[UC3M Security Lab]


Research Projects

Current projects


CIBERDINE
CIBERDINE - Cybersecurity: data, information and risk

2014 - 2018
Funded by Comunidad Autónoma de Madrid (Reference S2013/ICE-3095)

This project aims at strengthening our capabilities to prevent, detect, and respond to cyberattacks by developing techniques that improve situational awareness and cater for dynamic threat management. To do so, we propose an interdisciplinary research program that tackles three important challenges in cybersecurity research. Firstly, interdependences among networks and information systems are forcing us to adopt cooperative strategies where entities of a very different nature exchange information about vulnerabilities, threats, actors, tactics, ongoing incidents, countermeasures, etc. However, organizations are extremely reluctant to openly share such information. This calls for models and technologies that facilitate sharing by determining what to share, when, and with whom, as well as reasoning about the repercussions of sharing confidential data. Secondly, an improved defense capability requires a deeper and more intelligent analysis of all events that take place in the network. This requires adapting, and developing where necessary, Big Data technologies to analyze massive amounts of security-related information. Finally, an effective threat management system needs to put available information in context, automatically derive dynamic risk levels for all systems, and support decisions about the selection and deployment of optimal countermeasures.



SPINY
SPINY - Security and Privacy in the Internet-of-You

2014 - 2016
Funded by Ministry of Economy and Competitiveness (Reference TIN2013-46469-R)

In the last few years various intersecting technological advances have made it possible to develop reasonably powerful computers and sensors small enough to be embedded almost everywhere. This has translated into a proliferation of smart devices that can be carried in, on, and around the human body. Examples include bracelets and wristwatches that record vital signs; glasses that augment our perceived reality; T-shirts that provide real-time feedback to the user; intelligent pill dispensers that remind a patient when it is time to take medication and record when he does so; and a new generation of smart implantable medical devices such as pacemakers, insulin pumps and neurostimulators. Smartphones have been key to this revolution, as they constitute powerful, general-purpose portable computers with permanent Internet connectivity and in radio range of other wearable devices. From all this, a vision is emerging of a body-based network of smart devices that travels with the bearer wherever he goes and allows him to interact with his body functions, with objects in his surroundings, and with other individuals, devices and networks. By analogy with the Internet-of-Things (IoT), some authors and media have coined the term Internet-of-You (IoY) to refer to such a network.
Security and privacy challenges in the IoY are greater than in traditional computing and communications scenarios. Many such devices incorporate numerous sensors that could leak highly sensitive information about location, gestures, moves, behavioral patterns and other physical activities, as well as recording audio, pictures and video from their surroundings. So far these aspects have been neglected in the current generation of smart devices, which has caused an alarming escalation in the number and sophistication of security incidents targeting these platforms.

In this project, we plan to conduct a research program that addresses some of these challenges with four general goals. Firstly, we plan to explore security models, design principles, and architectures for the IoY that minimize risk exposure against realistic adversaries. Secondly, we will develop mechanisms to maintain the integrity of the network and the confidentiality of the information that travels about. Thirdly, we will investigate novel solutions to increase trustworthiness in apps and services for the IoY and to thwart attacks based on malicious code. Finally, we will develop smart models and tools that take a holistic approach to the security and privacy governance issues of the IoY, with particular emphasis on the definition and enforcement of usable, flexible, user-dependent and context-specific policies.



MAPFRE
Collaborative system to fill in and submit European accident statements using smartphones

2014
Funded by Fundación Mapfre, Spain (Research grants Ignacio H. de Larramendi 2013)

Currently, there are some mobile apps that allow drivers to fill in and telematically submit European accident statements, although it is more common to do it on paper. This project addresses some of the problems that existing mobile apps still have. The main goal of the project is to design and develop a collaborative system to fill in and submit European accident statements using the smartphones of both drivers (currently, only the mobile phone of one of the drivers is used and the contents of the form must necessarily be agreed between both drivers). The proposed system will also integrate qualified electronic signatures (not done by existing apps) and the automatic data retrieval of all the entities involved in the accident, that is, of both drivers and both vehicles (current apps only retrieve data of one of the drivers and its vehicle automatically).



