_state 0

0.999963

0.999946
0.999945

0.999945

0.999945
0.999982
0.999937

0.999882
0.999783
0.999991
Recall
eval_metric mlog_loss

1
XGB n_estimators 100
random_state 0
GDB: gradient descent boosting.
Precision

0.999964
0.999946

0.999946

0.999946
0.999936

0.999945
0.999883
0.999784
The goal is to maximize all measurements, which 0.999981

0.99999
1

1
range from zero toone1. Higher values correspond to
better classification performance.
For a further fair comparison, a computational cost
analysis is conducted. This analysis includes the follow-
ing measurements:
Accuracy

0.999982
0.999964

0.999968

0.999892
0.999941

0.999914
Training time: Training time is the time it takes
to build the model from the training data. Train-
ing time depends on the size of the dataset,
complexity of the algorithm, and the available
resources. For a fair evaluation, the same train-
Malicious
Malicious

Malicious

Malicious

Malicious

Malicious
Benign
Benign

Benign

Benign

Benign

Benign
Class

ing set is used for all models and the same

resources are used. Thus, training time repre-
sents only the complexity of an algorithm.
Prediction time: Prediction time is the time it
takes to make predictions using the trained
model. It represents an indication about the
Classifier

BMC

GDB
ADB

XGB

performance of the model in runtime and how

DT

RF
TABLE 5. Evaluation results.

quickly the intrusion will be detected.

Empirical Study
Technique

In this empirical study, the six tree-based algorithms

Boosting
Bagging

are evaluated for binary classification of network traffic

as either benign or malicious traffic. As the selected
DT

dataset contains an imbalanced data set when

54 IT Professional September/October 2023


collecting the 10 malicious classes, a subset of the
dataset is selected to form a balanced binary-labeled
dataset. All the benign traffic is considered to contain
555,932 instances.
The remaining malicious traffic datasets are merged
into two collective subsets, i.e., Mirai and Gafgyt, then
randomly shuffled, with half of the benign number of
instances selected from each of them. In this way, the
total number of instances in the malicious subset
equals the benign instances, representing a balanced
dataset of 1,111,864 total instances. The six algorithms
are fitted with the formed dataset. The performance
evaluation metrics identified in the “Evaluation Metrics”
section are calculated and documented in Table 5.
Discussion
The empirical evaluation results showed significant
potential for the tree-based ML algorithms in detecting
network intrusions in IoT environments. The RF algo-
rithm achieved the best performance, with an accuracy
rate of 0.999982. It achieved the highest results in all
other measures. Figure 4 shows its confusion matrix.
The GDB algorithm showed the longest training time
due to it not supporting multithreading. The XGB algo-
rithm, an implementation of GDB, supports multithreading.
CONCLUSION AND FUTURE WORK
This article presented an empirical evaluation for adopt-
ing ML tree-based algorithms for detecting network
intrusions in the IoT. Six tree-based ML algorithms were
implemented and tested using the well-known N-BaIoT
dataset for benchmarking. The results demonstrated
the significant potential of tree-based ML algorithms.
FIGURE 4. Confusion matrix for an RF classifier.
September/October 2023
NETWORK SECURITY
The best performance was achieved using the RF algo-
rithm (accuracy rate of 0.999982) and relatively reason-
able training and predicting times.
There are several potential areas for future research
in IoT intrusion detection considering the capabilities
provided by edge AI. Edge computing is an enabling
technology that enhances IoT security performance by
introducing edge AI. By enabling AI algorithms to run on
the edge, edge AI technology opens future research
directions and challenges. To prevent attacks in real
time, edge AI algorithms need to be fast and accurate.
Future research could focus on developing edge AI algo-
rithms that can quickly detect and respond to attacks in
real time without compromising performance.
REFERENCES
1. M. Almiani, A. Abughazleh, A. Al-Rahayfeh, S. Atiewi,
and A. Razaque, “Deep recurrent neural network for
IoT intrusion detection system,” Simul. Model. Pract.
Theory, vol. 101, May 2020, Art. no. 102031, doi: 10.1016/
j.simpat.2019.102031.
2. M. Dimolianis, G. S. Member, A. Pavlidis, and
V. Maglaris, “Signature-based traffic classification
and mitigation for DDoS attacks using programmable
network data planes,” IEEE Access, vol. 9,
pp. 113,061–113,076, Aug. 2021, doi: 10.1109/ACCESS.
2021.3104115.
3. J. Alzubi, A. Nayyar, and A. Kumar, “Machine learning
from theory to algorithms: An overview,” J. Phys.
Conf. Ser., vol. 1142, Dec. 2018, Art. no. 012012,
doi: 10.1088/1742-6596/1142/1/012012.
4. C. Bente jac, A. Cso
€ rgo
} , and G. Martınez,
“A comparative analysis of gradient boosting
algorithms,” Artif. Intell. Rev., vol. 54, no. 3, pp. 1937–1967,
Mar. 2021, doi: 10.1007/s10462-020-09896-5.
5. “XGBoost introduction.” Pythongeeks. Accessed:
Jul. 17, 2023. [Online]. Available: https://pythongeeks.
org/xgboost-introduction/
6. H. Bahsi, S. Nomm, and F. B. La Torre, “Dimensionality
reduction for machine learning based IoT botnet
detection,” in Proc. 15th Int. Conf. Contr., Automat.,
Robot. Vision (ICARCV), 2018, pp. 1857–1862,
doi: 10.1109/ICARCV.2018.8581205.
7. P. Illy, G. Kaddoum, C. M. Moreira, K. Kaur, and
S. Garg, “Securing fog-to-things environment using
intrusion detection system based on ensemble
learning,” in Proc. IEEE Wireless Commun. Netw. Conf.,
2019, pp. 1–7, doi: 10.1109/WCNC.2019.8885534.
8. “NSL-KDD dataset,” University of New Brunswick,
Fredericton, NB, Canada, 2009. Accessed: Jul. 30,
2023. [Online]. Available: https://www.unb.ca/cic/
datasets/nsl.html
IT Professional 55
NETWORK SECURITY
9. M. Goyal, I. Sahoo, and G. Geethakumari, “HTTP
botnet detection in IOT devices using network traffic
analysis,” in Proc. Int. Conf. Recent Adv. Energy-
Efficient Comput. Commun. (ICRAECC), 2019, pp. 1–6,
doi: 10.1109/ICRAECC43874.2019.8995160.
10. P. Chaudhary and B. B. Gupta, “DDoS detection
framework in resource constrained Internet of Things
domain,” in Proc. IEEE 8th Global Conf. Consum.
Electron. (GCCE), 2019, pp. 675–678, doi: 10.1109/
GCCE46687.2019.9015465.
11. E. Anthi, L. Williams, M. Słowi, G. Theodorakopoulos,
and P. Burnap, “A supervised intrusion detection
system for smart home IoT devices,” IEEE Internet
Things J., vol. 6, no. 5, pp. 9042–9053, Oct. 2019,
doi: 10.1109/JIOT.2019.2926365.
12. M. Aloqaily, S. Otoum, I. A. Ridhawi, and Y. Jararweh,
“An intrusion detection system for connected
vehicles in smart cities,” Ad Hoc Netw., vol. 90,
Jul. 2019, Art. no. 101842, doi: 10.1016/j.adhoc.2019.02.001.
13. S. Manimurugan, S. Al-Mutairi, M. Aborokbah, N.
Chilamkurti, S. Ganesan, and R. Patan, “Effective
attack detection in internet of medical things smart
environment using a deep belief neural network,”
IEEE Access, vol. 8, pp. 77,396–77,404, Apr. 2020,
doi: 10.1109/ACCESS.2020.2986013.
14. D. Stiawan, M. Yazid, and A. M. Bamhdi, “CICIDS-2017
dataset feature analysis with information gain for
anomaly detection,” IEEE Access, vol. 8, pp. 132,911–132,921,
Jul. 2020, doi: 10.1109/ACCESS.2020.3009843.
15. J. Alsamiri and K. Alsubhi, “Internet of Things cyber
attacks detection using machine learning,” Int. J. Adv.
Comput. Sci. Appl., vol. 10, no. 12, pp. 627–634,
Jan. 2019.
16. R. Doshi, N. Apthorpe, and N. Feamster, “Machine
learning DDoS detection for consumer Internet of
Things devices,” in Proc. Deep Learn. Secur. Workshop
(DLS), 2018, pp. 29–35, doi: 10.1109/SPW.2018.00013.
17. O. P. Dwyer, A. K. Marnerides, V. Giotsas, and
T. Mursch, “Profiling IoT-based botnet traffic
using DNS,” in Proc. IEEE Global Commun. Conf.
(GLOBECOM), 2018, pp. 1–6, doi: 10.1109/
GLOBECOM38437.2019.9014300.
18. I. Alrashdi, A. Alqazzaz, E. Aloufi, R. Alharthi, M.
Zohdy, and H. Ming, “AD-IoT: Anomaly detection of
IoT cyberattacks in smart city using machine
learning,” in Proc. IEEE 9th Annu. Comput. Commun.
Work. Conf., 2019, pp. 305–310, doi: 10.1109/CCWC.
2019.8666450.
19. N. Moustafa and J. Slay, “UNSW-NB15: A
comprehensive data set for network intrusion
detection systems (UNSW-NB15 Network Data Set),”
in Proc. Mil. Commun. Inf. Syst. Conf. (MilCIS), 2015,
pp. 1–6, doi: 10.1109/MilCIS.2015.7348942.
56 IT Professional
20. M. Hasan, M. M. Islam, M. I. I. Zarif, and M. M. A.
Hashem, “Attack and anomaly detection in IoT
sensors in IoT sites using machine learning
approaches,” Internet Things, vol. 7, Sep. 2019,
Art. no. 100059, doi: 10.1016/j.iot.2019.100059.
21. F.-X. A. M.-O. Pahl. “DS2OS traffic traces.” Kaggle.
Accessed: Jun. 20, 2023. [Online]. Available:
https://www.kaggle.com/datasets/francoisxa/
ds2ostraffictraces
22. M. Eskandari, Z. H. Janjua, M. Vecchio, and F.
Antonelli, “Passban IDS: An intelligent anomaly-based
intrusion detection system for IoT edge devices,”
IEEE Internet Things J., vol. 7, no. 8, pp. 6882–6897,
Aug. 2020, doi: 10.1109/JIOT.2020.2970501.
23. G. Thamilarasu, A. Odesile, and A. Hoang, “An
intrusion detection system for Internet of Medical
Things,” IEEE Access, vol. 8, pp. 181,560–181,576,
Sep. 2020, doi: 10.1109/ACCESS.2020.3026260.
24. M. Alqahtani, H. Mathkour, and M. M. Ben Ismail,
“IoT botnet attack detection based on optimized
extreme gradient boosting and feature selection,”
Sensors, vol. 20, no. 21, Nov. 2020, Art. no. 6336,
doi: 10.3390/s20216336.
25. Y. Meidan et al., “N-BaIoT: Network-based detection
of IoT botnet attacks using deep autoencoders,” IEEE
Pervasive Comput., vol. 17, no. 3, pp. 12–22, Jul./Sep.
2018, doi: 10.1109/MPRV.2018.03367731.
26. R. Panigrahi and S. Borah, “A detailed analysis
of CICIDS2017 dataset for designing intrusion
detection systems,” Int. J. Eng. Technol., vol. 7, no. 3,
pp. 479–482, Jan. 2018.
MOHAMED SAIED is a Ph.D. candidate in information tech-
nology in the Department of Information Technology, the
Institute of Graduate Studies and Research, Alexandria Uni-
versity, Alexandria, 21526, Egypt, and is the automation man-
ager of EZDK Steel Company, Alexandria, 21537, Egypt. His
research interests include software engineering, software
flexibility, and artificial intelligence. Saied received his M.Sc.
degree in information technology from the Institute of Grad-
uate Studies and Research, Alexandria University. Contact
him at [email protected].
SHAWKAT KAMAL GUIRGUIS is a professor of computer
science and informatics in the Department of Information
Technology, the Institute of Graduate Studies and Research,
Alexandria University, Alexandria, 21526, Egypt. His research
interests include computer networks, information security,
and databases. Shawkat received his Ph.D. degree in elec-
tronics and communication from the University of London.
Contact him at [email protected].
September/October 2023
FEATURE ARTICLE: MACHINE LEARNING

Misinformation Detection Using

Deep Learning
Michail Tsikerdekis , Western Washington University, Bellingham, WA, 98225, USA
Sherali Zeadally , University of Kentucky, Lexington, Kentucky, 40506, USA

In recent years, we have witnessed growing interest in using deep learning to detect
misinformation. This increased attention is being driven by deep learning technologies’
ability to accurately detect this misinformation. However, there is a diverse array of
content that can be considered misinformation, such as fake news and satire. Similarly,
in the field of deep learning, there are several architectures with variable efficacy
depending on the context and data involved. This study aims to highlight the various
types of misinformation attacks and deep learning architectures that are used to detect
them. Based on our selection of the recent literature, we present a classification of deep
learning approaches and their relative effectiveness in detecting misinformation, along
with their limitations in terms of accuracy as well as computational overhead. Finally,
we discuss some challenges and limitations that arise FROM the use of deep learning
architectures in misinformation detection.

