Uroz, Daniel; Rodríguez, Ricardo J
Evaluation of the Executional Power in Windows using Return Oriented Programming Inproceedings
In: Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), pp. 361–372, IEEE, 2021.
@inproceedings{UR-WOOT-21b,
title = {Evaluation of the Executional Power in Windows using Return Oriented Programming},
author = {Daniel Uroz and Ricardo J Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/UR-WOOT-21.pdf},
doi = {10.1109/SPW53761.2021.00056},
year = {2021},
date = {2021-01-01},
booktitle = {Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT)},
pages = {361--372},
publisher = {IEEE},
abstract = {Code-reuse techniques have emerged as a way to defeat the control-flow defenses that prevent the injection and execution of new code, as they allow an adversary to hijack the control flow of a victim program without injecting code. A well-known code-reuse attack technique is Return-Oriented Programming (ROP), which considers and links together (relatively short) code snippets, named ROP gadgets, already present in the victim's memory address space through a controlled use of the stack values of the victim program. Although ROP attacks are known to be Turing-complete, there are still open questions, such as the quantification of the executional power of an adversary, which is determined by whatever code exists in the memory of a victim program, and whether an adversary can build a ROP chain, made up of ROP gadgets, for any kind of algorithm. To fill these gaps, in this paper we first define a virtual language, dubbed ROPLang, that defines a set of operations (specifically, arithmetic, assignment, dereference, logical, and branching operations) which are mapped to ROP gadgets. We then use it to evaluate the executional power of an adversary in Windows 7 and Windows 10, in both 32- and 64-bit versions. In addition, we have developed rop3, a tool that accepts a set of program files and a ROP chain described with our language and returns the code snippets that make up the ROP chain. Our results show that there are enough ROP gadgets to simulate any virtual operation and that branching operations are the least frequent ones. As expected, our results also indicate that the larger a program file is, the more likely it is to find ROP gadgets within it for every virtual operation.},
keywords = {automatic exploit, evaluation, ROP chain, Turing-completeness, Windows},
pubstate = {published},
tppubtype = {inproceedings}
}
Martín-Pérez, Miguel; Rodríguez, Ricardo J
Quantifying Paging on Recoverable Data from Windows User-Space Modules Inproceedings
In: Proceedings of the 12th EAI International Conference on Digital Forensics & Cyber Crime, Springer, 2021, (Accepted for publication. To appear).
@inproceedings{MR-ICDF2C-21,
title = {Quantifying Paging on Recoverable Data from Windows User-Space Modules},
author = {Miguel Martín-Pérez and Ricardo J Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/MR-ICDF2C-21.pdf},
year = {2021},
date = {2021-01-01},
booktitle = {Proceedings of the 12th EAI International Conference on Digital Forensics \& Cyber Crime},
publisher = {Springer},
abstract = {Memory forensic analysis enables a forensic examiner to retrieve evidence of a security incident, such as encryption keys, or analyze malware that resides solely in memory. During this process, the current state of system memory is acquired and saved to a file denoted as a memory dump, which is then analyzed with dedicated software for evidence. Although a memory dump contains large amounts of data for analysis, its content can be inaccurate and incomplete due to how an operating system's memory management subsystem works: page swapping, on-demand paging, or page smearing are some of the problems that can affect the data that resides in memory. In this paper, we evaluate how these issues affect user-mode modules by measuring the ratio of modules that reside in memory on a Windows 10 system under different memory workloads. On Windows, a module represents an image (that is, an executable, shared dynamic library, or driver) that was loaded as part of the kernel or a user-mode process. We show that this ratio is particularly low for shared dynamic library modules, as opposed to executable modules. We also discuss the issues of memory forensics that can affect scanning for malicious evidence in particular. Additionally, we have developed a Volatility plugin, dubbed pluginName, which helps forensic analysts obtain paging information from a memory dump for each process running at the time of acquisition, providing them with information on the amount of data that cannot be properly analyzed.},
note = {Accepted for publication. To appear},
keywords = {digital forensics, malware, memory forensics, paging, Windows modules},
pubstate = {forthcoming},
tppubtype = {inproceedings}
}
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names Journal Article
In: IEEE Access, vol. 9, pp. 126446–126456, 2021.
@article{SRS-ACCESS-21,
title = {Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names},
author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas},
url = {https://webdiis.unizar.es/~ricardo/files/papers/SRS-ACCESS-21.pdf},
doi = {10.1109/ACCESS.2021.3111307},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {IEEE Access},
volume = {9},
pages = {126446--126456},
abstract = {Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C\&C) servers. However, malware developers are aware of this detection method and have begun to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C\&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other machine learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97.62\% and an area under the receiver operating characteristic curve of 0.9956 on the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.},
keywords = {deep learning, domain generation algorithms, LSTM, malware},
pubstate = {published},
tppubtype = {article}
}
Wang, Jianhua; Chang, Xiaolin; Wang, Yixiang; Rodríguez, Ricardo J; Zhang, Jianan
LSGAN-AT: Enhancing Malware Detector Robustness against Adversarial Examples Journal Article
In: Cybersecurity, vol. 4:38, no. 1, pp. 15, 2021, ISSN: 2523-3246.
