Security assessment of the Spanish contactless identity card

The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies Recently, the Spanish identity card, which provides enough information to hire online products such as mortgages or loans, was updated to incorporate a near-field communication chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, they evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results

Quantification and compensation of the impact of faults in system throughput

Performability relates the performance (throughput) and reliability of software systems whose normal behaviour may degrade owing to the existence of faults. These systems, naturally modelled as discrete event systems using shared resources, can incorporate fault-tolerant techniques to mitigate such a degradation. In this article, compositional faulttolerant models based on Petri nets, which make its sensitive performability analysis easier, are proposed. Besides, two methods to compensate existence of faults are provided: an iterative algorithm to compute the number of extra resources needed, and an integer-linear programming problem that minimises the cost of incrementing resources and/or decrementing fault-tolerant activities. The applicability of the developed methods is shown on a Petri net that models a secure database system. Keywords Performability, fault-tolerant techniques, Petri nets, integer-linear programmin

Detection of algorithmically generated malicious domain names using masked N-grams

Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance

Empirical study to fingerprint public malware analysis services

The evolution of malicious software (malware) analysis tools provided controlled, isolated, and virtual environments to analyze malware samples. Several services are found on the Internet that provide to users automatic system to analyze malware samples, as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment. When analysis environment is detected, malware behave as a benign application or even show no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments. Finally, we propose a method to mitigate fingerprinting

Profiling the publish/subscribe paradigm for automated analysis using colored Petri nets

UML sequence diagrams are used to graphically describe the message interactions between the objects participating in a certain scenario. Combined fragments extend the basic functionality of UML sequence diagrams with control structures, such as sequences, alternatives, iterations, or parallels. In this paper, we present a UML profile to annotate sequence diagrams with combined fragments to model timed Web services with distributed resources under the publish/subscribe paradigm. This profile is exploited to automatically obtain a representation of the system based on Colored Petri nets using a novel model-to-model (M2M) transformation. This M2M transformation has been specified using QVT and has been integrated in a new add-on extending a state-of-the-art UML modeling tool. Generated Petri nets can be immediately used in well-known Petri net software, such as CPN Tools, to analyze the system behavior. Hence, our model-to-model transformation tool allows for simulating the system and finding design errors in early stages of system development, which enables us to fix them at these early phases and thus potentially saving development costs

Model-based sensitivity analysis of IaaS cloud availability

The increasing shift of various critical services towards Infrastructure-as-a-Service (IaaS) cloud data centers (CDCs) creates a need for analyzing CDCs’ availability, which is affected by various factors including repair policy and system parameters. This paper aims to apply analytical modeling and sensitivity analysis techniques to investigate the impact of these factors on the availability of a large-scale IaaS CDC, which (1) consists of active and two kinds of standby physical machines (PMs), (2) allows PM moving among active and two kinds of standby PM pools, and (3) allows active and two kinds of standby PMs to have different mean repair times. Two repair policies are considered: (P1) all pools share a repair station and (P2) each pool uses its own repair station. We develop monolithic availability models for each repair policy by using Stochastic Reward Nets and also develop the corresponding scalable two-level models in order to overcome the monolithic model''s limitations, caused by the large-scale feature of a CDC and the complicated interactions among CDC components. We also explore how to apply differential sensitivity analysis technique to conduct parametric sensitivity analysis in the case of interacting sub-models. Numerical results of monolithic models and simulation results are used to verify the approximate accuracy of interacting sub-models, which are further applied to examine the sensitivity of the large-scale CDC availability with respect to repair policy and system parameters

LSGAN-AT: enhancing malware detector robustness against adversarial examples

Adversarial Malware Example (AME)-based adversarial training can effectively enhance the robustness of Machine Learning (ML)-based malware detectors against AME. AME quality is a key factor to the robustness enhancement. Generative Adversarial Network (GAN) is a kind of AME generation method, but the existing GAN-based AME generation methods have the issues of inadequate optimization, mode collapse and training instability. In this paper, we propose a novel approach (denote as LSGAN-AT) to enhance ML-based malware detector robustness against Adversarial Examples, which includes LSGAN module and AT module. LSGAN module can generate more effective and smoother AME by utilizing brand-new network structures and Least Square (LS) loss to optimize boundary samples. AT module makes adversarial training using AME generated by LSGAN to generate ML-based Robust Malware Detector (RMD). Extensive experiment results validate the better transferability of AME in terms of attacking 6 ML detectors and the RMD transferability in terms of resisting the MalGAN black-box attack. The results also verify the performance of the generated RMD in the recognition rate of AME. © 2021, The Author(s)

Using quantitative dynamic adaptive policy pathways to manage climate change-induced coastal erosion

ABSTRACT: Adaptation requires planning strategies that consider the combined effect of climatic and non-climatic drivers, which are deeply uncertain. This uncertainty arises from many sources, cascades and accumulates in risk estimates. A prominent trend to incorporate this uncertainty in adaptation planning is through adaptive approaches such as the dynamic adaptive policy pathways (DAPP). We present a quantitative DAPP application for coastal erosion management to increase its utilisation in this field. We adopt an approach in which adaptation objectives and actions have continuous quantitative metrics that evolve over time as conditions change. The approach hinges on an adaptation information system that comprises hazard and impact modelling and systematic monitoring to assess changing risks and adaptation signals in the light of adaptation pathway choices. Using an elaborated case study, we force a shoreline evolution model with waves and storm surges generated by means of stochastic modelling from 2010 to 2100, considering uncertainty in extreme weather events, climate variability and mean sea-level rise. We produce a new type of adaptation pathways map showing a set of 90-year probabilistic trajectories that link changing objectives (e.g., no adaptation, limit risk increase, avoid risk increase) and nourishment placement over time. This DAPP approach could be applied to other domains of climate change adaptation bringing a new perspective in adaptive planning under deep uncertainty.Alexandra Toimil acknowledges the financial support from the FENIX Project funded by the Government of Cantabria. This research was also funded by the Spanish Government through the grant RISKCOADAPT (BIA2017-89401-R)