Cyberattacks have evolved into a threat for modern society, as they affect both individuals and organizations alike. Attacks can have a multitude of different forms, ranging from denial of service to ransomware, and target government, critical infrastructure, businesses or private environments. As this threat cannot be ignored, it should be detected as early as possible, to prevent damage as much as possible. As attacks often employ multiple stages, that compromise more and more machines and/or remove more and more lines of defense, early detection seems all the more necessary. At the same time, attacks, especially if evolving over many weeks, try to stay undetected and hence employ many measures in order not to raise suspicion, which renders detection a difficult endeavor. When an attack is detected, an appropriate response is necessary, which can be as straightforward and painful as disconnecting the victim from the net, but also can take many other forms, up to offensive countermeasures that try to attack the attacker. Both attacks and countermeasures include technical and social means, as it is sometimes easier to find out e.g. the structure of a company network by interviewing careless employees than by doing a reconnaissance.

Hence, this special issue targets actual research on the detection of and response to cyberattacks on all levels, e.g. individuals, organizations, ISPs, critical infrastructure. Research papers can address technical and/or social aspects of cyberattack detection and response, so e.g. social engineering and spear phishing detection are within the scope of the special issue.

Topics of interest include, but are not limited to:

* Malware presence detection (e.g., covert communication) at organizational and ISP levels
* Malware activation detection and response (e.g., ransomware)
* Malware propagation detection and blocking (e.g., network-based malware detection and responses)
* Botnet detection
* Response to DDoS attacks, especially in critical infrastructure sectors
* Detection of compromised network infrastructure (e.g., DNS spoofing) at organizational and ISP levels
* Technical detection of social components of cyberattacks (e.g., spear phishing, social engineering) and countermeasures
* Human-based detection of social components of cyberattacks (e.g., awareness, training, motivation)
* Detection of malicious actions by organizational insiders (technical and human-based)
* Cyber resilience of organizational insiders, especially in critical infrastructure sectors
* Detection of cyber-physical attacks on smart systems (e.g., smart home burglary prevention)
* Impact of detection and response measures on the investigation of cyberattacks
* Detection and response to cyber-physical attacks on critical infrastructure
* Cyberattack countermeasures, especially offensive responses

Guest Editors

Jörg Keller, University of Hagen, Germany (joerg.keller@fernuni-hagen.de)
Wojciech Mazurczyk, Warsaw University of Technology, Poland (wmazurcz@elka.pw.edu.pl)
Béla Genge, University of Medicine, Pharmacy, Sciences and Technology of Tg. Mures, Romania (bela.genge@ing.upm.ro)
Lothar Fritsch, Karlstad University, Sweden (lothar.fritsch@kau.se)
Simon Vrhovec, University of Maribor, Slovenia (simon.vrhovec@um.si)