
    Ransomware: An Interdisciplinary Technical and Legal Approach

    Ransomware has constituted a prevalent global cybersecurity threat for several years, but at present it is almost pandemic. To a large extent, the growth of this criminal practice is due to its high economic efficiency and high degree of impunity. Efficiency is mainly a consequence of its high and sophisticated technical development (more varieties, more devices to run it on and more functional complexity), while impunity is mostly the result of shortcomings and gaps in legal regulation. However, both aspects are closely related, as combating ransomware requires adopting and integrating technical solutions and legal sanctions with an interdisciplinary approach. Regretfully, the analysis of ransomware's background, theoretical framework and practice shows a vast majority of technical proposals and a lack of either interdisciplinary or legal studies. The technical as well as the legal dimensions of ransomware need to be addressed to properly understand the scope and nature of the problem and its potential solutions. Following this approach, some basic guidelines about defense, mitigation and sanction methods are proposed in order to reach a feasible response to the challenge of defeating ransomware. These include the definition of ransomware as an autonomous offence. After setting out the main results of the doctrine, the conclusion section specifies the solutions drawn from such an interdisciplinary technical-legal approach.
    Spanish Government; European Commission; PID2020-114495RB-I0

    Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

    Ministerio de Economia y Competitividad, Grant/Award Number: TIN2017-83494-R
    After several years, crypto‐ransomware attacks still constitute a principal threat for individuals and organisations worldwide. Despite the fact that a number of solutions have been deployed to fight this plague, one main challenge is that of early reaction, since merely detecting its occurrence can be useless for avoiding the pernicious effects of the malware. With this aim, the authors introduced in a previous work a novel antiransomware tool for Unix platforms named R‐Locker. The proposal relies on a honeyfile‐based approach, where ‘infinite’ trap files are disseminated around the target filesystem for early detection and to effectively block the ransomware action. The authors extend the tool here with three main new contributions. First, R‐Locker is migrated to Windows platforms, where specific differences exist regarding FIFO handling. Second, the global management of the honeyfiles around the target filesystem is improved to maximise protection. Finally, blocking suspicious ransomware is (semi‐)automated through the dynamic use of white‐/black‐lists. As in the original work for Unix systems, the new Windows version of R‐Locker shows high effectiveness and efficiency in thwarting ransomware action.
    Spanish Government TIN2017-83494-

    Multi-Labeling of Complex, Multi-Behavioral Malware Samples

    The use of malware samples is usually required to test cybersecurity solutions. For that, the correct typology of the samples is of interest in order to properly estimate the performance exhibited by the tools under evaluation. Although several malware datasets are publicly available at present, most of them are not labeled or, if so, only one class or tag is assigned to each malware sample. We argue that a single label is not enough to represent the complex behavior usually exhibited by most current malware. With this hypothesis in mind, and based on the varied classifications generally provided by automatic detection engines for each sample, we introduce here a simple multi-labeling approach to automatically tag the usual multiple behaviors of malware samples. In the paper, we first analyze the coherence between the behaviors exhibited by a number of well-known malware samples dissected in the literature and the multiple tags provided for them by our labeling proposal. After that, the automatic multi-labeling scheme is executed over four public Android malware datasets, and the results and statistics obtained regarding their composition and representativeness are discussed. We share the multi-labeling tool developed in a GitHub repository for public usage.

    Monitoring and Selection of Network Security Incidents Using EDA

    One of the greatest challenges faced by network security monitoring systems is the large volume of data, of diverse nature and relevance, that they must process for adequate presentation to the system administration team, while trying to incorporate the most relevant semantic information. This article proposes applying tools derived from exploratory data analysis (EDA) techniques to select the critical events on which the administrator should focus attention. Additionally, these tools are able to provide semantic information about the elements involved and their degree of involvement in the selected events. The proposal is presented and evaluated using the VAST 2012 challenge as a case study, obtaining highly satisfactory results.
    This work has been partially funded by MICINN through project TEC2011-22579.