M
isinformation detection research has been
on the rise over the past decade, yet misin-
formation is still prevalent today on the Inter-
net. Most recent efforts have focused on automation
to easily detect misinformation and compensate for
the inability of employees by companies to deal with
the large volumes of data that are being generated on
the Internet. Machine learning, and in particular, deep
learning solutions, have shown promise in tackling mis-
information issues.8 Yet, several years of research have
demonstrated high accuracy in misinformation detec-
tion and revealed that the problem is not monolithic in
nature. Attacks such as fake news, satire, and hate
news can be classified as misinformation, yet the
intent and effect differ for each one of these examples.
As such, the effectiveness of deep learning approaches
may vary depending on the misinformation that it aims
to detect. In fact, many studies develop, train, and use
deep learning methods to detect misinformation con-
tent by using binary labels (e.g., fake or not fake text).6
The outcome is that assumptions are made about the
accuracy of deep learning models that may not reflect
reality, such as effectiveness in real-world application
and portability across social media platforms.
In this article, we discuss the various types of misin-
formation and highlight representative cases of deep
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3314752
Date of current version 3 November 2023.
learning models associated with different types of mis-
information detection. In particular, although larger
survey articles have focused on providing an exhaus-
tive list of research efforts and results, this article aims
to provide a succinct representative critical review of
the existing direction of misinformation detection and
provide possible recommendations for future research
in the area. We organize the rest of the article as fol-
lows. The “Definition” section provides an overview of
the various types of misinformation as defined in the
literature. In the “Deep Learning Approaches” section,
we present the deep learning approaches that have
been used to detect different types of misinformation
and highlight their strengths and weaknesses. Finally,
in the “Challenges and Opportunities” section, we
identify some challenges and opportunities for future
research in the domain of misinformation detection
using deep learning.
DEFINITION
Misinformation can be defined as a variant of other-
wise content deception. Proper communication involves
a sender S that transmits a message M over a commu-
nication channel C to a recipient R:21 The sender and
receiver utilize functions fðtÞ and dðM 0 , eÞ so that the
lossless function fðtÞ ¼ M and dðM, eÞ ¼ t, where t is
some truth, e is a person’s bias, and M is an encoded
message form for t: Rarely does a receiver not possess
a bias, so t can potentially be distorted to td , a distorted

September/October 2023 Published by the IEEE Computer Society IT Professional 57

MACHINE LEARNING
truth, the degree of which may vary depending on the
bias. Other instances that can result in td is when the
original t is not used and a generated (altered) version is
used instead t0 by S (e.g., completely fake content and
otherwise not based on any truth), or when the lossless
function f is replaced by a lossy function g when
encoding the message (i.e., skewed the original truth).
Manipulation of the following process leads to several
categories of misinformation, from which intent can
often be attributed. That is, some misinformation has
malicious intent, while in other cases it is meant to be
benign. For example, a study15 used different types of
misinformation but did not formally clarify how the
attacker would generate each type of misinformation.
Thus, in this article, we elaborate more on this aspect
and fit these categories in the aforementioned defini-
tion that we provided in the previous paragraph. Later
in this section, we elaborate on the existing classifica-
tion as well as provide our revised classification for
misinformation attacks.
The study15 released a dataset that was labeled
based on multiple categories, the origin of which was
from a heuristically crafted typology posted on a blog
from Claire Wardle. The original categories were satire,
false connection, misleading content, false context,
imposter content, manipulated content, and fabricated
content. Some of these can be identical to others
based on the definitions provided earlier, while others
can be distinctly different. Satire can alter t, replace g
with f or expect a recipient’s e to influence the decod-
ing process of a message. A combination of these
can also be used to achieve satire. However, these
approaches exist in multiple other classifications of
misinformation. For example, false connection misin-
formation, where there exists a mismatch between the
content (e.g., the text and the image do not reflect the
same truth), can be achieved by using g: In other words,
it is not necessary to alter the truth or rely on the recipi-
ent’s bias to achieve the delivery of misinformation.
A similar approach is used with false context, where
g is used to misrepresent otherwise true information in
a biased manner. Manipulated content also utilizes g in
such a way that the truth t is distorted. The recipient’s
bias ðeÞ may also influence the effectiveness of such
misinformation. In contrast, misleading content mixes
elements of the original truth along with an altered
truth such that t  t0 : Imposter content utilizes a fake
truth t0 but utilizes a function g so that it mimics a cred-
ible source. Based on a person’s bias e, the fake truth
will be accepted as legitimate. Finally, fabricate con-
tent uses a fake truth t0 but does not otherwise rely on
a specialized function to encode the message or the
recipient’s bias. It is worth pointing out that there exist
further categories such as extreme bias and hate
news, which can also be categorized as misinformation.
58 IT Professional
We posit that these can be fitted into the referenced
classifications mentioned previously. For example,
extreme bias can be fitted under the manipulated
content category and hate news under the false con-
text category.
The definitions mentioned earlier demonstrate the
variety of approaches to generate misinformation and
that the aforementioned categories are not uniform in
their application. Further, their purpose focuses more
on explaining intent, which is difficult to measure in
practice. Additional aspects can also be subjective,
such as the cost to the victim as well as to the
attacker. Therefore, for the purposes of matching the
effectiveness of deep learning as a defensive strategy,
we focus on classifying the following misinformation
attacks into corresponding larger categories based on
how the attacker achieves the specific misinformation
attack:
Generated content: This misinformation attack
focuses on cases where primarily the truth t is
manipulated. It includes fabricated content and
misleading content.
Altered content: This misinformation attack focuses
on cases where the function g is the primary
means for the attack. It includes manipulated
content, false context, and false connection.
Hybrid approach: This misinformation attack
focuses on utilizing various approaches between
the encoding function g, truth t, and even a per-
son’s bias e: It includes satire and imposter content.
DEEP LEARNING APPROACHES
The definition of deep learning varies slightly in the lit-
erature, but deep learning models are effectively neural
network models.18 In turn, neural network models can
be divided into discriminative and generative. Discrimi-
native models utilize a bottom-up approach, where
input flows through several hidden layers and onto an
output layer. They are used in classification and regres-
sion problems and the data must be labeled (i.e., super-
vised learning). On the other hand, generative models
utilize a top-down approach for unsupervised prob-
lems, pretraining and probabilistic distribution prob-
lems. In the literature, a third category, hybrid models,
are meant for classification problems and primarily uti-
lize discriminative models, but assist them through
data generated by generative models.3 However, the
categories we mentioned earlier are too broad, so
often in the literature these categories are further
expanded.
There are several feedforward neural network archi-
tectures such as convolutional neural networks (CNNs),
September/October 2023

autoencoders, adversarial networks, and restricted
Boltzmann machines (RBMs). Further architectures
include recurrent neural networks (RNNs), radial
basis function (RBF) neural networks, and Kohonen
self-organizing neural networks.18 Feedforward neural
networks consist of one-directional flow models and
can be unsupervised as well as supervised. In con-
trast, RNNs have a cyclical flow where the output
feeds into the input and are supervised. RBF neural
networks operate similarly to feedforward neural net-
works, with the main difference being the utilization
of an RBF (i.e., a Gaussian function). They can operate
in either a supervised or unsupervised manner. Koho-
nen self-organizing neural networks focus on unsu-
pervised problems to self-organize the input data.
They are primarily used for reducing the dimensional-
ity of data.
MISINFORMATION DETECTION
USING DEEP LEARNING
For the purposes of our analysis, we collected a repre-
sentative nonexhaustive sample of research studies
that made use of the different deep learning architec-
tures in misinformation detection. The selection was
made based on the deep learning architectures that
were used in each paper, and the most relevant results
retrieved from Google Scholar formed the basis for the
sample that we used. In the next step of the selection
process, we retained the most representative articles
for each deep learning architecture. We examined
them in conjunction with the datasets that were used,
especially in relation to the type of misinformation con-
tent that they attempted to detect. Table 1 summarizes
our critical review of the methods based on how they
have been used in the current literature. We also pre-
sent the associated computational requirement for
each architecture. We did this qualitatively because
the time complexity for architectures differs depending
on the deep learning parameters, complexity of the
model, and data as well as the implementation. Finally,
we also provide our interpretation of effectiveness
TABLE 1. Deep learning architectures and associated papers, data, and relative computational overhead.
Works on
Deep learning Requires small
architecture labeled data datasets
CNN Yes Yes
RNN No Unknown
Autoencoder* No Yes
Adversarial network* No Yes
RBM* No Yes
*Often combined with other models (e.g., CNNs); the computational overhead depends on the complexity and combination of models.
September/October 2023
MACHINE LEARNING
related to the use of these techniques in detecting dif-
ferent misinformation content.
CNNs
Numerous studies have utilized feedforward neural
network techniques in misinformation detection. For
example, a study utilized CNNs as a means to both
identify features and in turn identify fake news.10 The
accuracy of fake news detection on benchmarked
datasets was 98%. Similarly, several other studies have
also utilized CNNs and demonstrated high detection
accuracy (higher than 94%) for fake news.12,14,24 Such
studies involved binary classification and the datasets
comprise mainly generated content. The focus of these
models is on identifying fake content through lexical
features, and consequently, given the lack of any meta-
data, they are unable to be used as tools for identifying
altered content or mixed-approach misinformation.
However, studies that utilize CNNs to detect altered
content can be found in cases where different commu-
nication modalities may exist. For example, one recent
study has demonstrated the use of regions with CNN
models to detect altered images.28 The approach yielded
higher than 90% accuracy in detecting altered images in
the NIST16 dataset, part of the Open Media Forensics
Challenge provided by the National Institute of Stand-
ards and Technology.
Another study also combined text and image train-
ing at the same time to identify altered content using
a proposed text and image information-based CNN
approach.29 The study not only demonstrated high
detection rates (F1 was 0.921), but it also showed that
CNN approaches that focused on just images or text
were inferior to methods that combined the two. In
addition, the datasets contain mixed content of misin-
formation (i.e., both altered and generated content in
images or text), showing the potential for such a
method, when used appropriately, to detect a large
variety of misinformation. CNNs tend to be highly effi-
cient to train. Depending on their configuration, they
can have a linear time complexity. Due to their
Generated Altered
Works on Computational content content
short texts requirements efficacy efficacy
Limited Medium Medium Medium
Unknown High Medium Medium
Yes Low High High
Yes High High High
Yes High High High
IT Professional 59
MACHINE LEARNING
feedforward nature and lack of backpropagation, they
are also not as memory intensive as other deep learn-
ing methods (e.g., RNNs). The data used by most of
the studies presented in this section include publicly
available datasets that increase the reproducibility of
results. The studies used a combination of large as well
as small datasets and one study included the use of
short texts (tweets).
RNNs
The primary architecture utilized under this type of
deep learning network is long short-term memory
(LSTM). The use of such an architecture on its own is
rare because it does not yield high detection accuracy.
For example, a study that used LSTM on text yielded
accuracy comparable to just using CNNs.29 Deep,
stacked LSTM networks yield much higher accuracy,
especially when multiple word-embedding techniques
are used on a text.17 However, such techniques per-
form well when layers of CNNs and LSTM are com-
bined. One such study16 applied such a combination to
binary text classification with variable success. In one
dataset, the hybrid model of a CNN and LSTM per-
formed as well as the two models separately (although
all cases had F1 scores above 0.98), whereas in another
dataset, the hybrid model performed better than the
stand-alone CNN and LSTM approaches.
All of the approaches mentioned previously were
applied to misinformation that was generated content
or did not include other metadata to determine whether
part of the text has a basis on true text. LSTM is primarily
used for detecting altered content in manipulated
images. Studies have demonstrated higher accuracy
results with LSTM over other methods, especially
compared to nondeep learning approaches. For exam-
ple, a study1 has shown accuracy rates between 70%
and 80% for a variety of existing forged-image datasets
(e.g., NIST16). Uses for detecting a false connection
(altered content) also exist. In one study,22 articles with
unrelated titles and article contents were detected
with 97.8% accuracy using a combination of a CNN and
LSTM. It is worth pointing out that the computational
overhead of LSTM, along with the higher number of
parameters that need to be configured, make it a com-
putationally expensive solution compared to its coun-
terparts. Studies that utilized this technique used large,
publicly available datasets. Their performance for short
texts or small datasets is unknown because they were
not used in any of the studies. Reproducibility remains
high because the datasets are publicly available.
Autoencoders
The deep learning architectures mentioned previously
often require a large set of labeled data to detect
60 IT Professional
misinformation. As a result, some researchers have
proposed approaches to misinformation detection that
use unsupervised deep learning architectures. Autoen-
coders often require much fewer data than their super-
vised counterparts. A study13 on fake news detection
has demonstrated that autoencoder use is viable and
can often perform better than a technique such as
CNNs in detecting fake news. In particular, the study
trained its models on real Twitter and Weibo posts,
with no fakes included in the training. Fake cases were
only used during the testing phase, where the efficacy
of the approach was measured. Another study11 that
utilized autoencoders on images also demonstrated
that the method can be highly effective in detecting
altered content, such as altering people’s faces using
deepfake approaches.
Given that autoencoders work similarly to anomaly
detection approaches, the likelihood of identifying devi-
ations from the norms make them good candidates for
detecting both generated and altered content. Further,
autoencoders are, to some degree, similar to CNNs,
and therefore their computational cost is relatively low
compared to other deep learning methods. However,
unsupervised learning often requires larger datasets
compared to supervised learning, and that is also true
for the aforementioned studies. As a method, autoen-
coders are also used for pretraining of unlabeled data,
which are then passed to other supervised deep learn-
ing networks (e.g., CNNs). The studies in this category
used small, publicly available datasets. The use of short
texts yielded high accuracy, although it was domain
specific (e.g., Twitter and Weibo). Given the public nature
of datasets, reproducibility for all these studies is con-
venient for future researchers.
Adversarial Networks
Adversarial networks are the primary approach for
generating fake videos and images (otherwise called
deepfakes). In particular, generative adversarial net-
works (GANs) are designed so that a generator and
discriminator component interact to produce better
generated images that the discriminator component
cannot distinguish from untampered content.27 How-
ever, the same technique can be used in an unsuper-
vised manner to improve the detection of content that
appears to deviate from some baseline (i.e., anomaly
detection). One study utilized an event adversarial neu-
ral network to detect fake news on Twitter and Weibo
datasets.25 These studies demonstrate that GANs are
an effective approach in detecting fake images, com-
pared with RNNs.
In general, given the ability to perform in nonlabeled
datasets, the technique can detect generated and
altered content more effectively than other supervised
techniques. It is also an area where limited research
September/October 2023

