Investigación en Ciberseguridad
Proceedings of the VI Jornadas Nacionales de Investigación en Ciberseguridad (JNIC2021 LIVE)

Online, 9-10 June 2021
Universidad de Castilla-La Mancha

Editors:
Manuel A. Serrano,
Eduardo Fernández-Medina,
Cristina Alcaraz,
Noemí de Castro,
Guillermo Calvo

Cuenca, 2021
© of the texts and illustrations: their authors
© of this edition: Universidad de Castilla-La Mancha

Published by: Ediciones de la Universidad de Castilla-La Mancha.

Colección JORNADAS Y CONGRESOS n.º 34

This publisher is a member of the UNE, which guarantees the distribution and marketing of its publications nationally and internationally.

I.S.B.N.: 978-84-9044-463-4
D.O.I.: http://doi.org/10.18239/jornadas_2021.34.00

This work is licensed under a Creative Commons CC BY 4.0 International license. Any form of reproduction, distribution, public communication or transformation of this work not covered by the Creative Commons CC BY 4.0 license may only be carried out with the express authorization of the rights holders, except where provided by law. The full text of the license is available at: https://creativecommons.org/licenses/by/4.0/deed.es

Hecho en España (U.E.) – Made in Spain (E.U.)
Welcome from the Organizing Committee

After the halt caused by the pandemic in 2020, the VI Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) return on 9 and 10 June 2021 with renewed energy and, for the first time in their history, in a 100% online format. This edition of JNIC is organized by the GSyA and Alarcos groups of the Universidad de Castilla-La Mancha in Ciudad Real, with the active collaboration of the executive committee, the chairs of the different program committees and the Instituto Nacional de Ciberseguridad (INCIBE). It thus continues the consolidation of a conference that was held for the first time in León in 2015, followed by Granada, Madrid, San Sebastián and Cáceres consecutively until 2019, and which under normal conditions would have been held in Ciudad Real in 2020.

These conferences have become a meeting point for the most relevant actors in the field of cybersecurity in Spain. They not only present some of the leading scientific work in the various areas of cybersecurity, but also pay special attention to training and educational innovation in cybersecurity, and to the connection with industry through technology transfer proposals. So much so that this year the Transfer Program introduces some changes to its operation and development, designed with the intention of improving it and making it more valuable for the whole cybersecurity research community.

In addition, JNIC will feature exceptional speakers (Soledad Antelada, of the Lawrence Berkeley National Laboratory; Ramsés Gallego, of Micro Focus; and Mónica Mateos, of the Mando Conjunto de Ciberdefensa) in three invited talks, and two round tables will be held. These will include the participation of the most relevant organizations in the industrial, social and entrepreneurial landscape of cybersecurity, analyzing and debating the role that cybersecurity is taking in different relevant areas.

In this edition of JNIC three types of research contributions have been established: the classic long papers presenting original research, short papers presenting research at a more preliminary stage, and extended abstracts of highly relevant, high-impact cybersecurity publications published between 2019 and 2021. For training and educational innovation contributions, and also for transfer contributions, only long papers have been considered. A total of 86 contributions were received for evaluation, consisting of 26, 27 and 33 long papers, short papers and already published abstracts, of which the respective program committees accepted 21, 19 and 27, respectively. Overall, the acceptance rate was 77%. These figures indicate a participation in the conference that continues to grow, and a maturity of the Spanish cybersecurity sector that already has a significant volume of high-impact publications.

The online format of this edition has motivated us to organize the conference in a more compact way, distinguishing for the first time between plenary activities (invited talks, round tables, the training and educational innovation session, the technology transfer session, together with the opening and closing) and parallel sessions for the presentation of scientific papers. Specifically, 10 scientific paper sessions have been organized in two parallel tracks, on the following topics: intrusion detection and anomaly management (I and II), cyberattacks and threat intelligence, forensic analysis and cybercrime, industrial cybersecurity, artificial intelligence and cybersecurity, governance and risk, emerging technologies and training, cryptography, and finally privacy.

