INVESTIGACIÓN EN (JNIC2021 LIVE) - Manuel A. Serrano - Eduardo Fernández-Medina Cristina Alcaraz - Noemí de Castro - Guillermo Calvo - UCLM
←
→
Transcripción del contenido de la página
Si su navegador no muestra la página correctamente, lea el contenido de la página a continuación
EDITORES:
Manuel A. Serrano - Eduardo Fernández-Medina
Cristina Alcaraz - Noemí de Castro - Guillermo Calvo
Actas de las VI Jornadas Nacionales
(JNIC2021 LIVE)
INVESTIGACIÓN EN
Investigación en Ciberseguridad
Actas de las VI Jornadas Nacionales
( JNIC2021 LIVE)
Online 9-10 de junio de 2021
Universidad de Castilla-La Mancha
Investigación en Ciberseguridad
Actas de las VI Jornadas Nacionales
( JNIC2021 LIVE)
Online 9-10 de junio de 2021
Universidad de Castilla-La Mancha
Editores:
Manuel A. Serrano,
Eduardo Fernández-Medina,
Cristina Alcaraz
Noemí de Castro
Guillermo Calvo
Cuenca, 2021© de los textos e ilustraciones: sus autores
© de la edición: Universidad de Castilla-La Mancha
Edita: Ediciones de la Universidad de Castilla-La Mancha.
Colección JORNADAS Y CONGRESOS n.º 34
© de los textos: sus autores.
© de la edición: Universidad de Castilla-La Mancha.
© de los textos e ilustraciones: sus autores
© de la edición: Universidad de Castilla-La Mancha
Edita: Ediciones Esta
de la Universidad
editorial esdemiembro
Castilla-Lade
Mancha
la UNE, lo que garantiza la difusión y
comercialización de sus publicaciones a nivel nacional e internacional
Colección JORNADAS
Edita: Ediciones de YlaCONGRESOS
Universidad de n.º Castilla-La
34 Mancha.
Colección JORNADAS Y CONGRESOS n.º 34
I.S.B.N.: 978-84-9044-463-4
Esta editorial es miembro de la UNE, lo que garantiza la difusión y comercialización de sus publi-
caciones a nivel nacional e internacional.
D.O.I.: http://doi.org/10.18239/jornadas_2021.34.00
Esta editorial es miembro de la UNE, lo que garantiza la difusión y
I.S.B.N.: 978-84-9044-463-4
comercialización de sus publicaciones a nivel
nacional e internacional
D.O.I.: http://doi.org/10.18239/jornadas_2021.34.00
I.S.B.N.:
Esta obra 978-84-9044-463-4
se encuentra bajo una licencia internacional Creative Commons CC BY 4.0.
D.O.I.: http://doi.org/10.18239/jornadas_2021.34.00
Cualquier forma de reproducción, distribución, comunicación pública o transformación de esta
Esta obra se encuentra bajo una licencia internacional Creative Commons CC BY 4.0.
obra no incluida en la licencia Creative Commons CC BY 4.0 solo puede ser realizada con la
Cualquier forma de reproducción, distribución, comunicación pública o transformación de esta obra no incluida
autorización
en expresa
la licencia Creative de los CC
Commons titulares, salvopuede
BY 4.0 solo excepción prevista
ser realizada con la por la ley. Puede
autorización Vd.
expresa de losacceder
titulares, al
texto completo de la licencia en este enlace:
salvo excepción prevista por la ley. Puede Vd. acceder al texto completo de la licencia en este enlace: https://
https://creativecommons.org/licenses/by/4.0/deed.es
creativecommons.org/licenses/by/4.0/deed.es
Esta obra se encuentra bajo una licencia internacional Creative Commons CC BY 4.0.
Hecho en España (U.E.) – Made in Spain (E.U.)
Hecho en España
Cualquier forma de(U.E.) – Made indistribución,
reproducción, Spain (E.U.)comunicación pública o transformación de esta
obra no incluida en la licencia Creative Commons CC BY 4.0 solo puede ser realizada con la
autorización expresa de los titulares, salvo excepción prevista por la ley. Puede Vd. acceder al
texto completo de la licencia en este enlace:
https://creativecommons.org/licenses/by/4.0/deed.es
Hecho en España (U.E.) – Made in Spain (E.U.)Bienvenida del Comité Organizador
Tras la parada provocada por la pandemia en 2020, las VI Jornadas Nacionales de Investiga-
ción en Ciberseguridad ( JNIC) vuelven el 9 y 10 de Junio del 2021 con energías renovadas, y por
primera vez en su historia, en un formato 100% online. Esta edición de las JNIC es organizada
por los grupos GSyA y Alarcos de la Universidad de Castilla-La Mancha en Ciudad Real, y
con la activa colaboración del comité ejecutivo, de los presidentes de los distintos comités de
programa y del Instituto Nacional de Ciberseguridad (INCIBE). Continúa de este modo la
senda de consolidación de unas jornadas que se celebraron por primera vez en León en 2015 y
le siguieron Granada, Madrid, San Sebastián y Cáceres, consecutivamente hasta 2019, y que,
en condiciones normales se habrían celebrado en Ciudad Real en 2020.
Estas jornadas se han convertido en un foro de encuentro de los actores más relevantes en
el ámbito de la ciberseguridad en España. En ellas, no sólo se presentan algunos de los trabajos
científicos punteros en las diversas áreas de ciberseguridad, sino que se presta especial atención
a la formación e innovación educativa en materia de ciberseguridad, y también a la conexión
con la industria, a través de propuestas de transferencia de tecnología. Tanto es así que, este año
se presentan en el Programa de Transferencia algunas modificaciones sobre su funcionamiento
y desarrollo que han sido diseñadas con la intención de mejorarlo y hacerlo más valioso para
toda la comunidad investigadora en ciberseguridad.