now exists, but the potential for using a GAN architec-
ture for misinformation detection has been highlighted
in the literature.2 The computational requirements are
higher for training adversarial networks because a gen-
erator and discriminator model needs to be trained.
Thus, they may not be an ideal or affordable solution
for all misinformation detection contexts. These stud-
ies used smaller datasets focused on shorter texts
(e.g., tweets). It could be a challenge to reproduce the
aforementioned studies because the datasets are not
available directly as an application programming inter-
face (API) must be used. Moreover, the data may have
been deleted since the studies were conducted.
RBMs
The use of RBMs in fake news detection is another
underutilized deep learning architecture. One recent
work7 that made use of RBMs for detecting hate
speech on Twitter has demonstrated that RBMs can
be used to pretrain word vectors before they can be
passed on to other hidden layers in a deep learning
model. The results obtained with RBMs against tradi-
tional machine learning architectures (e.g., random for-
est) have demonstrated a higher accuracy for the RBM
neural network architecture. As with other unsuper-
vised approaches, RBMs can be effective in detecting
generated as well as altered content. In particular, the
stochastic nature of the architecture can help uncover
hidden features that a deterministic architecture, such
as autoencoders, may not. However, an RBM’s stochas-
tic nature, which is due to sampling via Markov chains,
makes RBMs more expensive to train compared to
other deep learning approaches. The work in this cate-
gory utilized small datasets and focused on short texts.
Our primary concern is in terms of reproducibility
because custom data, which were retrieved using a
Twitter API, were used. These data may have been
altered or deleted since the study was conducted.
CHALLENGES AND
OPPORTUNITIES
We identified a few challenges and opportunities dur-
ing the review of the current literature on misinforma-
tion detection. These include dataset considerations,
underutilized deep learning architectures, lack of simu-
lations, and policy and regulatory considerations. We
discuss these next.
Dataset Considerations
Many studies on misinformation detection utilize the
same datasets to demonstrate their efficacy. For
example, the Kaggle dataset consists of reliable and
unreliable news articles, a binary classification, and pri-
marily consists of generated content (i.e., completely
September/October 2023
MACHINE LEARNING
manufactured misinformation).9 The McIntire dataset
is similar to Kaggle and focuses on fake news and
primarily generated content. Similarly, the FakeNews
dataset focuses on just content and no associated
metadata, where the misinformation is generated con-
tent. Finally, the WELFake dataset was funded by the
European Commission and consists of an aggregate of
multiple datasets such as Kaggle and McIntire, among
others.23 The purpose was to make a larger dataset
that can aid in the prevention of overfitting of classi-
fiers. However, the labels are binary and consist of gen-
erated content. Even in cases where we may be looking
at altered content (i.e., a mix of truth and lie), there is no
associated metadata to help train the classifier in iden-
tifying such metadata. Further, the classification of mis-
information is based solely on lexical features.
A better example of a useful, publicly available
dataset that we found that has been used in misinfor-
mation detection was the PolitiFact LIAR dataset.4 It
uses text to identify the degree of a lie, with six levels
of identification regarding the credibility of the text.
This opens the possibilities of enabling the creation of
new deep learning models that can understand the
egregiousness of misinformation, as opposed to just a
binary classification of whether something is or is not
misinformation. We posit that new, complex datasets
must be created and made available for the deep learn-
ing misinformation detection field to advance and
become more accurate. At present, only trivial gains
are being made with each new study that applies a
new model on these existing datasets.
Underutilized Deep Learning
Architectures
There are some underutilized deep learning architec-
tures used in misinformation classification studies.
Such architectures include RBFs and a Kohonen self-
organizing neural network. However, studies that uti-
lize these models for misinformation detection are
limited. For example, an RBF was used in conjunction
with support vector machines with a relatively high
success rate by Song et al.19 and Wang et al.26 The
deep learning variant of an RBF neural network was
also used for classification, but no noteworthy example
uses can be found in the literature for misinformation
detection. Similarly, to date, a Kohonen self-organizing
neural network has not been used in the domain of misin-
formation detection. These examples highlight a research
gap that exists in this area as well as a missed oppor-
tunity to identify how these perform in this domain.
Lack of Simulations
Although most studies divide the datasets into training
and testing, to estimate the real-world efficacy for their
IT Professional 61
MACHINE LEARNING
models, the parameters that generated the data per-
sist across the separate datasets. This could lead to
erroneous conclusions, such as that a model may be
perceived to be universally effective, when in practice
it is expected to be effective for only the datasets on
which it was trained. In other cybersecurity domains,
studies utilize simulated datasets to generate previ-
ously unseen, seemingly random data. Misinformation
studies have not made use of simulated data to com-
plement existing findings and validate their detection
accuracy. We must develop novel methods that can
generate such data as well as the use of such data in
misinformation detection.
Policy and Regulations
There are ethical limitations to the use of artificial intel-
ligence as well as regulatory limitations that influence
its implementation. For example, the European Group
on Ethics in Science and New Technologies includes in
its ethics data protection and privacy. The use of large
volumes of data, as is often required from deep learn-
ing approaches, may conflict with such guidelines.
Beyond that, regulatory requirements may limit the use
of data, even in the presence of sufficient anonymiza-
tion. For example, German law provides the user with a
lot more control, not just on their data but also the sys-
tems and networks where their data reside.5 However,
although many social platforms are international, there
is no true transnational law that identifies when the
use of data in deep learning is permitted and when
they cannot be used. In practical terms, misinformation
detection appears to be limited and limiting itself due
to such data restrictions. For example, most of the
studies that we reviewed in this work utilized highly
focused content irrespective of the associated meta-
data regarding the author of such content and the
author’s behavior on social platforms. Yet, past studies
have shown that such behavioral data are effective in
increasing deception detection rates.20 A coordinated
effort toward enabling the use of such data in models
can further increase accuracy rates.
CONCLUSION
In this study, our focus was to provide a comprehen-
sive description of misinformation attacks and an over-
view of recent deep learning architectures utilized for
detecting misinformation across different categories
on social platforms. We examined their effectiveness
and computational requirements as well as the chal-
lenges they pose and potential research prospects in
this domain. These aspects underscore the necessity
for continued investigation in this area, where the com-
plexities of misinformation intersect with the capabili-
ties of deep learning.
62 IT Professional
ACKNOWLEDGMENTS
We thank the anonymous reviewers for their valuable
comments, which helped us improve the quality and
presentation of this article.
REFERENCES
1. J. H. Bappy, C. Simons, L. Nataraj, B. S. Manjunath,
and A. K. Roy-Chowdhury, “Hybrid LSTM and
encoder–decoder architecture for detection of image
forgeries,” IEEE Trans. Image Process., vol. 28, no. 7,
pp. 3286–3300, Jul. 2019, doi: 10.1109/TIP.2019.
2895466.
2. S. Cresci, M. Petrocchi, A. Spognardi, and S. Tognazzi,
“Adversarial machine learning for protecting against
online manipulation,” IEEE Internet Comput., vol. 26,
no. 2, pp. 47–52, Mar./Apr. 2022, doi: 10.1109/MIC.2021.
3130380.
3. L. Deng, “Three classes of deep learning architectures
and their applications: A tutorial survey,” APSIPA
Trans. Signal Inf. Process., vol. 57, pp. 1–28, Jan. 2012.
4. S. Garg, and D. K. Sharma, “New politifact: A dataset
for counterfeit news,” in Proc. 9th Int. Conf. Syst.
Model. Adv. Res. Trends (SMART), 2020, pp. 17–22,
doi: 10.1109/SMART50582.2020.9337152.
5. W. Hoffmann-Riem, “Artificial intelligence as a
challenge for law and regulation,” in Regulating
Artificial Intelligence, T. Wischmeyer and T.
Rademacher, Eds. New York, NY, USA: Springer-
Verlag, 2020, pp. 1–29.
, E.-S. Apostol, and A. Paschke,
6. V.-I. Ilie, C.-O. Truica
“Context-aware misinformation detection: A
benchmark of deep learning architectures using word
embeddings,” IEEE Access, vol. 9, pp. 162,122–162,146,
Dec. 2021, doi: 10.1109/ACCESS.2021.3132502.
7. A. I. Hendry, D. H. Fredy Manongga, and R.-C. Chen,
“Mining public opinion on radicalism in social media
via sentiment analysis,” Int. J. Innovative Comput.,
Inf. Control, vol. 16, no. 5, pp. 1787–1800, Oct. 2020,
doi: 10.24507/ijicic.16.05.1787.
8. M. R. Islam, S. Liu, X. Wang, and G. Xu, “Deep learning
for misinformation detection on online social
networks: A survey and new perspectives,” Social
Netw. Anal. Mining, vol. 10, no. 1, p. 82, 2020,
doi: 10.1007/s13278-020-00696-x.
9. N. Islam et al., “Ternion: An autonomous model for
fake news detection,” Appl. Sci., vol. 11, no. 19, 2021,
Art. no. 9292, doi: 10.3390/app11199292.
10. R. Kumar Kaliyar, A. Goswami, P. Narang, and S.
Sinha, “FNDNet – A deep convolutional neural
network for fake news detection,” Cogn. Syst. Res.,
vol. 61, pp. 32–44, Jun. 2020, doi: 10.1016/j.cogsys.2019.
12.005.
September/October 2023

