COMPROMISE
COMPROMISE: Mejorando la confidencialidad y privacidad en protocolos de comunicaciones
AGENCIA ESTATAL DE INVESTIGACION (AEI)
(Ref. PID2020-113795RB-C32)
9/2021 -- 8/2024
Nowadays, mobile devices and networks allow us to be constantly connected anywhere. Often, these interactions leave a digital footprint that we are not aware of. Data such as the location information attached to our posts, or the searches we type into our browser, may be processed with ML techniques that let a third party infer sensitive information about our lives, for example our location history. Consequently, there is a growing concern about the loss of control over personal data and its potential negative impact on our lives. Technology is now at a crossroads, trying to balance privacy and utility in scenarios that combine massive communication exchanges, large databases, and distributed, collaborative ML techniques pushed towards the network edge. The COMPROMISE project combines our expertise in security, privacy, communication protocols, quality of service and ML to improve privacy in network protocols and prevent privacy attacks, protecting communications with mechanisms that balance the trade-off between utility and privacy.
Publications
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Journal Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@article{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
journal = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy at risk. Even when application traffic is encrypted, DNS traffic usually is not, and valuable information can be extracted from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel; Serrano-Navarro, Adrián
PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 396-403, Universidad de Sevilla , 2024, ISBN: 978-84-09-62140-8.
@inproceedings{javierblanco001,
title = {PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez and Adrián Serrano-Navarro},
url = {https://hdl.handle.net/11441/159179
https://idus.us.es/handle/11441/159179
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {396-403},
publisher = {Universidad de Sevilla},
abstract = {Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robot Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS) standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS's security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and crypto-agility of DDS-based systems.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
@inproceedings{andrea001,
title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {506-507},
publisher = {Universidad de Sevilla},
abstract = {User privacy remains vulnerable when encrypted communication protocols such as HTTPS are used if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate that the mobile application a user is running can be characterized from its Do53 traffic. By analyzing a traffic dataset of 80 Android mobile applications, we can identify the app being used from its DNS queries with an accuracy of 88.75%. Although modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and depends on DNS provider support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Moure-Garrido, Marta; García-Rubio, Carlos; Campo, Celeste
Reducing DNS Traffic to Enhance Home IoT Device Privacy Journal Article
In: Sensors, vol. 24, no. 9, 2024.
@article{marta001,
title = {Reducing DNS Traffic to Enhance Home IoT Device Privacy},
author = {Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo},
url = {https://www.mdpi.com/1424-8220/24/9/2690/pdf?version=1713941333},
doi = {10.3390/s24092690},
year = {2024},
date = {2024-04-24},
urldate = {2024-04-24},
journal = {Sensors},
volume = {24},
issue = {9},
publisher = {MDPI},
abstract = {The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name System (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, that DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and that the excessive generation of traffic poses a security risk by amplifying an attacker's ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce the DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of a DNS cache in the devices; caching only a few resources increases privacy considerably.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
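The abstract above argues that a TTL-respecting resolver cache on the device is enough to cut most of the Do53 traffic an eavesdropper can tally. The following simulation is an added example, not the paper's code or measurements: the device, its query schedule, the two vendor domain names and their TTLs are all constructed for the illustration. It counts the queries that actually leave the device with and without a cache.

```python
"""How a local DNS cache shrinks the Do53 footprint of a home IoT device.

Added example, not the paper's code or measurements. The device, its query
schedule and the record TTLs are constructed for this illustration.
"""
from __future__ import annotations

from collections import Counter


# Constructed device behaviour: it re-resolves its two vendor endpoints before
# every connection, every 20 s, for 10 minutes.
def make_schedule(duration_s=600, period_s=20,
                  domains=("telemetry.vendor.example", "time.vendor.example")):
    return [(t, d) for t in range(0, duration_s, period_s) for d in domains]


# Constructed TTLs returned by the authoritative servers for those names.
TTL_S = {"telemetry.vendor.example": 300, "time.vendor.example": 60}


def queries_on_wire(schedule, ttls, cache_enabled):
    """Return the (time, name) pairs that actually leave the device on UDP/53.

    Without a cache every lookup goes out. With a TTL-respecting cache a name is
    re-queried only after its record expires, which is all a passive observer sees.
    """
    sent = []
    expires_at = {}  # name -> time its cached answer stops being valid
    for t, name in schedule:
        if cache_enabled and expires_at.get(name, -1) > t:
            continue
        sent.append((t, name))
        expires_at[name] = t + ttls.get(name, 0)
    return sent


def exposure(schedule, ttls, cache_enabled):
    """What an eavesdropper on port 53 can tally: total queries and per-name counts."""
    sent = queries_on_wire(schedule, ttls, cache_enabled)
    return {"total": len(sent), "per_name": dict(Counter(n for _, n in sent))}


if __name__ == "__main__":
    sched = make_schedule()
    print("no cache:", exposure(sched, TTL_S, cache_enabled=False))
    print("cache:   ", exposure(sched, TTL_S, cache_enabled=True))
```

The distinctive names still appear on the wire once per TTL, so the device type is not hidden; what changes is that the observer gets a handful of samples per hour instead of one per connection, which is the sense in which the abstract says caching "increases privacy considerably".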
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks, pp. 69-76, ACM, 2023, ISBN: 979-8-4007-0370-6.
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
doi = {10.1145/3616394.3618268},
isbn = {979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks.},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
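The three DNS-based app identification entries above (Ad Hoc Networks 2024, JNIC 2024 and PE-WASUN '23) rest on the same observation: the set of names an app resolves over Do53 is distinctive enough to name the app. The following is an added example, not the authors' methodology, code or dataset; the app names, domain names, the IDF-style weighting and the decision threshold are assumptions constructed for the illustration. It shows the step a practitioner most often gets wrong, which is that shared infrastructure names (analytics, CDN fonts) carry no evidence and must be down-weighted before matching.

```python
"""Fingerprint a mobile app from the names it resolves over plaintext DNS (Do53).

Added example, not the papers' code or dataset. App names, domains, weighting
and the decision threshold are assumptions constructed for this illustration.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed training traces: app -> domains observed in its Do53 queries.
# Shared infrastructure names (analytics, CDN fonts) show up under several apps.
TRAINING_TRACES: dict[str, list[str]] = {
    "weather_app": ["api.weather.example", "cdn.weather.example",
                    "analytics.example", "fonts.cdn.example"],
    "chat_app": ["msg.chat.example", "media.chat.example",
                 "analytics.example", "fonts.cdn.example"],
    "news_app": ["feed.news.example", "img.news.example",
                 "ads.example", "analytics.example"],
}


def build_profiles(traces: dict[str, list[str]]):
    """Return per-app domain sets and an IDF-style weight per domain.

    weight(d) = log(N / df(d)): a name queried by every app weighs 0, so only
    app-specific names carry evidence when an unknown trace is matched.
    """
    profiles = {app: set(domains) for app, domains in traces.items()}
    df = Counter(d for domains in profiles.values() for d in domains)
    weights = {d: math.log(len(profiles) / c) for d, c in df.items()}
    return profiles, weights


def weighted_overlap(observed: set[str], profile: set[str],
                     weights: dict[str, float]) -> float:
    """Weighted Jaccard similarity. Names absent from training weigh 0 and so
    neither support nor penalise a candidate app."""
    inter = sum(weights.get(d, 0.0) for d in observed & profile)
    union = sum(weights.get(d, 0.0) for d in observed | profile)
    return inter / union if union else 0.0


def identify_app(queried_domains, traces=TRAINING_TRACES, min_score=0.3):
    """Return (app, score); app is None when no profile is supported strongly enough."""
    profiles, weights = build_profiles(traces)
    observed = set(queried_domains)
    scores = {app: weighted_overlap(observed, p, weights) for app, p in profiles.items()}
    best_app = max(scores, key=scores.get)
    best = scores[best_app]
    return (best_app if best >= min_score else None), best


if __name__ == "__main__":
    # Constructed Do53 query log from an unknown device, one name per entry.
    capture = ["api.weather.example", "analytics.example",
               "fonts.cdn.example", "ocsp.example"]
    print(identify_app(capture))
```

A capture that contains only the shared names scores equally against every app and falls under the threshold, which is the behaviour you want: the classifier should abstain rather than guess. The papers report accuracies of 88.75% and 98% on real traces; those numbers come from their datasets and methodology, not from this toy.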
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: Computer Networks, vol. 234, art. no. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
@article{campo002,
title = {Real time detection of malicious DoH traffic using statistical analysis},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {http://hdl.handle.net/10016/38151},
doi = {10.1016/j.comnet.2023.109910},
issn = {1389-1286},
year = {2023},
date = {2023-10-09},
urldate = {2023-10-09},
journal = {Computer Networks},
volume = {234},
number = {109910},
pages = {1-10},
abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Chica, Sergio; Marín-López, Andrés; Arroyo, David; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Proceedings Article
In: pp. 413-422, Springer International Publishing, 2023, ISBN: 978-3-031-21229-1.
@inproceedings{pa057,
title = {Enhancing the anonymity and auditability of whistleblowers protection},
author = {Sergio Chica and Andrés Marín-López and David Arroyo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
doi = {10.1007/978-3-031-21229-1_38},
isbn = {978-3-031-21229-1},
year = {2023},
date = {2023-01-08},
pages = {413-422},
publisher = {Springer International Publishing},
abstract = {In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress on a system that provides anonymity to sources in an open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work, autoauditor.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Díaz-Sanchez, Daniel; Almenarez-Mendoza, Florina; Marín-López, Andres; Rojo-Rivas, Isabel
A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing Proceedings Article
In: Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022), pp. 1043-1054, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
@inproceedings{pa056,
title = {A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing},
author = {Daniel Díaz-Sanchez and Florina Almenarez-Mendoza and Andres Marín-López and Isabel Rojo-Rivas},
isbn = {978-3-031-21332-8},
year = {2022},
date = {2022-12-20},
urldate = {2022-12-20},
booktitle = {Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022)},
pages = {1043-1054},
publisher = {Springer International Publishing},
abstract = {IoT/M2M solutions are expected to rely on nearby computing infrastructures for the deployment of services, frequently ephemeral ones, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard even though PKI was not designed for issuing short-lived credentials. Moreover, after several Certificate Authorities were compromised, Certificate Pinning proposals were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, such as Certificate Transparency, provide long-term auditing information only for PKI certificates issued by well-known Certificate Authorities, whereas others, such as DANE, are able to verify self-issued certificates and support security islands that would benefit the development of IoT/M2M microservices, but cannot provide long-term auditing information. This article describes DANEAudits, a novel service with the objective of complementing DANE with long-term auditing information without the need for new Trusted Third Parties other than the information owner.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Perez-Diaz, Jaime; Almenares-Mendoza, Florina
Integrating an optimised PUF-based authentication scheme in OSCORE Journal Article
In: Ad Hoc Networks, vol. 140, 2022, ISSN: 1570-8705.
@article{almenarez007,
title = {Integrating an optimised PUF-based authentication scheme in OSCORE},
author = {Jaime Perez-Diaz and Florina Almenares-Mendoza},
doi = {10.1016/j.adhoc.2022.103038},
issn = {1570-8705},
year = {2022},
date = {2022-11-23},
urldate = {2022-11-23},
volume = {140},
journal = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {Due to the growth in the number and types of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the security axioms must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers. CoAP mainly specifies security at the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has recently been defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks and supports a range of proxy operations, including translation between different transport protocols. The main challenge present in OSCORE is the establishment and exchange of the pre-shared keys required to protect data. For that, this paper defines how to use an optimised version of SRAM-based PUFs (Physical Unclonable Functions) for a secure authentication, key establishment and key exchange model. The proposal has been implemented and evaluated in a scenario including IoT devices.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis Conference
PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ACM, 2022, ISBN: 978-1-4503-9483-3.
@conference{campo015,
title = {Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {https://dl.acm.org/doi/10.1145/3551663.3558605},
doi = {10.1145/3551663.3558605},
isbn = {978-1-4503-9483-3},
year = {2022},
date = {2022-10-24},
urldate = {2022-10-24},
booktitle = {PE-WASUN '22: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},
publisher = {ACM},
abstract = {DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
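Both DoH entries above (Computer Networks 2023 and PE-WASUN '22) make the same point: once DNS rides inside TLS, a detector cannot read query names, but it can still compute statistics over record sizes and timing. The following is an added example, not the authors' detector, feature set or thresholds (the page does not list their features). The two flows are constructed for the illustration: one ordinary resolver session and one flow shaped like a tunnel pushing encoded data out in uniformly padded records on a steady cadence.

```python
"""Flow statistics that separate DoH tunnelling from ordinary DoH resolution.

Added example, not the authors' detector, feature set or thresholds. Both flows
below are constructed: one (timestamp_s, direction, tls_record_len) per packet,
with direction "c" (client to resolver) or "s" (resolver to client).
"""
from __future__ import annotations

import statistics

# Constructed benign DoH flow: a few lookups at irregular times, answers larger
# than questions.
BENIGN_FLOW = [
    (0.00, "c", 120), (0.03, "s", 310),
    (0.90, "c", 118), (0.93, "s", 640),
    (4.20, "c", 125), (4.24, "s", 290),
    (9.80, "c", 121), (9.84, "s", 820),
]


def make_tunnel_flow(n=10, period_s=0.20, up_len=512, down_len=90):
    """Constructed tunnel: client records padded to one size to carry encoded
    data out on a steady cadence, with small acknowledgement-like answers."""
    flow = []
    for i in range(n):
        flow.append((round(i * period_s, 6), "c", up_len))
        flow.append((round(i * period_s + 0.01, 6), "s", down_len))
    return flow


TUNNEL_FLOW = make_tunnel_flow()


def flow_features(flow):
    """Per-flow statistics computable without decrypting anything."""
    client = [n for _, d, n in flow if d == "c"]
    server = [n for _, d, n in flow if d == "s"]
    c_times = [t for t, d, _ in flow if d == "c"]
    gaps = [b - a for a, b in zip(c_times, c_times[1:])]
    duration = flow[-1][0] - flow[0][0]
    return {
        "packets": len(flow),
        "client_bytes_ratio": sum(client) / (sum(client) + sum(server)),
        # coefficient of variation of client record sizes: ~0 means padded/uniform
        "client_len_cv": statistics.pstdev(client) / statistics.mean(client),
        # coefficient of variation of query inter-arrival times: ~0 means a beacon
        "gap_cv": (statistics.pstdev(gaps) / statistics.mean(gaps)
                   if len(gaps) > 1 else 0.0),
        "queries_per_s": len(client) / duration if duration > 0 else float("inf"),
    }


def is_tunnel(flow, max_client_ratio=0.5, max_len_cv=0.05, max_gap_cv=0.2):
    """Illustrative rule (thresholds are assumptions): an upload-heavy flow of
    uniformly sized, regularly timed queries looks like data being exfiltrated
    through the resolver rather than names being resolved."""
    f = flow_features(flow)
    return (f["client_bytes_ratio"] > max_client_ratio
            and f["client_len_cv"] < max_len_cv
            and f["gap_cv"] < max_gap_cv)


if __name__ == "__main__":
    for label, flow in (("benign", BENIGN_FLOW), ("tunnel", TUNNEL_FLOW)):
        print(label, is_tunnel(flow), flow_features(flow))
```

In a deployment the thresholds would be fitted on labelled benign and tunnel captures rather than set by hand, and a tunnel that randomises record padding and jitter defeats the two uniformity features, which is why the byte-direction ratio and query rate are kept alongside them.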
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Entropy-Based Anomaly Detection in Household Electricity Consumption Journal Article
In: Energies, vol. 15, 2022, ISSN: 1996-1073.
@article{campo003,
title = {Entropy-Based Anomaly Detection in Household Electricity Consumption},
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
doi = {10.3390/en15051837},
issn = {1996-1073},
year = {2022},
date = {2022-03-02},
urldate = {2022-03-02},
journal = {Energies},
volume = {15},
abstract = {Energy efficiency is one of the most important current challenges, and its impact at a global level is considerable. To solve current challenges, it is critical that consumers are able to control their energy consumption. In this paper, we propose using a time series of window-based entropy to detect anomalies in the electricity consumption of a household when the pattern of consumption behavior exhibits a change. We compare the accuracy of this approach with two machine learning approaches, random forest and neural networks, and with a statistical approach, the ARIMA model. We study whether these approaches detect the same anomalous periods. These different techniques have been evaluated using a real dataset obtained from different households with different consumption profiles from the Madrid Region. The entropy-based algorithm detects more days classified as anomalous according to context information compared to the other algorithms. This approach has the advantages that it does not require a training period and that it adapts dynamically to changes, except in vacation periods when consumption drops drastically and requires some time for adapting to the new situation.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
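The abstract above describes the detector only in outline: a time series of window-based entropy, compared against the recent past so that no training period is needed. The following is an added example of that idea, not the authors' published algorithm, dataset or thresholds; the hourly kWh readings, the bin layout and the baseline rule are constructed for the illustration (five ordinary days followed by a day with the home empty, the case the abstract flags as hard to adapt to).

```python
"""Window-based entropy of household consumption as a training-free anomaly signal.

Added example, not the authors' algorithm as published, dataset or thresholds.
The hourly kWh readings below are constructed: five ordinary days followed by a
day with the home empty and only standby load.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter

# Constructed daily profile (24 hourly readings, kWh): night, breakfast, daytime,
# evening peak, late evening.
ORDINARY_DAY = [0.2] * 6 + [1.5] * 2 + [0.6] * 8 + [2.5] * 4 + [1.0] * 4
EMPTY_DAY = [0.3] * 24
READINGS = ORDINARY_DAY * 5 + EMPTY_DAY


def shannon_entropy(values, n_bins=8, lo=0.0, hi=4.0) -> float:
    """Entropy in bits of one window after discretising readings into equal-width bins."""
    width = (hi - lo) / n_bins
    bins = Counter(min(int((v - lo) / width), n_bins - 1) for v in values)
    total = sum(bins.values())
    return -sum((c / total) * math.log2(c / total) for c in bins.values())


def window_entropy_series(readings, window=24):
    """One entropy value per non-overlapping window (here: per day)."""
    return [shannon_entropy(readings[i:i + window])
            for i in range(0, len(readings) - window + 1, window)]


def detect_anomalies(entropies, history=3, threshold_bits=0.6):
    """Flag window i when its entropy moves more than threshold_bits away from
    the median of the preceding `history` windows. There is no training phase:
    the baseline is the recent past, so it follows gradual changes in habits
    but needs `history` windows to settle after an abrupt one."""
    flagged = []
    for i in range(history, len(entropies)):
        baseline = statistics.median(entropies[i - history:i])
        if abs(entropies[i] - baseline) > threshold_bits:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    ents = window_entropy_series(READINGS)
    print([round(e, 3) for e in ents], detect_anomalies(ents))
```

The empty day collapses every reading into one bin, so its entropy drops to zero and it is flagged against the three preceding ordinary days. Had the absence lasted a week, the median baseline would itself drift to zero after `history` days and stop flagging, which is the adaptation delay on vacation periods the abstract mentions.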