Carrillo-Mondéjar, Javier; Rodríguez, Ricardo J.
Identifying Runtime Libraries in Statically Linked Linux Binaries Journal Article
In: Future Generation Computer Systems, vol. 164, pp. 107602, 2025, ISSN: 0167-739X.
Abstract | Links | BibTeX | Tags: Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries
@article{CarrilloR-FGCS-25,
title = {Identifying Runtime Libraries in Statically Linked Linux Binaries},
author = {Javier Carrillo-Mondéjar and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CarrilloR-FGCS-25.pdf},
doi = {10.1016/j.future.2024.107602},
issn = {0167-739X},
year = {2025},
date = {2025-01-01},
journal = {Future Generation Computer Systems},
volume = {164},
pages = {107602},
abstract = {Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce tt MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. tt MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (tt MIPSeb, tt ARMel, tt Intel x86, and tt Intel x86-64) and different runtime libraries (tt uClibc, tt glibc, and tt musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the tt binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4%$ and $95.5%$, respectively) and architecture identification ($100%$ and $98.6%$, respectively).},
keywords = {Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries},
pubstate = {published},
tppubtype = {article}
}
Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce tt MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. tt MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (tt MIPSeb, tt ARMel, tt Intel x86, and tt Intel x86-64) and different runtime libraries (tt uClibc, tt glibc, and tt musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the tt binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4%$ and $95.5%$, respectively) and architecture identification ($100%$ and $98.6%$, respectively).
Huici, Daniel; Rodríguez, Ricardo J.; Mena, Eduardo
APOTHEOSIS: An efficient approximate similarity search system Journal Article
In: SoftwareX, vol. 29, pp. 102016, 2025, ISSN: 2352-7110.
Abstract | Links | BibTeX | Tags: Approximate K-nearest neighbors, Approximate matching, Approximate search methods, Data similarity analysis, similarity digest algorithms
@article{HuiciRM-SoftX-25,
title = {APOTHEOSIS: An efficient approximate similarity search system},
author = {Daniel Huici and Ricardo J. Rodríguez and Eduardo Mena},
url = {https://webdiis.unizar.es/~ricardo/files/papers/HuiciRM-SoftX-25.pdf},
doi = {10.1016/j.softx.2024.102016},
issn = {2352-7110},
year = {2025},
date = {2025-02-01},
urldate = {2025-02-01},
journal = {SoftwareX},
volume = {29},
pages = {102016},
abstract = {APOTHEOSIS is a tool for efficiently identifying and comparing data similarity in large datasets, addressing challenges faced by traditional methods such as scalability and speed. APOTHEOSIS overcomes them by combining advanced algorithms and data structures, enabling fast and accurate similarity analysis. Specifically, it uses a custom hierarchical small navigation world as an approximate $K$-nearest neighbors search method, and approximate similarity digests algorithms to find common features between similar data items, also supporting various distance metrics beyond vector-based approaches. Our software tool is designed for seamless integration into research workflows, improving reproducibility and facilitating the comparison of large-scale, high-dimensional data comparison across multiple domains.},
keywords = {Approximate K-nearest neighbors, Approximate matching, Approximate search methods, Data similarity analysis, similarity digest algorithms},
pubstate = {published},
tppubtype = {article}
}
APOTHEOSIS is a tool for efficiently identifying and comparing data similarity in large datasets, addressing challenges faced by traditional methods such as scalability and speed. APOTHEOSIS overcomes them by combining advanced algorithms and data structures, enabling fast and accurate similarity analysis. Specifically, it uses a custom hierarchical small navigation world as an approximate $K$-nearest neighbors search method, and approximate similarity digests algorithms to find common features between similar data items, also supporting various distance metrics beyond vector-based approaches. Our software tool is designed for seamless integration into research workflows, improving reproducibility and facilitating the comparison of large-scale, high-dimensional data comparison across multiple domains.
Uroz, Daniel; Rodr'ıguez, Ricardo J.; Gañán, Carlos H.
Poster: Empirical Analysis of Lifespan Increase of IoT C&C Domains Proceedings Article
In: Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 767–768, Association for Computing Machinery, Madrid, Spain, 2024, ISBN: 9798400705922.
