Publications

Export results:
Author Title [ Type(Asc)] Year
Filters: First Letter Of Last Name is Z  [Clear All Filters]
Conference Paper
J. E. Rubio, R. Roman, C. Alcaraz, and Y. Zhang, "Tracking Advanced Persistent Threats in Critical Infrastructures through Opinion Dynamics",
European Symposium on Research in Computer Security (ESORICS 2018), vol. 11098, Springer, pp. 555-574, 08/2018. DOI More..

Abstract

Advanced persistent threats pose a serious issue for modern industrial environments, due to their targeted and complex attack vectors that are difficult to detect. This is especially severe in critical infrastructures that are accelerating the integration of IT technologies. It is then essential to further develop effective monitoring and response systems that ensure the continuity of business to face the arising set of cyber-security threats. In this paper, we study the practical applicability of a novel technique based on opinion dynamics, that permits to trace the attack throughout all its stages along the network by correlating different anomalies measured over time, thereby taking the persistence of threats and the criticality of resources into consideration. The resulting information is of essential importance to monitor the overall health of the control system and correspondingly deploy accurate response procedures.

PDF icon RubioRomanAlcarazZhang2018.pdf (1.21 MB)
M. Carbonell, J. A. Onieva, J. Lopez, D. Galpert, and J. Zhou, "Timeout Estimation using a Simulation Model for Non-repudiation Protocols",
2nd Workshop on Internet Communications Security (WICS’04), (within Computational Science and its Applications International Conference), LNCS 3043, Springer, pp. 903-914, May, 2004. More..

Abstract

An essential issue for the best operation of non-repudiation protocols is to figure out their timeouts. In this paper, we propose a simulation model for this purpose since timeouts depend on specific scenario features such as network speed, TTP characteristics, number of originators and recipients, etc. Based on a one-to-many Markowicth’s protocol simulation model as a specific example, we have worked out various simulation experiments.

PDF icon MildreyCarbonell2004.pdf (324.28 KB)
J. Zhou, J. A. Onieva, and J. Lopez, "A Synchronous Multi-Party Contract Signing Protocol Improving Lower Bound of Steps",
21st International Information Security Conference (IFIP SEC’06), no. 201, Springer, pp. 221-232, May, 2006. More..

Abstract

Contract signing is a fundamental service in doing business. The Internet has facilitated the electronic commerce, and it is necessary to find appropriate mechanisms for contract signing in the digital world. A number of two-party contract signing protocols have been proposed with various features. Nevertheless, in some applications, a contract may need to be signed by multiple parties. Less research has been done on multi-party contract signing. In this paper, we propose a new synchronous multi-party contract signing protocol that, with n parties, it reaches a lower bound of 3(n − 1) steps in the all-honest case and 4n − 2 steps in the worst case (i.e., all parties contact the trusted third party). This is so far the most efficient synchronous multi-party contract signing protocol in terms of the number of messages required. We further consider the additional features like timeliness and abuse-freeness in the improved version.

PDF icon JianyingZhou2006.pdf (165.89 KB)
F.. Siddiqui, S.. Zeadally, C. Alcaraz, and S.. Galvao, "Smart Grid Privacy: Issues and Solutions",
21st International Conference on Computer Communications and Networks (ICCCN), IEEE Computer Society, pp. 1-5, Jul 2012. DOI More..

Abstract

Migration to an electronically controlled electrical grid to transmit, distribute, and deliver power to consumers has helped enhance the reliability and efficiency of conventional electricity systems. At the same time, this digitally enabled technology called the Smart Grid has brought new challenges to businesses and consumers alike. A key component of such a grid is the smart-metering technology, which is used to collect energy consumption data from homes and transmitting it back to power distributors. A crucial concern is the privacy related to the collection and use of energy consumption data. We present an analysis of Smart Grid privacy issues and discuss recently proposed solutions that can protect the privacy of Smart Grid users.

R. Roman, J. Zhou, and J. Lopez, "On the Security of Wireless Sensor Networks",
Computational Science and Its Applications (ICCSA’05), LNCS 3482, Springer, pp. 681-690, May, 2005. DOI More..

Abstract

Wireless Sensor Networks are extremely vulnerable against any kind of internal or external attacks, due to several factors such as resource-constrained nodes and lack of tamper-resistant packages. As a result, security must be an important factor to have in mind when designing the infrastructure and protocols of sensor networks. In this paper we survey the state-of-the-art security issues in sensor networks and highlight the open areas of research.security issues in sensor networks and highlight the open areas of research.