In this edition two special issues of journals with a high impact factor have been organized so that the authors of the scientific papers best rated by the scientific program committee can submit extended versions of those papers. Additionally, awards have been given to the best paper in each category. Within the framework of JNIC we have also had the participation of the Red de Excelencia Nacional de Investigación en Ciberseguridad (RENIC), promoting cybersecurity through the presentation of the awards for the Best Master's Thesis in Cybersecurity and the Best Doctoral Thesis in Cybersecurity. We also wanted to bring young cybersecurity talent closer to JNIC through a CTF (Capture The Flag) organized by the Universidad de Extremadura and sponsored by Viewnext.

From the team that has organized JNIC2021 we wish to thank all the people and organizations that have made it possible, starting with the authors of the submitted papers and the attendees, the three invited speakers, the people and organizations taking part in the two round tables, the members of the different program committees for their valuable comments during the review process and their collaboration during the internal discussion and debate phases, the session chairs, the Universidad de Extremadura for organizing the CTF and the company Viewnext for sponsoring it, the ICT staff of UCLM for their support with the communication platform, the UCLM volunteers, and the other sponsoring organizations and entities, among them the Escuela Superior de Informática, the Departamento de Tecnologías y Sistemas de Información and the Instituto de Tecnologías y Sistemas de Información, all of the Universidad de Castilla-La Mancha, the RENIC network, the chairs (Telefónica and Indra) and classrooms (Avanttic and Alpinia) of the Escuela Superior de Informática, the company Cojali, and very especially, for its support and contribution, INCIBE itself.

Manuel A. Serrano, Eduardo Fernández-Medina
Chairs of the Organizing Committee
Cristina Alcaraz
Chair of the Scientific Program Committee
Noemí de Castro
Chair of the Training and Educational Innovation Program Committee
Guillermo Calvo Flores
Chair of the Technology Transfer Committee
Table of Contents

Executive Committee ...... 11
Organizing Committee ...... 12
Scientific Program Committee ...... 13
Training and Educational Innovation Program Committee ...... 15
Technology Transfer Committee ...... 17

Papers
Research Session A1: Intrusion detection and anomaly management I ...... 21
Research Session A2: Intrusion detection and anomaly management II ...... 55
Research Session A3: Cyberattacks and threat intelligence ...... 91
Research Session A4: Forensic analysis and cybercrime ...... 107
Research Session A5: Industrial cybersecurity and applications ...... 133
Research Session B1: Artificial Intelligence in cybersecurity ...... 157
Research Session B2: Governance and risk management ...... 187
Research Session B3: Emerging technologies and cybersecurity training ...... 215
Research Session B4: Cryptography ...... 235
Research Session B5: Privacy ...... 263
Technology Transfer Session ...... 291
Training and Educational Innovation Session ...... 301

RENIC Awards ...... 343

Sponsors ...... 349
Executive Committee

Juan Díez González                 INCIBE
Luis Javier García Villalba        Universidad Complutense de Madrid
Eduardo Fernández-Medina Patón     Universidad de Castilla-La Mancha
Guillermo Suárez-Tangil            IMDEA Networks Institute
Andrés Caro Lindo                  Universidad de Extremadura
Pedro García Teodoro               Universidad de Granada. RENIC network representative
Noemí de Castro García             Universidad de León
Rafael María Estepa Alonso         Universidad de Sevilla
Pedro Peris López                  Universidad Carlos III de Madrid
Organizing Committee

Chairs of the Organizing Committee
   Eduardo Fernández-Medina Patón       Universidad de Castilla-La Mancha
   Manuel Ángel Serrano Martín          Universidad de Castilla-La Mancha

Finance
   David García Rosado                  Universidad de Castilla-La Mancha
   Luis Enrique Sánchez Crespo          Universidad de Castilla-La Mancha