SACO
SACO: An Advanced Cyberdefense Simulator

2011 - 2014
Funded by Ministry of Industry, Spain (INNPACTO 2011 Program). (Reference IPT-2011-1593-390000)

SACO is a joint effort with Indra and the NICS Lab at the University of Malaga to develop a realistic simulator for cyberdefense and cyberwar scenarios. SACO leverages a customized, user-designed virtual infrastructure emulating potential target systems and facilitates the process of setting up cybersecurity exercises on them. The simulator includes tools for automatically reasoning about cyberattacks and countermeasures, a laboratory for creating and experimenting with malware, a platform to launch orchestrated attacks, and forensics tools to support post-attack analysis.




Past projects


ESAVE
E-SAVE: Evidence-based Security Architecture for Vehicular Environments

2010 - 2012
Funded by Ministry of Science and Innovation, Spain (PNI). (Reference TIN-2009-13461)

The project addresses the modeling, design and implementation of a multi-layer security architecture applied to ad hoc vehicular networks (VANETs). The main objective of our proposal is to offer public authorities the possibility to apply information technologies to ensure and satisfy critical goals in areas such as road safety, auto-regulated traffic control and identification and prosecution of road offenders.

E-SAVE's architecture is divided into three different blocks called Operational Bases:
  • Operational Base-I: The system will securely provide information to drivers about the actual current state of the traffic.
  • Operational Base-II: It will serve to generate vehicular forensic digital evidence.
  • Operational Base-III: It will represent a real-time system for the management of electronic penalty tickets.
The project aims to solve two main outstanding issues regarding existing VANETs:
  1. The insecurity of the information generated and transmitted in this type of networks, and
  2. The total absence of any government procedures to process and respond to this information.
To assist us in the development of the technical aspects of this project we have identified the following main areas of research: ad hoc P2P networks, cryptography and computer forensics. Our approach is novel in the sense that, for the first time, a vehicular architecture will globally embrace specific areas of functionality (Bases I, II and III), while ensuring that all security aspects are taken care of from the system design, thus ensuring information and communication security throughout the model.



IMAE
iMAE: Mobile Identity for E-government

2010 - 2014
Funded by Ministry of Industry and Tourism, Spain. (Reference TSI-020100-2010-1032)

iMAE is a joint project with Galeón Software, Epoche & Espri and the University of Almería. We are developing components to incorporate legally-compliant electronic signatures into mobile devices, smart TVs, and other ubiquitous systems. We also seek to improve the usability and user experience for signing-related processes in web browsers and email clients.

iMAE does not rely on a smart-card reader directly, such as for example those required to read electronic ID cards. We are designing an API for developers of mobile applications, in particular for Android devices. So far the scheme is compatible with XAdES, PAdES and CAdES.



EVADIR
EVADIR: A Methodology for Evasion Attacks on Network Intrusion Detection Systems

2011
Funded by Regional Government of Madrid, Spain

In this project we developed and evaluated a methodology to evade network intrusion detection systems (NIDS). The work done was grouped into three major phases. In the first one a general methodology to create evasion attacks was defined. Subsequently we studied different alternatives to model a NIDS as a black box. We finally demonstrated its validity by developing new evasion attacks against an anomaly detection system for web traffic (web application firewall).



PRECIOUS
PRECIOUS: Privacy-preserving Processing of VANET Evidences

2011
Funded by Regional Government of Madrid, Spain. (Reference CCG10-UC3M/TIC-5174)

Nowadays, improving road safety is one of the major challenges in developed countries. This goal is to be achieved through several complementary actions over vehicles, drivers and roads. One of these actions is to impose conditions on drivers and vehicles through regulations. As an example, the vehicle must be technically ready to be driven, whereas the driver must be healthy enough to drive. Such conditions are enforced by the Authority of each country. In order to show the compliance of vehicles or drivers with the regulations in force, different credentials, such as a vehicle's certificate of conformity or driving licenses, are issued. Valid and up-to-date credentials are a proof of the suitability of a running vehicle and its driver from the road safety point of view.

Enforcement systems built on electronic credentials and Intelligent Transportation System (ITS) technologies would enable a more convenient, frequent and effective enforcement while reducing the number of human patrols deployed on the controlled road stretches. However, creating such a system raises some critical privacy concerns, as more frequent credential verification may enable the Authority or any of the involved parties to track vehicles and their drivers. Privacy-aware digital credentials would enable such a service although some challenges exist.

The goals of this project are:
  1. to develop an enhanced model of the most common IDs and attributes used in road traffic services,
  2. to design an accountable and private ID management system for road traffic services, based on the previous model, and
  3. to build a privacy-respectful telematic verification system for vehicle and driver authorizations.




