Publications

Export results:
Author Title Type [ Year(Asc)]
Filters: First Letter Of Title is T  [Clear All Filters]
J. E. Rubio, R. Roman, C. Alcaraz, and Y. Zhang, "Tracking Advanced Persistent Threats in Critical Infrastructures through Opinion Dynamics",
European Symposium on Research in Computer Security (ESORICS 2018), vol. 11098, Springer, pp. 555-574, 08/2018. DOI More..

Abstract

Advanced persistent threats pose a serious issue for modern industrial environments, due to their targeted and complex attack vectors that are difficult to detect. This is especially severe in critical infrastructures that are accelerating the integration of IT technologies. It is then essential to further develop effective monitoring and response systems that ensure the continuity of business to face the arising set of cyber-security threats. In this paper, we study the practical applicability of a novel technique based on opinion dynamics, that permits to trace the attack throughout all its stages along the network by correlating different anomalies measured over time, thereby taking the persistence of threats and the criticality of resources into consideration. The resulting information is of essential importance to monitor the overall health of the control system and correspondingly deploy accurate response procedures.

PDF icon RubioRomanAlcarazZhang2018.pdf (1.21 MB)
D. Ferraris, C. Fernandez-Gago, and J. Lopez, "A Trust-by-Design Framework for the Internet of Things",
2018 9th IFIP International Conference on New Technologies Mobility and Security (NTMS), IEEE, 04/2018. DOI More..

Abstract

The Internet of Things (IoT) is an environment of interconnected entities, that are identifiable, usable and controllable via the Internet. Trust is necessary in a system such as IoT as the entities involved should know the effect of interacting with other entities. Moreover, the entities must also be able to trust a system to reliably use it. An IoT system is composed of different entities from different vendors, each of them with a different purpose and a different lifecycle. So considering trust in the whole IoT system lifecycle is useful and necessary to guarantee a good service for the whole system. The heterogeneity and dynamicity of this field make it difficult to ensure trust in IoT. We propose a trust by design framework for including trust in the development of an IoT entity considering all the phases of the life-cycle. It is composed of the K-Model and transversal activities.

PDF icon 1684.pdf (165.19 KB)
I. Agudo, A. El Kaafarani, D. Nuñez, and S. Pearson, "A Technique for Enhanced Provision of Appropriate Access to Evidence across Service Provision Chains",
10th International IFIP Summer School on Privacy and Identity Management, pp. 187-204, 2016. DOI More..

Abstract

Transparency and verifiability are necessary aspects of accountability, but care needs to be taken that auditing is done in a privacy friendly way. There are situations where it would be useful for certain actors to be able to make restricted views within service provision chains on accountability evidence, including logs, available to other actors with specific governance roles. For example, a data subject or a Data Protection Authority (DPA) might want to authorize an accountability agent to act on their behalf, and be given access to certain logs in a way that does not compromise the privacy of other actors or the security of involved data processors. In this paper two cryptographic-based techniques that may address this issue are proposed and assessed.

A. Nieto, R. Roman, and J. Lopez, "Testigo digital: delegación vinculante de evidencias electrónicas para escenarios IoT",
II Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2016), pp. 109-116, 06/2016. More..

Abstract

En un mundo en el que los usuarios dependen cada vez más de sus dispositivos, éstos almacenan gran cantidad de datos y son una fuente muy valiosa de información sobre su entorno. Sin embargo, la heterogeneidad y la densidad de los objetos conectados, características propias de la Internet de las Cosas (IoT), sirven de velo para ocultar conductas maliciosas que afectan a estos dispositivos, sin que quede rastro de tales acciones. En este artículo definimos el concepto de testigo digital: funcionalidad que permitirá a los dispositivos personales y otros objetos colaborar para implementar una cadena de custodia digital en la IoT. El fin perseguido es ofrecer soluciones que mitiguen los efectos de la ciberdelincuencia, amparándose en la colaboración de los dispositivos con arquitecturas de seguridad embebidas para alertar de conductas maliciosas, y dejar constancia de éstas.