PDF icon Roman2005e.pdf (111.92 KB)
R. Roman, J. Zhou, and J. Lopez, "Protection Against Spam using Pre-Challenges",
20th IFIP International Information Security Conference (IFIP-SEC’05), R. Sasaki, S. Qing, E. Okamoto, and H. Yoshiura Eds., Springer, pp. 281-294, May, 2005. More..

Abstract

Spam turns out to be an increasingly serious problem to email users. A number of anti-spam schemes have been proposed and deployed, but the problem has yet been well addressed. One of those schemes is challenge-response, in which a challenge is imposed on an email sender. However, such a scheme introduces new problems for the users, e.g., delay of service and denial of service attacks. In this paper, we introduce a pre-challenge scheme that avoids those problems. It assumes each user has a challenge that is defined by the user himself/herself and associated with his/her email address, in such a way that an email sender can simultaneously retrieve a new receiver’s email address and challenge before sending an email in the first contact. Some new mechanisms are employed to reach a good balance between security against spam and convenience to email users.

PDF icon Roman2005d.pdf (174.76 KB)
J. Zhou, J. A. Onieva, and J. Lopez, "Protecting Free Roaming Agents against Result-Truncation Attack",
60th IEEE Vehicular Technology Conference (VTC’04), IEEE Vehicular Technology Society Press, pp. 3271-3274, 2004. More..

Abstract

Mobile agents are especially useful in electronic commerce, for both wired and wireless environments. Nevertheless, there are still many security issues on mobile agents to be addressed, for example, data confidentiality, non-repudiability, forward privacy, publicly verifiable forward integrity, insertion defense, truncation defense, etc. One of the hardest security problems for free roaming agents is truncation defense where two visited hosts (or one revisited host) can collude to discard the partial results collected between their respective visits. We present a new scheme satisfying those security requirements, especially protecting free roaming agents against result-truncation attack.

PDF icon Zhou2004.pdf (95.34 KB)
R. Roman, J. Lopez, and J. Zhou, "Protección contra el Spam Utilizando Desafíos a Priori",
V Jornadas de Ingeniería Telemática (JITEL’05), pp. 375-382, September, 2005. More..

Abstract

Spam is considered to be one of the biggest problems in messaging systems. In the area of email Spam, A high number of anti-spam schemes have been proposed and deployed, but the problem has yet been well addressed. In this paper, we introduce a new scheme, called pre-challenge scheme, which avoids problems that exists in other schemes such as delay of service and denial of service. Some new mechanisms are employed to reach a good balance between security against Spam and convenience to email users. In addition, our scheme can be used for protecting other types of messaging systems, such as Instant Messaging (IM) and Blogs, against Spam.

PDF icon Roman2005a.pdf (280.64 KB)
J. A. Onieva, J. Zhou, and J. Lopez, "Practical Service Charge for P2P Content Distribution",
Fifth International Conference on Information and Communications Security, LNCS 2836, Springer, pp. 112 - 123, October, 2003. More..

Abstract

With emerging decentralized technologies, peer-to-peer (P2P) content distribution arises as a new model for storage and transmission of data. In this scenario, one peer can be playing different roles, either as a distributor or as a receiver of digital contents. In order to incentivize the legal distribution of these contents and prevent the network from free riders, we propose a charging model where distributors become merchants and receivers become customers. To help in the advertisement of digital contents and collection of payment details, an intermediary agent is introduced. An underlying P2P payment protocol presented in [1] is applied to this scenario without total trust on the intermediary agent.

PDF icon Onieva2003a.pdf (185.68 KB)
N. Dai, et al., "OSAMI Commons: An open dynamic services platform for ambient intelligence",
IEEE 16th Conference on Emerging Technologies Factory Automation (ETFA 2011), IEEE, pp. 1-10, Sep 2011. DOI More..

Abstract

Today we live in an environment surrounded with networked converging devices. Human computer interactions are becoming personalized and a new concept of a global and cross-domain platform is emerging to exploit the full potential of the network in all business areas. In this convergence process, the software platform should be able to personalize itself dynamically in devices according to the context. OSAmI-Commons, an ITEA2 project for developing an open-source common approach to such a dynamic service-based platform, allows any type of device to connect and exchange information and services. OSAMI consortium is contributing to defining the foundations of a cross-platform open-services ecosystem. The sustainability of this platform is an objective beyond the project duration.