@article{WCWRZ-CYSE-21,
title = {LSGAN-AT: Enhancing Malware Detector Robustness against Adversarial Examples},
author = {Jianhua Wang and Xiaolin Chang and Yixiang Wang and Ricardo J Rodríguez and Jianan Zhang},
url = {https://webdiis.unizar.es/~ricardo/files/papers/WCWRZ-CYSE-21.pdf},
doi = {10.1186/s42400-021-00102-9},
issn = {2523-3246},
year = {2021},
date = {2021-01-01},
journal = {Cybersecurity},
volume = {4},
eid = {38},
number = {1},
pages = {15},
abstract = {Adversarial Malware Example (AME)-based adversarial training can effectively enhance the robustness of Machine Learning (ML)-based malware detectors against AMEs. AME quality is a key factor in the robustness enhancement. Generative Adversarial Networks (GANs) are one kind of AME generation method, but the existing GAN-based AME generation methods have the issues of inadequate optimization, mode collapse and training instability. In this paper, we propose a novel approach (denoted as LSGAN-AT) to enhance ML-based malware detector robustness against Adversarial Examples, which includes an LSGAN module and an AT module. The LSGAN module can generate more effective and smoother AMEs by utilizing brand-new network structures and a Least Square (LS) loss to optimize boundary samples. The AT module performs adversarial training using the AMEs generated by LSGAN to produce an ML-based Robust Malware Detector (RMD). Extensive experimental results validate the better transferability of the AMEs in terms of attacking 6 ML detectors and the RMD transferability in terms of resisting the MalGAN black-box attack. The results also verify the performance of the generated RMD in the recognition rate of AMEs.},
keywords = {Adversarial malware example, Generative adversarial network, Machine learning, Malware detector, Transferability},
pubstate = {published},
tppubtype = {article}
}
Santos Filho, Ailton; Rodríguez, Ricardo J; Feitosa, Eduardo L
Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks Inproceedings
In: Developments and Advances in Defense and Security, pp. 3–13, Springer Singapore, Singapore, 2020, ISBN: 978-981-13-9155-2.
@inproceedings{SRF-MICRADS-19,
title = {Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks},
author = {Santos Filho, Ailton and Rodríguez, Ricardo J and Feitosa, Eduardo L},
url = {https://webdiis.unizar.es/~ricardo/files/papers/SRF-MICRADS-19.pdf},
doi = {10.1007/978-981-13-9155-2_1},
isbn = {978-981-13-9155-2},
year = {2020},
date = {2020-01-01},
booktitle = {Developments and Advances in Defense and Security},
volume = {152},
pages = {3--13},
publisher = {Springer Singapore},
address = {Singapore},
abstract = {Malicious applications are one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this is owed to the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware sample to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment against a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.},
keywords = {Analysis-aware malware, Anti-analysis, Anti-instrumentation, Dynamic binary instrumentation},
pubstate = {published},
tppubtype = {inproceedings}
}
Uroz, Daniel; Rodríguez, Ricardo J
On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. 32, pp. 300917, 2020.
@article{UR-FSIDI-20,
title = {On Challenges in Verifying Trusted Executable Files in Memory Forensics},
author = {Daniel Uroz and Ricardo J Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/UR-FSIDI-20.pdf},
doi = {10.1016/j.fsidi.2020.300917},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {Forensic Science International: Digital Investigation},
volume = {32},
pages = {300917},
abstract = {Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware is abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored on disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes on the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and verifies their digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.},
keywords = {Authenticode, code signing, digital signature verification, memory forensics, Volatility},
pubstate = {published},
tppubtype = {article}
}
Shi, Yu; Chang, Xiaolin; Rodríguez, Ricardo J; Zhang, Zhenjiang; Trivedi, Kishor S
Quantitative security analysis of a dynamic network system under lateral movement-based attacks Journal Article
In: Reliability Engineering & System Safety, vol. 183, pp. 213–225, 2019, ISSN: 0951-8320.