11. H. Khalid, and S. S. Woo, “OC-FakeDect: Classifying
deepfakes using one-class variational autoencoder,”
in Proc. IEEE/CVF Conf. Comput. Vis. Pattern Recognit.
Workshops (CVPRW), 2020, pp. 2794–2803, doi: 10.
1109/CVPRW50498.2020.00336.
12. M. Z. Khan, and O. H. Alhazmi, “Study and analysis of
unreliable news based on content acquired using
ensemble learning (Prevalence of Fake News on
Social Media),” Int. J. Syst. Assurance Eng. Manage.,
vol. 11, no. S2, pp. 145–153, 2020, doi: 10.1007/s13198-
020-01016-4.
13. D. Li, H. Guo, Z. Wang, and Z. Zheng, “Unsupervised
fake news detection based on autoencoder,” IEEE
Access, vol. 9, pp. 29,356–29,365, Feb. 2021, doi: 10.
1109/ACCESS.2021.3058809.
14. M. Mersinias, S. Afantenos, and G. Chalkiadakis, “CLFD:
A novel vectorization technique and its application in
fake news detection,” in Proc. 12th Lang. Resour. Eval.
Conf. (LREC), 2020, pp. 3475–3483.
15. K. Nakamura, S. Levy, and W. Y. Wang, “Fakeddit:
A new multimodal benchmark dataset for fine-
grained fake news detection,” in Proc. 12th Lang.
Resour. Eval. Conf., 2020, pp. 6149–6157.
16. J. A. Nasir, O. Subhani Khan, and I. Varlamis, “Fake
news detection: A hybrid CNN-RNN based deep
learning approach,” Int. J. Inf. Manage. Data Insights,
vol. 1, no. 1, 2021, Art. no. 100007, doi: 10.1016/j.jjimei.
2020.100007.
17. P. K. Roy, A. K. Tripathy, T.-H. Weng, and K.-C. Li,
“Securing social platform from misinformation using
deep learning,” Comput. Standards Interfaces, vol. 84,
Mar. 2023, Art. no. 103674, doi: 10.1016/j.csi.2022.103674.
18. A. Shrestha, and A. Mahmood, “Review of deep
learning algorithms and architectures,” IEEE Access,
vol. 7, pp. 53,040–53,065, Apr. 2019, doi: 10.1109/
ACCESS.2019.2912200.
19. C. Song, K. Shu, and B. Wu, “Temporally evolving
graph neural network for fake news detection,” Inf.
Process. Manage., vol. 58, no. 6, 2021, Art. no. 102712,
doi: 10.1016/j.ipm.2021.102712.
20. M. Tsikerdekis, and S. Zeadally, “Multiple account
identity deception detection in social media using
nonverbal behavior,” IEEE Trans. Inf. Forensics
Security, vol. 9, no. 8, pp. 1311–1321, Aug. 2014,
doi: 10.1109/TIFS.2014.2332820.
21. M. Tsikerdekis, and S. Zeadally, “Detecting online
content deception,” IT Prof., vol. 22, no. 2, pp. 35–44,
Mar./Apr. 2020, doi: 10.1109/MITP.2019.2961638.
22. M. Umer, Z. Imtiaz, S. Ullah, A. Mehmood, G. S. Choi,
and B.-W. On, “Fake news stance detection using
deep learning architecture (CNN-LSTM),” IEEE Access,
vol. 8, pp. 156,695–156,706, Aug. 2020, doi: 10.1109/
ACCESS.2020.3019735.
September/October 2023
MACHINE LEARNING
23. P. K. Verma, P. Agrawal, I. Amorim, and R. Prodan,
“WELFAKE: Word embedding over linguistic features
for fake news detection,” IEEE Trans. Computat.
Social Syst., vol. 8, no. 4, pp. 881–893, Aug. 2021,
doi: 10.1109/TCSS.2021.3068519.
24. P. K. Verma, P. Agrawal, V. Madaan, and R. Prodan,
“MCred: Multi-modal message credibility for fake
news detection using BERT and CNN,” J. Ambient
Intell. Humanized Comput., vol. 14, no. 8, pp.
10,617–10,629, 2022, doi: 10.1007/s12652-022-04338-2.
25. Y. Wang et al., “EANN: Event adversarial neural
networks for multi-modal fake news detection,” in
Proc. 24th ACM SIGKDD Int. Conf. Knowl. Discovery
Data Mining, 2018, pp. 849–857, doi: 10.1145/3219819.
3219903.
26. Z. Wang, Z. Yin, and Y. A. Argyris, “Detecting medical
misinformation on social media using multimodal
deep learning,” IEEE J. Biomed. Health Inform., vol. 25,
no. 6, pp. 2193–2203, Jun. 2021, doi: 10.1109/JBHI.2020.
3037027.
27. D. Yadav and S. Salmani, “Deepfake: A survey on
facial forgery technique using generative adversarial
network,” in Proc. Int. Conf. Intell. Comput. Control
Syst. (ICCS), 2019, pp. 852–857, doi: 10.1109/ICCS45141.
2019.9065881.
28. C. Yang, H. Li, F. Lin, B. Jiang, and H. Zhao, “Constrained
R-CNN: A general image manipulation detection
model,” in Proc. IEEE Int. Conf. Multimedia Expo (ICME),
2020, pp. 1–6, doi: 10.1109/ICME46284.2020.9102825.
29. Y. Yang, L. Zheng, J. Zhang, Q. Cui, Z. Li, and P. S. Yu,
“TI-CNN: Convolutional neural networks for fake
news detection,” 2018, arXiv:1806.00749.
MICHAIL TSIKERDEKIS is an associate professor with the
Computer Science Department, Western Washington Univer-
sity, Bellingham, WA, 98225, USA. His research interests
include deception, data mining, and cybersecurity. Tsikerdekis
received his Ph.D. degree in informatics from Masaryk Uni-
versity, Czechia. He is a Senior Member of IEEE. Contact
him at [email protected].
SHERALI ZEADALLY is a university research professor at
the University of Kentucky, Lexington, Kentucky, 40506, USA,
and the University of Kentucky Alumni Association Endowed
Professor. His research interests include cybersecurity, pri-
vacy, and the Internet of Things. Zeadally received his doc-
toral degree in computer science from the University of
Buckingham, England. He is a Senior Member of IEEE and a
fellow of the British Computer Society and the Institution
of Engineering Technology. Contact him at szeadally@
uky.edu.
IT Professional 63
 EDITOR: Irena Bojanova,

[email protected]

DEPARTMENT: CYBERSECURITY

Labeling Software Security Vulnerabilities

Irena Bojanova , NIST, Gaithersburg, MD, 20899, USA
John J. Guerrerio , Dartmouth College, Hanover, NH, 03755, USA

Labeling software security vulnerabilities would greatly benefit modern AI cybersecurity

research. The National Vulnerability Database (NVD) partially achieves this via
assignment of Common Weakness Enumeration (CWE) entries to Common
Vulnerabilities and Exposures (CVE) entries. In this work, we explore utilization of the
Bugs Framework (BF) formalism for systematic and comprehensive CVE labeling. We
specify all memory-related CWEs via BF weaknesses and examine the suitability of these
formalisms to describe the corresponding CVEs mapped by NVD. We also identify
similarities and overlaps in CWEs that introduce ambiguities in NVD assignments.

T
here are more than 228,000 (as of August 2023)
publicly disclosed cybersecurity vulnerabilities
in the Common Vulnerabilities and Exposures
(CVE)1 repository—more than 25,000 documented in
2022 alone. Systematic labeling of this huge set of soft-
ware security vulnerabilities would enable advances in
modern AI cybersecurity research (e.g., Malzahn et al.2).
The current state of the art are the National Vulnerabil-
ity Database (NVD)3 mappings of CVEs to Common
Weakness Enumeration (CWE) entries and assign-
ments of CVE severity scores according to the Com-
mon Vulnerability Scoring System (CVSS)4. However,
deeper analysis of the CWE entries shows that many
are overly specific, ambiguous, or overlapping, compli-
cating the CWE–CVE assignment.
The Bugs Framework (BF)5 formalism ensures pre-
cise descriptions of software security vulnerabilities6,
which is instrumental in gaining a deeper understand-
ing of the CVEs. The existing NVD mappings, although
flawed, offer an opportunity to gain high-level insights
1520-9202 © 2023 Crown Copyright
©Digital Object Identifier 10.1109/MITP.2023.3314368
Date of current version 3 November 2023.
Disclaimer: Certain equipment, instruments, software, or
materials, commercial or noncommercial, are identified in
this paper to specify the experimental procedure adequately.
Such identification is not intended to imply recommendation
or endorsement of any product or service by NIST, nor is it
intended to imply that the materials or equipment identified
are necessarily the best available for the purpose.
into the CVEs through the CWEs. Mapping the CWEs to
BF and then using the NVD CWE–CVE assignments
allows us to take advantage of BF’s formal model in the
context of the CVEs. This application of BF can capture
the primary concepts (e.g., recurrent operations and
consequences) expressed by the overwhelming num-
ber of CVEs and ultimately inform an automated label-
ing approach based on machine learning (ML). We can
learn, for example, that thousands of CVEs relate to
erroneous read, while there are none relating to errone-
ous reallocate. The CWE–BF mappings also provide for-
mal BF descriptions that at least partially fit many
CVEs, which can aid in their annotation.
BF’s formalism allows us to specify each CWE as a
(cause, operation, consequence) BF weakness or a
chain of BF weaknesses.6 These specifications reveal
the underlying tacit model of the CWEs and allow us to
identify similarities and overlaps in the CWE. The latter
are part of the issues that introduce ambiguities into
the CWE to CVE assignments.
This work is our first exploration of utilizing
BF–CWE–CVE mappings to specify/label CVEs via BF.
We focus on memory-related CWEs, as there are a vast
number of memory-related CVEs corresponding to a
relatively small number of memory-related CWEs. We
specify them via BF weaknesses and examine the suit-
ability of these formalisms to describe corresponding
CVEs. We also discuss identified similarities and over-
laps among the CWEs, elucidating the NVD’s and the
security community’s struggles with assigning CWEs
to CVEs.

