Wang, Yixiang; Liu, Jiqiang; Chang, Xiaolin; Wang, Jianhua; Rodríguez, Ricardo J.
AB-FGSM: AdaBelief Optimizer and FGSM-Based Approach to Generate Adversarial Examples Journal Article
In: Journal of Information Security and Applications, vol. 68, pp. 103227, 2022, ISSN: 2214-2126.
Abstract | Links | BibTeX | Tags: adversarial examples, deep learning, generalization, optimization, Security, Transferability
@article{WLCWR-JISA-22,
title = {AB-FGSM: AdaBelief Optimizer and FGSM-Based Approach to Generate Adversarial Examples},
author = {Yixiang Wang and Jiqiang Liu and Xiaolin Chang and Jianhua Wang and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/WLCWR-JISA-22.pdf},
doi = {10.1016/j.jisa.2022.103227},
issn = {2214-2126},
year = {2022},
date = {2022-08-01},
journal = {Journal of Information Security and Applications},
volume = {68},
pages = {103227},
abstract = {Deep neural networks (DNNs) can be misclassified by adversarial examples, which are legitimate inputs integrated with imperceptible perturbations at the testing stage. Extensive research has made progress for white-box adversarial attacks to craft adversarial examples with a high success rate. However, these crafted examples have a low success rate in misleading black-box models with defensive mechanisms. To tackle this problem, we design an AdaBelief based iterative Fast Gradient Sign Method (AB-FGSM) to generalize adversarial examples. By integrating the AdaBelief optimizer into the iterative-FGSM (I-FGSM), the generalization of adversarial examples is boosted, considering that the AdaBelief method can find the transferable adversarial point in the ε ball around the legitimate input on different optimization surfaces. We carry out white-box and black-box attacks on various adversarially trained models and ensemble models to verify the effectiveness and transferability of the adversarial examples crafted by AB-FGSM. Our experimental results indicate that the proposed AB-FGSM can efficiently and effectively craft adversarial examples in the white-box setting compared with state-of-the-art attacks. In addition, the transfer rate of adversarial examples is 4% to 21% higher than that of state-of-the-art attacks in the black-box manner.},
keywords = {adversarial examples, deep learning, generalization, optimization, Security, Transferability},
pubstate = {published},
tppubtype = {article}
}
Deep neural networks (DNNs) can be misclassified by adversarial examples, which are legitimate inputs integrated with imperceptible perturbations at the testing stage. Extensive research has made progress for white-box adversarial attacks to craft adversarial examples with a high success rate. However, these crafted examples have a low success rate in misleading black-box models with defensive mechanisms. To tackle this problem, we design an AdaBelief based iterative Fast Gradient Sign Method (AB-FGSM) to generalize adversarial examples. By integrating the AdaBelief optimizer into the iterative-FGSM (I-FGSM), the generalization of adversarial examples is boosted, considering that the AdaBelief method can find the transferable adversarial point in the ε ball around the legitimate input on different optimization surfaces. We carry out white-box and black-box attacks on various adversarially trained models and ensemble models to verify the effectiveness and transferability of the adversarial examples crafted by AB-FGSM. Our experimental results indicate that the proposed AB-FGSM can efficiently and effectively craft adversarial examples in the white-box setting compared with state-of-the-art attacks. In addition, the transfer rate of adversarial examples is 4% to 21% higher than that of state-of-the-art attacks in the black-box manner.
Chang, Xiaolin; Lv, Shaohua; Rodríguez, Ricardo J; Trivedi, Kishor
Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System Proceedings Article
In: Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN), pp. 1–6, 2018, ISSN: 1095-2055.
