DI - COSEC - Artículos de Revistas

Recent Submissions

  • Publication
    On the feasibility of predicting volumes of fake news- the Spanish case
    (IEEE, 2023-07-13) Ibáñez Lissen, Luis; González Manzano, Lorena; Fuentes García-Romero de Tejada, José María de; Goyanes Martínez, Manuel; Comunidad de Madrid; European Commission; Ministerio de Ciencia e Innovación (España); Universidad Carlos III de Madrid
    The growing amount of news shared on the Internet makes it hard to verify them in real-time. Malicious actors take advantage of this situation by spreading fake news to impact society through misinformation. An estimation of future fake news would help to focus the detection and verification efforts. Unfortunately, no previous work has addressed this issue yet. Therefore, this work measures the feasibility of predicting the volume of future fake news in a particular context—Spanish contents related to Spain. The approach involves different artificial intelligence (AI) mechanisms on a dataset of 298k real news and 8.9k fake news in the period 2019–2022. Results show that very accurate predictions can be reached. In general words, the use of long short-term memory (LSTM) with attention mechanisms offers the best performance, being headlines useful when a small amount of days is taken as input. In the best cases, when predictions are made for periods, an error of 10.3% is made considering the mean of fake news. This error raises to 28.7% when predicting a single day in the future.
  • Publication
    ECG Identification Based on the Gramian Angular Field and Tested with Individuals in Resting and Activity States
    (MDPI, 2023-01-01) Cámara Núñez, María Carmen; Peris López, Pedro; Safkhani, Masoumeh; Bagheri, Nasour; Comunidad de Madrid; European Commission; Ministerio de Ciencia e Innovación (España)
    In the last decade, biosignals have attracted the attention of many researchers when designing novel biometrics systems. Many of these works use cardiac signals and their representation as electrocardiograms (ECGs). Nowadays, these solutions are even more realistic since we can acquire reliable ECG records by using wearable devices. This paper moves in that direction and proposes a novel approach for an ECG identification system. For that, we transform the ECG recordings into Gramian Angular Field (GAF) images, a time series encoding technique well-known in other domains but not very common with biosignals. Specifically, the time series is transformed using polar coordinates, and then, the cosine sum of the angles is computed for each pair of points. We present a proof-of-concept identification system built on a tuned VGG19 convolutional neural network using this approach. We confirm our proposal's feasibility through experimentation using two well-known public datasets: MIT-BIH Normal Sinus Rhythm Database (subjects at a resting state) and ECG-GUDB (individuals under four specific activities). In both scenarios, the identification system reaches an accuracy of 91%, and the False Acceptance Rate (FAR) is eight times higher than the False Rejection Rate (FRR).
  • Publication
    Alpha band disruption in the AD-continuum starts in the subjective cognitive decline stage: a MEG study
    (Springer Nature, 2016-11-24) López Sanz, D.; Bruña, R.; Garcés, P.; Cámara Núñez, María Carmen; Serrano, N.; Rodríguez Rojo, I. C.; Delgado, M. L.; Montenegro, M.; López Higes, R.; Yus, M.; Maestu, F.; Ministerio de Economía y Competitividad (España); Ministerio de Educación, Cultura y Deporte (España)
    The consideration of Subjective Cognitive Decline (SCD) as a preclinical stage of AD remains still a matter of debate. Alpha band alterations represent one of the most significant changes in the electrophysiological profile of AD. In particular, AD patients exhibit reduced alpha relative power and frequency. We used alpha band activity measured with MEG to study whether SCD and MCI elders present these electrophysiological changes characteristic of AD, and to determine the evolution of the observed alterations across AD spectrum. The total sample consisted of 131 participants: 39 elders without SCD, 41 elders with SCD and 51 MCI patients. All of them underwent MEG and MRI scans and neuropsychological assessment. SCD and MCI patients exhibited a similar reduction in alpha band activity compared with the no SCD group. However, only MCI patients showed a slowing in their alpha peak frequency compared with both SCD and no SCD. These changes in alpha band were related to worse cognition. Our results suggest that AD-related alterations may start in the SCD stage, with a reduction in alpha relative power. It is later, in the MCI stage, where the slowing of the spectral profile takes place, giving rise to objective deficits in cognitive functioning.