J. A. Onieva, J. Zhou, M. Carbonell, and J. Lopez, "A Multi-Party Non-Repudiation Protocol for Exchange of Different Messages",
18th IFIP International Information Security Conference. Security and Privacy in the Age of Uncertainty (IFIP SEC’03), IFIP, pp. 37-48, May, 2003. More..

Abstract

Non-repudiation is a security service that provides cryptographic evidence to support the settlement of disputes. In this paper, we introduce the state-of-the-art of multi-party non-repudiation protocols, and analyze the previous work where one originator is able to send the same message to many recipients. We propose a new multi-party non-repudiation protocol for sending different messages to many recipients. We also discuss the improvements achieved with respect to the multiple instances of a two-party non-repudiation protocol, and present some applications that would benefit from them.

PDF icon Onieva2003.pdf (203.9 KB)
M. Carbonell, J. A. Onieva, J. Lopez, and J. Zhou, "Modelo de Simulacion para la Estimacion de Parametros en los protocolos de no Repudio",
III Simposio Español de Comercio Electronico (SCE’05), Universitat de les Illes Balears, pp. 151-164, 2005. More..

Abstract

El no repudio es un requisito de seguridad cuya importancia se ha hecho evidente con el crecimiento del comercio electrónico. Muchos protocolos se han desarrollado como solución a este requisito. La gran mayoría incluye en su especificación parámetros cuyos valores no son fáciles de especificar pues dependen de las condiciones reales de implementación del mismo como los tiempos límites, las características de la TTP, tiempo de publicación de las claves, etc. En este trabajo proponemos un modelo que nos ayudará en la estimación de esos parámetros basado en la simulación del escenario real. Para la explicación y prueba del modelo mostramos un conjunto de experimentos.

PDF icon MildreyCarbonell2005.pdf (360.56 KB)
J. A. Onieva, J. Lopez, and J. Zhou, "Mejorando Servicios de Correo Electronico Certificado con Prontitud Temporal y Multicasting",
VIII Reunión Española sobre Criptología y Seguridad de la información (RECSI’04). Avances en Criptologia y Seguridad de la Informacion, Diaz de Santos, pp. 537-546, 2004. More..

Abstract

El correo electrónico certificado es un servicio añadido al correo electrónico estándar, en el cual el remitente desea obtener un recibo procedente del destinatario. Para este servicio, encontramos que los protocolos de intercambio (justo) son un componente principal para asegurar la corrección en la ejecución de los servicios de correo electrónico certificado, ya que los ítems que ambas partes presentan (en este caso específico, el mensaje de correo y el recibo del mismo) deben ser intercambiados sin que ninguna de las partes obtenga una ventaja durante el proceso sobre la otra. Podemos encontrar en esta línea de investigación protocolos optimistas eficientes para el intercambio electrónico, y mas concretamente para Correo Electrónico Certificado (CEC) y Firma Electrónica de Contratos (FEC). Realizando un estudio adecuado hemos observado que algunos aspectos de dichos protocolos podrían ser mejorados. En este artículo proponemos una solución que permite a ambas entidades terminar el protocolo de forma asíncrona. También extendemos el protocolo a múltiples usuarios.

PDF icon JoseA.Onieva2004d.pdf (139.28 KB)
J. A. Onieva, J. Zhou, M. Carbonell, and J. Lopez, "Intermediary Non-Repudiation Protocols",
5th Conference on Electronic Commerce, IEEE Computer Society, pp. 207-214, June, 2003. More..

Abstract

n commercial transactions, an intermediary might be involved to help transacting parties to conduct their business. Nevertheless, the intermediary may not be fully trusted. In this paper, we introduce the concept of intermediary (or agent) in a non-repudiation protocol, define the aims of intermediary non-repudiation protocols, and analyze their security requirements. We present a simple scenario with only one recipient, followed by a more complicated framework where multiple recipients are involved and collusion between them is possible.

PDF icon Onieva2003b.pdf (134.78 KB)
J. A. Onieva, J. Lopez, R. Roman, and J. Zhou, "Extension de una plataforma DRM basada en OMA con servicios de No Repudio",
IX Reunion Española sobre Criptologia y Seguridad de la Informacion (RECSI’06), UOC S.L., pp. 129-141, 2006. More..