Abstract | Links | BibTeX | Tags: Quantitative analysis, Reactive defense strategy, Security, Stochastic reward nets, Survivability
@inproceedings{CLRT-ICCCN-18,
title = {Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System},
author = {Xiaolin Chang and Shaohua Lv and Ricardo J Rodríguez and Kishor Trivedi},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CLRT-ICCCN-18.pdf},
doi = {10.1109/ICCCN.2018.8487446},
issn = {1095-2055},
year = {2018},
date = {2018-01-01},
booktitle = {Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN)},
pages = {1--6},
abstract = {This paper aims to analyze transient security and dependability of a vulnerable critical system, under vulnerability-related attack and two reactive defensestrategies, from a severe vulnerability announcement untilthe vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could causesignificant damage to the infected system in terms ofsecurity and dependability while infecting more and morenew vulnerable computer systems. We propose a Markov chain-based survivability model for capturing thevulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automaticallygenerate and solve the survivability model. Survivabilitymetrics are defined to quantify system attributes. The proposed model and metrics not only enable us toquantitatively assess the system survivability in terms ofsecurity risk and dependability, but also provide insights onthe system investment decision. Numerical experiments areconstructed to study the impact of key parameters on systemsecurity, dependability and profit.},
keywords = {Quantitative analysis, Reactive defense strategy, Security, Stochastic reward nets, Survivability},
pubstate = {published},
tppubtype = {inproceedings}
}
This paper aims to analyze transient security and dependability of a vulnerable critical system, under vulnerability-related attack and two reactive defensestrategies, from a severe vulnerability announcement untilthe vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could causesignificant damage to the infected system in terms ofsecurity and dependability while infecting more and morenew vulnerable computer systems. We propose a Markov chain-based survivability model for capturing thevulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automaticallygenerate and solve the survivability model. Survivabilitymetrics are defined to quantify system attributes. The proposed model and metrics not only enable us toquantitatively assess the system survivability in terms ofsecurity risk and dependability, but also provide insights onthe system investment decision. Numerical experiments areconstructed to study the impact of key parameters on systemsecurity, dependability and profit.
Rodríguez, Ricardo J; Garcia-Escartin, Juan Carlos
Security Assessment of the Spanish Contactless Identity Card Journal Article
In: IET Information Security, vol. 11, no. 6, pp. 386–393(7), 2017, ISSN: 1751-8709.
Abstract | Links | BibTeX | Tags: contactless cards, identity cards, NFC, Security
@article{RG-IFS-17,
title = {Security Assessment of the Spanish Contactless Identity Card},
author = {Ricardo J Rodríguez and Juan Carlos Garcia-Escartin},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RG-IFS-17.pdf},
doi = {10.1049/iet-ifs.2017.0299},
issn = {1751-8709},
year = {2017},
date = {2017-01-01},
journal = {IET Information Security},
volume = {11},
number = {6},
pages = {386--393(7)},
publisher = {Institution of Engineering and Technology},
abstract = {The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.},
keywords = {contactless cards, identity cards, NFC, Security},
pubstate = {published},
tppubtype = {article}
}
The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.
Rodríguez, Ricardo J; Merseguer, José; Bernardi, Simona
Modelling Security of Critical Infrastructures: A Survivability Assessment Journal Article
In: The Computer Journal, vol. 58, no. 10, pp. 2313–2327, 2015.
Abstract | Links | BibTeX | Tags: Security, sensitive analysis, software system engineering, Survivability, UML
@article{RMB-COMPJ-15,
title = {Modelling Security of Critical Infrastructures: A Survivability Assessment},
author = {Ricardo J Rodríguez and José Merseguer and Simona Bernardi},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RMB-COMPJ-15.pdf},
doi = {10.1093/comjnl/BXU096},
year = {2015},
date = {2015-10-01},
journal = {The Computer Journal},
volume = {58},
number = {10},
pages = {2313--2327},
abstract = {Critical infrastructures, usually designed to handle disruptions caused by human errors or random acts of nature, define assets whose normal operation must be guaranteed to maintain its essential services for human daily living. Malicious intended attacks to these targets need to be considered during system design. To face with these situations, defense plans must be developed in advance. In this paper, we present a UML profile, named SecAM, that enables the modelling and security specification for critical infrastructures during the early phases (requirements, design) of systems development life-cycle. SecAM endows security assessment, through survivability analysis, of different security solutions before system deployment. As a case study, we evaluate the survivability of the Saudi Arabia crude-oil pipeline network under two different attack scenarios. The stochastic analysis, carried out with Generalized Stochastic Petri nets, quantitatively estimates the minimisation of attack damages into the crude-oil network.},
keywords = {Security, sensitive analysis, software system engineering, Survivability, UML},
pubstate = {published},
tppubtype = {article}
}
Critical infrastructures, usually designed to handle disruptions caused by human errors or random acts of nature, define assets whose normal operation must be guaranteed to maintain its essential services for human daily living. Malicious intended attacks to these targets need to be considered during system design. To face with these situations, defense plans must be developed in advance. In this paper, we present a UML profile, named SecAM, that enables the modelling and security specification for critical infrastructures during the early phases (requirements, design) of systems development life-cycle. SecAM endows security assessment, through survivability analysis, of different security solutions before system deployment. As a case study, we evaluate the survivability of the Saudi Arabia crude-oil pipeline network under two different attack scenarios. The stochastic analysis, carried out with Generalized Stochastic Petri nets, quantitatively estimates the minimisation of attack damages into the crude-oil network.
Vila, José; Rodríguez, Ricardo J
Practical Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited Proceedings Article
In: Proceedings of the 11th International Workshop on RFID Security (RFIDsec), pp. 87–103, Springer, 2015.