64 IT Professional Published by the IEEE Computer Society September/October 2023


FORMALIZING MEMORY-RELATED
CWEs VIA BF WEAKNESSES OR
CHAINS OF BF WEAKNESSES
CWE and BF both classify weaknesses; however, as
a formal model, BF has the ability to make the tacit
CWE model of memory-related software weaknesses
explicit. We employ the BF formal representation of
weaknesses as (cause, operation, consequence) tri-
ples, the BF vulnerability model,6 and the BF Memory
Bugs taxonomy.7 Specifically, we use the Memory Cor-
ruption/Disclosure (_MEM) BF class type, consisting of
three BF classes: the Memory Addressing (MAD) class
deals with the initialization, repositioning, or reassign-
ment of pointers; the Memory Management (MMN)
class deals with erroneous allocation, deallocation,
resizing, or reallocation of an object; and the Memory
Use (MUS) class deals with the initialization, reading,
writing, and clearing of an object.
The CWEs’ webpages mostly consist of textual
paragraphs (i.e., the description, extended description,
explanations of code snippets, etc.). Many distinct
phrases across CWEs have nearly identical meanings,
the paragraphs themselves could be interpreted differ-
ently, and there is no guarantee a CWE description has
all of the necessary information to fully understand the
corresponding weakness. As an Left-to-right Leftmost-
derivation One-symbol-lookahead (LL1) grammar,6 BF
inherently lacks ambiguity, and its cause–operation–
consequence structure means it is guaranteed to fully
describe a software weakness or a vulnerability. Thus,
BF can clarify and supplement the CWE entries.
We identified 60 memory-related CWEs used for
labeling CVEs, starting from the CWE to BF class
mappings introduced in Bojanova and Galhardo.7 We
updated these mappings by BF class operation and
created a (cause, operation, consequence)-based BF
description for each of these CWEs by deeply analyzing
its description, extended description, common conse-
quences, demonstrative code examples, and observed
CVE examples.
In total, the memory-related CWEs map to 48
distinct BF chains formed by the identified BF (bug,
operation, error) and/or (fault, operation, error)
weakness triples.6 Thirty-seven of these BF chains map
to a single CWE, and 11 map to more than one CWE.
The 60 CWE-BF mappings are depicted in Tables 1, 2,
and 3. Table 1 shows CWEs with entirely different BF
descriptions. Tables 2 and 3 show CWEs that have simi-
larities in terms of BF. More specifically, Table 2 shows
groups of CWEs that have the same causing chain, and
Table 3 shows groups of CWEs that have identical BF
descriptions. Note that we omit the BF class names
September/October 2023
CYBERSECURITY
when describing the weakness triples, as BF classes
are orthogonal by operation. For example, for CWE-562
(Erroneous Code, Reassign, Wild Pointer) is the same
as (Erroneous Code, MAD Reassign, Wild Pointer).
For CWE-823, CWE-400, and CWE-1325, we were
able to identify multiple distinct BF chains (shown
bulleted in Table 1). As each CWE entry is supposed
to describe only a single weakness, the existence of
CWEs that describe multiple distinct weaknesses high-
lights overlaps within the CWE.
Many CWEs provide information about preceding
weaknesses that we formalize into BF chains of weak-
nesses. As a result, some BF specifications contain
causing weakness operations from non-memory-related
BF classes—see, for example, Verify and Calculate for
CWE-823 and Coerce for CWE-843 in Table 1. The first
operation is from the Input/Output Check BF class type
(_INP), and the second two are from the Data Type
(_DAT) BF class type.5 As another example, CWE-126
ostensibly describes a buffer overread weakness. How-
ever, it also describes an erroneous calculation leading
to an incorrect pointer reposition. These three weak-
nesses form the (Erroneous Code, Calculate, Wrong
Result) ! (Wrong Index, Reposition, Overbounds
Pointer) ! (Overbounds Pointer, Read, Buffer Over
Read) BF chain.
MEMORY-RELATED CWE
SIMILARITIES AND OVERLAPS
VIA BF SPECIFICATIONS
There are three groups of memory-related CWEs (see
Table 2) that share one or more of the same BF weak-
ness triples, causing a different BF weakness triple. For
example, CWE-127, CWE-786, and CWE-124 all begin
with (Erroneous Code, Calculate, Wrong Result), which
causes (Wrong Index, Reposition, Under Bounds Pointer).
This identical causal chain leads to three different main
BF weakness triples for CWE-127, CWE-786, and CWE-
124, which properly distinguish the three entries.
There are also 11 groups of memory-related CWEs
(see Table 3) with the same BF weakness or chain of
weaknesses, suggesting areas of repetition or overlap
within the CWE.
For example, CWE-401 describes a memory leak
due to an allocated object with no references, while
CWE-771 describes erroneous removal of all references
to an allocated object. However, these weaknesses are
quite similar, as the erroneous removal of all references
to an allocated object in CWE-771 causes the memory
leak described by CWE-401, and the state described
by CWE-401 is created by the Reassign operations
described by CWE-771. In BF terms, these CWE entries
IT Professional 65
CYBERSECURITY

TABLE 1. Memory-related CWEs with different BF weaknesses/chains of weaknesses.

CWE ID BF (cause, operation, consequence) Triple(s)

655 (Missing Code/Erroneous Code, Initialize Object, Uninitialized Object)
466 (n/a, Initialize Pointer/Reposition, Over Bounds Pointer/Under Bounds Pointer)
587 (Hard Coded Address, Initialize/Reassign, Wild Pointer)
(Missing Code, Verify, Wrong Value) ! (Wrong Index, Reposition, Over Bounds Pointer)
823
(Erroneous Code, Calculate, Wrong Result) ! (Wrong Index, Reposition, Over Bounds Pointer)
562 (Erroneous Code, Reassign, Wild Pointer)
(Erroneous Code, Allocate, Memory Overflow)
1325
(Erroneous Code, . . ., Not Enough Memory) ! (Wrong Size, Allocate, Memory Overflow)
(Missing Code, Verify, Wrong Value) ! (Wrong Size, Allocate, Memory Overflow)
400 (Single Owned Address, Reassign, Memory Leak)
(Missing Code, Deallocate, Memory Leak)
822 (Untrusted Pointer, Dereference, Untrusted Pointer Dereference)
(Missing Code, Verify, Wrong Value) ! (Forbidden Address, Dereference, NULL Pointer
690
Dereference)
476 (NULL Pointer, Dereference, NULL Pointer Dereference)
(Missing Code, Initialize Pointer, Wild Pointer) ! (Wild Pointer, Read/Write/Dereference,
824 Uninitialized Pointer Dereference)

588 (Erroneous Code, Cast, Wrong Type) ! (Casted Pointer, Read/Write/Dereference, Type Confusion)
672 (Erroneous Code, Read/Write/Dereference, Use After Free)
(Wrong Object Type Resolved, Coerce, Wrong Type) ! (Casted Pointer, Read/Write/
843
Dereference, Type Confusion)
(Missing Code, Verify, Wrong Value) ! (Wrong Index, Reassign, Over Bounds Pointer/
119 Under Bounds Pointer) ! (Over Bounds Pointer/Under Bounds Pointer, Read/Write,
Buffer Overflow/Buffer Underflow/Buffer Over–Read/Buffer Under–Read)
(Missing Code/Erroneous Code, Verify, Wrong Value) ! (Wrong Index, Reassign, Over Bounds
118 Pointer/Under Bounds Pointer) ! (Over Bounds Pointer/Under Bounds Pointer, Read/Write,
Buffer Overflow/Buffer Underflow/Buffer Over–Read/Buffer Under–Read)
(Missing Code, Verify, Wrong Value) ! (Wrong Size, Allocate, Not Enough Memory Allocated) !
120
! (Not Enough Memory Allocated, Write, Buffer Overflow)
(Erroneous Code, Calculate, Wrap Around) ! (Wrong Size, Allocate, Not Enough Memory) !
680
! (Not Enough Memory, Write, Buffer Overflow)
459 (Erroneous Code, Clear, Not Cleared Object)
404 (Missing Code/Erroneous Code, Deallocate, Memory Leak/Object Corruption)
(Wrong Index, Reposition, Wrong Position Pointer) ! (Wrong Position Pointer, Deallocate,
761
Object Corruption)
772 (Missing Code, Deallocate, Memory Overflow)
1091 (Missing Code, Deallocate, None)
460 (Missing Code/Erroneous Code, Deallocate, Memory Leak)
586* (Erroneous Code, Deallocate, None)
568* (Missing Code, Deallocate, None)
The order is by the BF Memory Bugs Model operation flow.7 Causing weaknesses are in italics. Arrows (!) depict chaining. Asterisks (*) mark CWEs not
assigned to any CVEs. Ellipses (. . .) depict many possible operations. BF: Bugs Framework; CVE: Common Vulnerabilities and Exposures; CWE: Common
Weakness Enumeration; n/a: not applicable.

66 IT Professional September/October 2023


TABLE 2. Memory-related CWEs with the same causing BF chains.
CWE ID Same Causing Chain
126
(Erroneous Code, Calculate, Wrong Result) !
! (Wrong Index, Reposition, Over Bounds Pointer)
788
127
786 (Erroneous Code, Calculate, Wrong Result) !
! (Wrong Index, Reposition, Under Bounds Pointer)
124
125
(Erroneous Code, Calculate, Wrong Result) !
! (Wrong Index, Reposition, Over Bounds
Pointer/Under Bounds Pointer)
787
The order is by the BF Memory Bugs Model operation flow.7 Causing weaknesses are in italics. Arrows (!) depict chaining.
are both specified as (Single Owned Address, Reassign,
Memory Leak).
Other CWEs have slight differences only by BF
attributes, which inform about the severity of the weak-
ness and not about its nature. For example, CWE-121
describes buffer overflow on the stack, and CWE-122
describes buffer overflow on the heap. Once the
stack versus heap difference is accounted for by a
BF attribute, these two entries are specified by the
same instance of a BF weakness type: (Over Bounds
Pointer/Under Bounds Pointer, Write, Buffer Overflow/
Buffer Underflow).
The CWE hierarchical relationships between CWEs
with the same BF chain (see the third column in
Table 3) reveal that most of them have either ChildOf
or PeerOf relations. Some of them, such as CWEs 121,
122, and 123 as well as CWEs 170, 463, and 464 are sib-
lings with a common parent. However, there are also
instances of CWEs without direct relationships that
have identical chains, such as CWE-401 and CWE-771.
An interesting observation is that, while CWE-123,
CWE-415, and CWE-416 are specified with very different
BF weakness triples, they are listed as peers in the CWE.
Of special note are parent–child CWE pairs that
share a BF chain. Per the CWE, a parent entry is sup-
posed to be more abstract than its child entry. In BF
terms, this is expressed by having multiple possible
causes, consequences, and/or operations (e.g., Buffer
Overflow/Buffer Underflow versus only Buffer Over-
flow). One would expect that parent/child CWEs would
have slightly different BF chains or that the main
September/October 2023
CYBERSECURITY
Different Main Weakness
(Over Bounds Pointer, Read, Buffer Over–Read)
(Over Bounds Pointer, Read/Write,
Buffer Overflow/Buffer Over–Read)
(Under Bounds Pointer, Read, Buffer Under–Read)
(Under Bounds Pointer, Read/Write,
Buffer Underflow/Buffer Under–Read)
(Under Bounds Pointer, Write, Buffer Underflow)
(Over Bounds Pointer/Under Bounds Pointer,
Read, Buffer Over–Read/Buffer Under–Read)
(Over Bounds Pointer/Under Bounds Pointer,
Write, Buffer Overflow/Buffer Underflow)
weakness for the child would be contained within the
main weakness for the parent. For example, (Over-
bounds Pointer, Read, Buffer Over–Read) is contained
within (Over Bounds Pointer/Under Bounds Pointer,
Read, Buffer Over–Read/Buffer Under–Read). The fact
that a parent and a child have the same chain (includ-
ing both an identical main weakness and causing
weakness) means this difference in ambiguity is miss-
ing and highlights an area of overlap within the CWE.
BF also reveals missing relationships within the
CWE. CWEs that have differences only by BF attributes
(e.g., CWE-121 and CWE-122) should have some relation-
ship (e.g., PeerOf) within the CWE.
LABELING MEMORY-RELATED
CVEs VIA BF SPECIFICATIONS
There are 60,426 memory-related CVEs as of August
2023. We queried the CVE repository for entries with
CWEs assigned by NVD that map by main operation to
the _MEM BF class type. We ordered them by the NVD-
assigned CVSS severity scores and selected a maxi-
mum of 10 CVEs per operation—thus reducing the
count to 91 observable CVEs for this exploratory analy-
sis. Then, we examined the groups of CVEs mapped to
CWEs with identical causing BF chains and of CVEs
mapped to CWEs with entirely identical BF chains.
From the latter group, we also identified the CVEs that
map to CWEs with parent–child relationships.
Analyzing this subset of CVEs, we find that it covers
well the BF memory operations Reposition, Reassign,
Verify, Initialize Object, Read, Write, Dereference, Clear,
IT Professional 67
CYBERSECURITY

TABLE 3. Memory-related CWEs with the same BF weakness/chain of BF weaknesses.