Abstract

Digital Rights Management (DRM) es un término general para cualesquiera de las soluciones que permite a un vendedor de contenido en forma electrónica controlar el material y restringir su uso de distintas maneras. Estas soluciones son posibles, por un lado gracias a técnicas de la Seguridad de la Información, principalmente cifrado de datos, y por otro a la distribución, de manera independiente, de contenido y derechos digitales. Esto permite que los consumidores puedan acceder libremente al contenido, pero sólo aquellos que adquieran el derecho digital apropiado (RO) podrán procesarlo. Como servicio de seguridad considerado en diversas capas del marco de seguridad definido por la recomendación ITU X.805, casi todas las aplicaciones necesitan considerar la propiedad de no repudio en las etapas iniciales de su diseño. Desafortunadamente, esto no ha sido así en general, y más concretamente en especificaciones DRM; debido a consideraciones en la práctica y al tipo de contenido a distribuir. Analizamos este servicio para un marco de DRM y proporcionamos una solución que permita que la adquisición de derechos digitales sea un operación que no pueda repudiarse.

PDF icon JoseA.Onieva2006a.pdf (230.13 KB)
J. A. Onieva, J. Zhou, J. Lopez, and R. Roman, "Extending an OMA-based DRM Framework with Non-Repudiation Services",
5th Symposium on Signal Processing and Information Technology (ISSPIT’05), IEEE, pp. 472-477, 2005. More..

Abstract

Digital Rights Management (DRM) is an umbrella term for any of several arrangements which allows a vendor of content in electronic form to control the material and restrict its usage in various ways that can be specified by the vendor. These arrangements are provided through security techniques, mainly encryption, and the distribution, in a detached manner, of content and rights. This allows free access to the content by the consumers, but only those carrying the proper Right Object (RO) will be able to process such content. As a security service considered in different layers of the security framework defined by ITU X.805, almost all applications need to consider non-repudiation in the very beginning of their design. Unfortunately this has not been done so far in DRM specifications due to practical issues and the type of content distributed. We analyze this service for the a DRM framework and provide a solution which allows the right objects acquisition to be undeniable.

PDF icon Onieva2005.pdf (226.67 KB)
M. Carbonell, J. Maria Sierra, J. A. Onieva, J. Lopez, and J. Zhou, "Estimation of TTP Features in Non-repudiation Service",
7th International Conference on Computational Science and Its Applications (ICCSA’07), LNCS 4706, Springer, pp. 549-558, 2007. More..

Abstract

In order to achieve a high performance in a real implementation of the non-repudiation service it is necessary to estimate timeouts, TTP features, publication key time, number of originators and recipients, and other relevant parameters. An initial work of the authors focused on a basic event-oriented simulation model for the estimation of timeouts. In the actual work, we present a set of extensions to that basic model for the estimation of the TTP features (storage capacity and ftp connection capacity). We present and analyze the new and valuable results obtained.

J. A. Onieva, J. Zhou, and J. Lopez, "Enhancing Certified Email Service for Timeliness and Multicast",
Fourth International Network Conference, University of Plymouth, pp. 327-335, 2004. More..

Abstract

Certified email is a value-added service of ordinary email, in which a sender wants to obtain a receipt from a recipient. Fair exchange protocols are a key component for certified email service to ensure fairness, i.e., the items held by two parties are exchanged without one party obtaining an advantage. We can find in the literature simple and fast optimistic protocols for fair electronic exchange and, more specifically, for certified electronic mail (CEM) and electronic contract signing (ECS). We have observed that some aspects of those protocols could be substantially improved. This paper presents two major contributions. Firstly, we provide a solution that allows both parties to end the protocol timely in an asynchronous way. Then, we extend the certified email service to the multicast scenario.

PDF icon Onieva2004b.pdf (87.54 KB)
J. A. Onieva, J. Zhou, and J. Lopez, "Attacking an asynchronous multi-party contract signing protocol",
Proceedings of 6th International Conference on Cryptology in India, LNCS 3797, Springer, pp. 311–321, Decemeber, 2005. More..

Abstract

Contract signing is a fundamental service in doing business. The Internet has facilitated the electronic commerce, and it is necessary to find appropriate mechanisms for contract signing in the digital world. From a designing point of view, digital contract signing is a particular form of electronic fair exchange. Protocols for generic exchange of digital signatures exist. There are also specific protocols for two-party contract signing. Nevertheless, in some applications, a contract may need to be signed by multiple parties. Less research has been done on multi-party contract signing. In this paper, we analyze an optimistic N-party contract signing protocol, and point out its security problem, thus demonstrating further work needs to be done on the design and analysis of secure and optimistic multi-party contract signing protocols.