Proceedings
   Antonio Santos-Olmo Parra            Universidad de Castilla-La Mancha

Dissemination
   Julio Moreno García-Nieto            Universidad de Castilla-La Mancha
   José Antonio Cruz Lemus              Universidad de Castilla-La Mancha
   María A Moraga de la Rubia           Universidad de Castilla-La Mancha

Webmaster
   Aurelio José Horneros Cano           Universidad de Castilla-La Mancha

Logistics and Organization
   Ignacio García-Rodriguez de Guzmán   Universidad de Castilla-La Mancha
   Ismael Caballero Muñoz-Reja          Universidad de Castilla-La Mancha
   Gregoria Romero Grande               Universidad de Castilla-La Mancha
   Natalia Sanchez Pinilla              Universidad de Castilla-La Mancha
Scientific Program Committee

Chair
   Cristina Alcaraz Tello                 Universidad de Málaga

Members
   Aitana Alonso Nogueira                 INCIBE
   Marcos Arjona Fernández                ElevenPaths
   Ana Ayerbe Fernández-Cuesta            Tecnalia
   Marta Beltrán Pardo                    Universidad Rey Juan Carlos
   Carlos Blanco Bueno                    Universidad de Cantabria
   Jorge Blasco Alís                      Royal Holloway, University of London
   Pino Caballero-Gil                     Universidad de La Laguna
   Andrés Caro Lindo                      Universidad de Extremadura
   Jordi Castellà Roca                    Universitat Rovira i Virgili
   José M. de Fuentes García-Romero de Tejada   Universidad Carlos III de Madrid
   Jesús Esteban Díaz Verdejo             Universidad de Granada
   Josep Lluis Ferrer Gomila              Universitat de les Illes Balears
   Dario Fiore                            IMDEA Software Institute
   David García Rosado                    Universidad de Castilla-La Mancha
   Pedro García Teodoro                   Universidad de Granada
   Luis Javier García Villalba            Universidad Complutense de Madrid
   Iñaki Garitano Garitano                Mondragon Unibertsitatea
   Félix Gómez Mármol                     Universidad de Murcia
   Lorena González Manzano                Universidad Carlos III de Madrid
   María Isabel González Vasco            Universidad Rey Juan Carlos
   Julio César Hernández Castro           University of Kent
   Luis Hernández Encinas                 CSIC
   Jorge López Hernández-Ardieta          Banco Santander
   Javier López Muñoz                     Universidad de Málaga
   Rafael Martínez Gasca                  Universidad de Sevilla
   Gregorio Martínez Pérez                Universidad de Murcia
   David Megías Jiménez                   Universitat Oberta de Catalunya
   Luis Panizo Alonso                     Universidad de León
   Fernando Pérez González                Universidad de Vigo
   Aljosa Pasic                           ATOS
   Ricardo J. Rodríguez                   Universidad de Zaragoza
   Fernando Román Muñoz                   Universidad Complutense de Madrid
   Luis Enrique Sánchez Crespo            Universidad de Castilla-La Mancha
   José Soler                             Technical University of Denmark-DTU
   Miguel Soriano Ibáñez                  Universitat Politècnica de Catalunya
   Victor A. Villagrá González            Universidad Politécnica de Madrid
   Urko Zurutuza Ortega                   Mondragon Unibertsitatea
   Lilian Adkinson Orellana               Gradiant
   Juan Hernández Serrano                 Universitat Politècnica de Catalunya
Training and Educational Innovation Program Committee