Abstract | Links | BibTeX | Tags: c&c lifetime, iot malware
@inproceedings{UrozRG-IMC-24,
title = {Poster: Empirical Analysis of Lifespan Increase of IoT C&C Domains},
author = {Daniel Uroz and Ricardo J. Rodr'ıguez and Carlos H. Gañán},
doi = {10.1145/3646547.3689670},
isbn = {9798400705922},
year = {2024},
date = {2024-01-01},
booktitle = {Proceedings of the 2024 ACM on Internet Measurement Conference},
pages = {767–768},
publisher = {Association for Computing Machinery},
address = {Madrid, Spain},
series = {IMC '24},
abstract = {The increasing prevalence of Internet of Things (IoT) devices have made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with lack of passive DNS and registration information.},
keywords = {c&c lifetime, iot malware},
pubstate = {published},
tppubtype = {inproceedings}
}
The increasing prevalence of Internet of Things (IoT) devices have made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with lack of passive DNS and registration information.
Cambronero, María Emilia; Martínez, Miguel A.; Llana, Luis; Rodríguez, Ricardo J.; Russo, Alejandro
Towards a GDPR-compliant cloud architecture with data privacy controlled through sticky policies Journal Article
In: PeerJ Computer Science, vol. 10:e1898, pp. 1–44, 2024.
Abstract | Links | BibTeX | Tags: Cloud computing, Data privacy, Datatracking, General data protection regulation, Model validation, Object Constraint Language, Sticky policies, UMLprofiling, Unified Modeling Language
@article{CMLRR-PeerJ-24,
title = {Towards a GDPR-compliant cloud architecture with data privacy controlled through sticky policies},
author = {María Emilia Cambronero and Miguel A. Martínez and Luis Llana and Ricardo J. Rodríguez and Alejandro Russo},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CMLRR-PeerJ-24.pdf},
doi = {10.7717/peerj-cs.1898},
year = {2024},
date = {2024-03-01},
journal = {PeerJ Computer Science},
volume = {10:e1898},
pages = {1–44},
abstract = {Data privacy is one of the biggest challenges facing system architects at the systemdesign stage. Especially when certain laws, such as the General Data ProtectionRegulation (GDPR), have to be complied with by cloud environments. In this article,we want to help cloud providers comply with the GDPR by proposing aGDPR-compliant cloud architecture. To do this, we use model-driven engineeringtechniques to design cloud architecture and analyze cloud interactions. In particular,we develop a complete framework, called MDCT, which includes a Unified ModelingLanguage profile that allows us to define specific cloud scenarios and profilevalidation to ensure that certain required properties are met. The validation processis implemented through the Object Constraint Language (OCL) rules, which allow usto describe the constraints in these models. To comply with many GDPR articles, theproposed cloud architecture considers data privacy and data tracking, enabling safeand secure data management and tracking in the context of the cloud. For thispurpose, sticky policies associated with the data are incorporated to definepermission for third parties to access the data and track instances of data access. As aresult, a cloud architecture designed with MDCT contains a set of OCL rules tovalidate it as a GDPR-compliant cloud architecture. Our tool models key GDPRpoints such as user consent/withdrawal, the purpose of access, and data transparencyand auditing, and considers data privacy and data tracking with the help of stickypolicies.},
keywords = {Cloud computing, Data privacy, Datatracking, General data protection regulation, Model validation, Object Constraint Language, Sticky policies, UMLprofiling, Unified Modeling Language},
pubstate = {published},
tppubtype = {article}
}
Data privacy is one of the biggest challenges facing system architects at the systemdesign stage. Especially when certain laws, such as the General Data ProtectionRegulation (GDPR), have to be complied with by cloud environments. In this article,we want to help cloud providers comply with the GDPR by proposing aGDPR-compliant cloud architecture. To do this, we use model-driven engineeringtechniques to design cloud architecture and analyze cloud interactions. In particular,we develop a complete framework, called MDCT, which includes a Unified ModelingLanguage profile that allows us to define specific cloud scenarios and profilevalidation to ensure that certain required properties are met. The validation processis implemented through the Object Constraint Language (OCL) rules, which allow usto describe the constraints in these models. To comply with many GDPR articles, theproposed cloud architecture considers data privacy and data tracking, enabling safeand secure data management and tracking in the context of the cloud. For thispurpose, sticky policies associated with the data are incorporated to definepermission for third parties to access the data and track instances of data access. As aresult, a cloud architecture designed with MDCT contains a set of OCL rules tovalidate it as a GDPR-compliant cloud architecture. Our tool models key GDPRpoints such as user consent/withdrawal, the purpose of access, and data transparencyand auditing, and considers data privacy and data tracking with the help of stickypolicies.
Carrillo-Mondéjar, Javier; Suárez-Tangil, Guillermo; Costin, Andrei; Rodríguez, Ricardo J.
Exploring Shifting Patterns in Recent IoT Malware Proceedings Article
In: Proceedings of the 23rd European Conference on Cyber Warfare and Security (ECCWS), pp. 96–106, ACI, 2024.
