Fernández-Álvarez, Pedro; Rodríguez, Ricardo J.
Module Extraction and DLL Hijacking Detection via Single or Multiple Memory Dumps Journal Article
In: Forensic Science International: Digital Investigation, vol. PP, pp. PP, 2023, ISSN: 2666-2817, (Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference).
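@comment{FR-FSIDI-23: the exported volume and pages were the placeholder "PP"; both are omitted so a style prints only the note field instead of "vol. PP, pp. PP". Fill them in once the issue is assigned. The "date" field duplicated "year" and was dropped to avoid the Biber overwrite warning.}
@article{FR-FSIDI-23,
  title     = {Module Extraction and {DLL} Hijacking Detection via Single or Multiple Memory Dumps},
  author    = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2023},
  issn      = {2666-2817},
  doi       = {10.1016/j.fsidi.2023.301505},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-23.pdf},
  abstract  = {A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of the shared object files instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.},
  note      = {Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference},
  keywords  = {digital forensics, DLL hijacking, memory forensics, Volatility, Windows},
  pubstate  = {published},
  tppubtype = {article}
}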
Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks Journal Article
In: Digital Threats: Research and Practice, vol. 3, no. 2, pp. 28, 2022.
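@comment{SRF-DTRAP-22: authors are now in "Last, First" form; the first author's surname is taken as "Santos Filho" (the S in the citation key), so it is written in comma form to stop the parser treating "Filho" alone as the surname.}
@article{SRF-DTRAP-22,
  title     = {Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks},
  author    = {Santos Filho, Ailton and Rodríguez, Ricardo J. and Feitosa, Eduardo L.},
  journal   = {Digital Threats: Research and Practice},
  year      = {2022},
  volume    = {3},
  number    = {2},
  pages     = {28},
  doi       = {10.1145/3480463},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/SRF-DTRAP-21.pdf},
  abstract  = {Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous taxonomies. Our findings demonstrate that despite advances in DBI framework protections that make them quite suitable for system security purposes, more efforts are needed to reduce the attack surface that they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, threatening the transparency of DBI frameworks. Furthermore, the impact in terms of performance overhead and effectiveness of these countermeasures in real-world situations is unknown. Finally, there are only proofs of concept for 9 of these 26 techniques, which makes it difficult to validate and study how they evade the analysis in order to counter them. 
We also point out some relevant issues in this context and outline ways of future research directions in the use of DBI frameworks for system security purposes.},
  keywords  = {analysis evasion, Analysis-aware malware, Dynamic binary instrumentation},
  pubstate  = {published},
  tppubtype = {article}
}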
Fernández-Álvarez, Pedro; Rodríguez, Ricardo J
Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop Application Journal Article
In: Forensic Science International: Digital Investigation, vol. 40, pp. 301342, 2022, ISSN: 2666-2817.
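@comment{FR-FSIDI-22: the value 2666-2817 is the journal's ISSN (the same number appears as issn in the other Forensic Science International: Digital Investigation entries), so it moved from the isbn field to issn.}
@article{FR-FSIDI-22,
  title     = {Extraction and Analysis of Retrievable Memory Artifacts from {Windows} {Telegram Desktop} Application},
  author    = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2022},
  volume    = {40},
  pages     = {301342},
  issn      = {2666-2817},
  doi       = {10.1016/j.fsidi.2022.301342},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-22.pdf},
  abstract  = {Instant messaging applications have become a very common way of communicating, and today there are many applications of this type. The forensic analysis of these applications can help provide essential clues to solve or clarify a possible crime. This type of applications generally store their data in a secure way or transmit it through encrypted channels and thus, the forensic analysis of memory takes on special relevance to analyze them. Following a three-phase forensic analysis methodology, this work has developed a forensic analysis environment for instant messaging applications composed of two tools. One of the tools is responsible for extracting the content of a process that runs on a Windows system, while the other focuses on studying the information present in the process memory of an instant messaging application. This second tool can be easily adapted and extended to provide analysis support for any instant messaging application. As a case study, we focus on the Telegram application for Windows systems called Telegram Desktop. Adapting these tools to this application, their joint use allows obtaining forensic artifacts of interest for an investigation, such as user contacts or the content of conversations that have taken place, among others, even when the application is blocked. Obtaining these data is of great help for a forensic analyst, since the analysis of these data can be vital to clarify the events that occurred in some type of criminal act. Both tools are open source under the GNU/GPLv3 license to promote their use and extensibility to applications of other instant messaging services.},
  keywords  = {digital forensics, instant messaging, memory forensics, Telegram Desktop, Windows},
  pubstate  = {published},
  tppubtype = {article}
}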
Uroz, Daniel; Rodríguez, Ricardo J
Characterization and Evaluation of IoT Protocols for Data Exfiltration Journal Article
In: IEEE Internet of Things Journal, vol. PP, pp. PP, 2022, (Accepted for publication. To appear in press.).
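@comment{UR-IOTJ-22: volume and pages were the placeholder "PP" and are omitted until the issue is assigned; the note field already states that the paper is in press.}
@article{UR-IOTJ-22,
  title     = {Characterization and Evaluation of {IoT} Protocols for Data Exfiltration},
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  journal   = {IEEE Internet of Things Journal},
  year      = {2022},
  doi       = {10.1109/JIOT.2022.3163469},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/UR-IOTJ-22.pdf},
  abstract  = {Data exfiltration relies primarily on network protocols for unauthorized data transfers from information systems. In addition to well-established Internet protocols (such as DNS, ICMP, or NTP, among others), adversaries can use newer protocols such as Internet of Things (IoT) protocols to inadvertently exfiltrate data. These IoT protocols are specifically designed to meet the limitations of IoT devices and networks, where minimal bandwidth usage and low power consumption are desirable. In this paper, we review the suitability of IoT protocols for exfiltrating data. In particular, we focus on the Constrained Application Protocol (CoAP; version 1.0), the Message Queuing Telemetry Transport protocol (MQTT; in its versions 3.1.1 and 5.0), and Advanced Message Queuing Protocol (AMQP; version 1.0). For each protocol, we review its specification and calculate the overhead and available space to exfiltrate data in each protocol packet. In addition, we empirically measure the elapsed time to exfiltrate different amounts of data. In this regard, we develop a software tool (dubbed chiton) to encapsulate and exfiltrate data within the IoT protocol packets. Our results show that both MQTT and AMQP outperform CoAP. Additionally, MQTT and AMQP protocols are best suited for exfiltrating data, as both are commonly used to connect to IoT cloud providers through IoT gateways and are therefore more likely to be allowed in business networks. Finally, we also provide suggestions and recommendations to detect data exfiltration in IoT protocols.},
  note      = {Accepted for publication. To appear in press.},
  keywords  = {AMQP 1.0, CoAP 1.0, Data Exfiltration, IoT Protocols, MQTT 3.1.1, MQTT 5.0},
  pubstate  = {published},
  tppubtype = {article}
}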
Raducu, Razvan; Rodríguez, Ricardo J; Alvarez, Pedro
Defense and Attack Techniques against File-based TOCTOU Vulnerabilities: a Systematic Review Journal Article
In: IEEE Access, vol. 10, pp. 21742–21758, 2022.
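@article{RRA-ACCESS-22,
  title     = {Defense and Attack Techniques against File-based {TOCTOU} Vulnerabilities: a Systematic Review},
  author    = {Raducu, Razvan and Rodríguez, Ricardo J. and Alvarez, Pedro},
  journal   = {IEEE Access},
  year      = {2022},
  volume    = {10},
  pages     = {21742--21758},
  doi       = {10.1109/ACCESS.2022.3153064},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-ACCESS-22.pdf},
  abstract  = {File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability.},
  keywords  = {avoidance techniques, file-based race condition, TOCTOU vulnerability},
  pubstate  = {published},
  tppubtype = {article}
}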
Wang, Yixiang; Liu, Jiqiang; Chang, Xiaolin; Wang, Jianhua; Rodríguez, Ricardo J.
AB-FGSM: AdaBelief Optimizer and FGSM-Based Approach to Generate Adversarial Examples Journal Article
In: Journal of Information Security and Applications, vol. 68, pp. 103227, 2022, ISSN: 2214-2126.
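@comment{WLCWR-JISA-22: the percent signs in the abstract are escaped because an unescaped percent starts a TeX comment and would swallow the rest of the line if the abstract is ever printed. The month carried by the old date field is kept as the month macro.}
@article{WLCWR-JISA-22,
  title     = {{AB-FGSM}: {AdaBelief} Optimizer and {FGSM}-Based Approach to Generate Adversarial Examples},
  author    = {Wang, Yixiang and Liu, Jiqiang and Chang, Xiaolin and Wang, Jianhua and Rodríguez, Ricardo J.},
  journal   = {Journal of Information Security and Applications},
  year      = {2022},
  month     = aug,
  volume    = {68},
  pages     = {103227},
  issn      = {2214-2126},
  doi       = {10.1016/j.jisa.2022.103227},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/WLCWR-JISA-22.pdf},
  abstract  = {Deep neural networks (DNNs) can be misclassified by adversarial examples, which are legitimate inputs integrated with imperceptible perturbations at the testing stage. Extensive research has made progress for white-box adversarial attacks to craft adversarial examples with a high success rate. However, these crafted examples have a low success rate in misleading black-box models with defensive mechanisms. To tackle this problem, we design an AdaBelief based iterative Fast Gradient Sign Method (AB-FGSM) to generalize adversarial examples. By integrating the AdaBelief optimizer into the iterative-FGSM (I-FGSM), the generalization of adversarial examples is boosted, considering that the AdaBelief method can find the transferable adversarial point in the ε ball around the legitimate input on different optimization surfaces. We carry out white-box and black-box attacks on various adversarially trained models and ensemble models to verify the effectiveness and transferability of the adversarial examples crafted by AB-FGSM. Our experimental results indicate that the proposed AB-FGSM can efficiently and effectively craft adversarial examples in the white-box setting compared with state-of-the-art attacks. In addition, the transfer rate of adversarial examples is 4\% to 21\% higher than that of state-of-the-art attacks in the black-box manner.},
  keywords  = {adversarial examples, deep learning, generalization, optimization, Security, Transferability},
  pubstate  = {published},
  tppubtype = {article}
}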
Wang, Jianhua; Chang, Xiaolin; Rodríguez, Ricardo J.; Wang, Yixiang
Assessing Anonymous and Selfish Free-rider Attacks in Federated Learning Inproceedings
In: Proceedings of the 2022 IEEE Symposium on Computers and Communications, pp. 6, IEEE, 2022.
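@comment{WCRW-ISCC-22: "Xialoin" was a transposition of Xiaolin Chang, spelled that way in the other entries with the same co-authors. The pages field looks like a page count (it renders as "pp. 6"); replace it with the real page range or an eid when known.}
@inproceedings{WCRW-ISCC-22,
  title     = {Assessing Anonymous and Selfish Free-rider Attacks in Federated Learning},
  author    = {Wang, Jianhua and Chang, Xiaolin and Rodríguez, Ricardo J. and Wang, Yixiang},
  booktitle = {Proceedings of the 2022 {IEEE} Symposium on Computers and Communications},
  year      = {2022},
  pages     = {6},
  publisher = {IEEE},
  doi       = {10.1109/ISCC55528.2022.9912903},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/WCRW-ISCC-22.pdf},
  abstract  = {Federated Learning (FL) is a distributed learning framework and gains interest due to protecting the privacy of participants. Thus, if some participants are free-riders who are attackers without contributing any computation resources and privacy data, the model faces privacy leakage and inferior performance. In this paper, we explore and define two free-rider attack scenarios, anonymous and selfish free-rider attacks. Then we propose two methods, namely novel and advanced methods, to construct these two attacks. Extensive experiment results reveal the effectiveness in terms of the less deviation with conventional FL using the novel method, and high false positive rate to puzzle defense model using the advanced method.},
  keywords  = {federated learning, free-rider attack, privacy data},
  pubstate  = {published},
  tppubtype = {inproceedings}
}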
Wang, Yixiang; Liu, Jiqiang; Chang, Xiaolin; Rodríguez, Ricardo J.; Wang, Jianhua
DI-AA: An Interpretable White-box Attack for Fooling Deep Neural Networks Journal Article
In: Information Sciences, vol. 610, pp. 14–32, 2022, ISSN: 0020-0255.
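@comment{WLCRW-INS-22: percent signs in the abstract are escaped (an unescaped percent is a TeX comment), and the tilde between the two figures is written as an en dash since a bare tilde would typeset as a non-breaking space. The month from the old date field is kept as the month macro.}
@article{WLCRW-INS-22,
  title     = {{DI-AA}: An Interpretable White-box Attack for Fooling Deep Neural Networks},
  author    = {Wang, Yixiang and Liu, Jiqiang and Chang, Xiaolin and Rodríguez, Ricardo J. and Wang, Jianhua},
  journal   = {Information Sciences},
  year      = {2022},
  month     = sep,
  volume    = {610},
  pages     = {14--32},
  issn      = {0020-0255},
  doi       = {10.1016/j.ins.2022.07.157},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/WLCRW-INS-22.pdf},
  abstract  = {White-box adversarial example (AE) attacks on deep neural networks (DNNs) have a more powerful destructive capacity than black-box attacks using AE strategies. However, few studies have been conducted on the generation of low-perturbation adversarial examples from the interpretability perspective. Specifically, adversaries who conducted attacks lacked interpretation from the point of view of DNNs, and the perturbation was not further considered. To address these, we propose an interpretable white-box AE attack approach, DI-AA, which not only explores the application of the interpretable method of deep Taylor decomposition in selecting the most contributing features but also adopts the Lagrangian relaxation optimization of the logit output and norm to make the perturbation more unnoticeable. We compare DI-AA with eight baseline attacks on four representative datasets. Experimental results reveal that our approach can (1) attack nonrobust models with low perturbation, where the perturbation is closer to or lower than that of the state-of-the-art white-box AE attacks; (2) evade the detection of the adversarial-training robust models with the highest success rate; (3) be flexible in the degree of AE generation saturation. Additionally, the AE generated by DI-AA can reduce the accuracy of the robust black-box models by 16\%--31\% in the black-box manner.},
  keywords  = {adversarial example, deep learning, interpretability, robustness, white-box attack},
  pubstate  = {published},
  tppubtype = {article}
}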
Blanco, Roberto; Rodríguez, Ricardo J.
OCamello: A Course and Summer School with Learn-OCaml Inproceedings
In: OCaml Users and Developers Workshop 2022, pp. 2, 2022, (Accepted for publication. To appear).
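@comment{BR-OUDW-22: the venue was stored in a journal field, which an inproceedings entry ignores (the rendered citation showed no venue at all); it now lives in booktitle. The "PP" placeholders in volume and number are dropped, and the emphasis command in the abstract had lost its backslash.}
@inproceedings{BR-OUDW-22,
  title     = {{OCamello}: A Course and Summer School with {Learn-OCaml}},
  author    = {Blanco, Roberto and Rodríguez, Ricardo J.},
  booktitle = {OCaml Users and Developers Workshop 2022},
  year      = {2022},
  pages     = {2},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BR-OCamlWorkshopDay-22.pdf},
  urldate   = {2022-01-01},
  abstract  = {We report on an (at the time of this writing, forthcoming) week-long summer school on functional programming and OCaml, entitled {\em Advanced Programming Techniques: The Functional Paradigm}, part of the 95th Annual Edition of the interdisciplinary summer university of the University of Zaragoza. We develop new custom learning materials using Learn-OCaml as an integrated learning platform and bring together academic and industrial members of the OCaml community for an associated outreach event.},
  note      = {Accepted for publication. To appear},
  keywords  = {learning outcomes, OCaml, summer school},
  pubstate  = {published},
  tppubtype = {inproceedings}
}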
Raducu, Razvan; Rodríguez, Ricardo J.; Álvarez, Pedro
Resource Consumption Evaluation of C++ Cryptographic Libraries on Resource-Constrained Devices Inproceedings
In: Applied Cryptography in Computer and Communications, pp. 65–75, Springer Nature Switzerland, Cham, 2022, ISBN: 978-3-031-17081-2.
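@inproceedings{RRA-AC3-22,
  title     = {Resource Consumption Evaluation of {C++} Cryptographic Libraries on Resource-Constrained Devices},
  author    = {Raducu, Razvan and Rodríguez, Ricardo J. and Álvarez, Pedro},
  booktitle = {Applied Cryptography in Computer and Communications},
  year      = {2022},
  pages     = {65--75},
  publisher = {Springer Nature Switzerland},
  address   = {Cham},
  isbn      = {978-3-031-17081-2},
  doi       = {10.1007/978-3-031-17081-2_5},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-AC3-22.pdf},
  abstract  = {With the constant growth of IoT devices, software performance and memory usage have become relevant aspects when choosing the most suitable and optimal configuration of these resource-constrained devices. Moreover, in certain scenarios security must be guaranteed to protect data confidentiality, which imposes another resource consumption overhead. In this work-in-progress we evaluate the resource consumption of two widely-used block ciphers (AES and 3DES) and stream ciphers (Salsa20 and Chacha20), implemented in two C++ libraries (Crypto++ and Botan), to find out which library and algorithms are the most efficient for such devices. In addition, we also evaluate whether the type of input data affects the resource consumption. Our results show that the memory consumption is similar across both libraries and algorithms. In terms of CPU, Crypto++ outperforms Botan, with ChaCha20 achieving the best performance rates. Regarding the type of input data, no major impact has been noticed.},
  keywords  = {cryptographic libraries, memory usage, performance evaluation, resource-constrained devices},
  pubstate  = {published},
  tppubtype = {inproceedings}
}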
Gutiérrez Mlot, Esteban Damián; Saldana, Jose; Rodríguez, Ricardo J.
Towards a Testbed for Critical Industrial Systems: SunSpec Protocol on DER Systems as a Case Study Inproceedings
In: Proceedings of the 27th International Conference on Emerging Technologies and Factory Automation, pp. 1–4, IEEE, 2022.
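@comment{GSR-ETFA-22: the last author's surname used a decomposed accent (dotless i plus combining acute) and is now the precomposed form used everywhere else in the file. The first author's surname is taken as the two-word "Gutiérrez Mlot" (the G in the citation key), written in comma form so the parser does not keep only "Mlot".}
@inproceedings{GSR-ETFA-22,
  title     = {Towards a Testbed for Critical Industrial Systems: {SunSpec} Protocol on {DER} Systems as a Case Study},
  author    = {Gutiérrez Mlot, Esteban Damián and Saldana, Jose and Rodríguez, Ricardo J.},
  booktitle = {Proceedings of the 27th International Conference on Emerging Technologies and Factory Automation},
  year      = {2022},
  pages     = {1--4},
  publisher = {IEEE},
  doi       = {10.1109/ETFA52439.2022.9921522},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/GSR-ETFA-22.pdf},
  urldate   = {2022-01-01},
  abstract  = {Control systems in critical infrastructures have usually been considered safe as long as they were totally isolated from the outside world. However, today many of these systems are connected to the outside world and use open and standardized communication protocols designed with little or no security measures, such as Modbus or its variants such as SunSpec, widely used in distributed energy resources systems. This work-in-progress presents a testbed based on open source tools and docker containers to easily evaluate cybersecurity measures against cyberattacks on critical infrastructures without affecting their availability. This testbed is validated in a use case based on the SunSpec protocol in DER systems to detect person-in-the-middle attacks, and is implemented on a hardware-constrained appliance dubbed Energy Box.},
  keywords  = {critical infrastructure, cybersecurity, testbed},
  pubstate  = {published},
  tppubtype = {inproceedings}
}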
Bai, Jing; Chang, Xiaolin; Rodríguez, Ricardo J.; Trivedi, Kishor; Li, Shupan
Towards UAV-based MEC Service Chain Resilience Evaluation: A Quantitative Modeling Approach Journal Article
In: IEEE Transactions on Vehicular Technology, vol. PP, no. PP, pp. 1–14, 2022.
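@comment{BCRTL-TVT-22: volume and number were the placeholder "PP" and are omitted until the issue is assigned; the page range is kept as exported. No DOI was on record for this entry.}
@article{BCRTL-TVT-22,
  title     = {Towards {UAV}-based {MEC} Service Chain Resilience Evaluation: A Quantitative Modeling Approach},
  author    = {Bai, Jing and Chang, Xiaolin and Rodríguez, Ricardo J. and Trivedi, Kishor and Li, Shupan},
  journal   = {IEEE Transactions on Vehicular Technology},
  year      = {2022},
  pages     = {1--14},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BCRTL-TVT-22.pdf},
  urldate   = {2022-01-01},
  abstract  = {Unmanned aerial vehicle (UAV) and network function virtualization (NFV) facilitate the deployment of multiaccess edge computing (MEC). In the UAV-based MEC (UMEC) network, virtualized network function (VNF) can be implemented as a lightweight container running on UMEC host operating system (OS). However, UMEC network is vulnerable to attack, which can result in resource degradation and even UMEC service disruption. Rejuvenation techniques, such as failover technique and live container migration technique, can mitigate the impact of resource degradation but their effectiveness to improve the resilience of UMEC services should be evaluated. This paper presents a quantitative modeling approach based on semi-Markov process to investigate the resilience of a UMEC service chain consisting of any number of VNFs executed in any number of UMEC hosts in terms of availability and reliability. Unlike existing studies, the semi-Markov model constructed in this paper can capture the time-dependent behaviors between VNFs, between host OSes, and between VNFs and host OSes on the condition that the holding times of the recovery and failure events follow any kind of distribution. We perform the sensitivity analysis to identify potential resilience bottlenecks. The results highlight that migration time is the parameter significantly affecting the resilience, which shed the insight on designing the UMEC service chain with high-grade resilience requirements. In addition, we carry out the numerical experiments to reveal that: (i) the type of failure time distribution has a significant effect on the resilience; and (ii) the resilience increases with decreasing number of VNFs, while the availability increases with increasing number of UMEC hosts and the reliability decreases with increasing number of UMEC hosts, which can provide meaningful guidance for the UAV placement optimization in the UMEC network.},
  keywords  = {resilience, Resource Degradation, Semi-Markov Process, Unmanned Aerial Vehicle},
  pubstate  = {published},
  tppubtype = {article}
}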
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Balzarotti, Davide
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules Journal Article
In: Computers & Security, vol. 101, pp. 102119, 2021, ISSN: 0167-4048.
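@comment{MRB-COSE-21: the ampersand in the journal name is escaped; a bare ampersand in a printed field is a misplaced alignment tab in LaTeX and breaks the bibliography. Consider an at-string macro for the journal if it recurs.}
@article{MRB-COSE-21,
  title     = {Pre-processing Memory Dumps to Improve Similarity Score of {Windows} Modules},
  author    = {Martín-Pérez, Miguel and Rodríguez, Ricardo J. and Balzarotti, Davide},
  journal   = {Computers \& Security},
  year      = {2021},
  volume    = {101},
  pages     = {102119},
  issn      = {0167-4048},
  doi       = {10.1016/j.cose.2020.102119},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/MRB-COSE-21.pdf},
  abstract  = {Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.},
  keywords  = {memory forensics, relocation, similarity digest algorithms, Windows},
  pubstate  = {published},
  tppubtype = {article}
}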
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Breitinger, Frank
Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms Journal Article
In: Forensic Science International: Digital Investigation, vol. 36, pp. 301120, 2021, ISSN: 2666-2817.
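@article{MRB-FSIDI-21,
  title     = {Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms},
  author    = {Martín-Pérez, Miguel and Rodríguez, Ricardo J. and Breitinger, Frank},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2021},
  volume    = {36},
  pages     = {301120},
  issn      = {2666-2817},
  doi       = {10.1016/j.fsidi.2021.301120},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/MRB-FSIDI-21.pdf},
  abstract  = {Bytewise approximate matching algorithms (a.k.a.~fuzzy hashing or similarity hashing) convert digital artifacts into an intermediate representation to allow a faster comparison them. They gained a lot of popularity over the past decade with new algorithms being developed and released to the digital forensics community. When releasing algorithms (e.g., as part of a scientific article), they are frequently compared with other algorithms to outline the benefits and sometimes also the weaknesses of the proposed approach. However, given the wide variety of algorithms and approaches, it is impossible to provide direct comparisons with all existing algorithms.
In this paper, we present the first classification of approximate matching algorithms which allows an easier description and comparisons.
Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article also presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations.},
  keywords  = {Approximate matching, Bytewise, Classification scheme, Fuzzy hashing, Similarity digest algorithm, Similarity hashing},
  pubstate  = {published},
  tppubtype = {article}
}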
Hernández-Bejarano, Miguel; Rodríguez, Ricardo J; Merseguer, José
A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks Inproceedings
In: Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–5, 2021.
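@comment{HRM-CISTI-21: "con- trolled" in the abstract was a line-break hyphen left over from a PDF paste and is joined back into "controlled".}
@inproceedings{HRM-CISTI-21,
  title     = {A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks},
  author    = {Hernández-Bejarano, Miguel and Rodríguez, Ricardo J. and Merseguer, José},
  booktitle = {Proceedings of the 16th Iberian Conference on Information Systems and Technologies ({CISTI})},
  year      = {2021},
  pages     = {1--5},
  doi       = {10.23919/CISTI52073.2021.9476324},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/HRM-CISTI-21.pdf},
  abstract  = {Nowadays, business organizations support daily operations using Information and Communication Technologies. They serve as a basis to have a controlled management of resources, services and business goals, aligned with the mission of the organization. In this paper, we review standards and frameworks for achieving cyber-resilience in organizations, such as the NIST framework, ENISA, or international standards as the ISO/IEC 27032. We then envision the need of a new cyber-resilience framework that leveraging machine learning techniques contributes to improve business continuity.},
  keywords  = {cyber-attacks, cybersecurity, menaces, resilience, vulnerabilities},
  pubstate  = {published},
  tppubtype = {inproceedings}
}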