@article{SCRZT-RESS-19,
title = {Quantitative security analysis of a dynamic network system under lateral movement-based attacks},
author = {Yu Shi and Xiaolin Chang and Ricardo J Rodríguez and Zhenjiang Zhang and Kishor S Trivedi},
url = {https://webdiis.unizar.es/~ricardo/files/papers/SCRZT-RESS-19.pdf},
doi = {10.1016/j.ress.2018.11.022},
issn = {0951-8320},
year = {2019},
date = {2019-01-01},
journal = {Reliability Engineering \& System Safety},
volume = {183},
pages = {213--225},
abstract = {Malicious lateral movement-based attacks have become a potential risk for many systems, bringing highly likely threats to critical infrastructures and national security. When launching this kind of attack, adversaries first compromise a fraction of the targeted system and then move laterally to the rest of the system until the whole system is infected. Various approaches have been proposed to study and/or defend against lateral movement-based attacks. However, few of them have studied the transient behaviors of dynamic attacking and dynamic targeted systems. This paper aims to analyze the transient security of a dynamic network system under lateral movement-based attacks from the time that attack-related abnormality in the system is detected until mechanisms are designed and deployed to defend against the attacks. We explore state-space modeling techniques to construct a survivability model for quantitative analysis. A phased piecewise constant approximation approach is also proposed to derive the formulas for calculating model state transient probabilities, from which we derive formulas for calculating the metrics of interest. The proposed approach allows both model state transition rates and the number of model states to be time-varying during the system recovery. Numerical analysis is carried out to investigate the impact of various dynamic system parameters on system security.},
keywords = {Dynamic transient analysis, Lateral movement-based attack, Non-homogeneous continuous-time Markov chain, Piecewise constant approximation},
pubstate = {published},
tppubtype = {article}
}
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams Journal Article
In: Expert Systems with Applications, vol. 124, pp. 156–163, 2019, ISSN: 0957-4174.
@article{SRS-ESWA-19,
title = {Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams},
author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas},
url = {https://webdiis.unizar.es/~ricardo/files/papers/SRS-ESWA-19.pdf},
doi = {10.1016/j.eswa.2019.01.050},
issn = {0957-4174},
year = {2019},
date = {2019-01-01},
journal = {Expert Systems with Applications},
volume = {124},
pages = {156--163},
abstract = {Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C\&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C\&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.},
keywords = {Domain generation algorithms, malware, Random Forest},
pubstate = {published},
tppubtype = {article}
}
Uroz, Daniel; Rodríguez, Ricardo J
Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics Journal Article
In: Digital Investigation, vol. 28, pp. S95–S104, 2019, ISSN: 1742-2876.
@article{UR-DIIN-19,
title = {Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics},
author = {Daniel Uroz and Ricardo J Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-19.pdf},
doi = {10.1016/j.diin.2019.01.026},
issn = {1742-2876},
year = {2019},
date = {2019-01-01},
journal = {Digital Investigation},
volume = {28},
pages = {S95--S104},
abstract = {Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.},
keywords = {Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry},
pubstate = {published},
tppubtype = {article}
}
Botas, Álvaro; Rodríguez, Ricardo J; Matellan, Vicente; Garcia, Juan F; Trobajo, M T; Carriegos, Miguel V
On Fingerprinting of Public Malware Analysis Services Journal Article
In: Logic Journal of the IGPL, 2019, ISSN: 1367-0751.
@article{BRMGTC-IGPL-19,
title = {On Fingerprinting of Public Malware Analysis Services},
author = {Álvaro Botas and Ricardo J Rodríguez and Vicente Matellan and Juan F Garcia and M T Trobajo and Miguel V Carriegos},
url = {https://webdiis.unizar.es/~ricardo/files/papers/BRMGTC-IGPL-19.pdf},
doi = {10.1093/jigpal/jzz050},
issn = {1367-0751},
year = {2019},
date = {2019-01-01},
journal = {Logic Journal of the IGPL},
abstract = {Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution in a virtual or sandbox environment; when an analysis environment is detected, the malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow one to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier it is for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.},
keywords = {Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability},
pubstate = {published},
tppubtype = {article}
}
Rodríguez, Ricardo J; Martín-Pérez, Miguel; Abadía, Iñaki
A Tool to Compute Approximation Matching between Windows Processes Inproceedings
In: Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 313–318, 2018.
@inproceedings{RMA-ISDFS-18,
title = {A Tool to Compute Approximation Matching between Windows Processes},
author = {Ricardo J Rodríguez and Miguel Martín-Pérez and Iñaki Abadía},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RMA-ISDFS-18.pdf},
doi = {10.1109/ISDFS.2018.8355372},
year = {2018},
date = {2018-01-01},
booktitle = {Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS)},
pages = {313--318},
abstract = {Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hash functions, such as MD5, SHA-1, or SHA-256, to name a few. However, these functions exhibit the avalanche effect property (a desirable property of a cryptographic hash by design), which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensic memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of the processes (instances of executable files) that were running when the dump was taken. However, processes are relocated in memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximate matching algorithms may help in these scenarios, since they provide a similarity measurement in the range $[0,1]$ between similar inputs instead of a yes/no answer (in the set $\{0,1\}$). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximate matching hash values of processes contained in a Windows memory dump.},
keywords = {bytewise approximate matching, forensic memory analysis, Volatility, Windows},
pubstate = {published},
tppubtype = {inproceedings}
}
Chang, Xiaolin; Lv, Shaohua; Rodríguez, Ricardo J; Trivedi, Kishor
Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System Inproceedings
In: Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN), pp. 1–6, 2018, ISSN: 1095-2055.