Abstract | Links | BibTeX | Tags: Dynamic Analysis, Malware Evolution, Malware IoT, Malware lineage, Static Analysis
@inproceedings{CSCR-ECCWS-24b,
title = {Exploring Shifting Patterns in Recent IoT Malware},
author = {Javier Carrillo-Mondéjar and Guillermo Suárez-Tangil and Andrei Costin and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CSCR-ECCWS-24.pdf},
doi = {10.34190/eccws.23.1.2280},
year = {2024},
date = {2024-07-01},
booktitle = {Proceedings of the 23rd European Conference on Cyber Warfare and Security (ECCWS)},
volume = {23},
number = {1},
pages = {96–106},
publisher = {ACI},
abstract = {The rise of malware targeting interconnected infrastructures has surged in recent years, driven largely by the widespread presence of vulnerable legacy IoT devices and inadequately secured networks. Despite the strong interest attackers have in targeting this infrastructure, a significant gap remains in understanding how the landscape has recently evolved. Addressing this knowledge gap is essential to thwarting the proliferation of massive botnets, thereby safeguarding end-users and preventing disruptions in critical infrastructures. This work offers a contemporary analysis of Linux-based malware, specifically tailored to IoT malware operating in 2021-2023. Using automated techniques involving both static and dynamic analysis, we classify malware into related threats. By scrutinizing the most recent dataset of Linux-based malware and comparing it to previous studies, we unveil distinctive insights into emerging trends, offering an unparalleled understanding of the evolving landscape. Although Mirai and Gafgyt remain the most prominent families and present a large number of variants, our results show that (i) there is an increase in the sophistication of malware, (ii) malware authors are adding new exploits to their arsenal, and (iii) malware families that originally attacked Windows systems have been adapted to attack Linux-based devices.},
keywords = {Dynamic Analysis, Malware Evolution, Malware IoT, Malware lineage, Static Analysis},
pubstate = {published},
tppubtype = {inproceedings}
}
The rise of malware targeting interconnected infrastructures has surged in recent years, driven largely by the widespread presence of vulnerable legacy IoT devices and inadequately secured networks. Despite the strong interest attackers have in targeting this infrastructure, a significant gap remains in understanding how the landscape has recently evolved. Addressing this knowledge gap is essential to thwarting the proliferation of massive botnets, thereby safeguarding end-users and preventing disruptions in critical infrastructures. This work offers a contemporary analysis of Linux-based malware, specifically tailored to IoT malware operating in 2021-2023. Using automated techniques involving both static and dynamic analysis, we classify malware into related threats. By scrutinizing the most recent dataset of Linux-based malware and comparing it to previous studies, we unveil distinctive insights into emerging trends, offering an unparalleled understanding of the evolving landscape. Although Mirai and Gafgyt remain the most prominent families and present a large number of variants, our results show that (i) there is an increase in the sophistication of malware, (ii) malware authors are adding new exploits to their arsenal, and (iii) malware families that originally attacked Windows systems have been adapted to attack Linux-based devices.
Mlot, Esteban Damián Gutiérrez; Saldana, Jose; Rodríguez, Ricardo J.; Kotsiuba, Igor; Gañan, Carlos H.
A dataset to train intrusion detection systems based on machine learning models for electrical substations Journal Article
In: Data in Brief, vol. 57, pp. 111153, 2024, ISSN: 2352-3409.