Chair
   Noemí De Castro García                Universidad de León

Members
   Adriana Suárez Corona                 Universidad de León
   Raquel Poy Castro                     Universidad de León
   José Carlos Sancho Núñez              Universidad de Extremadura
   Isaac Agudo Ruiz                      Universidad de Málaga
   Ana Isabel González-Tablas Ferreres   Universidad Carlos III de Madrid
   Xavier Larriva                        Universidad Politécnica de Madrid
   Ana Lucila Sandoval Orozco            Universidad Complutense de Madrid
   Lorena González Manzano               Universidad Carlos III de Madrid
   María Isabel González Vasco           Universidad Rey Juan Carlos
   David García Rosado                   Universidad de Castilla-La Mancha
   Sara García Bécares                   INCIBE
Technology Transfer Committee

Chair
   Guillermo Calvo Flores        INCIBE

Members
   José Luis González Sánchez    COMPUTAEX
   Marcos Arjona Fernández       ElevenPaths
   Victor Villagrá González      Universidad Politécnica de Madrid
   Luis Enrique Sánchez Crespo   Universidad de Castilla-La Mancha
Research Session B3: Emerging technologies and cybersecurity training
http://doi.org/10.18239/jornadas_2021.34.52

Exploring the Affordances of Multimodal Data to Improve Cybersecurity Training with Cyber Range Environments

Mariano Albaladejo-González, Sofia Strukova, José A. Ruipérez-Valiente, Félix Gómez Mármol
Department of Information and Communications Engineering, University of Murcia
Calle Campus Universitario, 30100 Murcia (Spain)
{mariano.albaladejog, strukovas, jruiperez, felixgm}@um.es

Abstract—The constant stream of cybersecurity breaches reported in recent years underlines the need to raise the number of cybersecurity experts able to tackle such threats. Educational technology can help by providing more immersive and realistic training environments, and within this context cyber range systems are one of the foremost solutions. However, these systems might not provide rich and detailed feedback to instructors and students regarding the performance in each cyberexercise. In this paper we discuss the potential of multimodal data, including clickstream, console commands, biometrics, and other sensor data, to improve the feedback and evaluation process in cyber range environments. We present the affordances that these techniques can bring to cybersecurity training as well as a preliminary architecture to implement them. We argue that these technologies can become a new generation of high-quality, realistic, and adaptive cybersecurity training with a dual (civil and military) impact on our society.

Index Terms—Cyber range, cybersecurity training, multimodal learning analytics, educational technology.

Contribution type: Research in progress

I. INTRODUCTION

The last decade has made exceptionally clear the utmost necessity of growing the number and quality of cybersecurity experts that can design secure systems and respond to potential threats. Every week we hear of new security breaches and scandals that jeopardize entire companies and the privacy of their users. The respondents of ISACA's State of Cybersecurity 2020 indicated that 53% of them were expecting a cyberattack within 12 months. Moreover, Cybersecurity Ventures predicted that cybercrime will produce damages totaling $6 trillion USD globally in 2021, a prediction based on recent year-over-year growth [1]. To face this problem, there is an overall agreement on the need to increase the quality of the training that these specialists receive [2]. However, a research report that interviewed over 300 cybersecurity professionals indicated that only 38% of them are happy with the level of training that they are receiving [3].

In this sense, educational technology training tools can play a pivotal role in the training quality that professionals receive. Within this context, we are especially focused on cyber ranges, which are well-defined virtualized environments where trainees can carry out practical hands-on activities that much more closely resemble real cybersecurity operations. There are a good number of prominent cyber range examples in the literature [4], [5], [6]. These can represent realistic cybersecurity scenarios in safe sandbox environments where the trainees can attempt to attack a network system (red team) or defend a system against an adversary attack (blue team). These cyberexercises much more closely resemble the real-world situations that these professionals will need to face when an actual threat emerges.