  • Publication
    A technical characterization of APTs by leveraging public resources
    (Springer, 2023-06-15) González Manzano, Lorena; Fuentes García-Romero de Tejada, José María de; Lombardi, Flavio; Ramos, Cristina; Comunidad de Madrid; European Commission; Ministerio de Ciencia e Innovación (España); Universidad Carlos III de Madrid
    Advanced persistent threats (APTs) have rocketed over the last years. Unfortunately, their technical characterization is incomplete—it is still unclear if they are advanced usages of regular malware or a different form of malware. This is key to develop an effective cyberdefense. To address this issue, in this paper we analyze the techniques and tactics at stake for both regular and APT-linked malware. To enable reproducibility, our approach leverages only publicly available datasets and analysis tools. Our study involves 11,651 regular malware and 4686 APT-linked ones. Results show that both sets are not only statistically different, but can be automatically classified with F1 > 0.8 in most cases. Indeed, 8 tactics reach F1 > 0.9. Beyond the differences in techniques and tactics, our analysis shows that actors behind APTs exhibit higher technical competence than those from non-APT malwares.
  • Publication
    Automatically identifying the function and intent of posts in underground forums
    (Springer, 2018-11-29) Caines, Andrew; Pastrana Portillo, Sergio; Hutchings, Alice; Buttery, Paula J.
    The automatic classification of posts from hacking-related online forums is of potential value for the understanding of user behaviour in social networks relating to cybercrime. We designed annotation schema to label forum posts for three properties: post type, author intent, and addressee. The post type indicates whether the text is a question, a comment, and so on. The author's intent in writing the post could be positive, negative, moderating discussion, showing gratitude to another user, etc. The addressee of a post tends to be a general audience (e.g. other forum users) or individual users who have already contributed to a threaded discussion. We manually annotated a sample of posts and returned substantial agreement for post type and addressee, and fair agreement for author intent. We trained rule-based (logical) and machine learning (statistical) classification models to predict these labels automatically, and found that a hybrid logical-statistical model performs best for post type and author intent, whereas a purely statistical model is best for addressee. We discuss potential applications for this data, including the analysis of thread conversations in forum data and the identification of key actors within social networks.
  • Publication
    Optimization of code caves in malware binaries to evade machine learning detectors
    (Elsevier, 2022-05-01) Yuste, Javier; Pardo, Eduardo G.; Estévez Tapiador, Juan Manuel; Comunidad de Madrid; European Commission; Ministerio de Ciencia e Innovación (España)
    Machine Learning (ML) techniques, especially Artificial Neural Networks, have been widely adopted as a tool for malware detection due to their high accuracy when classifying programs as benign or malicious. However, these techniques are vulnerable to Adversarial Examples (AEs), i.e., carefully crafted samples designed by an attacker to be misclassified by the target model. In this work, we propose a general method to produce AEs from existing malware, which is useful to increase the robustness of ML-based models. Our method dynamically introduces unused blocks (caves) in malware binaries, preserving their original functionality. Then, by using optimization techniques based on Genetic Algorithms, we determine the most adequate content to place in such code caves to achieve misclassification. We evaluate our model in a black-box setting with a well-known state-of-the-art architecture (MalConv), resulting in a successful evasion rate of 97.99 % from the 2k tested malware samples. Additionally, we successfully test the transferability of our proposal to commercial AV engines available at VirusTotal, showing a reduction in the detection rate for the crafted AEs. Finally, the obtained AEs are used to retrain the ML-based malware detector previously evaluated, showing an improve on its robustness.
  • Publication
    Malicious uses of blockchains by malware: from the analysis to Smart-Zephyrus
    (Springer, 2023-05-12) Giménez Aguilar, María del Mar; Fuentes García-Romero de Tejada, José María de; González Manzano, Lorena; Comunidad de Madrid; Ministerio de Ciencia e Innovación (España); Universidad Carlos III de Madrid
  • Publication
    A lightweight implementation of the Tav-128 hash function
    (Institute of Electronics, Information and Communication Engineers, 2017-06-10) Martín González, Honorio; Peris López, Pedro; San Millán Heredia, Enrique; Estévez Tapiador, Juan Manuel
    In this article we discuss the hardware implementation of a lightweight hash function, named Tav-128 [1], which was purposely designed for constrained devices such as low-cost RFID tags. In the original paper, the authors only provide an estimation of the hardware complexity. Motivated for this, we describe both an ASIC and an FPGA-based implementation of the aforementioned cryptographic primitive, and examine the performance of three architectures optimizing different criteria: area, throughput, and a trade-off between both of them.