Abstract | Links | BibTeX | Tags: critical infrastructure, cybersecurity, IEC104, IEC60870-5-104, IEC61850, testbed
@article{MlotSRKG-DIB-24,
title = {A dataset to train intrusion detection systems based on machine learning models for electrical substations},
author = {Esteban Damián Gutiérrez Mlot and Jose Saldana and Ricardo J. Rodríguez and Igor Kotsiuba and Carlos H. Gañan},
url = {https://webdiis.unizar.es/~ricardo/files/papers/GutierrezMlotSRKG-DIB-24.pdf},
doi = {10.1016/j.dib.2024.111153},
issn = {2352-3409},
year = {2024},
date = {2024-12-01},
journal = {Data in Brief},
volume = {57},
pages = {111153},
abstract = {The growing integration of Information and Communication Technology into Operational Technology environments in electrical substations exposes them to new cybersecurity threats. This paper presents a comprehensive dataset of substation traffic, aimed at improving the training and benchmarking of Intrusion Detection Systems (IDS) installed in these facilities that are based on machine learning techniques. The dataset includes raw network captures and flows from real substations, filtered and anonymized to ensure privacy. It covers the main protocols and standards used in substation environments: IEC61850, IEC104, NTP, and PTP. Additionally, the dataset includes traces obtained during several cyberattacks, which were simulated in a controlled laboratory environment, providing a rich resource for developing and testing machine learning models for cybersecurity applications in substations. A set of complementary tools for dataset creation and preprocessing are also included to standardize the methodology, ensuring consistency and reproducibility. In summary, the dataset addresses the critical need for high-quality, targeted data for tuning IDS at electrical substations and contributes to the advancement of secure and reliable power distribution networks.},
keywords = {critical infrastructure, cybersecurity, IEC104, IEC60870-5-104, IEC61850, testbed},
pubstate = {published},
tppubtype = {article}
}
The growing integration of Information and Communication Technology into Operational Technology environments in electrical substations exposes them to new cybersecurity threats. This paper presents a comprehensive dataset of substation traffic, aimed at improving the training and benchmarking of Intrusion Detection Systems (IDS) installed in these facilities that are based on machine learning techniques. The dataset includes raw network captures and flows from real substations, filtered and anonymized to ensure privacy. It covers the main protocols and standards used in substation environments: IEC61850, IEC104, NTP, and PTP. Additionally, the dataset includes traces obtained during several cyberattacks, which were simulated in a controlled laboratory environment, providing a rich resource for developing and testing machine learning models for cybersecurity applications in substations. A set of complementary tools for dataset creation and preprocessing are also included to standardize the methodology, ensuring consistency and reproducibility. In summary, the dataset addresses the critical need for high-quality, targeted data for tuning IDS at electrical substations and contributes to the advancement of secure and reliable power distribution networks.
Fernández-Álvarez, Pedro; Rodríguez, Ricardo J.
Module Extraction and DLL Hijacking Detection via Single or Multiple Memory Dumps Journal Article
In: Forensic Science International: Digital Investigation, vol. 44, pp. 301505, 2023, ISSN: 2666-2817, (Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference).
Abstract | Links | BibTeX | Tags: digital forensics, DLL hijacking, memory forensics, Volatility, Windows
@article{FR-FSIDI-23,
title = {Module Extraction and DLL Hijacking Detection via Single or Multiple Memory Dumps},
author = {Pedro Fernández-Álvarez and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-23.pdf},
doi = {10.1016/j.fsidi.2023.301505},
issn = {2666-2817},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {Forensic Science International: Digital Investigation},
volume = {44},
pages = {301505},
abstract = {A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of the shared object files instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.},
note = {Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference},
keywords = {digital forensics, DLL hijacking, memory forensics, Volatility, Windows},
pubstate = {published},
tppubtype = {article}
}
A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of the shared object files instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.
Bai, Jing; Chang, Xiaolin; Rodríguez, Ricardo J.; Trivedi, Kishor; Li, Shupan
Towards UAV-based MEC Service Chain Resilience Evaluation: A Quantitative Modeling Approach Journal Article
In: IEEE Transactions on Vehicular Technology, vol. 72, no. 4, pp. 5181–5194, 2023.
Abstract | Links | BibTeX | Tags: resilience, Resource Degradation, Semi-Markov Process, Unmanned Aerial Vehicle
@article{BCRTL-TVT-23,
title = {Towards UAV-based MEC Service Chain Resilience Evaluation: A Quantitative Modeling Approach},
author = {Jing Bai and Xiaolin Chang and Ricardo J. Rodríguez and Kishor Trivedi and Shupan Li},
url = {http://webdiis.unizar.es/~ricardo/files/papers/BCRTL-TVT-23.pdf},
doi = {10.1109/TVT.2022.3225564},
year = {2023},
date = {2023-04-19},
urldate = {2022-01-01},
journal = {IEEE Transactions on Vehicular Technology},
volume = {72},
number = {4},
pages = {5181--5194},
abstract = {Unmanned aerial vehicle (UAV) and network function virtualization (NFV) facilitate the deployment of multiaccess edge computing (MEC). In the UAV-based MEC (UMEC) network, virtualized network function (VNF) can be implemented as a lightweight container running on UMEC host operating system (OS). However, UMEC network is vulnerable to attack, which can result in resource degradation and even UMEC service disruption. Rejuvenation techniques, such as failover technique and live container migration technique, can mitigate the impact of resource degradation but their effectiveness to improve the resilience of UMEC services should be evaluated. This paper presents a quantitative modeling approach based on semi-Markov process to investigate the resilience of a UMEC service chain consisting of any number of VNFs executed in any number of UMEC hosts in terms of availability and reliability. Unlike existing studies, the semi-Markov model constructed in this paper can capture the time-dependent behaviors between VNFs, between host OSes, and between VNFs and host OSes on the condition that the holding times of the recovery and failure events follow any kind of distribution. We perform the sensitivity analysis to identify potential resilience bottlenecks. The results highlight that migration time is the parameter significantly affecting the resilience, which shed the insight on designing the UMEC service chain with high-grade resilience requirements. In addition, we carry out the numerical experiments to reveal that: (i) the type of failure time distribution has a significant effect on the resilience; and (ii) the resilience increases with decreasing number of VNFs, while the availability increases with increasing number of UMEC hosts and the reliability decreases with increasing number of UMEC hosts, which can provide meaningful guidance for the UAV placement optimization in the UMEC network.},
