Biblio

Export results:
Author Title [ Type(Desc)] Year
Filters: First Letter Of Last Name is H  [Clear All Filters]
Book
M. Heisel, W. Joosen, J. Lopez, and F. Martinelli, "Engineering Secure Future Internet Services and Systems- Current Research",
Lecture Notes in Computer Science, vol. 8431, no. Lect.Notes ComputerState-of-the-Art Surveys, Springer , 2014. More..

Abstract

This State-of-the-Art Survey contains a selection of papers representing state-of-the-art results in the engineering of secure software-based Future Internet services and systems, produced by the NESSoS project researchers. The engineering approach of the Network of Excellence NESSoS, funded by the European Commission, is based on the principle of addressing security concerns from the very beginning in all software development phases, thus contributing to reduce the amount of software vulnerabilities and enabling the systematic treatment of security needs through the engineering process. The 15 papers included in this volume deal with the main NESSoS research areas: security requirements for Future Internet services; creating secure service architectures and secure service design; supporting programming environments for secure and composable services; enabling security assurance and integrating former results in a risk-aware and cost-aware software life-cycle.

Conference Paper
P. Najera, R. Roman, and J. Lopez, "Acceso seguro a nodos RFID en una arquitectura de red personal",
X Jornadas de Ingeniería Telemática (JITEL 2011), K. Hackbarth, R. Agüero, and R. Sanz Eds., Universidad de Cantabria, pp. 104 - 111, 09/2011. More..

Abstract

El paradigma de red personal (PN) permitirá la interacción y colaboración del creciente abanico de dispositivos personales. Con tal fin la PN ha de integrar en su seno múltiples tecnologías heterogéneas con diversas capacidades computacionales y de comunicación de forma segura. En particular, la incorporación de la tecnología RFID en objetos personales conlleva múltiples riesgos de seguridad y privacidad que han suscitado un elevado interés de la comunidad investigadora en los últimos años. Más allá de su seguridad de forma aislada, su integración en la PN y la interacción de ésta con redes de área extensa como Internet of Things requieren una arquitectura de red personal adecuada para tal contexto. Este artículo proporciona los fundamentos de tal arquitectura segura incluyendo el análisis de aspectos como la incorporación e inicialización de las restringidas etiquetas RFID en la red personal, la autenticación tanto de miembros de la PN como de usuarios y servicios remotos en su acceso a las tecnologías de contexto, el control de las políticas de privacidad y el establecimiento de canales seguros de comunicación supervisados.

J. A. Onieva, I. Agudo, J. Lopez, G.. Drapper-Gil, and M.F.. Hinarejos, "Como proteger la privacidad de los usuarios en Internet. Verificación anónima de la mayoría de edad",
XII Reunión Española sobre Criptología y Seguridad de la Información - RECSI 2012, Mondragon, pp. 297-302, Sep 2012. More..
PDF icon onieva2012.pdf (676.25 KB)
F. Moyano, C. Fernandez-Gago, K. Beckers, and M. Heisel, "Engineering Trust- and Reputation-based Security Controls for Future Internet Systems",
The 30th ACM/SIGAPP Symposium On Applied Computing (SAC 2015), pp. 1344-1349, 08/2015. DOI More..
PDF icon moyano15SAC.pdf (284.13 KB)
F. Moyano, C. Fernandez-Gago, K. Beckers, and M. Heisel, "Enhancing Problem Frames with Trust and Reputation for Analyzing Smart Grid Security Requirements",
Smart Grid Security - Second International Workshop, J. Cuellar Eds., LNCS 8448, Springer, pp. 166-180, Aug, 2014. DOI More..
PDF icon moyano14smartgridsec.pdf (404.33 KB)
J. L. Hernández-Ardieta, et al., "An Intelligent and Adaptive Live Simulator: A new Concept for Cybersecurity Training",
9th Future Security Conference, 2014. More..