SEGUR@
SEGUR@: Security and Trust in the Information Society

2007 - 2010
Funded by Ministry of Industry, Spain (CENIT Program, Reference 2007/04416/002)

This project brings together industry and academy in a consortium aimed at generating an innovation framework for security, privacy and trustworthiness in the information e-society. Specifically, the main goals of this project are to provide:
  • trust in the information society,
  • privacy and identity assurance, and
  • self-protection networks.
Among our contributions, we carried out work to improve the efficiency of the identification and correlation of security events, and to proactively detect fraud. On the one hand, we designed and implemented a framework to automatically generate event correlation rules for Security Information and Event Management (SIEM) systems. This framework presents an optimization challenge in the design of such a correlation engine. On the other hand, we designed and implemented tools for detecting both persistent and non-persistent XSS.



SEGURIDAD2020
SEGURIDAD2020: Digital Identity Management for Digital Environments

2006 - 2007
Funded by Ministry of Commerce, Industry and Tourism, Spain (Reference FIT -360503-2006-3)

In this project we carried out research in various security technologies for ambient intelligence (AmI) environments. Our contributions focused on three main technologies:
  1. Secure distribution of contents in fully decentralized P2P networks
  2. Security issues in RFID systems
  3. Trust and reputation management systems




CERTILOC
CERTILOC: Digital CERTIfication service for LOCation information

2004 - 2007
Funded by Ministry of Science and Technology, Spain (PNI). (Reference SEG2004-02604)

Location-based services are attracting attention from all quarters. In the coming years they are expected to be one of the more important market niches in the mobile communications environment, and one of the most significant promoters of m-commerce. Security is one of the most important features required in the provision of these services; that is why great efforts are being made to integrate these services with the security models and mechanisms that are necessary to provide authentication, integrity, confidentiality, access control and non-repudiation. Moreover, some security models for location certification have been recently proposed. In these models, a trusted third party issues irrefutable electronic evidence about the location of a mobile device or entity by creating a signature for this information. The evolution of positioning systems and location services has created new needs such as flexibility in the definition of location policies, respect for privacy rights, independence from the different location technologies, integration with current legislation and the use of recently developed standard protocols and interfaces.

In this project we addressed these needs by means of a new security model for location certification that takes into account the mentioned features. In order to achieve that, we integrated into the model the possibility of defining and managing policies of location certification (for example, certification of itineraries) and privacy policies. One of the tasks carried out during the project was the research of techniques and mechanisms enabling this policy management. The model was compliant with existing legislation on electronic signatures and personal data protection, as well as European directives related to privacy and e-commerce. The scheme used standard protocols and interfaces developed for location-based services.



TRADENET
TRADENET: Forwarding Information to Organized Markets through Internet

2000 - 2001
Funded by Ministry of Industry and Energy, Spain

TRADENET is a joint effort with Aurigae Servicios Informáticos to develop an Internet-based platform to provide access to markets. The platform is developed in Java and routes messages to the appropriate entity, ensuring at all times the state of each message. TRADENET supports three broad classes of entities:
  • Clients, such as financial entities or individual users, who send orders to a market.
  • Providers act as intermediaries between clients and markets and negotiate specific transactions.
  • Markets, which provide the environment where orders and transactions take place.




THESEUS
THESEUS: Terminal at High Speed for European Stock Exchange Users

1995 - 1998
Funded by EU FP4-ACTS. (Reference AC008)

The objective of the project is to develop a terminal that will be a key component of an open system able to meet the telecommunication needs of the future European Capital market (in accordance with the new directives recently issued by the European Community).

The technical approach relies on the following basic ideas:
  • The capability of the ATM layers to federate bearers services protocols. By encapsulating the exchanged data units in ATM cells, it will be possible to interconnect incompatible networks without modifying or disturbing the already operating proprietary applications software (OSI upper layers).
  • The possibility to display on a single screen information exchanged between several Stock Exchanges and their brokers thanks to appropriate transaction and multiwindow display software.
  • The possibility to provide video-conferencing services associated to the trading application and using the ATM network.
The exploitation of these basic ideas leads to the design of the User-Network Interface and the Man-Machine Interface of a universal Stock Exchange terminal. The scope of THESEUS is:
  • The protocols adaptation into ATM at both terminal side and Stock Exchanges side
  • The display and transaction application at the terminal side with the objective of developing a European System capable of federating the existing systems without modifying or perturbing the already operating proprietary software.
  • The implementation of video-conferencing interactively with the trading application







UNIVERSIDAD CARLOS III DE MADRID
DEPARTMENT OF COMPUTER SCIENCE