keywords = {resilience, Resource Degradation, Semi-Markov Process, Unmanned Aerial Vehicle},
pubstate = {published},
tppubtype = {article}
}
Unmanned aerial vehicle (UAV) and network function virtualization (NFV) facilitate the deployment of multiaccess edge computing (MEC). In the UAV-based MEC (UMEC) network, virtualized network function (VNF) can be implemented as a lightweight container running on UMEC host operating system (OS). However, UMEC network is vulnerable to attack, which can result in resource degradation and even UMEC service disruption. Rejuvenation techniques, such as failover technique and live container migration technique, can mitigate the impact of resource degradation but their effectiveness to improve the resilience of UMEC services should be evaluated. This paper presents a quantitative modeling approach based on semi-Markov process to investigate the resilience of a UMEC service chain consisting of any number of VNFs executed in any number of UMEC hosts in terms of availability and reliability. Unlike existing studies, the semi-Markov model constructed in this paper can capture the time-dependent behaviors between VNFs, between host OSes, and between VNFs and host OSes on the condition that the holding times of the recovery and failure events follow any kind of distribution. We perform the sensitivity analysis to identify potential resilience bottlenecks. The results highlight that migration time is the parameter significantly affecting the resilience, which shed the insight on designing the UMEC service chain with high-grade resilience requirements. In addition, we carry out the numerical experiments to reveal that: (i) the type of failure time distribution has a significant effect on the resilience; and (ii) the resilience increases with decreasing number of VNFs, while the availability increases with increasing number of UMEC hosts and the reliability decreases with increasing number of UMEC hosts, which can provide meaningful guidance for the UAV placement optimization in the UMEC network.
Rodríguez, Ricardo J.; Marrone, Stefano; Marcos, Ibai; Porzio, Giuseppe
MOSTO: A Toolkit to Facilitate Security Auditing of ICS Devices using Modbus/TCP Journal Article
In: Computers & Security, vol. 132, pp. 103373, 2023.
Abstract | Links | BibTeX | Tags: Industrial Control Systems, Modbus, Penetration Testing, Security Auditing
@article{RMMP-COSE-23,
title = {MOSTO: A Toolkit to Facilitate Security Auditing of ICS Devices using Modbus/TCP},
author = {Ricardo J. Rodríguez and Stefano Marrone and Ibai Marcos and Giuseppe Porzio},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RMMP-COSE-23.pdf},
doi = {10.1016/j.cose.2023.103373},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {Computers & Security},
volume = {132},
pages = {103373},
abstract = {The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.},
keywords = {Industrial Control Systems, Modbus, Penetration Testing, Security Auditing},
pubstate = {published},
tppubtype = {article}
}
The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.
Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks Journal Article
In: Digital Threats: Research and Practice, vol. 3, no. 2, pp. 28, 2022.
Abstract | Links | BibTeX | Tags: analysis evasion, Analysis-aware malware, Dynamic binary instrumentation
@article{SRF-DTRAP-22,
title = {Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks},
author = {Ailton Santos Filho and Ricardo J Rodríguez and Eduardo L Feitosa},
url = {http://webdiis.unizar.es/~ricardo/files/papers/SRF-DTRAP-21.pdf},
doi = {10.1145/3480463},
year = {2022},
date = {2022-01-01},
journal = {Digital Threats: Research and Practice},
volume = {3},
number = {2},
pages = {28},
abstract = {Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous taxonomies. Our findings demonstrate that despite advances in DBI framework protections that make them quite suitable for system security purposes, more efforts are needed to reduce the attack surface that they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, threatening the transparency of DBI frameworks. Furthermore, the impact in terms of performance overhead and effectiveness of these countermeasures in real-world situations is unknown. Finally, there are only proofs of concept for 9 of these 26 techniques, which makes it difficult to validate and study how they evade the analysis in order to counter them. We also point out some relevant issues in this context and outline ways of future research directions in the use of DBI frameworks for system security purposes.},
keywords = {analysis evasion, Analysis-aware malware, Dynamic binary instrumentation},
pubstate = {published},
tppubtype = {article}
}
Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous taxonomies. Our findings demonstrate that despite advances in DBI framework protections that make them quite suitable for system security purposes, more efforts are needed to reduce the attack surface that they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, threatening the transparency of DBI frameworks. Furthermore, the impact in terms of performance overhead and effectiveness of these countermeasures in real-world situations is unknown. Finally, there are only proofs of concept for 9 of these 26 techniques, which makes it difficult to validate and study how they evade the analysis in order to counter them. We also point out some relevant issues in this context and outline ways of future research directions in the use of DBI frameworks for system security purposes.