Abstract

The rapid rate of change in technology and the increasing sophistication of cyber attacks require any organization to have a continuous preparation. However, the resource and time intensive nature of cybersecurity education and training renders traditional approaches highly inefficient. Simulators have attracted the attention in the last years as a potential solution for cybersecurity training. However, in spite of the advances achieved, there is still an urgent need to address some open challenges. In this paper we present a novel simulator that solves some these challenges. First, we analyse the main properties that any cybersecurity training solution should comprise, and evaluate to what extent training simulators can meet them. Next, we introduce the functional architecture and innovative features of the simulator, of which a functional prototype has already been released. Finally, we demonstrate how these capabilities are put into practice in training courses already available in the simulator.

PDF icon 1637.pdf (1005.4 KB)
X. Wang, et al., "Location Proximity Attacks against Mobile Targets: Analytical Bounds and Attacker Strategies",
23rd European Symposium on Research in Computer Security (ESORICS 2018), LNCS 11099, Springer, pp. 373-392, 2018. DOI More..

Abstract

Location privacy has mostly focused on scenarios where users remain static. However, investigating scenarios where the victims present a particular mobility pattern is more realistic. In this paper, we consider abstract attacks on services that provide location information on other users in the proximity. In that setting, we quantify the required effort of the attacker to localize a particular mobile victim. We prove upper and lower bounds for the effort of an optimal attacker. We experimentally show that a Linear Jump Strategy (LJS) practically achieves the upper bounds for almost uniform initial distributions of victims. To improve performance for less uniform distributions known to the attacker, we propose a Greedy Updating Attack Strategy (GUAS). Finally, we derive a realistic mobility model from a real-world dataset and discuss the performance of our strategies in that setting.

PDF icon rios2018mob.pdf (398.3 KB)
X. Wang, et al., "Location Proximity Attacks against Mobile Targets: Analytical Bounds and Attacker Strategies",
23rd European Symposium on Research in Computer Security (ESORICS 2018), LNCS 11099, Springer, pp. 373-392, 2018. DOI More..

Abstract

Location privacy has mostly focused on scenarios where users remain static. However, investigating scenarios where the victims present a particular mobility pattern is more realistic. In this paper, we consider abstract attacks on services that provide location information on other users in the proximity. In that setting, we quantify the required effort of the attacker to localize a particular mobile victim. We prove upper and lower bounds for the effort of an optimal attacker. We experimentally show that a Linear Jump Strategy (LJS) practically achieves the upper bounds for almost uniform initial distributions of victims. To improve performance for less uniform distributions known to the attacker, we propose a Greedy Updating Attack Strategy (GUAS). Finally, we derive a realistic mobility model from a real-world dataset and discuss the performance of our strategies in that setting.

PDF icon rios2018mob.pdf (398.3 KB)
W.. Caelli, et al., "Online Public Key Infrastructure",
VII Reunión Española sobre Criptología y Seguridad de la Información (VII RECSI), pp. 123-135, Sep 2002.
N. Libor, et al., "Strong Authentication of Humans and Machines in Policy Controlled Cloud Computing Environment Using Automatic Cyber Identity",
Information Security Solutions Europe 2012, N. Pohlmann, H. Reimer, and W. Schneider Eds., Springer Vieweg, pp. 195-206, 2012. DOI More..

Abstract

The paper describes the experience with integration of automatic cyber identity technology with policy controlled virtualisation environment. One identity technology has been used to enable strong authentication of users (human beings) as well as machines (host systems) to the virtualization management system. The real experimental evaluation has been done in PASSIVE project (Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments - SEVENTH FRAMEWORK PROGRAMME THEME ICT-2009.1.4 INFORMATION AND COMMUNICATION TECHNOLOGIES - Small or medium-scale focused research project - Grant agreement no.: 257644).

F. Moyano, C. Fernandez-Gago, and J. Lopez, "A Trust and Reputation Framework",
Doctoral Symposium of the International Symposium on Engineering Secure Software and Systems (ESSoS-DS 2013), M. Heisel, and E. Marchetti Eds., CEUR-WS 965, CEUR-WS, pp. 7-12, 2013. More..