  • Publication
    Full-resilient memory-optimum multi-party non-interactive key exchange
    (IEEE, 2020-02-06) Salimi, Majid; Mala, Hamid; Martín González, Honorio; Peris López, Pedro
    Multi-Party Non-Interactive Key Exchange (MP-NIKE) is a fundamental cryptographic primitive in which users register into a key generation centre and receive a public/private key pair each. After that, any subset of these users can compute a shared key without any interaction. Nowadays, IoT devices suffer from a high number and large size of messages exchanged in the Key Management Protocol (KMP). To overcome this, an MP-NIKE scheme can eliminate the airtime and latency of messages transferred between IoT devices. MP-NIKE schemes can be realized by using multilinear maps. There are several attempts for constructing multilinear maps based on indistinguishable obfuscation, lattices and the Chinese Remainder Theorem (CRT). Nevertheless, these schemes are inefficient in terms of computation cost and memory overhead. Besides, several attacks have been recently reported against CRT-based and lattice-based multilinear maps. There is only one modular exponentiation-based MP-NIKE scheme in the literature which has been claimed to be both secure and efficient. In this article, we present an attack on this scheme based on the Euclidean algorithm, in which two colluding users can obtain the shared key of any arbitrary subgroup of users. We also propose an efficient and secure MP-NIKE scheme. We show how our proposal is secure in the random oracle model assuming the hardness of the root extraction modulo a composite number.
  • Publication
    Shuffle, cut, and learn: Crypto Go, a card game for teaching cryptography
    (MDPI, 2020-11) González-Tablas Ferreres, Ana Isabel; González Vasco, María Isabel; Cascos Fernández, Ignacio; Planet Palomino, Alvaro; Ministerio de Economía y Competitividad (España)
    Cryptography is the mathematical core of information security. It serves both as a source of hard computational problems and as precise language allowing for the formalization of sound security models. While dealing with the mathematical foundations of cybersecurity is only possible in specialized courses (tertiary level and beyond), it is essential to promote the role of mathematics in this field at early educational stages. With this in mind, we introduce Crypto Go, a physical card game that may be used both as a dissemination and as an educational tool. The game is carefully devised in order to entertain and stimulate players, while boosting their understanding on how basic cryptographic tools work and interplay. To get a preliminary assessment of our design, we collected data from a series of test workshops, which engaged over two hundred players from different ages and educational backgrounds. This basic evaluation indeed confirms that Crypto Go significantly improves students' motivation and has a positive impact in their perception and understanding of the field.
  • Publication
    A true random number generator based on gait data for the Internet of You
    (IEEE, 2020-04-09) Cámara Núñez, María Carmen; Martín González, Honorio; Peris López, Pedro; Entrena Arrontes, Luis Alfonso
    The Internet of Things (IoT) is more and more a reality, and every day the number of connected objects increases. The growth is practically exponential -there are currently about 8 billion and expected to reach 21 billion in 2025. The applications of these devices are very diverse and range from home automation, through traffic monitoring or pollution, to sensors to monitor our health or improve our performance. While the potential of their applications seems to be unlimited, the cyber-security of these devices and their communications is critical for a flourishing deployment. Random Number Generators (RNGs) are essential to many security tasks such as seeds for key-generation or nonces used in authentication protocols. Till now, True Random Number Generators (TRNGs) are mainly based on physical phenomena, but there is a new trend that uses signals from our body (e.g., electrocardiograms) as an entropy source. Inspired by the last wave, we propose a new TRNG based on gait data (six 3-axis gyroscopes and accelerometers sensors over the subjects). We test both the quality of the entropic source (NIST SP800-90B) and the quality of the random bits generated (ENT, DIEHARDER and NIST 800-22). From this in-depth analysis, we can conclude that: 1) the gait data is a good source of entropy for random bit generation; 2) our proposed TRNG outputs bits that behave like a random variable. All this confirms the feasibility and the excellent properties of the proposed generator.
  • Publication
    An analysis of fake social media engagement services
    (Elsevier, 2023-01-01) Nevado Catalán, David; Pastrana Portillo, Sergio; Vallina-Rodriguez, Narseo; Estévez Tapiador, Juan Manuel; Comunidad de Madrid; European Commission
    Fake engagement services allow users of online social media and other web platforms to illegitimately increase their online reach and boost their perceived popularity. Driven by socio-economic and even political motivations, the demand for fake engagement services has increased in the last years, which has incentivized the rise of a vast underground market and support infrastructure. Prior research in this area has been limited to the study of the infrastructure used to provide these services (e.g., botnets) and to the development of algorithms to detect and remove fake activity in online targeted platforms. Yet, the platforms in which these services are sold (known as panels) and the underground markets offering these services have not received much research attention. To fill this knowledge gap, this paper studies Social Media Management (SMM) panels, i.e., reselling platforms, often found in underground forums, in which a large variety of fake engagement services are offered. By daily crawling 86 representative SMM panels for 4 months, we harvest a dataset with 2.8 M forum entries grouped into 61k different services. This dataset allows us to build a detailed catalog of the services for sale, the platforms they target, and to derive new insights on fake social engagement services and its market. We then perform an economic analysis of fake engagement services and their trading activities by automatically analyzing 7k threads in underground forums. Our analysis reveals a broad range of offered services and levels of customization, where buyers can acquire fake engagement services by selecting features such as the quality of the service, the speed of delivery, the country of origin, and even personal attributes of the fake account (e.g., gender). The price analysis also yields interesting empirical results, showing significant disparities between prices of the same product across different markets. These observations suggest that the market is still undeveloped and sellers do not know the real market value of the services that they offer, leading them to underprice or overprice their services.