However, one of the handicaps of the current state of the art of these environments is a low emphasis on performing effective automatic evaluations and providing feedback based on the trainee's performance in the cyberexercise. For example, a recent literature review of cyber range environments that inspected all existing ones to date only mentioned that the evaluation can be done either manually (with human intervention) or automatically (based on an algorithm and key variables of the cyberexercise) [7]. The majority of cyber ranges provide very limited feedback on the process that the trainee followed to solve or fail the cyberexercise. For example, a capture-the-flag cyberexercise where an attacker needs to gain admin privileges and access a hidden code [8] might provide as its only feedback to the instructor that the trainee knows said hidden code. Therefore, instructors cannot provide detailed and adapted feedback, nor perform a rich evaluation of the trainee that takes into account the diverse factors and actions that happened during the learning process.

To face this ambitious challenge, in this paper we argue for the potential of using multimodal data to improve such evaluation within the context of cyber ranges. To do so, we collect data from multiple sources, including clickstream data, console commands, biometrics and other sensor data. Then, we apply multimodal learning analytics, conducting signal processing and artificial intelligence to transform the raw multimodal data into rich information [9]. In the paper at hand, we present our current advances regarding how these multimodal data can be used to improve the evaluation and feedback of trainees in cyber range environments. More specifically, we have the following two objectives:
• To present the affordances of multimodal data to improve the training process in cyber range environments.
• To propose a preliminary architecture adapted to this specific scenario to accomplish such a goal.

The remainder of this paper is organized as follows: in Section II we present an overview of the affordances of multimodal data in cyber range environments, while in Section III we discuss our preliminary architecture. We finalize the paper in Section IV with conclusions and future research lines.

        II. M ULTIMODAL DATA IN C YBER R ANGE
                    E NVIRONMENTS
   The essential feature of a cyber range is the development of
isolated and safe environments. For this reason, the core of a
cyber range is virtualization, simulation and/or containeriza-
tion technologies that support these environments. In addition
to these technologies, a cyber range might also include front-
end technologies to provide easy access to such environments.
Their architecture isolates the users’ computers and external
networks from the environments that are running malware
[10]. We find that in cyber range platforms, it is rare to find
the presence of front-end dashboards that can monitor the
results of the cyberexercises. The few cyber ranges that offer
a dashboard show shallow information, measuring whether
the user has completed the exercise successfully and the time
required to do so. Our system aims to expand this state of the    Fig. 1. Potential devices used to monitor the user during the cyberexercises.
art with new measures of user skills and performance when
interacting with cyber ranges.
   The system requires data that can come from different          through the accelerometers and gyroscopes, among others.
sources to generate these news measures. For example, the            Figure 1 represents different devices collecting data
cyber range can generate data related to the users’ solution,     throughout the cyberexercises. The system uses all the col-
along with the number of attempts, the typed commands, the        lected data to calculate additional user performance metrics
proportion of unnecessary commands, and the quality of the        and skills. The users’ emotions during the cyberexercises
solutions. Furthermore, it is easy to collect data related to     can be estimated and classified depending on the valence
user’s telemetry adding keyboard and mouse monitoring tools       and arousal degrees [15]. The valence represents the level
in the front-end technologies, this is a common practice in       of positive or negative affectivity and arousal, the calming or
websites and apps for real-time and asynchronous tracking         excitement level. Thereby, we could infer states like anger,
[11]. These telemetry data can provide the following infor-       joy, sadness, and pleasure.
mation:                                                              In addition to the user emotions, the system could mea-
   • Keyboard patterns. These data are generated when the         sure more advanced skills closely related to the necessities
      user writes commands. It includes the typing speed and      of cybersecurity professionals. In real-world environments,
      the keystroke duration.                                     cybersecurity professionals can be under much pressure due
   • Clickstream. It represents how the user interacts with       to the impact of their decisions; for example, failing to
Research Session B3: Emerging technologies and cybersecurity training

the graphic interface of the environment. The clickstream includes the clicked elements, the click frequency, the click duration, and the mouse movement speed.

Our system aims to go further, including data collected by sensors and devices external to the cyber range. A camera and/or a kinetic device can obtain many interesting measures, such as eye tracking and the users' pose, position, and expression [12], [13]. Furthermore, we can add microphones to record the communication between the users [14].