Fernández-Álvarez, Pedro; Rodríguez, Ricardo J
Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop Application Journal Article
In: Forensic Science International: Digital Investigation, vol. 40, pp. 301342, 2022, ISBN: 2666-2817.
Abstract | Links | BibTeX | Tags: digital forensics, instant messaging, memory forensics, Telegram Desktop, Windows
@article{FR-FSIDI-22,
title = {Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop Application},
author = {Pedro Fernández-Álvarez and Ricardo J Rodríguez },
url = {http://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-22.pdf},
doi = {10.1016/j.fsidi.2022.301342},
isbn = {2666-2817},
year = {2022},
date = {2022-01-01},
journal = {Forensic Science International: Digital Investigation},
volume = {40},
pages = {301342},
abstract = {Instant messaging applications have become a very common way of communicating, and today there are many applications of this type. The forensic analysis of these applications can help provide essential clues to solve or clarify a possible crime. This type of applications generally store their data in a secure way or transmit it through encrypted channels and thus, the forensic analysis of memory takes on special relevance to analyze them. Following a three-phase forensic analysis methodology, this work has developed a forensic analysis environment for instant messaging applications composed of two tools. One of the tools is responsible for extracting the content of a process that runs on a Windows system, while the other focuses on studying the information present in the process memory of an instant messaging application. This second tool can be easily adapted and extended to provide analysis support for any instant messaging application. As a case study, we focus on the Telegram application for Windows systems called Telegram Desktop. Adapting these tools to this application, their joint use allows obtaining forensic artifacts of interest for an investigation, such as user contacts or the content of conversations that have taken place, among others, even when the application is blocked. Obtaining these data is of great help for a forensic analyst, since the analysis of these data can be vital to clarify the events that occurred in some type of criminal act. Both tools are open source under the GNU/GPLv3 license to promote their use and extensibility to applications of other instant messaging services.},
keywords = {digital forensics, instant messaging, memory forensics, Telegram Desktop, Windows},
pubstate = {published},
tppubtype = {article}
}
Instant messaging applications have become a very common way of communicating, and today there are many applications of this type. The forensic analysis of these applications can help provide essential clues to solve or clarify a possible crime. This type of applications generally store their data in a secure way or transmit it through encrypted channels and thus, the forensic analysis of memory takes on special relevance to analyze them. Following a three-phase forensic analysis methodology, this work has developed a forensic analysis environment for instant messaging applications composed of two tools. One of the tools is responsible for extracting the content of a process that runs on a Windows system, while the other focuses on studying the information present in the process memory of an instant messaging application. This second tool can be easily adapted and extended to provide analysis support for any instant messaging application. As a case study, we focus on the Telegram application for Windows systems called Telegram Desktop. Adapting these tools to this application, their joint use allows obtaining forensic artifacts of interest for an investigation, such as user contacts or the content of conversations that have taken place, among others, even when the application is blocked. Obtaining these data is of great help for a forensic analyst, since the analysis of these data can be vital to clarify the events that occurred in some type of criminal act. Both tools are open source under the GNU/GPLv3 license to promote their use and extensibility to applications of other instant messaging services.
Uroz, Daniel; Rodríguez, Ricardo J
Characterization and Evaluation of IoT Protocols for Data Exfiltration Journal Article
In: IEEE Internet of Things Journal, vol. PP, pp. PP, 2022, (Accepted for publication. To appear in press.).