    Protocol for the Notification and Alerting of Security Events in Ad-hoc Networks

    The traditional security lines of defence for protecting a given system are prevention, detection and response. Although on paper these modules should interoperate in order to achieve comprehensive security, they are generally conceived and adopted as independent solutions. This work addresses the study and development of a protocol for the notification and alerting of security events whose main purpose is to serve as an interface between the detection and response modules. Designed specifically for ad-hoc networks, its use makes it possible to inform the constituent elements of the monitored environment of the occurrence of a given detected malicious behaviour. This knowledge will be key to the subsequent execution of the appropriate response mechanisms. Also suitable for distributing information in collaborative detection/response processes, our proposal fills a clear gap in the field under study.
    This work has been partially funded by MICINN through project TEC2011-22579 and by MECD through a grant from the “Formación de Profesorado Universitario” programme (FPU, Ref.: AP2009-2926).

    Group-Wise Principal Component Analysis for Exploratory Intrusion Detection

    Intrusion detection is a relevant layer of cybersecurity to prevent hacking and illegal activities from happening on the assets of corporations. Anomaly-based Intrusion Detection Systems perform an unsupervised analysis on data collected from the network and end systems in order to identify singular events. While this approach may produce many false alarms, it is also capable of identifying new (zero-day) security threats. In this context, the use of multivariate approaches such as Principal Component Analysis (PCA) has provided promising results in the past. PCA can be used in exploratory mode or in learning mode. Here, we propose an exploratory intrusion detection approach that replaces PCA with Group-wise PCA (GPCA), a recently proposed data analysis technique with additional exploratory characteristics. A main advantage of GPCA over PCA is that the former yields simple models, easy to understand by security professionals not trained in multivariate tools. Besides, the workflow of intrusion detection with GPCA is more coherent with dominant strategies in intrusion detection. We illustrate the application of GPCA in two case studies.
    This work was supported in part by the Spanish Government-MINECO (Ministerio de Economía y Competitividad), using the Fondo Europeo de Desarrollo Regional (FEDER), under Projects TIN2014-60346-R and TIN2017-83494-R.

    Use of Confidence Values and Expectations in the SAPLEN Dialogue System

    The SAPLEN system (Sistema Automático de Pedidos en LEnguaje Natural, an automatic natural-language ordering system) is a natural-language dialogue system capable of handling queries and product orders from customers of fast-food restaurants. In this work we first present the methodology used to recognise the words in users' sentences during the development and testing of the system. We then discuss the types of word-recognition phenomena handled by the system. Next, we describe the use of confidence values and expectations to deal appropriately with some recognition errors. Finally, we discuss some lines of future work and conclusions.

    A Novel Zero-Trust Network Access Control Scheme based on the Security Profile of Devices and Users

    Security constitutes a principal concern for communication networks and services at present. Accordingly, threats must be kept under control to minimize risks over time in real environments. With this aim, we introduce here a new approach to access control aimed at strengthening security in corporate networks and service-provider environments. Our proposal, named SADAC (Security Attribute-based Dynamic Access Control), presents three main novel features: (i) security-related attributes regarding both configuration and operation are considered for the network access control of end devices/users; (ii) a dynamic supervision procedure is implemented to evaluate the security profile associated with devices/users over time and, where warranted, to apply the corresponding access restrictions; and (iii) the supervision procedure also permits diagnosing the causes of inadequate security behaviours, so that the end devices/users can adapt their configuration and/or operation. We describe the overall access control methodology as well as the aspects of its implementation. In particular, we present and evaluate the specific deployment of SADAC for a corporate WiFi environment supported on a Raspberry Pi-based AP that provides Internet access to mobile devices. From this experimentation we conclude that adopting the approach is advisable for improving security by minimizing risks in network and communication environments.

    PCA-based Multivariate Statistical Network Monitoring for Anomaly Detection

    The multivariate approach based on Principal Component Analysis (PCA) for anomaly detection received a lot of attention from the networking community a decade ago, mainly thanks to the work of Lakhina and co-workers. However, this work was criticized by several authors who claimed a number of limitations of the approach. Neither the original proposal nor the critical publications were completely aware of the established methodology for PCA anomaly detection, which by that time had been developed for more than three decades in the area of industrial monitoring and chemometrics as part of the Multivariate Statistical Process Control (MSPC) theory. In this paper, the main steps of the MSPC approach based on PCA are introduced; the related networking literature is reviewed, highlighting some differences with MSPC and drawbacks in those approaches; and the specificities and challenges in the application of MSPC to networking are analyzed. All of this is demonstrated through illustrative experimentation that supports our discussion and reasoning.