In addition, we propose to measure physiological signals to get richer information about the users' state during the cyberexercises. Depending on the original context for which they are used, there are three types of devices to measure physiological signals: devices used in the medical field for diagnosis, devices used for research, and commercial devices aimed at the daily use of end users. Additionally, these devices can be placed on different parts of the body: for example, wristbands, chest straps, and brain-computer interfaces (BCIs) worn as a helmet. BCIs measure the electrical activity of the brain and can be used to estimate the emotions and moods of the users during the cyberexercises. Wristbands and chest straps can carry different types of sensors to measure heart rate, blood pressure, skin temperature, oxygen saturation, electrodermal activity (the measurement of the electrical activity of the skin), and the movement of the user measured

detect sniffers on an online shop can end up causing a data breach of 40 million card numbers and 70 million personal records stolen [16]. For this reason, it is interesting to evaluate the capacity to work under pressure, for example, through user stress or attention level [17]. Moreover, cyberattacks and their consequences can take place over an extended period of time [18]; for this reason, it is also interesting to measure user fatigue [19]. Teamwork skills are critical for cybersecurity professionals, as they will often be part of a larger, multidisciplinary team. The proposed multimodal system can be used to evaluate teamwork skills and how teamwork affects each user. All of these metrics aim to empower instructors with additional information to provide more nuanced feedback and assessment to cybersecurity students. The final goal is to improve the readiness of cybersecurity professionals to detect and resolve security breaches.

To implement the proposed system, it is essential to consider how invasive the devices are and whether they can be used for extended periods of time. Devices that are too invasive might endanger data collection by reducing the users' freedom of movement and making the cyber range experience more uncomfortable. Furthermore, it is important to consider the devices' cost, since some of them are quite expensive and can be used by only a single user at a time. Microphones, cameras, kinetic devices, and wearables are affordable solutions with
potential to measure useful constructs.

Finally, all the aforementioned types of data generated by trainees while using cyber range environments hold the potential to be used to adjust the cyberexercises to the current status of each specific trainee. This process, known as adaptive learning, has the goal of addressing the unique needs of each user [20]. In our case, we aim to dynamically adapt current cyberexercises to the knowledge of the trainee. Commands and clickstream data, along with the biometric signals of trainees, will allow us to analyze and compare the results of the different simulations to progressively improve subsequent training sessions and, therefore, maintain the optimal balance between the trainees' knowledge and the difficulty of each exercise.

III. PRELIMINARY ARCHITECTURE

A. Description of the training process

Our system is used by: 1) the trainees, who interact with the learning contents and generate the raw data, and 2) the instructors, experienced teachers in the cybersecurity field who are responsible for keeping track of how the trainees are progressing and providing them with relevant feedback. Accordingly, the instructor first provides the trainees with the cyberexercises they must solve and afterward reviews the results represented in the dashboard in an easy and understandable way. This helps to build the feedback that the trainees will receive and to choose the most suitable cyberexercises for future users with similar knowledge.

The training process starts when the instructor distributes the cyberexercises across the trainees. While the latter are solving the tasks, our system collects the various data types described in the previous section. Then, these data are processed and analyzed in order to populate the dashboard with all the information about the cybersecurity development of each trainee.

B. Overview of the Architecture

Figure 2 presents the overview of the architecture of the cyber range environment with the multimodal learning analytics, and how the following components are connected within the system:

• Cyber range. The cyber range system is the origin of the learning process. When trainees interact in their cyber range environment, a large amount of raw multimodal data is generated, emitted, collected, and stored in the web server. We implement the event emission process using the Experience API schema (xAPI, https://xapi.com/) to make the rest of the architecture agnostic of the specific cyber range system in use.