CWE ID Same BF (cause, operation, consequence) Triple(s) CWE Relationships

401
(Single Owned Address, Reassign, Memory Leak)
771

770 (Missing Code, Verify, Wrong Value) !

789 ! (Wrong Size, Allocate, Memory Overflow)
456
909 (Missing Code, Initialize Object, Uninitialized Object)

457 (Missing Code, Initialize Object, Uninitialized Object) !

908 ! (Uninitialized Object, . . ., . . . )

170
463* (Erroneous Code, Write, Object Corruption)
464*

805 (Wrong Size, Read/Write,

806* Buffer Overflow/Buffer Underflow/Buffer
Overread/Buffer Under–Read)

121
(Overbounds Pointer/Under Bounds Pointer, Write,
122
Buffer Overflow/Buffer Underflow)
123
416
825 (Dangling Pointer, Read/Write/Dereference, Use After Free)

415
(Erroneous Code, Deallocate, Double Free)
1341

226
244*
(Missing Code, Clear, Not Cleared Object)
1239*
1272*

590
762 (Mismatched Operation, Deallocate, Object Corruption)
763

The order is by the BF Memory Bugs Model operation flow.7 Listing the operation is sufficient, as BF classes are orthogonal by operation. Causing
weaknesses are in italics. Arrows (!) depict chaining. Asterisks (*) mark CWEs not assigned to any CVEs. Ellipses (. . .) depict many possible
operations and consequences.

and Deallocate. However, although there may be CVEs
related to the BF memory operations Initialize Pointer,
Extend, Reallocate–Extend, Reduce, and Reallocate–
Reduce, they are not identifiable via CWEs in the entire
CVE repository. This indicates gaps in CWEs or issues
with the CWE assignments. In any case, we would need
different methods to identify and specify CVEs related
to these operations.
Examining further this subset of CVEs, we confirm
that, overall, memory-related CWE to CVE assignments
are almost completely correct by BF operation. For
example, the CVEs mapped to CWE-126 and CWE-788
(see Table 2) correctly distinguish between the Read
only and Read/Write operations, respectively. We
only sporadically find examples of incorrect CWE to
CVE assignments by operation, such as CWE-123 to

68 IT Professional September/October 2023


CVE-2018-12036. The confusion for this CVE must relate
to the use of “writes” in its description, while, in fact,
it is a BF _INP class type vulnerability: (Missing Code,
Validate, File Injection).
However, when examining the CVEs by the CWE BF
weaknesses or chains of weaknesses, which cover not
only operations but also causes and consequences, we
find that parts of these BF weakness specifications
may not fit all of the corresponding CVEs. For example,
the BF CWE-126 chain (see Table 2) completely fits the
(Overbounds Pointer, Read, Buffer Over–Read) main
weakness of CVEs, such as CVE-2014-0160 (Heart-
bleed), as well as their (Wrong Index, Reposition, Over-
bounds Pointer) direct causing weakness. However,
most of the CVEs with CWE-126 assigned have as an ini-
tial weakness Missing Code for a Verify operation and
not Erroneous Code in a Calculate operation—see the
first Heartbleed weakness in Bojanova and Galhardo.8
We conclude that the causal chains from Table 2
may be helpful for describing some CVEs but are too
specific to fit other CVEs. This can be explained by
CWE’s lack of flexibility to describe all possible security
weaknesses—the entries could be too specific to be
reused, some may be missing, and some may be over-
lapping. We will have to use entirely different methods
to identify and specify the parts of the BF description
for a CVE that do not fit the overly specific CWE varia-
tion assigned to that CVE.
We also find that, from the CWEs with different BF
specifications (see Table 1), CWE-586 and CWE-568 are
not assigned to any CVE. Then, from the CWE groups
with identical BF specifications (see Table 3), the fol-
lowing CWEs were not assigned to any CVE at all: CWE
806 from the 805, 806 pair, CWE 1341 from the 415, 1341
pair, CWE 463 and CWE 464 from the 170, 463, 464 tri-
ple, and CWE 224, CWE 1239, and CWE 1272 from the
226, 224, 1239, 1272 quadruple. It is interesting to
explore if there are CVEs that are better described by
the unused CWEs (marked with asterisks in Tables 1
and 3). One such example is CVE-2023-38434 (although
outside of our 91-CVE set), which describes a double
free when closing a web connection. NVD assigns it
CWE-415 (Double Free) of a memory resource instead
of the more general CWE-1341 (Multiple Releases of
Same Resource or Handle). These two CWEs share the
(Erroneous Code, Deallocate, Double Free) BF weak-
ness triple (see Table 3); their similarity and the vague
memory versus resource distinction introduces errors
and ambiguities in CWE–CVE assignments that would
also affect our efforts for CVE labeling.
The rest of the similar CWEs (see Table 3) lead, in
many cases, to ambiguous CWE–CVE assignments.
One such example is CVE-2022-0519, which describes a
September/October 2023
CYBERSECURITY
buffer access with an incorrect length value leading to
a buffer overread. NVD assigns this CVE to CWE-119
(Improper Restriction of Operations within the Bounds
of a Memory Buffer) and CWE-805 (Buffer Access with
Incorrect Length Value). However, CWE-126 (Buffer
Over-read) also nicely and more accurately describes
this CVE than the abstract CWE-119.
Another area of ambiguity among CWEs relates to
BF attributes. For example, CVE-2023-40295 describes
a buffer overflow on the heap. NVD assigns CWE-787
(Out-of-bounds Write) to this CVE, which accurately
describes the vulnerability. However, CWE-122 is also a
suitable assignment, as it describes buffer overflow
specifically on the heap. Apart from this minor differ-
ence (captured in BF by an address-related attribute),
CWE-122 and CWE-787 share an identical main weak-
ness: (Over Bounds Pointer/Under Bounds Pointer,
Write, Buffer Overflow, Buffer Underflow). While CWE-
122 is the more specific mapping, the similarities cre-
ate difficulty in deciding which CWE should be
assigned to this CVE.
In many cases, CWE–CVE assignments capture
either the cause of a vulnerability or its consequence
but not both. CVE-2022-34399 and CVE 2022-32454
describe a buffer overread and a buffer overwrite
vulnerability, respectively. The BF chain for CVE-2022-
34399 is (Missing Code, Verify, Inconsistent Value) !
(Wrong Index, Reposition, Overbounds Pointer) !
(Overbounds Pointer, Write, Buffer Overflow), and the
BF chain for CVE-2022-32454 is (Missing Code, Verify,
Wrong Value) ! (Wrong Size, Read, Buffer Over–Read).
NVD assigns CWE-119 (Improper Restriction of Opera-
tions within the Bounds of a Memory Buffer) and CWE-
805 (Buffer Access with Incorrect Length Value) to CVE
2022-34399 and CWE-121 (Stack Based Buffer Overflow)
to CVE 2022-32454. However, the CWEs assigned to CVE
2022-34399 only describe the cause of the vulnerability,
and the CWE assigned to CVE 2022-32454 only describes
its consequence. One must assign CWE-126 (Buffer
Over-read) to CVE 2022-34399 and CWE-112 (Missing
XML Validation) to capture the full story of each weak-
ness underlying the vulnerability. This inconsistency in
capturing either the cause or the consequence of a vul-
nerability further complicates the CWE–CVE assignment.
The findings from this work show areas that would
require additional analysis to create precise BF CVE
descriptions. We would have to examine deeply corre-
sponding vulnerability reports, source code with bugs,
source code with fixes, and other available related
resources. Utilizing the BF vulnerability model, the BF
cybersecurity concepts definitions, and BF taxons defi-
nitions5,6 as well as any of their synonyms in use, we
can employ modern ML and AI approaches toward
IT Professional 69
CYBERSECURITY
automatic CVE analysis and generation of BF CVE
specifications.
CONCLUSION
Labeled vulnerability descriptions are of great demand
for advanced AI research related to cybersecurity
vulnerabilities, attacks, and mitigation techniques. As a
formal bugs/weaknesses model,6 BF has the ability
to unambiguously describe the chains of underlying
weaknesses for any software security vulnerability.
With this work, we begin specifying the detailed infor-
mation provided for each CWE. We use the CWEs as a
bridge to the corresponding CVEs and explore to what
extent the BF CWE descriptions may aid in the manual
creation of BF CVE descriptions. We invite you to collab-
orate with us in this direction by joining the BF CVE spec-
ification challenge at https://samate.nist.gov/BF/.5
Our future goal is to employ ML and AI approaches
for automated generation of BF CVE descriptions.
The result would be a reference dataset of labeled
vulnerability specifications for use by AI algorithms.
The labels will constitute the exhaustive sets of causes,
operations, consequences, and attributes values, pre-
cisely defined as BF class taxonomies. The BF CVE refer-
ence dataset will be a great source not only for research
but also for cybersecurity education and guidance.
REFERENCES
1. “Metrics,” MITRE Corp., US, 2023. Accessed: Jul. 7, 2023.
[Online]. Available: https://www.cve.org/About/Metrics
2. D. Malzahn, Z. Birnbaum, and C. Wright-Hamor,
“Automated vulnerability testing via executable attack
70 IT Professional
graphs,” in Proc. IEEE Int. Conf. Cyber Secur. Protection
Digit. Services (Cyber Secur.), 2020, pp. 1–10, doi: 10.
1109/CyberSecurity49315.2020.9138852.
3. “National vulnerability database,” Nat. Inst. Standards
Technol, Gaithersburg, MD, USA, 2023, Accessed:
Mar. 2, 2023. [Online]. Available: https://nvd.nist.gov
4. “Common vulnerability scoring system special interest
group.” FIRST. Accessed: Jul. 7, 2023. [Online].
Available: https://www.first.org/cvss
5. I. Bojanova, “The bugs framework,” Nat. Inst. Standards
Technol, Gaithersburg, MD, USA, 2023. Accessed: Aug.
20, 2023. [Online]. Available: https://samate.nist.gov/BF/
6. I. Bojanova and C. E. Galhardo, “Bug, fault, error,
or weakness: Demystifying software security
vulnerabilities,” IT Prof., vol. 25, no. 1, pp. 7–12,
Jan. 2023, doi: 10.1109/MITP.2023.3238631.
7. I. Bojanova and C. E. Galhardo, “Classifying memory
bugs using bugs framework approach,” in Proc. IEEE
45nd Annu. Comput., Softw., Appl. Conf., 2021, vol. 1,
pp. 1157–1164, doi: 10.1109/compsac51774.2021.00159.
8. I. Bojanova and C. E. Galhardo, “Heartbleed revisited:
Is it just a buffer over-read?” IT Prof., vol. 25, no. 2,
pp. 83–89, Mar. 2023, doi: 10.1109/MITP.2023.3259119.
IRENA BOJANOVA is a computer scientist at NIST, Gaithers-
burg, MD, 20899, USA. Contact her at [email protected].
JOHN GUERRERIO is a sophomore at Dartmouth College,
where he is majoring in computer science and mathematical
data science, and a Summer Undergraduate Research Fel-
lowship student at NIST. Contact him at john.j.guerrerio.26@
dartmouth.edu.
September/October 2023
EDITOR: Nir Kshetri,
[email protected]
DEPARTMENT: IT ECONOMICS
Generative Artificial Intelligence in Marketing
Nir Kshetri , University of North Carolina at Greensboro
Generative artificial intelligence tools have found a wide range of uses in marketing.
This article delves into how these tools are transforming three key areas of marketing:
personalization, insight generation, and content creation.
T
he arrival of generative artificial intelligence
(GAI) has triggered a truly enterprisewide adop-
tion of AI. Although all functional areas in an
enterprise are benefitting from this breakthrough inno-
vation,1 marketing has been an area that has been par-
ticularly affected positively by the recent developments
in GAI.
Recent surveys have shown that there is wide-
spread use of GAI among marketers and growing
demand of this innovation (Table 1). Especially midlevel
and junior marketers are reported to have higher GAI
adoption rates compared to senior marketers (https://
tinyurl.com/3u63k2vr).
Marketers view GAI as a productivity booster. For
instance, in a survey conducted by the nonprofit busi-
ness membership and research group organization
Conference Board (Table 1), more than four-fifths (82%)
of respondents expected that productivity will improve
with further adoption of GAI. Just 4% expected produc-
tivity to decline with GAI use (https://tinyurl.com/
3u63k2vr). Technology company Salesforce’s May 2023
survey, which was a part of its Generative AI Snapshot
Series (Table 1), found that GAI saves marketers
more than five h of work per week, which translates
to more than a month per year (5 h*52 weeks)/8-h
workday¼32.5 days) (https://www.salesforce.com/news/
stories/generative-ai-for-marketing-research/). GAI can
be used for tasks such as analyzing customer reviews,
social media comments, or any other text data and pro-
vide a summary of positive and negative comments.2
This allows marketing professionals to shift their atten-
tion to more strategic tasks. Likewise, management
consulting firm McKinsey & Company’s estimate sug-
gests that GAI could increase the productivity of the
1520-9202 © 2023 IEEE
Digital Object Identifier 10.1109/MITP.2023.3314325
Date of current version 3 November 2023.
September/October 2023 Published by the IEEE Computer Society
marketing function, which saves between 5% and 15%
of total marketing spending.3
The benefits of GAI tools in marketing, however,
extend far beyond just cost cutting or time saving. GAI
tools can be used to do things that are not otherwise
possible. For instance, GAI enables brands to take mar-
keting and sales to the next level and deliver truly one-
to-one personalized experiences in a way that is not
possible by humans alone. GAI brings benefits such as
dynamic messaging capabilities by leveraging person-
alization to send the right message at the right time
to customers based on detailed and valuable data.
Relevant real-time imagery and predictive recommen-
dations can help scale personalization across key
moments in a cost-effective way.4
In this article, an overview of how GAI is transform-
ing key areas and activities in marketing is provided.
Specifically, the focus is on the top three uses of GAI in
marketing as identified by Boston Consulting Group’s
April 2023 survey: personalization, insight generation,
and content creation. It should be noted that these
uses are interrelated. Insight generated by GAI, for
instance, can be used as a basis to develop better mar-
keting content that enhances user engagement. Like-
wise, personalization is a key part of content creation.
Indeed, roughly one-third of respondents in the Confer-
ence Board survey used GAI to personalize customer/
user content (Table 1).
PERSONALIZATION
Personalization leads to improved marketing perfor-
mance. Nonetheless, the process involved in personali-
zation is challenging and hard to apply.5 For instance,
firms need to gather and analyze information about
the customer and their interactions from internal
and external sources. Then, key marketing activities
such as advertising, product design, packaging, pricing,
and distribution need to be customized based on a
IT Professional 71
IT ECONOMICS