  • Publication
    Identifying key relationships between nation-state cyberattacks and geopolitical and economic factors: A model
    (Hindawi, 2022-06-29) González Manzano, Lorena; Fuentes García-Romero de Tejada, José María de; Ramos Ibáñez, Cristina; Sánchez, Angel; Quispe Remón, Florabel; Comunidad de Madrid; Ministerio de Ciencia e Innovación (España)
    Nation-state cyberattacks, and particularly Advanced Persistent Threats (APTs), have rocketed in the last years. Their use may be aligned with nation-state geopolitical and economic (GPE) interests, which are key for the underlying international relations (IRs). However, the interdependency between APTs and GPE (and thus IRs) has not been characterized yet and it could be a steppingstone for an enhanced cyberthreat intelligence (CTI). To address this limitation, a set of analytic models are proposed in this work. They are built considering 234M geopolitical events and 306 malicious software tools linked to 13 groups of 7 countries between 2000 and 2019. Models show a substantial support for launched and received cyberattacks considering GPE factors in most countries. Moreover, strategic issues are the key motivator when launching APTs. Therefore, from the CTI perspective, our results show that there is a likely cause-effect relationship between IRs (particularly GPE relevant indicators) and APTs.
  • Publication
    A nested decision tree for event detection in smart grids
    (European Association for the Development of Renewable Energy, Environment and Power Quality (EA4EPQ), 2022-09) Turanzas, J.; Alonso Martínez, Mónica; Amarís Duarte, Hortensia Elena; Gutierrez, J.; Pastrana Portillo, Sergio
    Digitalization process experienced by traditional power networks towards smart grids extend the challenges faced by power grid operators to the field of cybersecurity. False data injection attacks, one of the most common cyberattacks in smart grids, could lead the power grid to sabotage itself. In this paper, an event detection algorithm for cyberattack in smart grids is developed based on a decision tree. In order to find the most accurate algorithm, two different decision trees with two different goals have been trained: one classifies the status of the network, corresponding to an event, and the other will classify the location where the event is detected. To train the decision trees, a dataset made by co-simulating a power network and a communication network has been used. The decision trees are going to be compared in different settings by changing the division criteria, the dataset used to train them and the misclassification cost. After looking at their performance independently, the best way to combine them into a single algorithm is presented.
  • Publication
    Key-recovery attacks on KIDS, a keyed anomaly detection system
    (IEEE, 2015-05-15) Estévez Tapiador, Juan Manuel; Orfila Díaz-Pabon, Agustín; Ribagorda Garnacho, Arturo; Ramos Álvarez, Benjamín
    Most anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Some works conducted over the last years have pointed out that such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection. Various learning schemes have been proposed to overcome this weakness. One such system is Keyed IDS (KIDS), introduced at DIMVA '10. KIDS' core idea is akin to the functioning of some cryptographic primitives, namely to introduce a secret element (the key) into the scheme so that some operations are infeasible without knowing it. In KIDS the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks. In this work we show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests. We present realistic attacks for two different adversarial settings and show that recovering the key requires only a small amount of queries, which indicates that KIDS does not meet the claimed security properties. We finally revisit KIDS' central idea and provide heuristic arguments about its suitability and limitations.