• Data collection. The data collected within the cyber range include a wide variety of trainee actions, as well as the readings of the external sensors and devices. We use REpresentational State Transfer (RESTful) API endpoints to send these data to the web server. There are several challenges regarding the ethical and security considerations of obtaining such data from the trainees. Thus, the collected personal data is encrypted and protected by applying appropriate technical and organizational measures according to the General Data Protection Regulation (GDPR).

• Data processing and analytics. This step aims to measure and evaluate the development of the trainees regarding their cybersecurity skills. An Extract, Transform, and Load (ETL) procedure is employed to extract the needed data from the database, transform them into a proper storage structure for querying and analysis, and finally load them into a final database. Due to its large size, the processing cannot be performed in real time. Therefore, we make use of cron jobs to launch the data processing scripts at scheduled times.

• Visualization dashboard. The last step consists of providing useful and effective visualizations to both the trainees and the instructors. This is done through the dashboard, which represents an activity and performance measurement interface. Specifically, we can see general statistics presenting the overall progress across the cyberexercises, or active time, to name some examples. We can also see more complex measurements such as the capacity to work under pressure and the concentration level. Trainees can access only their own data, while instructors can access the information of each trainee individually or see the aggregation of the entire class. At the same time, we also develop models that can evaluate trainees' competencies based on which cyberexercises they have been able to complete.

IV. CONCLUSIONS AND FUTURE WORK

Raising a new generation of cybersecurity professionals during the 21st century is vital to having a secure digitized world and economy. However, the specialized training of these professionals is a challenging task. Cyber range environments are a great asset that complements more traditional cybersecurity training, allowing trainees to practice hands-on cyberexercises that resemble real scenarios where they need to attack and/or defend a system in real time. However, the feedback that current cyber ranges provide to instructors regarding the performance of their trainees is quite scarce. In some cases we find that the instructors do not know more than whether the cyberexercise was completed or not, with no information about the process at all. This is definitely not sufficient to provide just-in-time support and feedback to the students in order to improve the learning process, especially when we want to scale cyber range case studies to entire classes being trained simultaneously.

In this paper we have argued for the potential that multimodal data have to improve the training process when using cyber ranges. We can collect data in various modalities such as clickstream, console commands, biometrics, or audiovisual data; apply signal processing and artificial intelligence techniques; and produce measures to assess ideal solution pathways, capacity to work under pressure, or concentration, which are key capacities for becoming a successful cybersecurity professional. Moreover, these techniques can have a dual impact on our society. First, on the civil side, we can use them to improve the academic training of students undertaking degrees related to cybersecurity and also in professional programs training cybersecurity professionals. Second, on the military side, we can use the same approach


[Figure 2: block diagram. The TRAINEE works in the cyber range (SYSTEM); Data collection forwards commands, clickstream, and biometric data to the Databases; Data processing and analytics feed the Visualization dashboard (Individual and Class views) of the WEB APPLICATION used by the INSTRUCTOR.]

Fig. 2. Preliminary architecture of the cyber range environment with the multimodal learning analytics web application.

to improve the cyberdefence capabilities that a state may have to protect its cyberspace. Depending on the critical nature of the position of each professional being trained, more or less invasive data collection approaches can be applied.

The future steps that we envision are multifaceted. First, we are working on making this architecture as generic as possible, using different data sources and sensors. Then, we plan to deploy several cyber ranges on controlled premises and make this architecture as interoperable as possible. Next, we will conduct case studies with students taking security classes and with cybersecurity professionals in order to collect data and prove the viability of the architecture. Finally, we will validate that this approach improves the overall training process.

ACKNOWLEDGMENTS

This work has been partially funded by project COBRA (10032/20/0035/00), awarded by the Spanish Ministry of Defense, as well as by the fellowships FJCI-2017-34926 and RYC-2015-18210, awarded by the Government of Spain and co-funded by the European Social Fund.