TABLE 1. GAI usage status among marketers: some representative surveys.

Survey Conducted By
Salesforce in partnership
with YouGov (https://
tinyurl.com/5efr7rey)
Boston Consulting Group
(https://tinyurl.com/
puwykkj4)
The Conference Board, in
collaboration with Ragan
Communications (https://
tinyurl.com/3u63k2vr)
Conducted/Released
In (Respondents)
Conducted from 18–25 May
2023 (1029 marketers)
Conducted in April 2023
(more than 200 chief
marketing officers from
several sectors in eight
countries in North
America, Europe, and Asia)
August 2023 (287
marketers and
communicators)
Key Findings Additional Findings
Fifty-one percent were GAI saves marketers more
using GAI and an than 5 h of work per week.
additional 22% had plans
to use the tools “very
soon.”
Seventy percent were Top three uses:
using GAI and 19% were personalization (67%),
testing. Only 3% had no insight generation (51%)
plans to use the and content creation
technology. (49%).
Eighty-seven percent of Top applications:
marketers had summarizing content
used/experimented with (44%), doing the
AI tools. legwork/stimulating
creative thinking (41%),
personalizing of customer/
user content (33%),
research (30%), generating
content faster (30%), and
enhancing customer
service (17%).

customer profile.6 Personalized response is thus often
too time consuming for marketing teams.
Most of the traditional marketing tools fail to effec-
tively personalize marketing efforts. For instance, content
recommendation systems rely on generic algorithms
such as collaborative filtering, which predicts a user’s
preference and filters out items based on reactions by
similar users. This technique involves searching a large
group of people and identifying a smaller set of users
with preferences similar to a particular user. Such algo-
rithms often fail to capture an individual’s preferences
(https://tinyurl.com/2xhy65fr).
Marketers can utilize GAI tools to generate sophis-
ticated responses at the individual level, which can be
used to develop and automate an effective personal-
ized marketing strategy at scale (https://tinyurl.com/
2uhhjrzs). These tools can be utilized to deliver hyper-
personalized content, and product recommendations,
experience, and offers at just the right time. This is
illustrated with an example of a lawnmower shopper.
GAI such as ChatGPT can analyze a user’s language
patterns, behavior, and other data points to make rec-
ommendations that are highly tailored to a potential
shopper (https://tinyurl.com/2xhy65fr). When the shop-
per starts to search for a lawnmower, ads can be per-
sonalized and delivered based on their profile.
Contextualizing the experience is an important
way to improve personalization. Marketing efforts and
recommendations can be specifically tailored toward
local conditions. GAI can be used to create images, vid-
eos, and show products in real time in locations and
situations that are relevant for potential customer. For
instance, backyard pictures can be uploaded on the
product page and the vender can show how the lawn-
mower could work there, or show a product that has
been designed to the shopper’s use case. This means
that a user shopping for a lawnmower in San Francisco,
California, is delivered a different experience compared
to one in Syracuse, New York.4
Moreover, GAI such as ChatGPT’s learn and adapt
over time. As users interact with the recommended
content, the system can refine its recommendations
based on more data. This ensures that future recom-
mendations are even more tailored to the shopper’s
preferences. All these can create a virtuous cycle of
feedback and improvement that can lead to more
accurate suggestions (https://tinyurl.com/2xhy65fr).
Unsurprisingly, surveys have revealed that person-
alization is among the most frequent GAI use cases
in marketing (Table 1). Chief marketing officers are
already taking advantage of GAI to better personalize
products and services. Banks use GAI to analyze cus-
tomer data and offer personalized investment advice
based on their risk profile. Likewise, some retailers use
GAI to create personalized recommendations that
would influence them to buy more. The goals of these

72 IT Professional September/October 2023


personalization efforts include better engagement,
improved conversion rates, and increased customer
loyalty (https://tinyurl.com/puwykkj4).
INSIGHT GENERATION
Companies are using GAI to conduct market and con-
sumer research in a reliable manner to gain insights,
which can be used to improve products and services
(https://tinyurl.com/puwykkj4). In general, AI has reduced
the time taken to generate insights from raw data. AI
solutions can produce insights in seconds that often
take human teams days or even weeks, however, a
large proportion of data was illegible for the existing AI
solutions. This means that organizations could not
make use of such data in the past. Fortunately, the rise
of GAI has changed this dramatically.
Leading software vendors such as Microsoft and
Salesforce have incorporated GAI capabilities into their
products, which can be used to gain customer insight.
Note that customer insight is knowledge about the
customer that is valuable for a company.7 For instance,
the Copilot feature in Microsoft’s Dynamics 365 Cus-
tomer Insights has added GPT-4 to popular Office
products such as Word, Excel, Teams, PowerPoint, and
Outlook. Marketers can use Copilot’s GAI capabilities
to gain insights from their customer data platform.
Additionally, companies can learn about new customer
groups to target (https://tinyurl.com/mw3txfuk).
Another notable example of a GAI tool being used
to generate customer insight and make effective use
of such insight is Salesforce’s Einstein GPT. Einstein
GPT combines Salesforce’s proprietary AI models with
OpenAI’s GPT model. The goal is to have layers on top
of OpenAI’s GPT model and use content stored in the
Salesforce cloud to fine-tune the model (https://tinyurl.
com/yzxt3bfv). Einstein GPT is available across the
company’s entire Customer 360 customer relationship
management platform (Salesforce’s portfolio of prod-
ucts). It is integrated into Salesforce cloud, Tableau
(visual analytics platform), Slack (messaging app), and
MuleSoft (integration platforms that help businesses
to connect their data, devices, and applications) (https://
tinyurl.com/yzxt3bfv).
Salesforce’s Customer 360 can conduct research on
a prospective new customer and provide an overview
about the customer. A new pane, Einstein Assistant,
opens on the screen. The overview of the prospect com-
pany appears in the form of a text. The assistant can
also find news articles about the company (e.g., plans to
move into a new market). It can then write a letter to
the prospect acknowledging the new plan. It can be
asked to rewrite the letter in a different tone. Einstein
September/October 2023
IT ECONOMICS
Assistant can also create a message for another sales-
person in Slack who had dealt with the prospect com-
pany in the past. It can access Tableau to learn more
about specific products that the prospective customer
had purchased in the past (https://tinyurl.com/yw2cdk34).
In this way, Einstein GPT generates customer insight
and acts rapidly and effectively on the insight. The
insight can help companies develop and introduce
new products and services to address unmet needs of
the customer. All these can lead to an improvement in
customer experience.
CONTENT MARKETING
Content marketing focuses on creating and distributing
marketing content such as videos, photos/imageries,
presentations, flyers, blogs, infographics, social media
posts, and tweets to enhance customer engagement
and increase sales (https://tinyurl.com/fzswj968). GAI is
a valuable way to come up with new ideas and work
more quickly and thus create an effective marketing
content faster and at a low cost.
By making use of a huge amount of data about
human language and aesthetic styles, GAI tools can
generate sophisticated, personalized, and contextually
relevant marketing content quickly. GAI thus drasti-
cally cuts the time it takes to produce marketing
content. With appropriate prompts, GAI can create 10
different ad angles for a product based on customer
reviews or other factors.2 It is possible to create an ad
for a product in the style of famous artists such as Sal-
vador Dali, Pablo Picasso, and Vincent Van Gogh. If a
company is planning to launch a new product, GAI
tools can write effective social media copy that can be
used on social media sites such as Facebook, Twitter,
and LinkedIn.2
Marketers’ use of GAI in content creation is also
facilitated by digital advertising giants such as Meta,
which have made such tools available. In May 2023,
Meta announced a GAI Sandbox that offers advertisers
access to three tools. The first tool would help adver-
tisers create different variations of ad copy in the
company’s Facebook or Instagram platform. When
advertisers enter an ad’s copy, GAI will suggest several
variations of the copy to test. The second tool would
help generate background through text prompts. An
advertiser can use text prompts to describe the back-
ground appearance or style. The GAI tool offers various
images and advertisers can test their impact on perfor-
mance. The third tool involves an image cropping fea-
ture to create visuals in different aspect ratios for
various media such as social posts, stories, or short
videos (https://tinyurl.com/5n8wk5pr). Meta made the
IT Professional 73
IT ECONOMICS
Sandbox features available to a small group of adver-
tisers with a plan to roll out the new program in the
future. The makeup brand Jones Road Beauty was one
of the early testers of the Sandbox (https://tinyurl.com/
5t3dehfa).
CHALLENGES AND BARRIERS
HINDERING THE USE OF GAI
IN MARKETING
There are several barriers and challenges to the wide-
spread use of GAI in marketing. The most important
barrier, especially for small and medium-sized enter-
prises, centers on costs. For instance, to get access to
Copilot, Microsoft 365 businesses need to pay an addi-
tional $30 per user per month.8 Likewise, as of August
2023, GPT-4 cost $20 with a monthly subscription to
ChatGPT Plus. Although ChatGPT can be used for free,
its training data go up until 2021 only. This means that
it cannot access real-time content and it does not
search the Internet for answers. Thus, companies can-
not rely on it to get timely insights such as how con-
sumers might be thinking about a brand. Likewise,
ChatGPT cannot identify current trends that poten-
tially impact marketing activities.
Second, marketers are worried about data security
and privacy in GAI tools (https://tinyurl.com/3u63k2vr).
There are potential privacy violations if marketers enter
sensitive customer data as a part of their prompts. Sur-
veys have reported that the instances of companies’
employees putting confidential client data into ChatGPT
are more common than most people think.9 Many sur-
veys have found that consumers are increasingly con-
cerned about organizations’ data protection measures,
and they are less likely to do business with a company
that fails to protect their sensitive data.10 For these
reasons, several companies have banned ChatGPT
to prevent the worst-case scenario of an employee
uploading sensitive data into the chatbot while seek-
ing help at work.11
Third, the perceived risks and costs associated with
transitioning to a new way of performing marketing
tasks may lead to businesses’ and employees’ unwill-
ingness to use GAI for such tasks. There are often sub-
stantial immediate costs involved in learning new ways
of doing things, such as writing effective prompts to
get the results they want, the time and frustration
costs, and the cost of correcting any mistakes pro-
duced by unfamiliarity with how GAI works in market-
ing.12 There are also concerns about how GAI would fit
in the corporate culture. In general, organizations are
still trying to figure out how to adapt team culture and
processes around GAI (https://tinyurl.com/477b3xvu).
74 IT Professional
Marketers maintain a gloomy view regarding the impact
of GAI on organizational culture. For instance, in the
Conference Board survey (Table 1), only 16% expected
improvements in team culture while 22% expected neg-
ative effects on such a culture (https://tinyurl.com/
3u63k2vr).
Finally, there are concerns about GAI-led job losses.
According to the consulting organization Challenger,
Gray & Christmas, GAI use in organizations resulted in
roughly 4000 job losses in May 2023 alone (https://
tinyurl.com/45dux8s8). In the Conference Board survey
(Table 1), only 4% of respondents expected that GAI’s
use would lead to an increase in the number of market-
ing jobs, whereas 40% expected a decline in such jobs
(https://tinyurl.com/3u63k2vr).
CONCLUSION
Human teams’ skills, points of view, and experiences
are still needed in most marketing activities, and thus,
GAI will not completely replace them. However, as dis-
cussed in this article, GAI can perform a number of
marketing tasks at a lower cost, higher speed, and
more effectively than human teams or other existing
tools. For instance, on the personalization front, past
algorithms were ineffective. Likewise, AI models lacked
scalability when it came to personalization. GAI tools
such as ChatGPT can help develop a marketing auto-
mation program that can produce hyperpersonalized
content based on an individual customer profile and
their journeys and interactions with a company and its
products and services. These tools thus have the
potential to help achieve personalization at scale for
marketing organizations. GAI is also transforming other
key marketing activities, such as Insight generation
and content marketing.
REFERENCES
1. “The great acceleration: CIO perspectives on
generative AI: How technology leaders are adopting
emerging tools to deliver enterprise-wide AI,” MIT
Technol. Rev., Jul. 2023. Accessed: Aug. 11, 2023.
[Online]. Available: https://www.technologyreview.
com/2023/07/18/1076423/the-great-acceleration-cio-
perspectives-on-generative-ai/
2. M. Graham, “Five things marketers should know
about generative AI in advertising,” Wall Street J.,
Mar. 2023. Accessed: Aug. 11, 2023. [Online]. Available:
https://www.wsj.com/articles/five-things-marketers-
should-know-about-generative-ai-in-advertising-5381c1d0
3. “The economic potential of generative AI: The next
productivity frontier,” McKinsey & Company,
September/October 2023
 IT ECONOMICS

