This research project is funded by the Spanish National Cybersecurity Institute (INCIBE) within the Public Invitation for collaboration in the promotion of Strategic Cybersecurity Projects in Spain. The project's own website, with more information, is available in Spanish.
A series of activities are proposed and grouped into six different actions, with different specific objectives, and directly related to the strategic objectives set by INCIBE. Each of these actions corresponds to a strategic line of research in cybersecurity that is intended to be carried out in our team at the University of Zaragoza.
These initiatives are carried out within the framework of the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation). This plan is the Government of Spain's roadmap for modernizing the Spanish economy, restoring economic growth and creating jobs, so as to achieve a solid, inclusive and resilient economic reconstruction after the COVID-19 crisis and to respond to the challenges of the next decade.
Specifically, these proposed initiatives are:
- Efficient and improved detection of algorithmically generated domains. Under this action, activities related to the study, development, and implementation of models based on machine learning for the detection of algorithmically generated domains are defined. These types of domains are commonly used by malicious actors to avoid identification and blocking of the domain names they use to control the systems they have infected.
- Automatic system for network protocol grammar and message format inference. This action covers activities related to the study, development, and implementation of an automatic system for inferring the grammar and message format of network protocols. The project, which focuses mainly on protocol reverse engineering, seeks to develop a distributed software system that automatically infers the grammar and message format of the network protocols used by malware.
- Integration of security micropolicies in compilers. This action defines activities related to new mitigation techniques against security problems: it proposes to improve the security of software systems by integrating security micropolicies directly into the compiler infrastructure. By defining a micropolicy specification language and an intermediate representation, the project aims at a mechanism that can be easily integrated into the software compilation process in order to improve the security of software systems.
- Analysis of risks and threats in the Android supply chain. The Android operating system is open source. This allows device manufacturers (e.g., Samsung, HTC, LG) to introduce improvements to the operating system that differentiate them from their competitors in the market, but it can also open the door to malicious actors, third-party code with privacy-intrusive practices, and vulnerabilities. In this action, new analysis techniques will be developed to detect and measure the customizations that different manufacturers make at the operating system level, together with a systematic, large-scale scientific study of the resulting risks to users' privacy and security. Among other aspects, the customizations that Android device manufacturers apply to network libraries and to other security-critical components, such as the permission system, will be detected and evaluated.
- Empirical risk analysis for emerging technologies. In this action, new methodologies and static and dynamic analysis tools will be designed, implemented and applied to detect and evaluate new risks to users' privacy and security in emerging technologies such as the Internet of Things or the Metaverse. The tools will produce empirical data to inform the design of new user protection mechanisms and regulatory efforts, and will also support two complementary scientific studies: one on the Internet of Things in the domestic sphere and another on the Metaverse. The tools and methodologies developed will enable new black-box product certification methods, either independently as required by the new EU Cyber Resilience Act, or for commercial purposes such as the independent certification of devices within the efforts established by the ioXt Alliance, an initiative led by industry players such as Google and Intel for the certification of digital devices and products.
- Response to crypto-ransomware incidents. This action defines activities related to post-execution response techniques after crypto-ransomware attacks. Through the development of appropriate software components, the project seeks to build an EDR software system that allows the recovery of files encrypted by crypto-ransomware after an attack, by extracting from system memory the keys used by the malware during the encryption process. Accordingly, the activities of this action aim not only to establish the current state of the art in this field, but also to develop software components that third parties can use to improve the security of their systems.