Contact information
Name | Marta Moure-Garrido |
Address | Room 4.0.F03 Edificio Torres Quevedo, Avenida de la Universidad 30, 28911 Leganés |
displayName | Marta Moure Garrido |
Academic
jobline | PhD |
Bio Information
Biography | Marta Moure-Garrido is a postdoc at the Department of Telematic Engineering of the University Carlos III of Madrid. Her research interests are the design and performance evaluation of communication protocols. She received her Ph.D. degree from the University Carlos III of Madrid in 2024. |
Marta Moure-Garrido is a postdoc at the Department of Telematic Engineering of the University Carlos III of Madrid. Her research interests are the design and performance evaluation of communication protocols. She received her Ph.D. degree from the University Carlos III of Madrid in 2024.
Contact
Address
Room 4.0.F03 Edificio Torres Quevedo, Avenida de la Universidad 30, 28911 Leganés
Publications
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
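@conference{marta003,
title = {Real-Time Analysis of Encrypted {DNS} Traffic for Threat Detection},
author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/document/10622347},
doi = {10.1109/ICC51166.2024.10622347},
issn = {1550-3607},
year = {2024},
date = {2024-08-20},
booktitle = {ICC 2024 - IEEE International Conference on Communications},
pages = {3292--3297},
publisher = {IEEE},
abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
pubstate = {published},
tppubtype = {conference}
}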
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
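@comment{NOTE(review): duplicate of entry marta003 (identical title, authors and DOI). Consider merging the two keys.}
@conference{marta003b,
title = {Real-Time Analysis of Encrypted {DNS} Traffic for Threat Detection},
author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/document/10622347},
doi = {10.1109/ICC51166.2024.10622347},
issn = {1550-3607},
year = {2024},
date = {2024-08-20},
booktitle = {ICC 2024 - IEEE International Conference on Communications},
pages = {3292--3297},
publisher = {IEEE},
abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
pubstate = {published},
tppubtype = {conference}
}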
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
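@comment{NOTE(review): the DOI and the ScienceDirect article URL suggest a journal article; confirm whether this entry should be @article with a journal field instead of booktitle.}
@inproceedings{campo012,
title = {Inferring mobile applications usage from {DNS} traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
pubstate = {published},
tppubtype = {inproceedings}
}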
Moure-Garrido, Marta; Campo, Celeste; García-Rubio, Carlos
Análisis estadístico del tráfico DoH para la detección del uso malicioso de túneles Conference
Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao) , 2024, ISBN: 978-84-88734-13-6.
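@conference{marta002,
title = {Análisis estadístico del tráfico {DoH} para la detección del uso malicioso de túneles},
author = {Marta Moure-Garrido and Celeste Campo and Carlos García-Rubio},
url = {https://dialnet.unirioja.es/servlet/articulo?codigo=9206590},
isbn = {978-84-88734-13-6},
year = {2024},
date = {2024-07-10},
urldate = {2024-07-10},
booktitle = {Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao)},
pages = {38--41},
abstract = {Las primeras versiones de DNS presentaban ciertos problemas de seguridad: integridad, autenticidad y privacidad. Para solventarlos se definió DNSSEC, pero esta versión
seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los últimos años se ha empleado la tunelización DNS para encapsular tráfico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el tráfico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.},
pubstate = {published},
tppubtype = {conference}
}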
seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los últimos años se ha empleado la tunelización DNS para encapsular tráfico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el tráfico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
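@comment{NOTE(review): the url field below holds three URLs on separate lines; standard BibTeX and biblatex styles expect a single URL there, so confirm the consuming tool accepts this layout.}
@inproceedings{andrea001,
title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico {DNS}},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {506--507},
publisher = {Universidad de Sevilla},
abstract = {La privacidad del usuario sigue siendo vulnerable
cuando se utilizan protocolos de comunicación cifrados, como
HTTPS, cuando las consultas DNS se envían en texto claro a
través del puerto UDP 53 (Do53). En este estudio, demostramos
la posibilidad de caracterizar una aplicación móvil que utiliza
un usuario basándonos en su tráfico Do53. Mediante el análisis
de un conjunto de datos de tráfico, formado por 80 aplicaciones
móviles Android, podemos identificar la aplicación que se está
utilizando basándonos en sus consultas DNS con una precisión
del 88,75 %. Aunque los sistemas operativos modernos, incluido
Android desde la versión 9.0, admiten el tráfico DNS cifrado,
esta función no está activada por defecto y depende del soporte
del proveedor de DNS. Además, incluso cuando el tráfico DNS
está cifrado, el proveedor de servicios DNS sigue teniendo acceso
a nuestras consultas y podría extraer información de ellas.},
pubstate = {published},
tppubtype = {inproceedings}
}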
cuando se utilizan protocolos de comunicación cifrados, como
HTTPS, cuando las consultas DNS se envían en texto claro a
través del puerto UDP 53 (Do53). En este estudio, demostramos
la posibilidad de caracterizar una aplicación móvil que utiliza
un usuario basándonos en su tráfico Do53. Mediante el análisis
de un conjunto de datos de tráfico, formado por 80 aplicaciones
móviles Android, podemos identificar la aplicación que se está
utilizando basándonos en sus consultas DNS con una precisión
del 88,75 %. Aunque los sistemas operativos modernos, incluido
Android desde la versión 9.0, admiten el tráfico DNS cifrado,
esta función no está activada por defecto y depende del soporte
del proveedor de DNS. Además, incluso cuando el tráfico DNS
está cifrado, el proveedor de servicios DNS sigue teniendo acceso
a nuestras consultas y podría extraer información de ellas.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks, ACM, 2023, ISBN: 979-8-4007-0370-6.
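@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of {DNS} Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
doi = {10.1145/3616394.3618268},
isbn = {979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor \& Ubiquitous Networks},
pages = {69--76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
pubstate = {published},
tppubtype = {conference}
}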
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: COMPUTER NETWORKS, vol. 234, iss. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
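@comment{NOTE(review): the issue field holds 109910, which looks like an article number rather than an issue number; confirm against the publisher record.}
@article{campo002,
title = {Real time detection of malicious {DoH} traffic using statistical analysis},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {http://hdl.handle.net/10016/38151},
doi = {10.1016/j.comnet.2023.109910},
issn = {1389-1286},
year = {2023},
date = {2023-10-09},
urldate = {2023-10-09},
journal = {COMPUTER NETWORKS},
volume = {234},
issue = {109910},
pages = {1--10},
abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
pubstate = {published},
tppubtype = {article}
}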
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
García-Rubio, Carlos; Campo, Celeste; Moure-Garrido, Marta
Synthetic Generation of Electrical Consumption Traces in Smart Homes Conference
Lecture Notes in Networks and Systems, vol. 594, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
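@conference{garciarubio008,
title = {Synthetic Generation of Electrical Consumption Traces in Smart Homes},
author = {Carlos García-Rubio and Celeste Campo and Marta Moure-Garrido},
url = {https://link.springer.com/chapter/10.1007/978-3-031-21333-5_68},
doi = {10.1007/978-3-031-21333-5_68},
isbn = {978-3-031-21332-8},
year = {2022},
date = {2022-11-21},
urldate = {2022-11-21},
booktitle = {Lecture Notes in Networks and Systems},
volume = {594},
pages = {681--692},
publisher = {Springer International Publishing},
abstract = {With the introduction of the smart grid, smart meters and smart plugs, it is possible to know the energy consumption of a smart home, either per appliance or aggregate. Some recent works have used energy consumption traces to detect anomalies, either in the behavior of the inhabitants or in the operation of some device in the smart home. To train and test the algorithms that detect these anomalies, it is necessary to have extensive and well-annotated consumption traces. However, this type of traces is difficult to obtain. In this paper we describe a highly configurable synthetic electrical trace generator, with characteristics similar to real traces, that can be used in this type of study. In order to have a more realistic behavior, the traces are generated by adding the consumption of several simulated appliances, which precisely represent the consumption of different typical electrical devices. Following the behavior of the real traces, variations at different scales of time and anomalies are introduced to the aggregated smart home energy consumption.},
pubstate = {published},
tppubtype = {conference}
}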
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis Conference
PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3.
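@conference{campo015,
title = {Detecting Malicious Use of {DoH} Tunnels Using Statistical Traffic Analysis},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {https://dl.acm.org/doi/10.1145/3551663.3558605},
doi = {10.1145/3551663.3558605},
isbn = {978-1-4503-9483-3},
year = {2022},
date = {2022-10-24},
urldate = {2022-10-24},
booktitle = {PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, \& Ubiquitous Networks},
publisher = {ACM},
abstract = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},
pubstate = {published},
tppubtype = {conference}
}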
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Entropy-Based Anomaly Detection in Household Electricity Consumption Journal Article
In: Energies, vol. 15, 2022, ISSN: 1996-1073.
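@article{campo003,
title = {Entropy-Based Anomaly Detection in Household Electricity Consumption},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
doi = {10.3390/en15051837},
issn = {1996-1073},
year = {2022},
date = {2022-03-02},
urldate = {2022-03-02},
journal = {Energies},
volume = {15},
abstract = {Energy efficiency is one of the most important current challenges, and its impact at a global level is considerable. To solve current challenges, it is critical that consumers are able to control their energy consumption. In this paper, we propose using a time series of window-based entropy to detect anomalies in the electricity consumption of a household when the pattern of consumption behavior exhibits a change. We compare the accuracy of this approach with two machine learning approaches, random forest and neural networks, and with a statistical approach, the ARIMA model. We study whether these approaches detect the same anomalous periods. These different techniques have been evaluated using a real dataset obtained from different households with different consumption profiles from the Madrid Region. The entropy-based algorithm detects more days classified as anomalous according to context information compared to the other algorithms. This approach has the advantages that it does not require a training period and that it adapts dynamically to changes, except in vacation periods when consumption drops drastically and requires some time for adapting to the new situation.},
pubstate = {published},
tppubtype = {article}
}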
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Anomalies detection using entropy in household energy consumption data Conference
Intelligent Environments 2020 Workshop Proceedings of the 16th International Conference on Intelligent Environments, 2020, ISBN: 978-1-64368-090-3.
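@conference{campo016,
title = {Anomalies detection using entropy in household energy consumption data},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {https://ebooks.iospress.nl/publication/54775},
doi = {10.3233/AISE200055},
isbn = {978-1-64368-090-3},
year = {2020},
date = {2020-05-04},
urldate = {2020-05-04},
booktitle = {Intelligent Environments 2020 Workshop Proceedings of the 16th International Conference on Intelligent Environments},
pages = {311--320},
abstract = {The growing boom in smart grids and home automation makes possible
to obtain information of household energy consumption. In this work, we study if
entropy is a good mechanism to detect anomalies in household energy consumption traces. We propose an entropy algorithm based on windowing the temporal
series of energy consumption. We select a trace with a duration of 3 months from
the REFIT project household energy consumption data set, available open access.
Entropy can adapt to changes in consumption in this trace, by learning and forgetting patterns dynamically. Although entropy is a promising technique and it has
many advantages, as the traces in this data set are not sufficiently labeled to check
the correct functioning of the algorithms, we propose to further validate the results
using synthetic traces.},
pubstate = {published},
tppubtype = {conference}
}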
to obtain information of household energy consumption. In this work, we study if
entropy is a good mechanism to detect anomalies in household energy consumption traces. We propose an entropy algorithm based on windowing the temporal
series of energy consumption. We select a trace with a duration of 3 months from
the REFIT project household energy consumption data set, available open access.
Entropy can adapt to changes in consumption in this trace, by learning and forgetting patterns dynamically. Although entropy is a promising technique and it has
many advantages, as the traces in this data set are not sufficiently labeled to check
the correct functioning of the algorithms, we propose to further validate the results
using synthetic traces.