@inproceedings{CLRT-ICCCN-18,
title = {Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System},
author = {Xiaolin Chang and Shaohua Lv and Ricardo J Rodríguez and Kishor Trivedi},
url = {https://webdiis.unizar.es/~ricardo/files/papers/CLRT-ICCCN-18.pdf},
doi = {10.1109/ICCCN.2018.8487446},
issn = {1095-2055},
year = {2018},
date = {2018-01-01},
booktitle = {Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN)},
pages = {1--6},
abstract = {This paper aims to analyze the transient security and dependability of a vulnerable critical system, under a vulnerability-related attack and two reactive defense strategies, from a severe vulnerability announcement until the vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could cause significant damage to the infected system in terms of security and dependability while infecting more and more new vulnerable computer systems. We propose a Markov chain-based survivability model for capturing the vulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automatically generate and solve the survivability model. Survivability metrics are defined to quantify system attributes. The proposed model and metrics not only enable us to quantitatively assess the system survivability in terms of security risk and dependability, but also provide insights on the system investment decision. Numerical experiments are constructed to study the impact of key parameters on system security, dependability and profit.},
keywords = {Quantitative analysis, Reactive defense strategy, Security, Stochastic reward nets, Survivability},
pubstate = {published},
tppubtype = {inproceedings}
}
Rodríguez, Ricardo J; García de Quirós, Jorge
Desanonimización y categorización de servicios ocultos de la red Tor Inproceedings
In: Actas del VI Congreso Nacional de i+d en Defensa y Seguridad (DESEi+d 2018), pp. 259, 2018.
@inproceedings{RG-DESEid-18,
title = {Desanonimización y categorización de servicios ocultos de la red Tor},
author = {Rodríguez, Ricardo J and García de Quirós, Jorge},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RG-DESEid-18.pdf},
year = {2018},
date = {2018-01-01},
booktitle = {Actas del VI Congreso Nacional de i+d en Defensa y Seguridad (DESEi+d 2018)},
pages = {259},
keywords = {deanonymization, hidden services, privacy, Tor},
pubstate = {published},
tppubtype = {inproceedings}
}
Rodríguez, Ricardo J
Evolution and Characterization of Point-of-Sale RAM Scraping Malware Journal Article
In: Journal in Computer Virology and Hacking Techniques, vol. 13, no. 3, pp. 179–192, 2017, ISSN: 2263-8733.
@article{R-CVHT-17,
title = {Evolution and Characterization of Point-of-Sale RAM Scraping Malware},
author = {Ricardo J Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/R-CVHT-17.pdf},
doi = {10.1007/s11416-016-0280-4},
issn = {2263-8733},
year = {2017},
date = {2017-01-01},
journal = {Journal in Computer Virology and Hacking Techniques},
volume = {13},
number = {3},
pages = {179--192},
abstract = {Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchants' in-store systems, also known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing customer transactions, they are becoming a primary target for cybercriminals. These data, while they remain in memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches that occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware families based on their behavior at different stages: infection and persistence, process and data of interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show that these malware families are still immature and use well-defined behavioral patterns for data acquisition and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.},
keywords = {Evolution, malware, POS RAM scraping, Software security, Taxonomy},
pubstate = {published},
tppubtype = {article}
}
Rodríguez, Ricardo J; Garcia-Escartin, Juan Carlos
Security Assessment of the Spanish Contactless Identity Card Journal Article
In: IET Information Security, vol. 11, no. 6, pp. 386–393, 2017, ISSN: 1751-8709.
@article{RG-IFS-17,
title = {Security Assessment of the Spanish Contactless Identity Card},
author = {Ricardo J Rodríguez and Juan Carlos Garcia-Escartin},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RG-IFS-17.pdf},
doi = {10.1049/iet-ifs.2017.0299},
issn = {1751-8709},
year = {2017},
date = {2017-01-01},
journal = {IET Information Security},
volume = {11},
number = {6},
pages = {386--393},
publisher = {Institution of Engineering and Technology},
abstract = {The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to contract on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip, as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as a case study the recently deployed contactless Spanish identity card, assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocols as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.},
keywords = {contactless cards, identity cards, NFC, Security},
pubstate = {published},
tppubtype = {article}
}