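% Conference-paper bibliography (all entries are @inproceedings).
% Text outside an @entry{...} is ignored by BibTeX, so review notes are kept out here.
%
% Conventions used below:
%   - one field per line, names in "Last, First" form
%   - month as the predefined three-letter macro, unquoted
%   - page ranges with a double hyphen
%   - doi stored bare, without a resolver prefix
%   - non-ASCII characters written as LaTeX escapes, as the existing entries already do
% Citation keys are unchanged, so existing \cite commands keep working.

% year originally held the text "In Press". The year below comes from the original
% month value "06/2023", and the publication status moved to note.
@inproceedings{Garcia2023,
  author       = {Garcia, Alberto and Alcaraz, Cristina and Lopez, Javier},
  title        = {{MAS} para la convergencia de opiniones y detecci{\'o}n de anomal{\'\i}as en sistemas ciberf{\'\i}sicos distribuidos},
  booktitle    = {VIII Jornadas Nacionales de Investigaci{\'o}n en Ciberseguridad (JNIC)},
  address      = {Vigo},
  year         = {2023},
  month        = jun,
  note         = {In press},
  keywords     = {Detecci{\'o}n avanzada, din{\'a}micas de opiniones, machine-learning, sistemas ciberf{\'\i}sicos, Sistemas multi-agente},
}

% address originally held the conference website URL, not a place. It is kept in the
% ignored field conference-url so it no longer prints as a location.
% NOTE(review): the conference city is not recorded here; add it as address once confirmed.
@inproceedings{1990,
  author       = {Faramondi, Luca and Grassi, Marta and Guarino, Simone and Setola, Roberto and Alcaraz, Cristina},
  title        = {Configuration vulnerability in {SNORT} for {Windows} operating systems},
  booktitle    = {2022 IEEE International Conference on Cyber Security and Resilience (IEEE CSR)},
  pages        = {82--89},
  publisher    = {IEEE},
  organization = {IEEE},
  conference-url = {https://www.ieee-csr.org},
  year         = {2022},
  month        = aug,
  isbn         = {978-1-6654-9952-1},
  doi          = {10.1109/CSR54599.2022.9850309},
  url          = {https://ieeexplore.ieee.org/document/9850309},
  abstract     = {Cyber-attacks against Industrial Control Systems (ICS) can lead to catastrophic events which can be prevented by the use of security measures such as the Intrusion Prevention Systems (IPS). In this work we experimentally demonstrate how to exploit the configuration vulnerabilities of SNORT one of the most adopted IPSs to significantly degrade the effectiveness of the IPS and consequently allowing successful cyber-attacks. We illustrate how to design a batch script able to retrieve and modify the configuration files of SNORT in order to disable its ability to detect and block Denial of Service (DoS) and ARP poisoning-based Man-In-The-Middle (MITM) attacks against a Programmable Logic Controller (PLC) in an ICS network. Experimental tests performed on a water distribution testbed show that, despite the presence of IPS, the DoS and ARP spoofed packets reach the destination causing respectively the disconnection of the PLC from the ICS network and the modification of packets payload.},
}

@inproceedings{1989,
  author       = {Alcaraz, Cristina and Garcia, Alberto and Lopez, Javier},
  title        = {Implicaciones de seguridad en {MAS} Desplegados en Infraestructuras de Carga basadas en {OCPP}},
  booktitle    = {VII Jornadas Nacionales en Investigaci{\'o}n en Ciberseguridad (JNIC 2022)},
  pages        = {172--179},
  year         = {2022},
  month        = jun,
  isbn         = {978-84-88734-13-6},
  abstract     = {El inter{\'e}s actual por desplegar infraestructuras de carga de veh{\'\i}culos el{\'e}ctricos para el ahorro energ{\'e}tico y la sostenibilidad es cada vez m{\'a}s palpable, lo que llama la atenci{\'o}n a muchas comunidades, especialmente a la cient{\'\i}fica, para explorar, entre otras cosas, la influencia de las nuevas tecnolog{\'\i}as de informaci{\'o}n en los procesos operacionales. Teniendo en cuenta este escenario, este art{\'\i}culo, por tanto, analiza c{\'o}mo el uso de los sistemas de multi-agente pueden beneficiar las tareas de monitorizaci{\'o}n, mantenimiento y de seguridad, y propone una arquitectura espec{\'\i}fica en base a los actores especificados en el protocolo OCPP (Open Charge Point Protocol). Esta arquitectura constituye la base para analizar los diversos tipos de amenazas que agentes software pueden sufrir, clasific{\'a}ndolas de acuerdo a las caracter{\'\i}sticas funcionales e interacciones con los diversos elementos de la infraestructura. Esta agrupaci{\'o}n y el conjunto de ataques abordados est{\'a}n basados en el SP-800-19 definido por el National Institute of Standards and Technology, y formalizados siguiendo la metodolog{\'\i}a de {\'a}rboles de ataque. El estudio revela la importancia que tiene analizar los riesgos que esta tecnolog{\'\i}a puede traer a este escenario, proporcionando, adem{\'a}s, un conjunto de recomendaciones que sirvan de gu{\'\i}a para aplicaciones futuras.},
}

% The underscore in the tool name is escaped: a bare "_" in a title stops LaTeX
% outside math mode.
@inproceedings{Rios2012,
  author       = {Rios, Ruben and Onieva, Jose A. and Lopez, Javier},
  editor       = {Gritzalis, Dimitris and Furnell, Steve and Theoharidou, Marianthi},
  title        = {{HIDE\_DHCP}: Covert Communications Through Network Configuration Messages},
  booktitle    = {Proceedings of the 27th IFIP TC 11 International Information Security and Privacy Conference (SEC 2012)},
  series       = {IFIP AICT},
  volume       = {376},
  pages        = {162--173},
  publisher    = {Springer Boston},
  organization = {Springer Boston},
  address      = {Heraklion, Crete, Greece},
  year         = {2012},
  month        = jun,
  isbn         = {978-3-642-30435-4},
  issn         = {1868-4238},
  doi          = {10.1007/978-3-642-30436-1_14},
  keywords     = {Covert channels, Network Security, System Information Security},
  abstract     = {Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in multilevel security systems in the early 70{\textquoteright}s they have evolved considerably, such that new solutions have appeared for computer networks mainly due to vague protocols specifications. We analyze a protocol extensively used today, the Dynamic Host Configuration Protocol (DHCP), in search of new forms of covert communication. From this analysis we observe several features that can be effectively exploited for subliminal data transmission. This results in the implementation of HIDE\_DHCP, which integrates three covert channels that accommodate to different stealthiness and bandwidth requirements.},
}

@inproceedings{alcaraz2012b,
  author       = {Siddiqui, F. and Zeadally, S. and Alcaraz, Cristina and Galvao, S.},
  title        = {Smart Grid Privacy: Issues and Solutions},
  booktitle    = {21st International Conference on Computer Communications and Networks (ICCCN)},
  pages        = {1--5},
  publisher    = {IEEE Computer Society},
  organization = {IEEE Computer Society},
  address      = {Munich, Germany},
  year         = {2012},
  month        = jul,
  isbn         = {978-1-4673-1543-2},
  doi          = {10.1109/ICCCN.2012.6289304},
  url          = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=\&arnumber=6289304\&contentType=Conference+Publications\&openedRefinements\%3D*\%26pageNumber\%3D7\%26rowsPerPage\%3D100\%26queryText\%3D\%28smart+grid\%29},
  keywords     = {Computer architecture, Data privacy, Electricity, Home appliances, privacy, security, Smart grids},
  abstract     = {Migration to an electronically controlled electrical grid to transmit, distribute, and deliver power to consumers has helped enhance the reliability and efficiency of conventional electricity systems. At the same time, this digitally enabled technology called the Smart Grid has brought new challenges to businesses and consumers alike. A key component of such a grid is the smart-metering technology, which is used to collect energy consumption data from homes and transmitting it back to power distributors. A crucial concern is the privacy related to the collection and use of energy consumption data. We present an analysis of Smart Grid privacy issues and discuss recently proposed solutions that can protect the privacy of Smart Grid users.},
}

@inproceedings{agudo2011cryptography,
  author       = {Agudo, Isaac and Nu{\~n}ez, David and Giammatteo, Gabriele and Rizomiliotis, Panagiotis and Lambrinoudakis, Costas},
  editor       = {Lee, Changhoon and Seigneur, Jean-Marc and Park, James J. and Wagner, Roland R.},
  title        = {Cryptography Goes to the Cloud},
  booktitle    = {1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011)},
  series       = {Communications in Computer and Information Science},
  volume       = {187},
  pages        = {190--197},
  publisher    = {Springer},
  organization = {Springer},
  year         = {2011},
  month        = jun,
  isbn         = {978-3-642-22364-8},
  doi          = {10.1007/978-3-642-22365-5_23},
  abstract     = {In this paper we identify some areas where cryptography can help a rapid adoption of cloud computing. Although secure storage has already captured the attention of many cloud providers, offering a higher level of protection for their customer{\textquoteright}s data, we think that more advanced techniques such as searchable encryption and secure outsourced computation will become popular in the near future, opening the doors of the Cloud to customers with higher security requirements.},
}

@inproceedings{DNunez11,
  author       = {Nu{\~n}ez, David and Agudo, Isaac and Drogkaris, Prokopios and Gritzalis, Stefanos},
  title        = {Identity Management Challenges for Intercloud Applications},
  booktitle    = {1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011)},
  volume       = {187},
  pages        = {198--204},
  address      = {Crete (Greece)},
  year         = {2011},
  month        = jun,
  doi          = {10.1007/978-3-642-22365-5_24},
  abstract     = {Intercloud notion is gaining a lot of attention lately from both enterprise and academia, not only because of its benefits and expected results but also due to the challenges that it introduces regarding interoperability and standardisation. Identity management services are one of the main candidates to be outsourced into the Intercloud, since they are one of the most common services needed by companies and organisations. This paper addresses emerging identity management challenges that arise in intercloud formations, such as naming, identification, interoperability, identity life cycle management and single sign-on.},
}

% The abstract carried mis-encoded accents (a backslash followed by a raw accented
% letter). They are rewritten as the LaTeX escapes used elsewhere in this file.
% The second editor is entered with the compound surname "Verdu Perez".
@inproceedings{Rios2010a,
  author       = {Rios, Ruben and Agudo, Isaac and Gonzalez, Jose L.},
  editor       = {Dimitriadis, Yannis and Verd{\'u} P{\'e}rez, Mar{\'\i}a Jes{\'u}s},
  title        = {Implementaci{\'o}n de un esquema de localizaci{\'o}n privada y segura para interiores},
  booktitle    = {IX Jornadas de Ingenier{\'\i}a Telem{\'a}tica (JITEL{\textquoteright}10)},
  pages        = {237--244},
  address      = {Valladolid (Spain)},
  year         = {2010},
  month        = sep,
  isbn         = {978-84-693-5398-1},
  abstract     = {Las aplicaciones basadas en localizaci{\'o}n proporcionan a los usuarios servicios personalizados dependiendo de su ubicaci{\'o}n. Las estimaciones prev{\'e}n que estos servicios se extender{\'a}n enormemente en los pr{\'o}ximos a{\~n}os reportando grandes beneficios tanto a la industria como a los usuarios finales. Sin embargo, para que estos avances sean posibles se hace necesario analizar en profundidad las distintas implicaciones de seguridad y privacidad que la utilizaci{\'o}n de tales servicios pueden traer consigo a los usuarios. En este trabajo proponemos un sistema de localizaci{\'o}n que da soporte a la provisi{\'o}n de servicios basados en localizaci{\'o}n para entornos indoor y que se fundamenta en la tecnolog{\'\i}a de redes de sensores inal{\'a}mbricos. En este esquema hemos tenido en cuenta diversos aspectos de seguridad y privacidad, prestando especial atenci{\'o}n a la limitaci{\'o}n extrema de recursos caracter{\'\i}stica de las redes de sensores. Finalmente hemos desarrollado una prueba de concepto para comprobar la viabilidad de nuestro esquema dentro del {\'a}mbito del proyecto OSAmI.},
}

@inproceedings{Rios2010,
  author       = {Rios, Ruben and Lopez, Javier},
  editor       = {Fuentes, Lidia and G{\'a}mez, Nadia and Bravo, Jos{\'e}},
  title        = {Source Location Privacy Considerations in Wireless Sensor Networks},
  booktitle    = {4th International Symposium of Ubiquitous Computing and Ambient Intelligence (UCAmI{\textquoteright}10)},
  pages        = {29--38},
  publisher    = {IBERGARCETA PUBLICACIONES, S.L.},
  organization = {IBERGARCETA PUBLICACIONES, S.L.},
  address      = {Valencia (Spain)},
  year         = {2010},
  month        = sep,
  isbn         = {978-84-92812-61-5},
  abstract     = {Wireless Sensor Networks are considered to be one of the cornerstones of Ambient Intelligence since they can be used in countless applications, where sensors are unobtrusively embedded into the environment to perform operations like monitoring, tracking and reporting. In such scenarios, privacy issues must be carefully considered since the mere observation of the network operation might reveal great amounts of private information to unauthorised parties. One of the problems that is gaining more attention in the realm of privacy, is the location privacy problem, which aims to prevent an attacker from obtaining the location of specific nodes of interest to him. In this paper we provide a general overview of the proposed solutions to counter this threat. Finally, we will also discuss some open challenges and future directions of research for a convenient management of privacy issues in smart environments.},
}

% The abstract quoted phrases with \" , which LaTeX reads as an umlaut accent on the
% next letter. The quotes are rewritten as `` and ''.
@inproceedings{Benito2009,
  author       = {Caro, Rafael J. and Garrido, David and Plaza, Pierre and Roman, Rodrigo and Sanz, Nuria and Serrano, Jose L.},
  title        = {{SMEPP}: A Secure Middleware for Embedded {P2P}},
  booktitle    = {ICT Mobile and Wireless Communications Summit (ICT-MobileSummit{\textquoteright}09)},
  address      = {Santander (Spain)},
  year         = {2009},
  month        = jun,
  isbn         = {978-1-905824-12-0},
  abstract     = {The increasing presence of embedded devices with internet access capabilities constitutes a new challenge in software development. These devices are now cooperating in a distributed manner towards what has been called as ``Internet of Things''. In this new scenario the client-server model is sometimes not adequate and dynamic ad-hoc networks are more common than before. However, security poses as a hard issue as these systems are extremely vulnerable. In this paper, we introduce SMEPP project, which aims at developing a middleware designed for P2P systems with a special focus on embedded devices and security. SMEPP is designed to be deployed in a wide range of devices. It tries to ease the development of applications hiding platforms details and other aspects such as scalability, adaptability and interoperability. A full implementation of this middleware is already available that incorporates security features specially designed for low-resource devices. Moreover, we describe two business applications being developed using this middleware in the context of ``Digital Home'' and ``Environmental Monitoring in Industrial Environments''.},
}

@inproceedings{Galindo2008a,
  author       = {Galindo, David and Roman, Rodrigo and Lopez, Javier},
  title        = {An Evaluation of the Energy Cost of Authenticated Key Agreement in Wireless Sensor Networks},
  booktitle    = {X Reuni{\'o}n Espa{\~n}ola sobre Criptolog{\'\i}a y Seguridad de la Informaci{\'o}n (RECSI{\textquoteright}08)},
  pages        = {231--236},
  address      = {Salamanca (Spain)},
  year         = {2008},
  month        = sep,
  abstract     = {Wireless sensors are battery-powered devices which are highly constrained in terms of computational capabilities, memory, and communication bandwidth. While battery life is their main limitation, they require considerable energy to communicate data. Due to this, the energy saving of computationally inexpensive security primitives (like those using symmetric key cryptography) can be nullified by the bigger amount of data they require to be sent. In this work we study the energy cost of key agreement protocols between peers in a network using public key cryptography techniques. Our concern is to reduce the amount of data to be exchanged. Our main news is that a computationally very demanding security primitive, such as identity-based authenticated key exchange, can present energy-wise a better performance than traditional public key based key exchange in realistic scenarios such as Underwater Wireless Sensor Networks. Such a result is not to be expected in wired networks.},
}

@inproceedings{Galindo2008aa,
  author       = {Galindo, David and Roman, Rodrigo and Lopez, Javier},
  title        = {A Killer Application for Pairings: Authenticated Key Establishment in Underwater Wireless Sensor Networks},
  booktitle    = {Proceedings of the 7th International Conference on Cryptology and Network Security (CANS{\textquoteright}08)},
  series       = {LNCS},
  volume       = {5339},
  pages        = {120--132},
  publisher    = {Springer},
  organization = {Springer},
  address      = {Hong Kong (China)},
  year         = {2008},
  month        = dec,
  isbn         = {978-3-540-89640-1},
  issn         = {0302-9743 (Print) 1611-3349 (Online)},
  doi          = {10.1007/978-3-540-89641-8_9},
  url          = {http://www.springerlink.com/content/g26h0115ngt12331/},
  keywords     = {identity-based key agreement, key distribution, pairings, underwater wireless sensor networks},
  abstract     = {Wireless sensors are low power devices which are highly constrained in terms of computational capabilities, memory, and communication bandwidth. While battery life is their main limitation, they require considerable energy to communicate data. The latter is specially dramatic in underwater wireless sensor networks (UWSN), where the acoustic transmission mechanisms are less reliable and more energy-demanding. Saving in communication is thus the primary concern in underwater wireless sensors. With this constraint in mind, we argue that non-interactive identity-based key agreement built on pairings provides the best solution for key distribution in large UWSN when compared to the state of the art. At first glance this claim is surprising, since pairing computation is very demanding. Still, pairing-based non-interactive key establishment requires minimal communication and at the same time enjoys excellent properties when used for key distribution.},
}

% The abstract had "est{\~a}n" (tilde accent); corrected to "est{\'a}n".
@inproceedings{Benito2008,
  author       = {Caro, Rafael J. and Garrido, David and Plaza, Pierre and Roman, Rodrigo and Sanz, Nuria and Serrano, Jose L.},
  title        = {Middleware Seguro {EP2P}: un Desaf{\'\i}o para las Redes Sociales},
  booktitle    = {XVIII Jornadas Telecom I+D},
  address      = {Bilbao (Spain)},
  year         = {2008},
  month        = oct,
  abstract     = {Los sistemas distribuidos en dispositivos embebidos representan un nuevo reto en el desarrollo de software. Estos sistemas han supuesto una importante revoluci{\'o}n en el paradigma de la computaci{\'o}n distribuida donde se intenta fragmentar un problema grande en m{\'u}ltiples problemas m{\'a}s peque{\~n}os. El nuevo escenario tiende entonces hacia sistemas en los cuales todos los elementos de la red se consideran iguales y los mecanismos de comunicaci{\'o}n est{\'a}n basados en redes ad-hoc que se forman din{\'a}micamente. De esta forma cualquier usuario de la red (en realidad cualquier elemento, hasta el m{\'a}s simple dispositivo) adquiere valor, a mayor colaboraci{\'o}n, mayor {\'e}xito del sistema. Sin embargo, desde el punto de vista de la seguridad, estos sistemas son extremadamente vulnerables. En este art{\'\i}culo se presenta SMEPP, un middleware dise{\~n}ado especialmente para sistemas P2P incluyendo aspectos de seguridad. SMEPP est{\'a} dise{\~n}ado para poder ser ejecutado en un amplio rango de dispositivos (desde redes de sensores hasta PC), y trata de facilitar el desarrollo de aplicaciones ocultando los detalles de la plataforma y otros aspectos tales como escalabilidad, adaptabilidad e interoperabilidad. Adem{\'a}s el art{\'\i}culo presenta dos aplicaciones de alto nivel que utilizando este middleware pasan a ser m{\'a}s personales, m{\'a}s sociales y m{\'a}s baratas, haciendo que todos los usuarios de la red cobren mayor importancia.},
}

% The second and third authors are entered with compound surnames so they sort and
% label under "Ferrer Gomila" and "Huguet Rotger", not under the last word alone.
% NOTE(review): the given name "Lloren" looks truncated; confirm the spelling against the paper.
@inproceedings{M.MagdalenaPayerasCapella2007,
  author       = {Payeras, Magdalena and Ferrer Gomila, Josep L. and Huguet Rotger, Lloren and Onieva, Jose A.},
  title        = {Incompatibilidades entre Propiedades de los Protocolos de Intercambio Equitativo de Valores},
  booktitle    = {VI Jornadas de Ingenier{\'\i}a Telem{\'a}tica (JITEL{\textquoteright}07)},
  pages        = {605--608},
  publisher    = {Universidad de Malaga},
  organization = {Universidad de Malaga},
  year         = {2007},
  abstract     = {Sets of ideal properties are defined for different kinds of protocols designed for e-commerce applications. These sets are used as a start point in the design and then as a tool to evaluate the quality of the protocols. This is the case of fair exchange protocols and their application to electronic contract signing and certified electronic mail. However, in this area does not exist an agreement about which properties are ideal. Instead we can find properties described by different authors to his convenience. We illustrate the contradictions that appear between some of these properties.},
}

% booktitle used \textasciiacute as an apostrophe; it now uses \textquoteright like
% the other entries.
@inproceedings{1716,
  author       = {Peng, K. and Dawson, Ed and Gonzalez-Nieto, J. and Okamoto, Eiji and Lopez, J.},
  title        = {A Novel Method To Maintain Privacy in Mobile Agent Applications},
  booktitle    = {Fourth International Conference on Cryptology and Network Security (CANS{\textquoteright}05)},
  series       = {LNCS},
  volume       = {3810},
  pages        = {247--260},
  publisher    = {Springer},
  organization = {Springer},
  year         = {2005},
  isbn         = {978-3-540-30849-2},
}

% The abstract spelled the protocol author's name "Markowicth"; corrected to "Markowitch".
@inproceedings{MildreyCarbonell2004,
  author       = {Carbonell, Mildrey and Onieva, Jose A. and Lopez, Javier and Galpert, Deborah and Zhou, Jianying},
  title        = {Timeout Estimation using a Simulation Model for Non-repudiation Protocols},
  booktitle    = {2nd Workshop on Internet Communications Security (WICS{\textquoteright}04), (within Computational Science and its Applications International Conference)},
  series       = {LNCS},
  volume       = {3043},
  pages        = {903--914},
  publisher    = {Springer},
  organization = {Springer},
  year         = {2004},
  month        = may,
  abstract     = {An essential issue for the best operation of non-repudiation protocols is to figure out their timeouts. In this paper, we propose a simulation model for this purpose since timeouts depend on specific scenario features such as network speed, TTP characteristics, number of originators and recipients, etc. Based on a one-to-many Markowitch{\textquoteright}s protocol simulation model as a specific example, we have worked out various simulation experiments.},
}

@inproceedings{EijiOkamoto2003,
  author       = {Okamoto, Eiji and Lopez, Javier and Dawson, Ed and Gonzalez-Nieto, Juan M. and Russell, Selwyn and Smith, Jason},
  title        = {Certificate Retrieval and Validation in Online Systems},
  booktitle    = {Symposium on Cryptography and Information Security (SCIS{\textquoteright}03)},
  pages        = {25--30},
  address      = {Hamamatsu, Japan},
  year         = {2003},
  month        = jan,
  abstract     = {In order to more effectively deal with certificate management issues in PKIs, there is growing interest in supplementing offline X.509 PKI models with online services. An analysis of the security requirements of online models will be presented. Proposed online and delegated processing models will be evaluated in relation to these requirements.},
}

% The abstract was damaged in extraction: words fused at line ends, the "fi" ligature
% dropped ("speci c"), and the quoted tool name turned into "{\O}tter\"". The text is
% restored with normal spacing, and "defer" is read as "differ".
@inproceedings{SigridGuergens2001,
  author       = {Gurgens, Sigrid and Lopez, Javier},
  title        = {Suitability of a Classical Analysis Method for E-Commerce Protocols},
  booktitle    = {IV International Information Security Conference (ISC{\textquoteright}01)},
  series       = {LNCS},
  volume       = {2200},
  pages        = {46--62},
  publisher    = {Springer-Verlag},
  organization = {Springer-Verlag},
  address      = {Malaga, Spain},
  year         = {2001},
  month        = oct,
  abstract     = {We present the adaptation of our model for the validation of key distribution and authentication protocols to address specific needs of protocols for electronic commerce. The two models differ in both the threat scenario and in the formalization. We demonstrate the suitability of our adaptation by analyzing a specific version of the Internet Billing Server protocol introduced by Carnegie Mellon University. Our analysis shows that, while the security properties a key distribution or authentication protocol shall provide are well understood, it is often not clear what properties an electronic commerce protocol can or shall provide. Our methods rely on automatic theorem proving tools. Specifically, we used ``Otter'', an automatic theorem proving software developed at Argonne National Laboratories.},
}

@inproceedings{SigridGuergens1999,
  author       = {Gurgens, Sigrid and Lopez, Javier and Peralta, Rene},
  title        = {Efficient Detection of Failure Modes in Electronic Commerce Protocols},
  booktitle    = {IEEE International Workshop on Electronic Commerce and Security},
  pages        = {850--857},
  publisher    = {IEEE Press},
  organization = {IEEE Press},
  address      = {Florence, Italy},
  year         = {1999},
  month        = sep,
  abstract     = {The design of key distribution and authentication protocols has been shown to be error-prone. These protocols constitute the part of more complex protocols used for electronic commerce transactions. Consequently, these new protocols are likely to contain flaws that are even more difficult to find. In this paper, we present a search method for detecting potential security flaws in such protocols. Our method relies on automatic theorem proving tools. Among others we present our analysis of a protocol recently standardized by the German standardization organization DIN to be used in digital signature applications for smartcards. Our analysis resulted in the standard being supplemented with comments that explain the possible use of cryptographic keys.},
}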