PDF icon 1578.pdf (2.04 MB)
C. Fernandez-Gago, et al., "Tools for Cloud Accountability: A4Cloud Tutorial",
9th IFIP Summer School on Privacy and Identity Management for the Future Internet in the Age of Globalisation, vol. 457, Springer IFIP AICT, pp. 219-236, 2015. DOI More..

Abstract

Cloud computing is becoming a key IT infrastructure technology being adopted progressively by companies and users. Still, there are issues and uncertainties surrounding its adoption, such as security and how users data is dealt with that require attention from developers, researchers, providers and users. The A4Cloud project tries to help solving the problem of accountability in the cloud by providing tools that support the process of achieving accountability. This paper presents the contents of the first A4Cloud tutorial. These contents include basic concepts and tools developed within the project. In particular, we will review how metrics can aid the accountability process and some of the tools that the A4Cloud project will produce such as the Data Track Tool (DTT) and the Cloud Offering Advisory Tool (COAT).

PDF icon 1516.pdf (1.48 MB)
F. Moyano, K. Beckers, and C. Fernandez-Gago, "Trust-Aware Decision-Making Methodology for Cloud Sourcing",
26th International Conference on Advanced Information Systems Engineering (CAiSE 2014), M. Jarke, et al. Eds., LCNS 8484, Springer, pp. 136-149, 06/2014. DOI More..

Abstract

Cloud sourcing consists of outsourcing data, services and infrastructure to cloud providers. Even when this outsourcing model brings advantages to cloud customers, new threats also arise as sensitive data and critical IT services are beyond customers' control. When an organization considers moving to the cloud, IT decision makers must select a cloud provider and must decide which parts of the organization will be outsourced and to which extent. This paper proposes a methodology that allows decision makers to evaluate their trust in cloud providers. The methodology provides a systematic way to elicit knowledge about cloud providers, quantify their trust factors and aggregate them into trust values that can assist the decision-making process. The trust model that we propose is based on trust intervals, which allow capturing uncertainty during the evaluation, and we define an operator for aggregating these trust intervals. The methodology is applied to an eHealth scenario.

PDF icon moyano14caise.pdf (333.6 KB)
L. Cazorla, C. Alcaraz, and J. Lopez, "Towards Automatic Critical Infrastructure Protection through Machine Learning",
8th International Conference on Critical Information Infrastructures Security, vol. 8328, Springer, pp. 197-203, 2013. DOI More..

Abstract

Critical Infrastructure Protection (CIP) faces increasing challenges in number and in sophistication, which makes vital to provide new forms of protection to face every day’s threats. In order to make such protection holistic, covering all the needs of the systems from the point of view of security, prevention aspects and situational awareness should be considered. Researchers and Institutions stress the need of providing intelligent and automatic solutions for protection, calling our attention to the need of providing Intrusion Detection Systems (IDS) with intelligent active reaction capabilities. In this paper, we support the need of automating the processes implicated in the IDS solutions of the critical infrastructures and theorize that the introduction of Machine Learning (ML) techniques in IDS will be helpful for implementing automatic adaptable solutions capable of adjusting to new situations and timely reacting in the face of threats and anomalies. To this end, we study the different levels of automation that the IDS can implement, and outline a methodology to endow critical scenarios with preventive automation. Finally, we analyze current solutions presented in the literature and contrast them against the proposed methodology

PDF icon 1805.pdf (110.09 KB)
F. Moyano, C. Fernandez-Gago, and J. Lopez, "Towards Engineering Trust-aware Future Internet Systems",
3rd International Workshop on Information Systems Security Engineering (WISSE 2013), X. Franch, and P. Soffer Eds., LNBIP 148, Springer-Verlag, pp. 490-501, Jun 2013. DOI More..

