COMPROMISE
COMPROMISE: Mejorando la confidencialidad y privacidad en protocolos de comunicaciones
AGENCIA ESTATAL DE INVESTIGACION (AEI)
(Ref. PID2020-113795RB-C32)
9/ 2021
--
8/ 2024
Nowadays, mobile devices and networks allow us to be constantly connected anywhere. Often, these interactions leave a digital footprint that we are not aware of. Data, such as location information linked to our posts or searches in our browser may be processed by ML techniques that might allow a third party to infer sensitive information about our lives, such as location footprint. Consequently, there is a growing concern about the loss of control over personal data and the potential negative impact in our lives. Technology is now at a crossroads: trying to balance privacy and utility in scenarios that combine massive exchange communications, big databases and distributed and collaborative ML techniques towards the network edge. Precisely, the COMPROMISE project combines our knowledge in the areas of security, privacy, communication protocols, quality of service and ML, to face privacy improvements in network protocols and prevent privacy attacks, protecting communications with mechanisms that balance the trade-off between utility and privacy."
Publications
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: N 979-8-4007-0370-6.
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido},
doi = {https://doi.org/10.1145/3616394.3618268},
isbn = {N 979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks.},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Moure-Garrido, Marta
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: COMPUTER NETWORKS, vol. 234, iss. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
@article{campo002,
title = {Real time detection of malicious DoH traffic using statistical analysis },
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Marta Moure-Garrido},
url = {http://hdl.handle.net/10016/38151},
doi = {https://doi.org/10.1016/j.comnet.2023.109910},
issn = {1389-1286},
year = {2023},
date = {2023-10-09},
urldate = {2023-10-09},
journal = {COMPUTER NETWORKS},
volume = {234},
issue = {109910},
pages = {1-10},
abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
Chica, Sergio; Marín-López, Andrés; Arroyo, David; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Proceedings Article
In: pp. 413 - 422, Springer International Publishing, 2023, ISBN: 978-3-031-21229-1.
@inproceedings{pa057,
title = {Enhancing the anonymity and auditability of whistleblowers protection},
author = {Sergio Chica and Andrés Marín-López and David Arroyo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
doi = {https://doi.org/10.1007/978-3-031-21229-1_38},
isbn = {978-3-031-21229-1},
year = {2023},
date = {2023-01-08},
pages = {413 - 422},
publisher = {Springer International Publishing},
abstract = {In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.
Díaz-Sanchez, Daniel; Almenarez-Mendoza, Florina; Marín-López, Andres; Rojo-Rivas, Isabel
A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing Proceedings Article
In: Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022), pp. 1043 - 1054, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
@inproceedings{pa056,
title = {A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing},
author = {Daniel Díaz-Sanchez and Florina Almenarez-Mendoza and Andres Marín-López and Isabel Rojo-Rivas },
isbn = {978-3-031-21332-8},
year = {2022},
date = {2022-12-20},
urldate = {2022-12-20},
booktitle = {Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022)},
pages = {1043 - 1054},
publisher = {Springer International Publishing},
abstract = {IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.
Perez-Diaz, Jaime; Almenares-Mendoza, Florina
Integrating an optimised PUF-based authentication scheme in OSCORE Proceedings Article
In: Ad Hoc Networks Journal, 2022, ISSN: 1570-8705.
@inproceedings{almenarez007,
title = {Integrating an optimised PUF-based authentication scheme in OSCORE},
author = {Jaime Perez-Diaz and Florina Almenares-Mendoza },
doi = {https://doi.org/10.1016/j.adhoc.2022.103038},
issn = {1570-8705},
year = {2022},
date = {2022-11-23},
urldate = {2022-11-23},
volume = {140},
publisher = {Ad Hoc Networks Journal},
abstract = {Due to the growth in the amount and type of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the axioms concerning security must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Due to the growth in the amount and type of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the axioms concerning security must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Moure-Garrido, Marta
Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis Conference
PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3.
@conference{campo015,
title = {Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Marta Moure-Garrido },
url = {https://dl.acm.org/doi/10.1145/3551663.3558605},
doi = {https://doi.org/10.1145/3551663.3558605},
isbn = {978-1-4503-9483-3},
year = {2022},
date = {2022-10-24},
urldate = {2022-10-24},
booktitle = {PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},
publisher = {ACM},
abstract = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Moure-Garrido, Marta
Entropy-Based Anomaly Detection in HouseholdElectricity Consumption Journal Article
In: Energies, vol. 15, 2022, ISSN: 1996-1073.
@article{campo003,
title = {Entropy-Based Anomaly Detection in HouseholdElectricity Consumption},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Marta Moure-Garrido},
doi = {https://doi.org/10.3390/en15051837},
issn = {1996-1073},
year = {2022},
date = {2022-03-02},
urldate = {2022-03-02},
journal = {Energies},
volume = {15},
abstract = {Energy efficiency is one of the most important current challenges, and its impact at a global level is considerable. To solve current challenges, it is critical that consumers are able to control their energy consumption. In this paper, we propose using a time series of window-based entropy to detect anomalies in the electricity consumption of a household when the pattern of consumption behavior exhibits a change. We compare the accuracy of this approach with two machine learning approaches, random forest and neural networks, and with a statistical approach, the ARIMA model. We study whether these approaches detect the same anomalous periods. These different techniques have been evaluated using a real dataset obtained from different households with different consumption profiles from the Madrid Region. The entropy-based algorithm detects more days classified as anomalous according to context information compared to the other algorithms. This approach has the advantages that it does not require a training period and that it adapts dynamically to changes, except in vacation periods when consumption drops drastically and requires some time for adapting to the new situation.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Energy efficiency is one of the most important current challenges, and its impact at a global level is considerable. To solve current challenges, it is critical that consumers are able to control their energy consumption. In this paper, we propose using a time series of window-based entropy to detect anomalies in the electricity consumption of a household when the pattern of consumption behavior exhibits a change. We compare the accuracy of this approach with two machine learning approaches, random forest and neural networks, and with a statistical approach, the ARIMA model. We study whether these approaches detect the same anomalous periods. These different techniques have been evaluated using a real dataset obtained from different households with different consumption profiles from the Madrid Region. The entropy-based algorithm detects more days classified as anomalous according to context information compared to the other algorithms. This approach has the advantages that it does not require a training period and that it adapts dynamically to changes, except in vacation periods when consumption drops drastically and requires some time for adapting to the new situation.