Publications
Gutiérrez-Portela, Fernando; Almenares-Mendoza, Florina; Calderón-Benavides, Liliana
Evaluation of the performance of unsupervised learning algorithms for intrusion detection in unbalanced data environments Proceedings Article
In: IEEE, 2024, ISSN: 2169-3536.
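@article{almenarez019,
  title = {Evaluation of the performance of unsupervised learning algorithms for intrusion detection in unbalanced data environments},
  author = {Fernando Gutiérrez-Portela and Florina Almenares-Mendoza and Liliana Calderón-Benavides},
  url = {https://ieeexplore.ieee.org/document/10794744},
  doi = {10.1109/ACCESS.2024.3516615},
  issn = {2169-3536},
  year = {2024},
  date = {2024-12-12},
  urldate = {2024-12-12},
  journal = {IEEE Access},
  publisher = {IEEE},
  abstract = {In this study, the performance of different unsupervised machine learning algorithms used for intrusion detection within unbalanced data environments were analyzed; these algorithms included the K-means++ algorithm, density-based spatial clustering of applications with noise (DBSCAN), local outlier factor (LOF), and isolation forest (I-forest) using the BoT–IoT dataset. Performance metrics such as purity, homogeneity_score, completeness_score, v_measure_score, and adjusted_mutual_info_score were used to evaluate the effectiveness of algorithms in detecting various types of attacks such as distributed denial of service (DDoS), denial of service (DoS), and reconnaissance. Similarly, different methods were used for the automatic selection of the optimal number of clusters such as the elbow method, silhouette coefficient, Calinski–Harabasz index, and Davies–Bouldin index. Moreover, principal component analysis (PCA) was used to explain data variance and the influence of variables on intrusion detection. Results revealed that the K-means algorithm achieved 95% purity as well as 95% and 99% prediction accuracies for normal and abnormal data, respectively. The I-forest algorithm achieved 95% purity as well as 99% and 90% prediction accuracies for normal and abnormal data in a balanced dataset, respectively. These findings indicated that I-forest exhibited a low central processing unit (CPU) consumption rate of 10% on balanced data, outperforming DBSCAN, K-Means++, and LOF, with 16% consumption rates.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}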
Pérez-Díaz, Jaime; Almenares-Mendoza, Florina
Authorisation models for IoT environments: A survey Journal Article
In: www.elsevier.com/locate/iot, 2024, ISSN: 2542-6605.
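@article{almenarez018,
  title = {Authorisation models for IoT environments: A survey},
  author = {Jaime Pérez-Díaz and Florina Almenares-Mendoza},
  url = {https://www.sciencedirect.com/science/article/pii/S2542660524003718?via%3Dihub#d1e3887},
  doi = {10.1016/j.iot.2024.101430},
  issn = {2542-6605},
  year = {2024},
  date = {2024-11-23},
  urldate = {2024-11-23},
  journal = {Internet of Things},
  abstract = {Authorization models are pivotal in the Internet of Things (IoT) ecosystem, ensuring secure management of data access and communication. These models function after authentication, determining the specific actions that a device is allowed to perform. This paper aims to provide a comprehensive and comparative analysis of authorization solutions within IoT contexts, based on the requirements identified from the existing literature. We critically assess the functionalities and capabilities of various authorization solutions, particularly those designed for IoT cloud platforms and distributed architectures. Our findings highlight the urgent need for further development of authorization models optimized for the unique demands of IoT environments. Consequently, we address both the persistent challenges and the gaps within this domain. As IoT continues to reshape the technological landscape, the refinement and adaptation of authorization models remain imperative ongoing pursuits.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}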
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; Campo, Celeste; García-Rubio, Carlos
Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols Conference
2024 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2024, ISBN: 979-8-3503-5424-9.
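@conference{javierblanco002,
  title = {Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols},
  author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Celeste Campo and Carlos García-Rubio},
  url = {https://ieeexplore.ieee.org/abstract/document/10733716/figures#figures},
  doi = {10.1109/ISCC61673.2024.10733716},
  isbn = {979-8-3503-5424-9},
  year = {2024},
  date = {2024-10-31},
  urldate = {2024-10-31},
  booktitle = {2024 IEEE Symposium on Computers and Communications (ISCC)},
  publisher = {IEEE},
  abstract = {Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}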
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Journal Article
In: vol. 255, 2024, ISSN: 1389-1286.
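@article{javierblanco003,
  title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},
  author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
  url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},
  doi = {10.1016/j.comnet.2024.110877},
  issn = {1389-1286},
  year = {2024},
  date = {2024-10-25},
  urldate = {2024-10-25},
  journal = {Computer Networks},
  volume = {255},
  abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}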
Lorenzo, Vicente; Blanco-Romero, Javier; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
@conference{nokey,
  author    = {Vicente Lorenzo and Javier Blanco-Romero and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
  title     = {Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments},
  booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
  year      = {2024},
  date      = {2024-10-25},
  urldate   = {2024-10-25},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {conference}
}
Pérez-Díaz, J.; Almenares, Florina
Integración de un sistema de autenticación optimizado basado en PUF en OSCORE Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
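@conference{perezdiaz2024oscore,
  title = {Integración de un sistema de autenticación optimizado basado en PUF en OSCORE},
  author = {J. Pérez-Díaz and Florina Almenares},
  year = {2024},
  date = {2024-10-25},
  urldate = {2024-10-25},
  booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}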
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
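@conference{marta003,
  title = {Real-Time Analysis of Encrypted DNS Traffic for Threat Detection},
  author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
  url = {https://ieeexplore.ieee.org/document/10622347},
  doi = {10.1109/ICC51166.2024.10622347},
  issn = {1550-3607},
  year = {2024},
  date = {2024-08-20},
  booktitle = {ICC 2024 - IEEE International Conference on Communications},
  pages = {3292--3297},
  publisher = {IEEE},
  abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}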
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
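@conference{marta003b,
  title = {Real-Time Analysis of Encrypted DNS Traffic for Threat Detection},
  author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
  url = {https://ieeexplore.ieee.org/document/10622347},
  doi = {10.1109/ICC51166.2024.10622347},
  issn = {1550-3607},
  year = {2024},
  date = {2024-08-20},
  booktitle = {ICC 2024 - IEEE International Conference on Communications},
  pages = {3292--3297},
  publisher = {IEEE},
  abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}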
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
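@article{campo012,
  title = {Inferring mobile applications usage from DNS traffic},
  author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
  url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
  doi = {10.1016/j.adhoc.2024.103601},
  year = {2024},
  date = {2024-07-19},
  urldate = {2024-07-19},
  journal = {Ad Hoc Networks},
  publisher = {Elsevier B.V.},
  abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}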
Moure-Garrido, Marta; Campo, Celeste; García-Rubio, Carlos
Análisis estadístico del tráfico DoH para la detección del uso malicioso de túneles Conference
Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao) , 2024, ISBN: 978-84-88734-13-6.
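@conference{marta002,
  title = {Análisis estadístico del tráfico DoH para la detección del uso malicioso de túneles},
  author = {Marta Moure-Garrido and Celeste Campo and Carlos García-Rubio},
  url = {https://dialnet.unirioja.es/servlet/articulo?codigo=9206590},
  isbn = {978-84-88734-13-6},
  year = {2024},
  date = {2024-07-10},
  urldate = {2024-07-10},
  booktitle = {Investigación en Ciberseguridad Actas de las VII Jornadas Nacionales (7º.2022.Bilbao)},
  pages = {38--41},
  abstract = {Las primeras versiones de DNS presentaban ciertos problemas de seguridad: integridad, autenticidad y privacidad. Para solventarlos se definió DNSSEC, pero esta versión
seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los ultimos años se ha empleado la tunelización DNS para encapsular trafico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el trafico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}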
seguía sin garantizar privacidad. Por ello, se definieron DNS sobre TLS (DoT) en 2016 y DNS sobre HTTPS (DoH) en 2018. En los ultimos años se ha empleado la tunelización DNS para encapsular trafico maligno. Las versiones DoT y DoH han complicado la detección de estos túneles dado que los datos van encriptados. En trabajos anteriores se emplean técnicas de aprendizaje automático para identificar túneles DoH, pero tienen limitaciones. En este trabajo realizamos un análisis estadístico para aprender el patrón del tráfico DoH y estudiar las diferencias entre el tráfico benigno y el tráfico creado con herramientas de tunelización. El análisis revela que ciertos parámetros estadísticos permiten diferenciar el trafico. El siguiente paso de la investigación es aplicar técnicas más elaboradas basándonos en el análisis realizado.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel; Serrano-Navarro, Adrián
PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 396-403, Universidad de Sevilla , 2024, ISBN: 978-84-09-62140-8.
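@inproceedings{javierblanco001,
  title = {PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications},
  author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez and Adrián Serrano-Navarro},
  url = {https://hdl.handle.net/11441/159179
https://idus.us.es/handle/11441/159179
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
  isbn = {978-84-09-62140-8},
  year = {2024},
  date = {2024-05-28},
  urldate = {2024-05-28},
  booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
  pages = {396--403},
  publisher = {Universidad de Sevilla},
  abstract = {Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.},
  keywords = {},
  pubstate = {published},
  tppubtype = {inproceedings}
}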
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
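@inproceedings{andrea001,
  title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS},
  author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
  url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
  isbn = {978-84-09-62140-8},
  year = {2024},
  date = {2024-05-28},
  urldate = {2024-05-28},
  booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
  pages = {506--507},
  publisher = {Universidad de Sevilla},
  abstract = {La privacidad del usuario sigue siendo vulnerable cuando se utilizan protocolos de comunicación cifrados, como HTTPS, cuando las consultas DNS se envían en texto claro a través del puerto UDP 53 (Do53). En este estudio, demostramos la posibilidad de caracterizar una aplicación móvil que utiliza un usuario basándonos en su tráfico Do53. Mediante el análisis de un conjunto de datos de tráfico, formado por 80 aplicaciones móviles Android, podemos identificar la aplicación que se está utilizando basándonos en sus consultas DNS con una precisión del 88,75 %. Aunque los sistemas operativos modernos, incluido Android desde la versión 9.0, admiten el tráfico DNS cifrado, esta función no está activada por defecto y depende del soporte del proveedor de DNS. Además, incluso cuando el tráfico DNS está cifrado, el proveedor de servicios DNS sigue teniendo acceso a nuestras consultas y podría extraer información de ellas.},
  keywords = {},
  pubstate = {published},
  tppubtype = {inproceedings}
}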
Moure-Garrido, Marta; García-Rubio, Carlos; Campo, Celeste
Reducing DNS Traffic to Enhance Home IoT Device Privacy Journal Article
In: Sensors, vol. 24, iss. 9, 2024.
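@article{marta001,
  title = {Reducing DNS Traffic to Enhance Home IoT Device Privacy},
  author = {Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo},
  url = {https://www.mdpi.com/1424-8220/24/9/2690/pdf?version=1713941333},
  doi = {10.3390/s24092690},
  year = {2024},
  date = {2024-04-24},
  urldate = {2024-04-24},
  journal = {Sensors},
  volume = {24},
  issue = {9},
  publisher = {MDPI},
  abstract = {The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}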
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: 979-8-4007-0370-6.
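@conference{campo013,
  title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
  author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
  doi = {10.1145/3616394.3618268},
  isbn = {979-8-4007-0370-6},
  year = {2023},
  date = {2023-10-30},
  urldate = {2023-10-30},
  booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor \& Ubiquitous Networks.},
  pages = {69--76},
  publisher = {ACM},
  abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
  keywords = {},
  pubstate = {published},
  tppubtype = {conference}
}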
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: COMPUTER NETWORKS, vol. 234, iss. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
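@article{campo002,
  title = {Real time detection of malicious DoH traffic using statistical analysis},
  author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
  url = {http://hdl.handle.net/10016/38151},
  doi = {10.1016/j.comnet.2023.109910},
  issn = {1389-1286},
  year = {2023},
  date = {2023-10-09},
  urldate = {2023-10-09},
  journal = {Computer Networks},
  volume = {234},
  issue = {109910},
  pages = {1--10},
  abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}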
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
Gutierrez-Portela, Fernando; Arteaga-Arteaga, Harold-Brayan; Almenares-Mendoza, Florina; Calderon-Benavides, Liliana; Acosta-Mesa, Héctor-Gabriel; Tabares-Soto, Reinel
Enhancing Intrusion Detection in IoT Communications Through ML Model Generalization With a New Dataset (IDSAI) Journal Article
In: IEEE Access, vol. 11, pp. 70542 - 70559, 2023, ISSN: 2169-3536.
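@article{almenarez017,
  title = {Enhancing Intrusion Detection in IoT Communications Through ML Model Generalization With a New Dataset (IDSAI)},
  author = {Fernando Gutierrez-Portela and Harold-Brayan Arteaga-Arteaga and Florina Almenares-Mendoza and Liliana Calderon-Benavides and Héctor-Gabriel Acosta-Mesa and Reinel Tabares-Soto},
  url = {https://ieeexplore.ieee.org/document/10172186},
  doi = {10.1109/ACCESS.2023.3292267},
  issn = {2169-3536},
  year = {2023},
  date = {2023-07-04},
  urldate = {2023-07-04},
  journal = {IEEE Access},
  volume = {11},
  pages = {70542--70559},
  abstract = {One of the fields where Artificial Intelligence (AI) must continue to innovate is computer security. The integration of Wireless Sensor Networks (WSN) with the Internet of Things (IoT) creates ecosystems of attractive surfaces for security intrusions, being vulnerable to multiple and simultaneous attacks. This research evaluates the performance of supervised ML techniques for detecting intrusions based on network traffic captures. This work presents a new balanced dataset (IDSAI) with intrusions generated in attack environments in a real scenario. This new dataset has been provided in order to contrast model generalization from different datasets. The results show that for the detection of intruders, the best supervised algorithms are XGBoost, Gradient Boosting, Decision Tree, Random Forest, and Extra Trees, which can generate predictions when trained and predicted with ten specific intrusions (such as ARP spoofing, ICMP echo request Flood, TCP Null, and others), both of binary form (intrusion and non-intrusion) with up to 94% of accuracy, as multiclass form (ten different intrusions and non-intrusion) with up to 92% of accuracy. In contrast, up to 90% of accuracy is achieved for prediction on the Bot-IoT dataset using models trained with the IDSAI dataset.},
  keywords = {},
  pubstate = {published},
  tppubtype = {article}
}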
Chica, Sergio; Marín-López, Andrés; Arroyo, David; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Proceedings Article
In: pp. 413 - 422, Springer International Publishing, 2023, ISBN: 978-3-031-21229-1.
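@inproceedings{pa057,
  author     = {Chica, Sergio and Marín-López, Andrés and Arroyo, David and Almenares-Mendoza, Florina and Díaz-Sánchez, Daniel},
  title      = {Enhancing the anonymity and auditability of whistleblowers protection},
  pages      = {413--422},
  publisher  = {Springer International Publishing},
  year       = {2023},
  date       = {2023-01-08},
  doi        = {10.1007/978-3-031-21229-1_38},
  isbn       = {978-3-031-21229-1},
  abstract   = {In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {inproceedings}
}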
Díaz-Sanchez, Daniel; Almenarez-Mendoza, Florina; Marín-López, Andres; Rojo-Rivas, Isabel
A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing Proceedings Article
In: Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022), pp. 1043 - 1054, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
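@inproceedings{pa056,
  author     = {Díaz-Sanchez, Daniel and Almenarez-Mendoza, Florina and Marín-López, Andres and Rojo-Rivas, Isabel},
  title      = {A Hybrid Approach to Ephemeral {PKI} Credentials Validation and Auditing},
  booktitle  = {Proceedings of the International Conference on Ubiquitous Computing \& Ambient Intelligence ({UCAmI} 2022)},
  pages      = {1043--1054},
  publisher  = {Springer International Publishing},
  year       = {2022},
  date       = {2022-12-20},
  urldate    = {2022-12-20},
  isbn       = {978-3-031-21332-8},
  abstract   = {IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {inproceedings}
}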
Chica, Sergio; Marín, Andrés; Arroyo-Guardeño, David; Díaz, Jesús; Almenares, Florina; Díaz, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Conference
2022.
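@comment{NOTE(review): no booktitle is recorded for this conference entry, so styles that require one will warn; the event name is not given on this page - add it from the repository record.}
@conference{almenarez015,
  author     = {Chica, Sergio and Marín, Andrés and Arroyo-Guardeño, David and Díaz, Jesús and Almenares, Florina and Díaz, Daniel},
  title      = {Enhancing the anonymity and auditability of whistleblowers protection},
  year       = {2022},
  date       = {2022-11-30},
  urldate    = {2022-11-30},
  doi        = {10.20350/digitalCSIC/14702},
  url        = {http://hdl.handle.net/10261/275765},
  abstract   = {In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {conference}
}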
Perez-Diaz, Jaime; Almenares-Mendoza, Florina
Integrating an optimised PUF-based authentication scheme in OSCORE Proceedings Article
In: Ad Hoc Networks Journal, 2022, ISSN: 1570-8705.
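@comment{NOTE(review): the volume, the ISSN and the "Ad Hoc Networks Journal" value stored in publisher suggest a journal article rather than a proceedings paper; entry type and tppubtype are left as exported - confirm against the DOI record before switching to the article type with a journal field.}
@inproceedings{almenarez007,
  author     = {Perez-Diaz, Jaime and Almenares-Mendoza, Florina},
  title      = {Integrating an optimised {PUF}-based authentication scheme in {OSCORE}},
  volume     = {140},
  publisher  = {Ad Hoc Networks Journal},
  year       = {2022},
  date       = {2022-11-23},
  urldate    = {2022-11-23},
  doi        = {10.1016/j.adhoc.2022.103038},
  issn       = {1570-8705},
  abstract   = {Due to the growth in the amount and type of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the axioms concerning security must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {inproceedings}
}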
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.
García-Rubio, Carlos; Campo, Celeste; Moure-Garrido, Marta
Synthetic Generation of Electrical Consumption Traces in Smart Homes Conference
Lecture Notes in Networks and Systems, vol. 594, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
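@conference{garciarubio008,
  author     = {García-Rubio, Carlos and Campo, Celeste and Moure-Garrido, Marta},
  title      = {Synthetic Generation of Electrical Consumption Traces in Smart Homes},
  booktitle  = {Lecture Notes in Networks and Systems},
  volume     = {594},
  pages      = {681--692},
  publisher  = {Springer International Publishing},
  year       = {2022},
  date       = {2022-11-21},
  urldate    = {2022-11-21},
  doi        = {10.1007/978-3-031-21333-5_68},
  url        = {https://link.springer.com/chapter/10.1007/978-3-031-21333-5_68},
  isbn       = {978-3-031-21332-8},
  abstract   = {With the introduction of the smart grid, smart meters and smart plugs, it is possible to know the energy consumption of a smart home, either per appliance or aggregate. Some recent works have used energy consumption traces to detect anomalies, either in the behavior of the inhabitants or in the operation of some device in the smart home. To train and test the algorithms that detect these anomalies, it is necessary to have extensive and well-annotated consumption traces. However, this type of traces is difficult to obtain. In this paper we describe a highly configurable synthetic electrical trace generator, with characteristics similar to real traces, that can be used in this type of study. In order to have a more realistic behavior, the traces are generated by adding the consumption of several simulated appliances, which precisely represent the consumption of different typical electrical devices. Following the behavior of the real traces, variations at different scales of time and anomalies are introduced to the aggregated smart home energy consumption.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {conference}
}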
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis Conference
PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3.
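@conference{campo015,
  author     = {Moure-Garrido, Marta and Campo-Vázquez, Celeste and García-Rubio, Carlos},
  title      = {Detecting Malicious Use of {DoH} Tunnels Using Statistical Traffic Analysis},
  booktitle  = {{PE-WASUN} '22: Proceedings of the 19th {ACM} International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, \& Ubiquitous Networks},
  publisher  = {ACM},
  year       = {2022},
  date       = {2022-10-24},
  urldate    = {2022-10-24},
  doi        = {10.1145/3551663.3558605},
  url        = {https://dl.acm.org/doi/10.1145/3551663.3558605},
  isbn       = {978-1-4503-9483-3},
  abstract   = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {conference}
}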
Rojo-Rivas, María Isabel; Díaz-Sánchez, Daniel; Almenarez, Florina; Marín-Lopez, Andrés
Kriper: A blockchain network with permissioned storage Journal Article
In: Future Generation Computer Systems, vol. 138, pp. 160-171, 2022, ISSN: 0167-739X.
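@article{diazsanchez010,
  author     = {Rojo-Rivas, María Isabel and Díaz-Sánchez, Daniel and Almenarez, Florina and Marín-Lopez, Andrés},
  title      = {{Kriper}: A blockchain network with permissioned storage},
  journal    = {Future Generation Computer Systems},
  volume     = {138},
  pages      = {160--171},
  year       = {2022},
  date       = {2022-08-17},
  urldate    = {2022-08-17},
  doi        = {10.1016/j.future.2022.08.006},
  issn       = {0167-739X},
  abstract   = {Blockchain has been a revolution in the past few years. Beyond the new currencies that were created around different incarnations of the blockchain concept, there are many other contributions that provide interesting services as a data linked structure using a decentralized network that provide a high level of security. Companies have developed many projects to incorporate blockchain into their business logic pursuing to incorporate other related services as persistence of large volumes of data, privacy or anonymity of transactions, distributed data processing, security (confidentiality, integrity, and availability), document management or micro messages in real time. Nevertheless, as it will be discussed in this article, current blockchains do not meet the needs of companies in many aspects, leading to a scarce or superficial adoption. This article introduces Kriper, a blockchain that aims at meeting corporate world needs by responding with a community-based, open blockchain that may also be segregated and private for certain uses whereas it provides a permissioned distributed storage and micro message lightweight services.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {article}
}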
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Entropy-Based Anomaly Detection in Household Electricity Consumption Journal Article
In: Energies, vol. 15, 2022, ISSN: 1996-1073.
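@article{campo003,
  author     = {Moure-Garrido, Marta and Campo-Vázquez, Celeste and García-Rubio, Carlos},
  title      = {Entropy-Based Anomaly Detection in Household Electricity Consumption},
  journal    = {Energies},
  volume     = {15},
  year       = {2022},
  date       = {2022-03-02},
  urldate    = {2022-03-02},
  doi        = {10.3390/en15051837},
  issn       = {1996-1073},
  abstract   = {Energy efficiency is one of the most important current challenges, and its impact at a global level is considerable. To solve current challenges, it is critical that consumers are able to control their energy consumption. In this paper, we propose using a time series of window-based entropy to detect anomalies in the electricity consumption of a household when the pattern of consumption behavior exhibits a change. We compare the accuracy of this approach with two machine learning approaches, random forest and neural networks, and with a statistical approach, the ARIMA model. We study whether these approaches detect the same anomalous periods. These different techniques have been evaluated using a real dataset obtained from different households with different consumption profiles from the Madrid Region. The entropy-based algorithm detects more days classified as anomalous according to context information compared to the other algorithms. This approach has the advantages that it does not require a training period and that it adapts dynamically to changes, except in vacation periods when consumption drops drastically and requires some time for adapting to the new situation.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {article}
}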
Pérez-Díaz, Jaime; Almenares, Florina
A PUF-based Authentication Mechanism for OSCORE Conference
PE-WASUN '21: Proceedings of the 18th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, 2021.
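@conference{almenarez016,
  author     = {Pérez-Díaz, Jaime and Almenares, Florina},
  title      = {A {PUF}-based Authentication Mechanism for {OSCORE}},
  booktitle  = {{PE-WASUN} '21: Proceedings of the 18th {ACM} Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, \& Ubiquitous Networks},
  pages      = {65--72},
  year       = {2021},
  date       = {2021-11-22},
  urldate    = {2021-11-22},
  doi        = {10.1145/3479240.3488526},
  url        = {https://dl.acm.org/doi/10.1145/3479240.3488526},
  abstract   = {Within environment generated when deploying Internet of Things (IoT) solutions, there is a need to do it securely. Authentication of the devices against the applications deployed on the servers, which receive or send data to the IoT devices must be carried out. Standard IoT protocols, such as CoAP or MQTT, define secure communications through protocols on transport, network or application layers. Nevertheless, a shortcoming when protocols using secret keys are used lies in the management of such keys, which is out of scope of the specifications. For this reason, this article presents an authentication solution for OSCORE (Object Security for Constrained RESTful Environments) based on PUFs (Physical Unclonable Functions) that makes it possible to establish a secure mechanism for the exchange and management of keys. The performance of this proposal has been evaluated, showing its viability.},
  keywords   = {},
  pubstate   = {published},
  tppubtype  = {conference}
}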