Abstract

Security must be a primary concern when engineering Future Internet (FI) systems and applications. In order to achieve secure solutions, we need to capture security requirements early in the Software Development Life Cycle (SDLC). Whereas the security community has traditionally focused on providing tools and mechanisms to capture and express hard security requirements (e.g. confidentiality), little attention has been paid to other important requirements such as trust and reputation. We argue that these soft security requirements can leverage security in open, distributed, heterogeneous systems and applications and that they must be included in an early phase as part of the development process. In this paper we propose a UML extension for specifying trust and reputation requirements, and we apply it to an eHealth case study.

PDF icon moyano13wisse.pdf (505.78 KB)
F. Moyano, B. Baudry, and J. Lopez, "Towards Trust-Aware and Self-Adaptive Systems",
7th IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2013), C. Fernandez-Gago, I. Agudo, F. Martinelli, and S. Pearson Eds., AICT 401, Springer, pp. 255-262, Jun 2013. DOI More..

Abstract

The Future Internet (FI) comprises scenarios where many heterogeneous and dynamic entities must interact to provide services (e.g., sensors, mobile devices and information systems in smart city scenarios). The dynamic conditions under which FI applications must execute call for self-adaptive software to cope with unforeseeable changes in the application environment. Software engineering currently provides frameworks to develop reasoning engines that automatically take reconfiguration decisions and that support the runtime adaptation of distributed, heterogeneous applications. However, these frameworks have very limited support to address security concerns of these application, hindering their usage for FI scenarios. We address this challenge by enhancing self-adaptive systems with the concepts of trust and reputation. Trust will improve decision-making processes under risk and uncertainty, in turn improving security of self-adaptive FI applications. This paper presents an approach that includes a trust and reputation framework into a platform for adaptive, distributed component-based systems, thus providing software components with new abilities to include trust in their reasoning process.  

PDF icon moyano2013ifiptm.pdf (585.82 KB)
F. Moyano, C. Fernandez-Gago, and J. Lopez, "A Trust and Reputation Framework",
Doctoral Symposium of the International Symposium on Engineering Secure Software and Systems (ESSoS-DS 2013), M. Heisel, and E. Marchetti Eds., CEUR-WS 965, CEUR-WS, pp. 7-12, 2013. More..

Abstract

The Future Internet is posing new security challenges as their scenarios are bringing together a huge amount of stakeholders and devices that must interact under unforeseeable conditions. In addition, in these scenarios we cannot expect entities to know each other beforehand, and therefore, they must be involved in risky and uncertain collaborations. In order to minimize threats and security breaches, it is required that a well-informed decision-making process is in place, and it is here where trust and reputation can play a crucial role. Unfortunately, services and applications developers are often unarmed to address trust and reputation requirements in these scenarios. To overcome this limitation, we propose a trust and reputation framework that allows developers to create trust- and reputation-aware applications.  

PDF icon moyano2013essosds.pdf (217.23 KB)
F. Moyano, C. Fernandez-Gago, I. Agudo, and J. Lopez, "A Task Ordering Approach for Automatic Trust Establishment",
Proceedings of the 2012 International Symposium on Engineering Secure Software and Systems (ESSoS 2012), G. Barthe, B. Livshits, and R. Scandariato Eds., LNCS 7159, Springer, pp. 76–89, Feb 2012. DOI More..

Abstract

Trust has become essential in computer science as a way of assisting the process of decision-making, such as access control. In any system, several tasks may be performed, and each of these tasks might pose different associated trust values between the entities of the system. For instance, in a file system, reading and overwriting a file are two tasks that pose different trust values between the users who can carry out these tasks. In this paper, we propose a simple model for automatically establishing trust relationships between entities considering an established order among tasks.

PDF icon Moyano_ESSoS12.pdf (526.84 KB)
A. Nieto, and J. Lopez, "Traffic Classifier for Heterogeneous and Cooperative Routing through Wireless Sensor Networks",
Advanced Information Networking and Applications Workshops (WAINA), 2012 26th International Conference on, IEEE, pp. 607-612, 03/2012. DOI More..

