CIBERDINE - Cybersecurity: data, information and risk
2014 - 2018
Funded by Comunidad Autónoma de Madrid (Reference S2013/ICE-3095)
This project aims at strengthening our capabilities to prevent, detect, and respond to cyberattacks by developing techniques that improve situational awareness and cater for a dynamic threat management. To do so, we propose an interdisciplinary research program that tackles three important challenges in cybersecurity research. Firstly, interdependences among networks and information systems are forcing us to adopt cooperative strategies where entities of a very different nature exchange information about vulnerabilities, threats, actors, tactics, ongoing incidents, countermeasures, etc. However, organizations are extremely reluctant to openly share such information. This calls for models and technologies that facilitate sharing by determining what to share, when, with whom, as well as reasoning about the repercussions of sharing confidential data. Secondly, an improved defense capability requires a deeper and more intelligent analysis of all events that take place in the network. This requires to adapt, and develop where necessary, Big Data technologies to analyze massive amounts of securityrelated information. Finally, an effective threat management system needs to put in context available information, automatically derive dynamic risk levels for all systems, and support decisions about the selection and deployment of optimal countermeasures.
SPINY - Security and Privacy in the Internet-of-You
2014 - 2016
Funded by Ministry of economy and competitiveness. (Reference TIN2013-46469-R)
In the last few years various intersecting technological advances have made it possible to develop reasonably powerful computers and sensors small enough to be embedded almost everywhere. This has translated into a proliferation of smart devices that can be carried in, on, and around the human body. Examples include bracelets and wristwatches that record vital signs; glasses that augment our perceived reality; T-shirts that provide real-time feedback to the user; intelligent pill dispensers that remind a patient when it is time to take medication and record when he does so; and a new generation of smart implantable medical devices such as pacemakers, insulin pumps and neurostimulators. Smartphones have been key to this revolution, as they constitute powerful, general-purpose portable computers with permanent Internet connectivity and in radio range of other wearable devices. From all this it is emerging the vision of a body-based network of smart devices that travels with the bearer wherever he goes and allows him to interact with his body functions, with objects in his surroundings, and with other individuals devices and networks. By analogy with the Internet-of-Things (IoT), some authors and media have coined the term Internet-of-You (IoY) to refer to such a network.
Security and privacy challenges in the IoY are greater than in traditional computing and communications scenarios. Many of such devices incorporate numerous sensors that could leak highly sensitive information about location, gestures, moves, behavioral patterns and other physical activities, as well as recording audio, pictures and video from their surroundings. So far these aspects have been neglected in the current generation of smart devices, which has caused an alarming escalation in the number and sophistication of security incidents targeting these platforms.
In this project, we plan to conduct a research program that addresses some of these challenges with four general goals. Firstly, we plan to explore security models, design principles, and architectures for the IoY that minimize risk exposure against realistic adversaries. Secondly, we will develop mechanisms to maintain the integrity of the network and the confidentiality of the information that travels about. Thirdly, we will investigate novel solutions to increase trustworthiness in apps and services for the IoY and to thwart attacks based on malicious code. Finally, we will develop smart models and tools that take a holistic approach to the security and privacy governance issues of the IoY, with particular emphasis on the definition and enforcement of usable, flexible, user-dependent and context-specific policies.
Collaborative system to fill in and submit European accident statements using smartphones
Funded by Fundación Mapfre, Spain (Research grants Ignacio H. de Larramendi 2013)
Currently, there are some mobile apps that allow drivers to fill in and telematically submit
European accident statements, although it is more common to do it on paper.
This project addresses some of the problems that existing mobile apps still have. The main goal of
the project is to design and develop a collaborative system to fill in and submit European
accident statements using the smartphones of both drivers (currently, only the mobile phone of one
of the drivers is used and the contents of the form must necessarily be agreed between both drivers).
The proposed system will also integrate qualified electronic signatures (not done by existing apps)
and the automatic data retrieval of all the entities involved in the accident, that is, of both drivers
and both vehicles (current apps only retrieve data of one of the drivers and its vehicle automatically).