Abstract

The Future Internet is posing new security challenges as their scenarios are bringing together a huge amount of stakeholders and devices that must interact under unforeseeable conditions. In addition, in these scenarios we cannot expect entities to know each other beforehand, and therefore, they must be involved in risky and uncertain collaborations. In order to minimize threats and security breaches, it is required that a well-informed decision-making process is in place, and it is here where trust and reputation can play a crucial role. Unfortunately, services and applications developers are often unarmed to address trust and reputation requirements in these scenarios. To overcome this limitation, we propose a trust and reputation framework that allows developers to create trust- and reputation-aware applications.  

PDF icon moyano2013essosds.pdf (217.23 KB)
F. Moyano, K. Beckers, and C. Fernandez-Gago, "Trust-Aware Decision-Making Methodology for Cloud Sourcing",
26th International Conference on Advanced Information Systems Engineering (CAiSE 2014), M. Jarke, et al. Eds., LCNS 8484, Springer, pp. 136-149, 06/2014. DOI More..

Abstract

Cloud sourcing consists of outsourcing data, services and infrastructure to cloud providers. Even when this outsourcing model brings advantages to cloud customers, new threats also arise as sensitive data and critical IT services are beyond customers' control. When an organization considers moving to the cloud, IT decision makers must select a cloud provider and must decide which parts of the organization will be outsourced and to which extent. This paper proposes a methodology that allows decision makers to evaluate their trust in cloud providers. The methodology provides a systematic way to elicit knowledge about cloud providers, quantify their trust factors and aggregate them into trust values that can assist the decision-making process. The trust model that we propose is based on trust intervals, which allow capturing uncertainty during the evaluation, and we define an operator for aggregating these trust intervals. The methodology is applied to an eHealth scenario.

PDF icon moyano14caise.pdf (333.6 KB)
G. Draper-Gil, J. L. Ferrer-Gomilla, M.F.. Hinarejos, J. A. Onieva, and J. Lopez, "Un protocolo para la firma de contratos en escenarios multi-two-party con atomicidad",
XII Reunión Española de Criptología y Seguridad de la Información, pp. 357-362, 09/2012. More..

Abstract

Los avances tecnológicos que está experimentando el mundo digital (Internet, comunicaciones, etc.) están acercando a consumidores y proveedores. Los proveedores pueden ofrecer sus productos directamente a los consumidores finales, y éstos son capaces de acceder a los proveedores desde cualquier lugar y en cualquier momento. A la hora de adquirir productos o
servicios, esta facilidad de acceso permite a los consumidores consultar distintas ofertas de diferentes proveedores. Pero en el caso de que el consumidor quiera múltiples productos, como los paquetes turísticos, formados por vuelos, hoteles, excursiones, etc, los consumidores carecen de herramientas que les permitan realizar la contratación multi-two-party de manera atómica. En
este artículo presentamos un protocolo de firma de contratos multi-two-party con atomicidad que garantiza la equitatividad de todas las partes.

PDF icon 422.pdf (93.98 KB)
Conference Proceedings
J. Lopez, and B. M. H"ammerli Eds., "Critical Information Infrastructures Security, Second International Workshop, CRITIS 2007, Málaga, Spain, October 3-5, 2007. Revised Papers",
CRITIS, vol. 5141, Springer, 2007. DOI More..
J. Garcia-Alfaro, J. Herrera-Joancomarti, G. Livraga, and R. Rios, Data Privacy Management, Cryptocurrencies and Blockchain Technology , LNCS, vol. 11025, Springer International Publishing, 2018. DOI More..

Abstract

ESORICS 2018 International Workshops, DPM 2018 and CBT 2018, Barcelona, Spain, September 6-7, 2018, Proceedings

B.. Hammerli, N.. Svendsen, and J. Lopez Eds., "Proceedings of the 7th International Conference on Critical Information Infrastructures Security (CRITIS 2012)",
7th International Conference on Critical Information Infrastructures Security (CRITIS 2012), vol. LNCS 7722, Springer, 2013. More..
J. Lopez, X. Huang, and R. Sandhu Eds., Proceedings of the 7th International Conference on Network and System Security (NSS 2013) , vol. LNCS, no. 7873, Springer, Jun 2013. More..
Journal Article
A. D. Syrmakesis, C. Alcaraz, and N. D. Hatziargyriou, "Classifying resilience approaches for protecting smart grids against cyber threats",
International Journal of Information Security, vol. 21, Springer, pp. 1189–1210, 05/2022. DOI (I.F.: 2.427)More..