Abstract

 

Wireless Sensor Networks (WSN) are networks composed of autonomous devices manufactured to solve a specific problem, with limited computational capabilities and resource-constrained (e.g. limited battery). WSN are used to monitor physical or environmental conditions within an area (e.g. temperature, humidity). The popularity of the WSN is growing, precisely due to the wide range of sensors available. As a result, these networks are being deployed as part of several infrastructures. However, sensors are designed to collaborate only with sensors of the same type. In this sense, taking advantage of the heterogeneity of WSN in order to provide common services, like it is the case of routing, has not been sufficiently considered. For this reason, in this paper we propose a routing protocol based on traffic classification and role-assignment to enable heterogeneous WSN for cooperation. Our approach considers both QoS requirements and lifetime maximization to allow the coexistence of different applications in the heterogeneous network infrastructure.

 

PDF icon Nieto2012a.pdf (372.72 KB)
J. Clarke, R. Roman, A. Sharma, J. Lopez, and N. Suri, "Trust & Security RTD in the Internet of Things: Opportunities for International Cooperation",
Proceedings of the First International Conference on Security of Internet of Things, ACM, pp. 172–178, 2012. DOI More..

Abstract

While there has been considerable progress in the research and technological development (RTD) of the Internet of Things (IoT), there is still considerable RTD required by international communities for the trust, privacy and security research challenges arising from the constitution of the IoT architectures, infrastructures, communications, devices, objects, applications and services. In this paper, we present an thorough analysis of the ongoing and future RTD work, specifically in Europe, regarding trust, privacy and security of the Internet of Things with a view towards enabling international cooperation efforts around the globe to solve these major research challenges.

O. Leon, R. Roman, and J. Hernandez Serrano, "Towards a Cooperative Intrusion Detection System for Cognitive Radio Networks",
Workshop on Wireless Cooperative Network Security (WCNS’11), Springer, May, 2011. DOI More..

Abstract

Cognitive Radio Networks (CRNs) arise as a promising solution to the scarcity of spectrum. By means of cooperation and smart decisions influenced by previous knowledge, CRNs are able to detect and profit from the best spectrum opportunities without interfering primary licensed users. However, besides the well-known attacks to wireless networks, new attacks threat this type of networks. In this paper we analyze these threats and propose a set of intrusion detection modules targeted to detect them. Provided method will allow a CRN to identify attack sources and types of attacks, and to properly react against them.

PDF icon Leon11.pdf (179.51 KB)
S. K. Katsikas, J. Lopez, and G. Pernul, "Trust, Privacy and Security in E-business: Requirements and Solutions",
10th Panhellenic Conference in Informatics (PCI’05), LNCS 3746, Springer, pp. 548-558, November, 2005. More..

Abstract

  An important aspect of e-business is the area of e-commerce. One of the most severe restraining factors for the proliferation of e-commerce, is the lack of trust between customers and sellers, consumer privacy concerns and the lack of security measures required to assure both businesses and customers that their business relationship and transactions will be carried out in privacy, correctly, and timely. This paper considers trust privacy and security issues in e-commerce applications and discusses methods and technologies that can be used to fulfil the pertinent requirements.

PDF icon SokratisKatsikas2005.pdf (240.98 KB)
J. Lopez, J. A. Montenegro, R. Oppliger, and G. Pernul, "On a Taxonomy of Systems for Authentication and/or Authorization Services",
TERENA Networking Conference, June, 2004. More..

Abstract

In this work we elaborate on a taxonomy of systems that provide either joint solutions for both authentication and authorization problems, or solutions for only one of the problems. Basically, we do not focus our work on theoretical systems that have been proposed only in the literature. On the other hand, we focus on: (i) systems that are already developed; (ii) systems that are under development or deployment; and (iii) systems that are still in the initial stages of design but are supported by international working groups or bodies. More precisely, we elaborate on a taxonomy of systems that are (or will be soon) available to final users.