New York, NY, USA, Jun. 2023. [Online]. Available: 9. N. Kshetri, “Cybercrime and privacy threats of
https://www.mckinsey.com/capabilities/mckinsey- large language models,” IT Prof., vol. 25, no. 3,
digital/our-insights/the-economic-potential-of- pp. 9–13, May/Jun. 2023, doi: 10.1109/MITP.2023.
generative-ai-the-next-productivity-frontier#introduction 3275489.
4. A. Bernard. “AI in ecommerce: True one-on-one 10. N. Kshetri, Cybersecurity Management: An
personalization is coming.” CMSWire. Accessed: Organizational and Strategic Approach. Toronto, ON,
Aug. 11, 2023. [Online]. Available: https://www. Canada: The University of Toronto Press, 2021.
cmswire.com/customer-experience/ai-in-ecommerce- 11. T. Telford and P. Verma, “Employees want ChatGPT at
true-one-on-one-personalization-is-coming/ work. Bosses worry they’ll spill secrets,” Washington
5. J. Vesanen, “What is personalization? A conceptual Post, Jul. 2023. Accessed: Aug. 11, 2023. [Online].
framework,” Eur. J. Marketing, vol. 41, nos. 5–6, Available: https://www.washingtonpost.com/business/
pp. 409–418, 2007, doi: 10.1108/03090560710737534. 2023/07/10/chatgpt-safe-company-work-ban-lawyers-
6. J. Vesanen and M. Raulas, “Building bridges for code/
personalization: A process model for marketing,” 12. H. Margetts and P. Dunleavy, “Cultural barriers to
J. Interactive Marketing, vol. 20, no. 1, pp. 5–20, e-government: Better,” National Audit Office, Public
Winter 2006, doi: 10.1002/dir.20052. Services through e-government, London, U.K., 2002.
7. B. Smith, H. N. Wilson, and M. Clark, “Creating and [Online]. Available: https://www.nao.org.uk/
using customer insight: 12 Rules of best practice,” publications/nao-reports/01-02
J. Med. Marketing, vol. 6, no. 2, pp. 135–139, 2006,
doi: 10.1057/palgrave.jmm.5050013.
NIR KSHETRI is a professor in the Bryan School of Business
8. T. Warren. “Microsoft puts a steep price on Copilot,
its AI-powered future of Office documents.” The and Economics, the University of North Carolina at
Verge. Accessed: Aug. 11, 2023. [Online]. Available: Greensboro, Greensboro, NC, 27412, USA, and IT Professio-
https://www.theverge.com/2023/7/18/23798627/micro- nal’s IT Economics editor. Contact him at nbkshetr@
soft-365-copilot-price-commercial-enterprise uncg.edu.

September/October 2023 IT Professional 75

 EXECUTIVE COMMITTEE
President: Nita Patel
President-Elect: Jyotika Athavale
Past President: William D. Gropp
www.computer.org First VP: Hironori Washizaki
Second VP: Grace A. Lewis
Secretary: Carolyn McGregor
PURPOSE: Engaging professionals from all areas of
Treasurer: Michela Taufer
computing, the IEEE Computer Society sets the standard for
VP, Membership & Geographic Activities: Fernando Bouche
education and engagement that fuels global technological
VP, Professional & Educational Activities: Deborah Silver
advancement. Through conferences, publications, and
programs, IEEE CS empowers, guides, and shapes the future Interim VP, Publications: Greg Byrd
of its members, and the greater industry, enabling new VP, Standards Activities: Annette Reilly
opportunities to better serve our world. VP, Technical & Conference Activities: Grace A. Lewis
OMBUDSMAN: Direct unresolved complaints to 2023–2024 IEEE Division VIII Director: Leila De Floriani
[email protected]. 2022–2023 IEEE Division V Director: Cecilia Metra

CHAPTERS: Regular and student chapters worldwide provide 2023 IEEE Division V Director-Elect: Christina M. Schober
the opportunity to interact with colleagues, hear technical
experts, and serve the local professional community. BOARD OF GOVERNORS
Term Expiring 2023:
AVAILABLE INFORMATION: To check membership status,
report an address change, or obtain more information on any Jyotika Athavale, Terry Benzel, Takako Hashimoto, Irene Pazos
of the following, email Customer Service at help@computer. Viana, Annette Reilly, Deborah Silver
org or call +1 714 821 8380 (international) or our toll-free Term Expiring 2024:
number, +1 800 272 6657 (US): Saurabh Bagchi, Charles (Chuck) Hansen, Carlos E. Jimenez-
• Membership applications Gomez, Daniel S. Katz, Shixia Liu, Cyril Onwubiko
• Publications catalog
Term Expiring 2025:
• Draft standards and order forms
İlkay Altintaş, Nils Aschenbruck, Mike Hinchey, Joaquim Jorge,
• Technical committee list
Rick Kazman, Carolyn McGregor
• Technical committee application
• Chapter start-up procedures
• Student scholarship information EXECUTIVE STAFF
• Volunteer leaders/staff directory
Executive Director: Melissa Russell
• IEEE senior member grade application (requires 10 years
practice and significant performance in five of those 10) Director, Governance & Associate Anne Marie Kelly
Executive Director:
Director, Conference Operations: Silvia Ceballos
PUBLICATIONS AND ACTIVITIES Director, Information Technology & Sumit Kacker
Computer: The flagship publication of the IEEE Computer Services:
Society, Computer, publishes peer-reviewed technical Director, Marketing & Sales: Michelle Tubb
content that covers all aspects of computer science, Director, Membership Development: Eric Berkowitz
computer engineering, technology, and applications. Director, Periodicals & Special Projects: Robin Baldwin
Periodicals: The Society publishes 12 magazines, 19 journals.
Conference Proceedings & Books: Conference Publishing IEEE BOARD OF DIRECTORS
Services publishes more than 275 titles every year.
President & CEO: Saifur Rahman
Standards Working Groups: More than 150 groups produce
President-Elect: Thomas M. Coughlin
IEEE standards used throughout the world.
Director & Secretary: Forrest (Don) Wright
Technical Communities: TCs provide professional interaction
Director & Treasurer: Mary Ellen Randall
in more than 30 technical areas and directly influence
Past President: K. J. Ray Liu
computer engineering conferences and publications.
Director & VP, Educational Activities: Rabab Ward
Conferences/Education: The society holds more than 215
Director & VP, Publication Services & Sergio Benedetto
conferences each year and sponsors many educational
Products:
activities, including computing science accreditation.
Director & VP, Member & Geographic Jill Gostin
Certifications: The society offers three software Activities:
developer credentials.
Director & President, Standards Yu Yuan
Association:
COMPUTER SOCIETY OFFICES Director & VP, Technical Activities: John Verboncoeur
Director & President, IEEE-USA: Eduardo Palacio
Washington, D.C.: Los Alamitos:
2001 L St., Ste. 700, 10662 Los Vaqueros Cir.,
Washington, D.C. 20036-4928; Los Alamitos, CA 90720;
Phone: +1 202 371 0101; Phone: +1 714 821 8380;
Fax: +1 202 728 9614; Email: [email protected]
Email: [email protected]

MEMBERSHIP & PUBLICATION ORDERS

Phone: +1 800 272 6657; Fax: +1 714 816 2121;
Email: [email protected] revised 25 July 2023
 puter.o
rg Scien
ti
Comp fic
uting
ed an Data
d Visua
ality Inform lizatio
n
n
ce4c1.
indd Techn ation
1
ology
n Quan
tum
y Comp
uting
uting

3/26/2
0 10:23
AM

Intern
et of
Ethic Thing
s s
Mach
ine L
Quan earnin
tu g
Comp m
uting
JUNE
2020

JULY 20
ww w.c 20
ompu
ter.org

ww w.c
ompu
ter.org

ce7c1.ind
d 1

5/20/20
7:57 PM

6/24/20
1:20 PM

Secu
rity an
Priva d
cy High-P
Auto
matio
n Comp erforman
Block uting ce
chain Hard
Digit ware
al Affect
Transf ive
ormat Comp
ion uting
Educa
tion

MAY 20
20

w w w.c
ompu
ter.org

ce5c1.
indd
1

ww w.c NOVE
ompu MBER
ter.org 2020

ww w.c
ompu
ter.org

4/22/2
0 5:3
3 PM
ce11c1.in
dd 1

7/22/20
3:51 PM

ce9c1.
indd
10/22/20 1
10:20

ComputingEdge
AM

Secu
rit
Priva y and
cy
Data
Intern
et
Artifi
cial
Intell

Your one-stop resource for industry hot topics,

igenc
e

technical overviews, and in-depth articles.

Cutting-edge OCTO
BER 20
Unique original Keeps you up to
articles from the content by date on what you
20

w w w.c
ompu

IEEE Computer computing need to know across

ter.org

ce10c1
.indd
1
Society’s portfolio thought leaders, the technology
of 12 magazines. innovators, spectrum.
and experts.
9/23/2
0 12:48
PM

Subscribe for free

www.computer.org/computingedge