Abstract | Links | BibTeX | Tags: AMQP 1.0, CoAP 1.0, Data Exfiltration, IoT Protocols, MQTT 3.1.1, MQTT 5.0
@article{UR-IOTJ-22,
title = {Characterization and Evaluation of IoT Protocols for Data Exfiltration},
author = {Daniel Uroz and Ricardo J Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/UR-IOTJ-22.pdf},
doi = {10.1109/JIOT.2022.3163469},
year = {2022},
date = {2022-01-01},
journal = {IEEE Internet of Things Journal},
volume = {PP},
pages = {PP},
abstract = {Data exfiltration relies primarily on network protocols for unauthorized data transfers from information systems. In addition to well-established Internet protocols (such as DNS, ICMP, or NTP, among others), adversaries can use newer protocols such as Internet of Things (IoT) protocols to inadvertently exfiltrate data. These IoT protocols are specifically designed to meet the limitations of IoT devices and networks, where minimal bandwidth usage and low power consumption are desirable. In this paper, we review the suitability of IoT protocols for exfiltrating data. In particular, we focus on the Constrained Application Protocol (CoAP; version 1.0), the Message Queuing Telemetry Transport protocol (MQTT; in its versions 3.1.1 and 5.0), and Advanced Message Queuing Protocol (AMQP; version 1.0). For each protocol, we review its specification and calculate the overhead and available space to exfiltrate data in each protocol packet. In addition, we empirically measure the elapsed time to exfiltrate different amounts of data. In this regard, we develop a software tool (dubbed chiton) to encapsulate and exfiltrate data within the IoT protocol packets. Our results show that both MQTT and AMQP outperform CoAP. Additionally, MQTT and AMQP protocols are best suited for exfiltrating data, as both are commonly used to connect to IoT cloud providers through IoT gateways and are therefore more likely to be allowed in business networks. Finally, we also provide suggestions and recommendations to detect data exfiltration in IoT protocols.},
note = {Accepted for publication. To appear in press.},
keywords = {AMQP 1.0, CoAP 1.0, Data Exfiltration, IoT Protocols, MQTT 3.1.1, MQTT 5.0},
pubstate = {published},
tppubtype = {article}
}
Data exfiltration relies primarily on network protocols for unauthorized data transfers from information systems. In addition to well-established Internet protocols (such as DNS, ICMP, or NTP, among others), adversaries can use newer protocols such as Internet of Things (IoT) protocols to inadvertently exfiltrate data. These IoT protocols are specifically designed to meet the limitations of IoT devices and networks, where minimal bandwidth usage and low power consumption are desirable. In this paper, we review the suitability of IoT protocols for exfiltrating data. In particular, we focus on the Constrained Application Protocol (CoAP; version 1.0), the Message Queuing Telemetry Transport protocol (MQTT; in its versions 3.1.1 and 5.0), and Advanced Message Queuing Protocol (AMQP; version 1.0). For each protocol, we review its specification and calculate the overhead and available space to exfiltrate data in each protocol packet. In addition, we empirically measure the elapsed time to exfiltrate different amounts of data. In this regard, we develop a software tool (dubbed chiton) to encapsulate and exfiltrate data within the IoT protocol packets. Our results show that both MQTT and AMQP outperform CoAP. Additionally, MQTT and AMQP protocols are best suited for exfiltrating data, as both are commonly used to connect to IoT cloud providers through IoT gateways and are therefore more likely to be allowed in business networks. Finally, we also provide suggestions and recommendations to detect data exfiltration in IoT protocols.
Raducu, Razvan; Rodríguez, Ricardo J; Alvarez, Pedro
Defense and Attack Techniques against File-based TOCTOU Vulnerabilities: a Systematic Review Journal Article
In: IEEE Access, vol. 10, pp. 21742–21758, 2022.
Abstract | Links | BibTeX | Tags: avoidance techniques, file-based race condition, TOCTOU vulnerability
@article{RRA-ACCESS-22,
title = {Defense and Attack Techniques against File-based TOCTOU Vulnerabilities: a Systematic Review},
author = {Razvan Raducu and Ricardo J Rodríguez and Pedro Alvarez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-ACCESS-22.pdf},
doi = {10.1109/ACCESS.2022.3153064},
year = {2022},
date = {2022-01-01},
journal = {IEEE Access},
volume = {10},
pages = {21742--21758},
abstract = {File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability.},
keywords = {avoidance techniques, file-based race condition, TOCTOU vulnerability},
pubstate = {published},
tppubtype = {article}
}
File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability.
Wang, Yixiang; Liu, Jiqiang; Chang, Xiaolin; Wang, Jianhua; Rodríguez, Ricardo J.
AB-FGSM: AdaBelief Optimizer and FGSM-Based Approach to Generate Adversarial Examples Journal Article
In: Journal of Information Security and Applications, vol. 68, pp. 103227, 2022, ISSN: 2214-2126.