Abstract

Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG.

Impact Factor: 2.427
Journal Citation Reports® Science Edition (Thomson Reuters, 2021)

PDF icon Syrmakesis2022.pdf (257.14 KB)
X. Wang, X. Hou, R. Rios, N. Ole Tippenhauer, and M. Ochoa, "Constrained Proximity Attacks on Mobile Targets",
ACM Transactions on Privacy and Security (TOPS), vol. 25, issue 2, no. 10, Association for Computer Machinery (ACM), pp. 1 - 29, 05/2022. DOI (I.F.: 2.717)More..

Abstract

Proximity attacks allow an adversary to uncover the location of a victim by repeatedly issuing queries with fake location data. These attacks have been mostly studied in scenarios where victims remain static and there are no constraints that limit the actions of the attacker. In such a setting, it is not difficult for the attacker to locate a particular victim and quantifying the effort for doing so is straightforward. However, it is far more realistic to consider scenarios where potential victims present a particular mobility pattern. In this paper, we consider abstract (constrained and unconstrained) attacks on services that provide location information on other users in the proximity. We derive strategies for constrained and unconstrained attackers, and show that when unconstrained they can practically achieve success with theoretically optimal effort. We then propose a simple yet effective constraint that may be employed by a proximity service (for example, running in the cloud or using a suitable two-party protocol) as countermeasure to increase the effort for the attacker several orders of magnitude both in simulated and real-world cases.

Impact Factor: 2.717
Journal Citation Reports® Science Edition (Thomson Reuters, 2021)

PDF icon rios2022cpa.pdf (1.03 MB)
C. Fernandez-Gago, U. Hustadt, C. Dixon, M. Fisher, and B. Konev, "First-Order Temporal Verification in Practice",
Journal of Automated Reasoning, vol. 34, Springer, pp. 295-321, 2005. DOI (I.F.: 0.875)More..

Abstract

First-order temporal logic, the extension of first-order logic with operators dealing with time, is a powerful and expressive formalism with many potential applications. This expressive logic can be viewed as a framework in which to investigate problems specified in other logics. The monodic fragment of first-order temporal logic is a useful fragment that possesses good computational properties such as completeness and sometimes even decidability. Temporal logics of knowledge are useful for dealing with situations where the knowledge of agents in a system is involved. In this paper we present a translation from temporal logics of knowledge into the monodic fragment of first-order temporal logic. We can then use a theorem prover for monodic first-order temporal logic to prove properties of the translated formulas. This allows problems specified in temporal logics of knowledge to be verified automatically without needing a specialized theorem prover for temporal logics of knowledge. We present the translation, its correctness, and examples of its use.

Impact Factor: 0.875
Journal Citation Reports® Science Edition (Thomson Reuters, 2005)

J. Forne, et al., "Pervasive Authentication and Authorization Infrastructures for Mobile Users",
Computer and Security, vol. 29, elsevier, pp. 501-514, 2010. DOI (I.F.: 0.889)More..

Abstract

Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally, extremely dynamic operating conditions, are major challenges in the design of security infrastructures for pervasive computing. Yet, in a ubiquitous computing environment, limitations of traditional solutions for authentication and authorization can be overcome with a pervasive public key infrastructure (pervasive-PKI). This choice allows the validation of credentials of users roaming between heterogeneous networks, even when global connectivity is lost and some services are temporarily unreachable. Proof-of-concept implementations and testbed validation results demonstrate that strong security can be achieved for users and applications through the combination of traditional PKI services with a number of enhancements like: (i) dynamic and collaborative trust model, (ii) use of attribute certificates for privilege management, and (iii) modular architecture enabling nomadic mobility and enhanced with reconfiguration capabilities.

Impact Factor: 0.889
Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

PDF icon JordiForne2009.pdf (4.07 MB)