  • Publication
    ALTERDROID: differential fault analysis of obfuscated smartphone malware
    (IEEE, 2016-04-01) Suárez de Tangil Rotaeche, Guillermo Nicolás; Estévez Tapiador, Juan Manuel; Lombardi, Flavio; Di Prieto, Roberto; Comunidad de Madrid; Ministerio de Economía y Competitividad (España)
    Malware for smartphones has rocketed over the last years. Market operators face the challenge of keeping their stores free from malicious apps, a task that has become increasingly complex as malware developers are progressively using advanced techniques to defeat malware detection tools. One such technique commonly observed in recent malware samples consists of hiding and obfuscating modules containing malicious functionality in places that static analysis tools overlook (e.g., within data objects). In this paper, we describe ALTERDROID, a dynamic analysis approach for detecting such hidden or obfuscated malware components distributed as parts of an app package. The key idea in ALTERDROID consists of analyzing the behavioral differences between the original app and a number of automatically generated versions of it, where a number of modifications (faults) have been carefully injected. Observable differences in terms of activities that appear or vanish in the modified app are recorded, and the resulting differential signature is analyzed through a pattern-matching process driven by rules that relate different types of hidden functionalities with patterns found in the signature. A thorough justification and a description of the proposed model are provided. The extensive experimental results obtained by testing ALTERDROID over relevant apps and malware samples support the quality and viability of our proposal.
  • Publication
    Feasibility analysis of Inter-Pulse Intervals based solutions for cryptographic token generation by two electrocardiogram sensors
    (Elsevier, 2019-07-01) Ortiz Martín, Lara; Picazo Sánchez, Pablo; Peris López, Pedro; Estévez Tapiador, Juan Manuel; Schneider, Gerardo; Comunidad de Madrid; Ministerio de Economía y Competitividad (España)
    In this paper we address the problem of how two devices that are sensing the same heart signal can generate the same cryptographic token by extracting them from the Inter-Pulse Intervals (IPIs) of each cardiac signal. Our analysis is based on the use of a run-time monitor, which is extracted from a formal model and verified against predefined properties, combined with a fuzzy extractor to improve the final result. We first show that it is impossible, in general, to correct the differences between the IPIs derived from two captured electrocardiogram (ECG) signals when using only error correction techniques, thus being impossible to corroborate previous claims on the feasibility of this approach. Then, we provide a large-scale evaluation of the proposed method (run-time monitor and fuzzy extractor) over 19 public databases from the Physionet repository containing heart signals. The results clearly show the practicality of our proposal achieving a 91% of synchronization probability for healthy individuals. Additionally, we also conduct an experiment to check how long the sensors should record the heart signal in order to generate tokens of 32, 64 and 128 bits. Contrarily to what it is usually assumed (6, 12, and 24 s for individuals with a heart rate of 80 beats-per-minute), the sensors have to wait 13, 28 and 56.5 s on median, respectively, to derive the same token from both sensors.
  • Publication
    An efficient confidentiality-preserving Proof of Ownership for deduplication
    (Elsevier, 2015-04-01) González Manzano, Lorena; Orfila Díaz-Pabon, Agustín
    Data storage in the cloud is becoming widespread. Deduplication is a key mechanism to decrease the operating costs cloud providers face, due to the reduction of replicated data storage. Nonetheless, deduplication must deal with several security threats such as honest-but-curious servers or malicious users who may try to take ownership of files they are not entitled to. Unfortunately, state-of-the-art solutions present weaknesses such as not coping with honest-but-curious servers, deployment problems, or lacking a sound security analysis. In this paper we present a novel Proof of Ownership scheme that uses convergent encryption and requires neither trusted third parties nor complex key management. The experimental evaluation highlights the efficiency and feasibility of our proposal that is proven to be secure under the random oracle model in the bounded leakage setting. (C) 2015 Elsevier Ltd. All rights reserved.
  • Publication
    The malSource dataset: quantifying complexity and code reuse in malware development
    (IEEE, 2019-12-01) Calleja Cortiñas, Alejandro; Estévez Tapiador, Juan Manuel; Caballero, Juan; Comunidad de Madrid; Ministerio de Economía y Competitividad (España)
    During the last decades, the problem of malicious and unwanted software (malware) has surged in numbers and sophistication. Malware plays a key role in most of today's cyberattacks and has consolidated as a commodity in the underground economy. In this paper, we analyze the evolution of malware from 1975 to date from a software engineering perspective. We analyze the source code of 456 samples from 428 unique families and obtain measures of their size, code quality, and estimates of the development costs (effort, time, and number of people). Our results suggest an exponential increment of nearly one order of magnitude per decade in aspects such as size and estimated effort, with code quality metrics similar to those of benign software. We also study the extent to which code reuse is present in our dataset. We detect a significant number of code clones across malware families and report which features and functionalities are more commonly shared. Overall, our results support claims about the increasing complexity of malware and its production progressively becoming an industry.
  • Publication
    Editorial: Security and privacy in Internet of Things
    (Springer, 2019-06-01) Fuentes García-Romero de Tejada, José María de; González Manzano, Lorena; López, Javier; Peris López, Pedro; Choo, Kim-Kwang Raymond; Comunidad de Madrid; Ministerio de Economía y Competitividad (España)