Abstract | Links | BibTeX | Tags: adversarial examples, deep learning, generalization, optimization, Security, Transferability
@article{WLCWR-JISA-22,
title = {AB-FGSM: AdaBelief Optimizer and FGSM-Based Approach to Generate Adversarial Examples},
author = {Yixiang Wang and Jiqiang Liu and Xiaolin Chang and Jianhua Wang and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/WLCWR-JISA-22.pdf},
doi = {10.1016/j.jisa.2022.103227},
issn = {2214-2126},
year = {2022},
date = {2022-08-01},
journal = {Journal of Information Security and Applications},
volume = {68},
pages = {103227},
abstract = {Deep neural networks (DNNs) can be misclassified by adversarial examples, which are legitimate inputs integrated with imperceptible perturbations at the testing stage. Extensive research has made progress for white-box adversarial attacks to craft adversarial examples with a high success rate. However, these crafted examples have a low success rate in misleading black-box models with defensive mechanisms. To tackle this problem, we design an AdaBelief based iterative Fast Gradient Sign Method (AB-FGSM) to generalize adversarial examples. By integrating the AdaBelief optimizer into the iterative-FGSM (I-FGSM), the generalization of adversarial examples is boosted, considering that the AdaBelief method can find the transferable adversarial point in the ε ball around the legitimate input on different optimization surfaces. We carry out white-box and black-box attacks on various adversarially trained models and ensemble models to verify the effectiveness and transferability of the adversarial examples crafted by AB-FGSM. Our experimental results indicate that the proposed AB-FGSM can efficiently and effectively craft adversarial examples in the white-box setting compared with state-of-the-art attacks. In addition, the transfer rate of adversarial examples is 4% to 21% higher than that of state-of-the-art attacks in the black-box manner.},
keywords = {adversarial examples, deep learning, generalization, optimization, Security, Transferability},
pubstate = {published},
tppubtype = {article}
}
Deep neural networks (DNNs) can be misclassified by adversarial examples, which are legitimate inputs integrated with imperceptible perturbations at the testing stage. Extensive research has made progress for white-box adversarial attacks to craft adversarial examples with a high success rate. However, these crafted examples have a low success rate in misleading black-box models with defensive mechanisms. To tackle this problem, we design an AdaBelief based iterative Fast Gradient Sign Method (AB-FGSM) to generalize adversarial examples. By integrating the AdaBelief optimizer into the iterative-FGSM (I-FGSM), the generalization of adversarial examples is boosted, considering that the AdaBelief method can find the transferable adversarial point in the ε ball around the legitimate input on different optimization surfaces. We carry out white-box and black-box attacks on various adversarially trained models and ensemble models to verify the effectiveness and transferability of the adversarial examples crafted by AB-FGSM. Our experimental results indicate that the proposed AB-FGSM can efficiently and effectively craft adversarial examples in the white-box setting compared with state-of-the-art attacks. In addition, the transfer rate of adversarial examples is 4% to 21% higher than that of state-of-the-art attacks in the black-box manner.
Wang, Jianhua; Chang, Xialoin; Rodríguez, Ricardo J.; Wang, Yixiang
Assessing Anonymous and Selfish Free-rider Attacks in Federated Learning Proceedings Article
In: Proceedings of the 2022 IEEE Symposium on Computers and Communications, pp. 6, IEEE, 2022.
Abstract | Links | BibTeX | Tags: federated learning, free-rider attack, privacy data
@inproceedings{WCRW-ISCC-22,
title = {Assessing Anonymous and Selfish Free-rider Attacks in Federated Learning},
author = {Jianhua Wang and Xialoin Chang and Ricardo J. Rodríguez and Yixiang Wang},
url = {http://webdiis.unizar.es/~ricardo/files/papers/WCRW-ISCC-22.pdf},
doi = {10.1109/ISCC55528.2022.9912903},
year = {2022},
date = {2022-01-01},
booktitle = {Proceedings of the 2022 IEEE Symposium on Computers and Communications},
pages = {6},
publisher = {IEEE},
abstract = {Federated Learning (FL) is a distributed learning framework and gains interest due to protecting the privacy of participants. Thus, if some participants are free-riders who are attackers without contributing any computation resources and privacy data, the model faces privacy leakage and inferior performance. In this paper, we explore and define two free-rider attack scenarios, anonymous and selfish free-rider attacks. Then we propose two methods, namely novel and advanced methods, to construct these two attacks. Extensive experiment results reveal the effectiveness in terms of the less deviation with conventional FL using the novel method, and high false positive rate to puzzle defense model using the advanced method.},
keywords = {federated learning, free-rider attack, privacy data},
pubstate = {published},
tppubtype = {inproceedings}
}
Federated Learning (FL) is a distributed learning framework and gains interest due to protecting the privacy of participants. Thus, if some participants are free-riders who are attackers without contributing any computation resources and privacy data, the model faces privacy leakage and inferior performance. In this paper, we explore and define two free-rider attack scenarios, anonymous and selfish free-rider attacks. Then we propose two methods, namely novel and advanced methods, to construct these two attacks. Extensive experiment results reveal the effectiveness in terms of the less deviation with conventional FL using the novel method, and high false positive rate to puzzle defense model using the advanced method.