SACO: An Advanced Cyberdefense Simulator
2011 - 2014
Funded by Ministry of Industry, Spain (INNPACTO 2011 Program). (Reference IPT-2011-1593-390000)
SACO is a joint effort with Indra and the
NICS Lab at the University of Malaga to
develop a realistic simulator for cyberdefense and cyberwar scenarios. SACO leverages a customized, user-designed
virtual infrastructure emulating potential target systems and facilitates the process of setting up cybersecurity
exercises on them. The simulator includes tools for automatically reasoning about cyberattacks and countermeasures,
a laboratory for creating and experimenting with malware, a platform to launch orchestrated attacks, and forensics
tools to support post-attack analysis.
E-SAVE: Evidence-based Security Arquitecture for Vehicular Environments
2010 - 2012
Funded by Ministry of Science and Innovation, Spain (PNI). (Reference TIN-2009-13461)
The project addresses the modeling, design and implementation of a multi-layer security architecture
applied to ad hoc vehicular networks (VANETs). The main objective of our proposal is to offer public authorities
the possibility to apply information technologies to ensure and satisfy critical goals in areas such as road safety,
auto-regulated traffic control and identification and prosecution of road offenders.
E-SAVE's architecture is divided in three different blocks called Operational Bases:
The project aims to give solution to two main outstanding issues regarding existing VANETs:
- Operational Base-I: The system will securely provide information to drivers about the actual current state of the traffic.
- Operational Base-II: It will serve to generate vehicular forensic digital evidences.
- Operational Base-III: It will represent a real-time system for the management of electronic penalty tickets.
To assist us in the development of the technical aspects of this project we have identified the following main areas of research:
ad hoc P2P networks, cryptography and computer forensics. Our approach is novel in the sense that, for the first time, a vehicular architecture
will globally embrace specific areas of functionality (Bases I, II and III), while ensuring that all security aspects are taken care
of from the system design, thus ensuring information and communication security throughout the model.
- The insecurity of the information generated and transmitted in this type of networks, and
- The total absence of any government procedures to process and respond to this information.
iMAE: Mobile Identify for E-government
2010 - 2014
Funded by Ministry of Industry and tourism, Spain. (Reference TSI-020100-2010-1032)
iMAE is a joint project with Galeón Software,
Epoche & Espri and the
University of Almería. We are
developing components to incorporate legally-compliant electronic signatures into mobile devices, smart TVs, and other ubiquitous systems.
We also seek to improve the usability and user experience for signing-related processes in web browsers and email clients.
iMAE does not rely on a smart-card reader directly, such as for example those required to read electronic
ID cards. We are designing an API for developers of mobile applications, in particular for Android devices.
So far the scheme is compatible with XAdES, PAdES and CAdES.
EVADIR: A Methodology for Evasion Attacks on Network Intrusion Detection Systems
Funded by Regional Government of Madrid, Spain
In this project we developed and evaluated a methodology to evade network intrusion detection
systems (NIDS). The work done was grouped into three major phases. In the first one a general
methodology to create evasion attacks was defined. Subsequently we studied different alternatives
to model a NIDS as a black box. We finally demonstrated its validity by developing new evasion
attacks against an anomaly detection system for web traffic (web application firewall).
PRECIOUS: Privacy-preserving Processing of VANET Evidences
Funded by Regional Government of Madrid, Spain. (Reference CCG10-UC3M/TIC-5174)
Nowadays, improving road safety is one of the major challenges in developed countries. Such goal is to
be achieved through several complementary actions over vehicles, drivers and roads. One of these actions
is to impose conditions to drivers and vehicles through regulations. As an example, the vehicle must be
technically ready to be driven, whereas the driver must be healthy enough to drive. Such conditions are
enforced by the Authority of each country. In order to show the compliance of vehicles or drivers with
the regulations in force, different credentials, such as vehicle's certificate of conformity or driving
licenses, are issued. Valid and up-to-date credentials are a proof of the suitability of a running vehicle
and its driver from the road safety point of view.
Enforcement systems built on electronic credentials and Intelligent Transportation System (ITS) technologies
would enable a more convenient, frequent and effective enforcement while reducing the number of human patrols
deployed on the controlled road stretches. However, creating such a system raises some critical privacy concerns,
as more frequent credential verication may enable the Authority or any of the involved parties to track vehicles
and their drivers. Privacy-aware digital credentials would enable such a service although some challenges exist.
The goals of this project are:
- to develop an enhanced model of the most common IDs and attributes used in road traffic services,
- to design an accountable and private ID management system for road traffic services, based on the previous model, and
- to build a privacy-respectful telematic verification system for vehicle and driver authorizations.