PDF icon Onieva2005a.pdf (150.72 KB)
J.. Zhou, K. T. Das, and J. Lopez, "An Asynchronous Node Replication Attack in Wireless Sensor Networks",
23rd International Information Security Conference (SEC 2008), vol. 278, pp. 125-139, 2008.
R. Roman, J. Zhou, and J. Lopez, "Applying Intrusion Detection Systems to Wireless Sensor Networks",
IEEE Consumer Communications & Networking Conference (CCNC 2006), IEEE, pp. 640-644, January, 2006. DOI More..

Abstract

The research of Intrusion Detection Systems (IDS) is a mature area in wired networks, and has also attracted many attentions in wireless ad hoc networks recently. Nevertheless, there is no previous work reported in the literature about IDS architectures in wireless sensor networks. In this paper, we discuss the general guidelines for applying IDS to static sensor networks, and introduce a novel technique to optimally watch over the communications of the sensors’ neighborhood on certain scenarios.

PDF icon Roman2006.pdf (144.74 KB)
R. Roman, J. Lopez, and J. Zhou, "Aplicación de Sistemas de Detección de Intrusiones en Redes de Sensores",
Simposio sobre Computación Ubicua e Inteligencia Ambiental (UCAmI’05), pp. 113-120, September, 2005. More..

Abstract

Los sistemas de detección de intrusiones (IDS) son una herramienta imprescindible de seguridad a la hora de proteger una red. Recientemente se han investigado y desarrollado arquitecturas de IDS para redes inalámbricas, en concreto para redes "Ad Hoc". No obstante, no existe un trabajo previo que desarrolle una arquitectura de IDS para una red de sensores. En este artículo, analizamos porque los sistemas IDS de redes "Ad Hoc" no pueden aplicarse a redes de sensores, e introducimos una arquitectura de IDS para redes de sensores que incorpora una nueva técnica para vigilar las comunicaciones de la red en ciertos escenarios.

PDF icon Roman2005b.pdf (467.35 KB)
J. Zhou, J. A. Onieva, and J. Lopez, "Analysis of a Free Roaming Agent Result-Truncation Defense Scheme",
6th Conference on E-Commerce (CEC’04), IEEE Computer Society, pp. 221-226, June, 2004. More..

Abstract

Mobile agents play an important role in electronic commerce. Security in free-roaming agents is especially hard to achieve when the mobile code is executed in hosts that may behave maliciously. Some schemes have been proposed to protect agent data (or computation results). However, a known vulnerability of these techniques is the truncation attack where two visited hosts (or one revisited host) can collude to discard the partial results collected between their respective visits. Cheng and Wei proposed a scheme in ICICS’02 to defense against the truncation of computation results of free-roaming agents. Cheng-Wei scheme is effective against such an attack in most cases. However, we demonstrate that it still suffers from the truncation attack when a special loop is established on the path of a free-roaming agent. We further propose two amendments to Cheng-Wei scheme to avoid such an attack.

PDF icon JianyingZhou2004.pdf (115 KB)
R. Roman, J. Lopez, and J. Zhou, "Análisis de Seguridad en Redes Inalámbricas de Sensores",
V Jornadas de Ingenería Telemática (JITEL’05), pp. 335-343, Septiembre, 2005. More..

Abstract

The design and development of security infrastructures and protocols for Wireless Sensor Networks is a difficult task, due to several factors like the constraints of the sensor nodes and the public nature of the communication channels. The intrinsic features of these networks create numerous security problems. In this paper, we analyze and put into perspective those problems.

PDF icon R.Roman2005.pdf (233.58 KB)
R. Rios, and J. Lopez, "Adecuación de soluciones de anonimato al problema de la privacidad de localización en WSN",
XII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2012), U.. Zurutuza, R.. Uribeetxeberria, and I.. Arenaza-Nuño Eds., pp. 309-314, Sep 2012. More..

Abstract

Los patrones de tráfico característicos de las redes inalámbricas de sensores (WSNs) dan lugar al problema de la privacidad de localización. De manera similar, el tráfico de los usuarios en Internet revela información sensible que puede ser protegida mediante sistemas de comunicación anónima (ACS). Por ello, este trabajo analiza la posibilidad de adaptar las soluciones de anonimato tradicionales al problema particular de las redes de sensores. Hasta el momento estas soluciones habían sido rechazadas sin un análisis riguroso, argumentando simplemente que eran demasiado exigentes computacionalmente para los nodos sensores. Nuestros resultados demuestran que, en general, algunos ACS no cumplen los requisitos de privacidad necesarios en WSNs mientras que otros, que si los cumplen, se valen de una cantidad de recursos que superan la capacidad de los sensores.

PDF icon Rios2012b.pdf (156.9 KB)