PDF icon JavierLopez2004a.pdf (19.35 KB)
M. Carbonell, J. A. Onieva, J. Lopez, D. Galpert, and J. Zhou, "Timeout Estimation using a Simulation Model for Non-repudiation Protocols",
2nd Workshop on Internet Communications Security (WICS’04), (within Computational Science and its Applications International Conference), LNCS 3043, Springer, pp. 903-914, May, 2004. More..

Abstract

An essential issue for the best operation of non-repudiation protocols is to figure out their timeouts. In this paper, we propose a simulation model for this purpose since timeouts depend on specific scenario features such as network speed, TTP characteristics, number of originators and recipients, etc. Based on a one-to-many Markowicth’s protocol simulation model as a specific example, we have worked out various simulation experiments.

PDF icon MildreyCarbonell2004.pdf (324.28 KB)
J. A. Montenegro, and J. Lopez, "Taxonomía de las Infraestructuras de Autorización y Autentificación",
XIII Jornadas TELECOM I+D 2003, Noviembre, 2003.
J. L. Vivas, J. A. Montenegro, and J. Lopez, "Towards Business Process-Driven Framework for Security Engineering with the UML",
6th International Conference on Information Security (ISC’03), LNCS 2851, Springer-Verlag, pp. 381-395, October, 2003. More..

Abstract

A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belongs conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models in which moreover customers and end users feel most comfortable. In this paper, based on experience drawn from an ongoing work within the CASENET project \cite{CASENET}, we propose a UML-based business process-driven framework for the development of security-critical systems.

PDF icon josevivas2003.pdf (206.96 KB)
J. Lopez, A. Mana, J. A. Montenegro, J. J. Ortega, and J. M. Troya, "Towards a Trustful and Flexible Environment for Secure Communications with Public Administrations",
First International Conference on Electronic Government (EGOV’02), LNCS 2456, Springer, pp. 211-214, September, 2002. More..

Abstract

Interaction of citizens and private organizations with Public Administrations can produce meaningful benefits in the accessibility, efficiency and availability of documents, regardless of time, location and quantity. Although there are some experiences in the field of e-government there are still some technological and legal difficulties that avoid a higher rate of communications with Public Administrations through Internet, not only from citizens, but also from private companies. We have studied two of the technological problems, the need to work in a trustful environment and the creation of tools to manage electronic versions of the paper-based forms.

PDF icon JavierLopez2002g.pdf (72.46 KB)
A. Mana, J. Lopez, J. Martinez, and S. Matamoros, "Ticketing Genérico y Seguro Sobre GSM",
Simposio en Informática y Telecomunicaciones 2001 (SIT’01), pp. 297-305, Septiembre, 2001. More..

Abstract

La confianza en el comercio electrónico se ha reforzado, sin duda, gracias a la difusión de las tarjetas inteligentes. Estos elementos clave, que mejoran en gran medida la seguridad de los sistemas informáticos, tienen usos que van desde la simple identificación del usuario hasta complejos mecanismos de pago. Dentro del comercio electrónico, uno de los servicios de valor añadido más interesantes para cualquier usuario es el de ticketing. La seguridad de este sistema puede beneficiarse del uso de las tarjetas inteligentes en los procesos de venta, almacenamiento y uso de los tickets electrónicos. Uno de los puntos críticos para conseguir una amplia aceptación de este servicio será su capacidad de llegar a la gran mayoría de usuarios. En esta línea, parece apropiado pensar en los teléfonos móviles como la mejor plataforma sobre la que implantar el sistema. Este trabajo presenta los resultados del proyecto GSM-ticket, en el que se introducen, por una parte, un esquema de tickets electrónicos seguros, eficientes y fáciles de usar, y por otra el conjunto de servicios adicionales de venta, pago y distribución junto con sus protocolos correspondientes.

L. Pino, J. Lopez, F. Lopez, and C. Maraval, "A Tool for Functions Approximation by Neural Networks",
5th European Congress of Intelligent Techniques and Soft Computing (EUFIT ’97), pp. 557-564, 1997.
Modify or remove your filters and try again.