REFERENCES

[1] P. Morgan, "Cybercrime facts and statistics. 2021 Report: Cyberwarfare in the C-Suite," Cybersecurity Ventures, Tech. Rep., 2021.
[2] B. E. Endicott-Popovsky and V. M. Popovsky, "Application of pedagogical fundamentals for the holistic development of cybersecurity professionals," ACM Inroads, vol. 5, no. 1, pp. 57–68, 2014.
[3] J. Oltsik, C. Alexander, and C. CISM, "The life and times of cybersecurity professionals," ESG and ISSA: Research Report, 2017.
[4] J. Vykopal, M. Vizváry, R. Oslejsek, P. Celeda, and D. Tovarnak, "Lessons learned from complex hands-on defence exercises in a cyber range," in 2017 IEEE Frontiers in Education Conference (FIE). IEEE, 2017, pp. 1–8.
[5] C. Pham, D. Tang, K.-i. Chinen, and R. Beuran, "CyRIS: a cyber range instantiation system for facilitating security training," in Proceedings of the Seventh Symposium on Information and Communication Technology, 2016, pp. 251–258.
[6] M. Rosenstein and F. Corvese, "A secure architecture for the range-level command and control system of a national cyber range testbed," in Proceedings of the 5th USENIX Conference on Cyber Security Experimentation and Test, 2012, pp. 1–1.
[7] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros, R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens, "A review of cyber-ranges and test-beds: current and future trends," Sensors, vol. 20, no. 24, p. 7148, 2020.
[8] K. Leune and S. J. Petrilli Jr, "Using capture-the-flag to enhance the effectiveness of cybersecurity education," in Proceedings of the 18th Annual Conference on Information Technology Education, 2017, pp. 47–52.
[9] X. Ochoa and M. Worsley, "Augmenting learning analytics with multimodal sensory data," Journal of Learning Analytics, vol. 3, no. 2, pp. 213–219, 2016.
[10] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros, R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens, "A review of cyber-ranges and test-beds: Current and future trends," Sensors, vol. 20, no. 24, 2020.
[11] WhatPulse. Accessed: 2021-03-21. [Online]. Available: https://whatpulse.org
[12] P. Joshi, OpenCV by Example: Enhance Your Understanding of Computer Vision and Image Processing by Developing Real-World Projects in OpenCV 3. Birmingham: Packt Publishing, 2016.
[13] J. St. Jean, Kinect Hacks, 1st ed., ser. Hacks. Beijing; Sebastopol, CA: O'Reilly, 2012.
[14] D. Yu and L. Deng, Automatic Speech Recognition. Springer London, 2015.
[15] L. Santamaria-Granados, M. Munoz-Organero, G. Ramirez-González, E. Abdulhay, and N. Arunkumar, "Using deep convolutional neural network for emotion detection on a physiological signals dataset (AMIGOS)," IEEE Access, vol. 7, pp. 57–67, 2019.
[16] X. Shu, K. Tian, A. Ciambrone, and D. Yao, "Breaking the Target: An analysis of Target data breach and lessons learned," CoRR, vol. abs/1701.04940, 2017.
[17] S. Sriramprakash, V. D. Prasanna, and O. R. Murthy, "Stress detection in working people," Procedia Computer Science, vol. 115, pp. 359–366, 2017, 7th International Conference on Advances in Computing & Communications, ICACC-2017, 22–24 August 2017, Cochin, India.
[18] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, and R. Buyya, "DDoS attacks in cloud computing: Issues, taxonomy, and future directions," Computer Communications, vol. 107, pp. 30–48, 2017.
[19] S. Huang, J. Li, P. Zhang, and W. Zhang, "Detection of mental fatigue state with wearable ECG devices," International Journal of Medical Informatics, vol. 119, pp. 39–46, 2018.
[20] M. Liu, E. McKelroy, S. B. Corliss, and J. Carrigan, "Investigating the effect of an adaptive learning intervention on students' learning," Educational Technology Research and Development, vol. 65, no. 6, pp. 1605–1625, 2017.