SEGUR@: Security and Trust in the Information Society
2007 - 2010
Funded by Ministry of Industry, Spain (CENIT Program, Reference 2007/04416/002)
This project brings together industry and academy in a consortium aimed at generating an innovation framework for security,
privacy and trustworthiness in the information e-society. Specifically, the main goals of this project are to provide:
Among our contributions, we carried out work to improve the efficiency of the identification and correlation of security events,
and to proactiveluy detect fraud. On the one hand, we designed and implemented a framework to automatically generate event correlation
rules for Security Information and Event Management (SIEM) systems. This framework presents an optimization challenge in the design
of such correlation engine. On the other hand, we designed and implemented tools for detecting both persistent and non-persistent XSS.
- trust in the information society,
- privacy and identity assurance, and
- self-protection networks.
SEGURIDAD2020: Digital Identity Management for Digital Environments
2006 - 2007
Funded by Ministry of Commerce, industry and tourism, Spain (Reference FIT -360503-2006-3)
In this project we carried out research in various security technologies for ambient intelligence (AmI) environments. Our contributions
focused on three main technologies:
- Secure distribution of contents in fully decentralized P2P networks
- Security issues in RFID systems
- Trust and reputation management systems
CERTILOC: Digital CERTIfication service for LOCation information
2004 - 2007
Funded by Ministry of Science and Technology, Spain (PNI). (Reference SEG2004-02604)
Location-based services are attracting attention from all scopes. In next years they are supposed
to be one of the more important market niches in the mobile communications environment, and one of the most significant
promoters of m-commerce. Security is one of the most important features required in the provision of these services;
that is why great efforts are being made in order to integrate these services with the security models and mechanisms
that are necessary to provide authentication, integrity, confidentiality, access control and non repudiation. Moreover,
some security models for location certification have been recently proposed. In these models, a
trusted third party issues irrefutable electronic evidences about the location of a mobile device or entity by means of
creating a signature for this information. The evolution of positioning systems and location services have caused new
necessities like the flexibility in the definition of the location policies, the respect to the privacy rights, the independence
of the different location technologies, the integration with current legislation and the use of standard protocols and interfaces
of recent development.
In this project we gave solutions to these necessities by means of a new security model for location certification that
takes into account the mentioned features. In order to achieve that, we integrated into the model the possibility of defining
and managing policies of location certification (for example, certification of itineraries) and privacy policies. One of the tasks
developed during the project was the research of techniques and mechanisms enabling this policy management. The model was
compliant with existing legislation in electronic signature and personal data protection, as well as European directives related
to privacy and e-commerce. The scheme used standard protocols and interfaces developed for location based services.
TRADENET: Forwarding Information to Organized Markets through Internet
2000 - 2001
Funded by Ministry of Industry and Energy, Spain
TRADENET is a joint effort with Aurigae Servicios Informáticos to
develop an Internet-based platform to provide access to markets. The platform is developed in Java and routes messages to the
appropriate entity, ensuring at all time the state of each message. TRADENET supports three broad classes of entities:
- Clients, such as financial entities or individual users, who send orders to a market.
- Providers act as intermediaries between clients and markets and negotiate specific transactions.
- Markets, which provide the environment where orders and transactions take place.
THESEUS: Terminal at High Speed for European Stock Exchange Users
1995 - 1998
Funded by EU FP4-ACTS. (Reference AC008)
The objective of the project is to develop a terminal that will be a key component of an open system
able to meet the telecommunication needs of the future European Capital market (in accordance with the
new directives recently issued by the European Community).
The technical approach relies on the following basic ideas:
The exploitation of these basic ideas leads to the design of the User-Network Interface and the Man-Machine
Interface of a universal Stock Exchange terminal. The scope of THESEUS is:
The capability of the ATM layers to federate bearers services protocols. By encapsulating the exchanged
data units in ATM cells, it will be possible to interconnect incompatible networks without modifying or
disturbing the already operating proprietary applications software (OSI upper layers).
The possibility to display on a single screen information exchanged between several Stock Exchanges
and their brokers thanks to appropriate transaction and multiwindow display software.
The possibility to provide video-conferencing services associated to the trading application and using
the ATM network.
The protocols adaptation into ATM at both terminal side and Stock Exchanges side
- The display and transaction application at the terminal side with the objective of
developing an European System capable of federating the existing systems without modifying
or perturbing the already operating proprietary software.
- The implementation of video-conferencing interactively with the trading application