Abstract | Links | BibTeX | Tags: Android, contactless cards, contactless payment, NFC, relay attacks, Security
@inproceedings{VR-RFIDsec-15,
title = {Practical Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited},
author = {José Vila and Ricardo J Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/VR-RFIDsec-15.pdf},
doi = {10.1007/978-3-319-24837-0_6},
year = {2015},
date = {2015-01-01},
booktitle = {Proceedings of the 11th International Workshop on RFID Security (RFIDsec)},
volume = {9440},
pages = {87--103},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
abstract = {Near Field Communication (NFC) is a short-range contactless communication standard recently emerging as cashless payment technology. However, NFC has been proved vulnerable to several threats, such as eavesdropping, data modification, and relay attacks. A relay attack forwards the entire wireless communication, thus communicating over larger distances. In this paper, we review and discuss feasibility limitations when performing these attacks in Google's Android OS. We show an experiment proving its feasibility using off-the-shelf NFC-enabled Android devices (i.e., no custom firmware nor root required). Thus, Android NFC-capable malicious software might appear before long to virtually pickpocket contactless payment cards within its proximity.},
keywords = {Android, contactless cards, contactless payment, NFC, relay attacks, Security},
pubstate = {published},
tppubtype = {inproceedings}
}
Near Field Communication (NFC) is a short-range contactless communication standard recently emerging as cashless payment technology. However, NFC has been proved vulnerable to several threats, such as eavesdropping, data modification, and relay attacks. A relay attack forwards the entire wireless communication, thus communicating over larger distances. In this paper, we review and discuss feasibility limitations when performing these attacks in Google's Android OS. We show an experiment proving its feasibility using off-the-shelf NFC-enabled Android devices (i.e., no custom firmware nor root required). Thus, Android NFC-capable malicious software might appear before long to virtually pickpocket contactless payment cards within its proximity.
Rodríguez, Ricardo J; Merseguer, José; Bernardi, Simona
Modelling and Analysing Resilience as a Security Issue within UML Proceedings Article
In: Proceedings of the 2nd International Workshop on Software Engineering for Resilient Systems (SERENE), pp. 42–51, ACM, London, United Kingdom, 2010.
Abstract | Links | BibTeX | Tags: Petri nets, Petri nets, Security, software system engineering, UML
@inproceedings{RMB-SERENE-10,
title = {Modelling and Analysing Resilience as a Security Issue within UML},
author = {Ricardo J Rodríguez and José Merseguer and Simona Bernardi},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RMB-SERENE-10.pdf},
doi = {10.1145/2401736.2401741},
year = {2010},
date = {2010-04-01},
booktitle = {Proceedings of the 2nd International Workshop on Software Engineering for Resilient Systems (SERENE)},
pages = {42--51},
publisher = {ACM},
address = {London, United Kingdom},
abstract = {Modelling system security is not common practise in software projects yet. Among other problems, there is not a widely accepted methodology which unifies the actual heterogeneity of security issues when addressing a whole security specification. Certainly, the reality is even worse since there is not an accepted or standard common notation for carrying out the security specification. In this work, we study how modelling security issues, specifically resilience, could be integrated in the MARTE-DAM framework, which allows the expression of performance and dependability requirements in UML models. We base this claim on the close relationship between security and dependability. Indeed, MARTE proposes a framework for non-functional properties specification (NFP), while DAM exploits it for dependability purposes. So, our goal is to take advantage of the common NFP framework while the dependability and security concerns are modelled in a unified view. On the other hand, we consider that the resulting security specification will be useful for developing model in which security related properties, such as availability, will be analysed. We will clarify these claims by means of an example.},
keywords = {Petri nets, Petri nets, Security, software system engineering, UML},
pubstate = {published},
tppubtype = {inproceedings}
}
Modelling system security is not common practise in software projects yet. Among other problems, there is not a widely accepted methodology which unifies the actual heterogeneity of security issues when addressing a whole security specification. Certainly, the reality is even worse since there is not an accepted or standard common notation for carrying out the security specification. In this work, we study how modelling security issues, specifically resilience, could be integrated in the MARTE-DAM framework, which allows the expression of performance and dependability requirements in UML models. We base this claim on the close relationship between security and dependability. Indeed, MARTE proposes a framework for non-functional properties specification (NFP), while DAM exploits it for dependability purposes. So, our goal is to take advantage of the common NFP framework while the dependability and security concerns are modelled in a unified view. On the other hand, we consider that the resulting security specification will be useful for developing model in which security related properties, such as availability, will be analysed. We will clarify these claims by means of an example.