Además de lo anterior, en las JNIC estarán presentes excepcionales ponentes (Soledad
Antelada, del Lawrence Berkeley National Laboratory, Ramsés Gallego, de Micro Focus y
Mónica Mateos, del Mando Conjunto de Ciberdefensa) mediante tres charlas invitadas y se
desarrollarán dos mesas redondas. Éstas contarán con la participación de las organizaciones
más relevantes en el panorama industrial, social y de emprendimiento en relación con la ciber-
seguridad, analizando y debatiendo el papel que está tomando la ciberseguridad en distintos
ámbitos relevantes.
En esta edición de JNIC se han establecido tres modalidades de contribuciones de inves-
tigación, los clásicos artículos largos de investigación original, los artículos cortos con investi-
gación en un estado más preliminar, y resúmenes extendidos de publicaciones muy relevantes
y de alto impacto en materia de ciberseguridad publicados entre los años 2019 y 2021. En el
caso de contribuciones de formación e innovación educativa, y también de transferencias se
han considerado solamente artículos largos. Se han recibido para su valoración un total de 86
7Bienvenida del Comité Organizador
contribuciones organizadas en 26, 27 y 33 artículos largos, cortos y resúmenes ya publicados,
de los que los respectivos comités de programa han aceptado 21, 19 y 27, respectivamente. En
total se ha contado con una ratio de aceptación del 77%. Estas cifras indican una participación
en las jornadas que continúa creciendo, y una madurez del sector español de la ciberseguridad
que ya cuenta con un volumen importante de publicaciones de alto impacto.
El formato online de esta edición de las jornadas nos ha motivado a organizar las jornadas
de modo más compacto, distinguiendo por primera vez entre actividades plenarias (charlas
invitadas, mesas redondas, sesión de formación e innovación educativa, sesión de transfe-
rencia de tecnología, junto a inauguración y clausura) y sesiones paralelas de presentación de
artículos científicos. En concreto, se han organizado 10 sesiones de presentación de artículos
científicos en dos líneas paralelas, sobre las siguientes temáticas: detección de intrusos y gestión
de anomalías (I y II), ciberataques e inteligencia de amenazas, análisis forense y cibercrimen,
ciberseguridad industrial, inteligencia artificial y ciberseguridad, gobierno y riesgo, tecnologías
emergentes y entrenamiento, criptografía, y finalmente privacidad.
En esta edición de las jornadas se han organizado dos números especiales de revistas con
elevado factor de impacto para que los artículos científicos mejor valorados por el comité de
programa científico puedan enviar versiones extendidas de dichos artículos. Adicionalmente, se
han otorgado premios al mejor artículo en cada una de las categorías. En el marco de las JNIC
también hemos contado con la participación de la Red de Excelencia Nacional de Investigación
en Ciberseguridad (RENIC), impulsando la ciberseguridad a través de la entrega de los premios
al Mejor Trabajo Fin de Máster en Ciberseguridad y a la Mejor Tesis Doctoral en Ciberseguridad. Tam-
bién se ha querido acercar a los jóvenes talentos en ciberseguridad a las JNIC, a través de un CTF
(Capture The Flag) organizado por la Universidad de Extremadura y patrocinado por Viewnext.
Desde el equipo que hemos organizado las JNIC2021 queremos agradecer a todas aquellas
personas y entidades que han hecho posible su celebración, comenzando por los autores de
los distintos trabajos enviados y los asistentes a las jornadas, los tres ponentes invitados, las
personas y organizaciones que han participado en las dos mesas redondas, los integrantes de
los distintos comités de programa por sus interesantes comentarios en los procesos de revisión
y por su colaboración durante las fases de discusión y debate interno, los presidentes de las
sesiones, la Universidad de Extremadura por organizar el CTF y la empresa Viewnext por
patrocinarlo, los técnicos del área TIC de la UCLM por el apoyo con la plataforma de comu-
nicación, los voluntarios de la UCLM y al resto de organizaciones y entidades patrocinadoras,
entre las que se encuentra la Escuela Superior de Informática, el Departamento de Tecnologías
y Sistemas de Información y el Instituto de Tecnologías y Sistemas de Información, todos ellos
de la Universidad de Castilla-La Mancha, la red RENIC, las cátedras (Telefónica e Indra)
y aulas (Avanttic y Alpinia) de la Escuela Superior de Informática, la empresa Cojali, y muy
especialmente por su apoyo y contribución al propio INCIBE.
Manuel A. Serrano, Eduardo Fernández-Medina
Presidentes del Comité Organizador
Cristina Alcaraz
Presidenta del Comité de Programa Científico
Noemí de Castro
Presidenta del Comité de Programa de Formación e Innovación Educativa
Guillermo Calvo Flores
Presidente del Comité de Transferencia Tecnológica
8Índice General
Comité Ejecutivo.............................................................................................. 11
Comité Organizador........................................................................................ 12
Comité de Programa Científico....................................................................... 13
Comité de Programa de Formación e Innovación Educativa........................... 15
Comité de Transferencia Tecnológica............................................................... 17
Comunicaciones
Sesión de Investigación A1: Detección de intrusiones y gestión de anomalías I 21
Sesión de Investigación A2: Detección de intrusiones y gestión de anomalías II 55
Sesión de Investigación A3: Ciberataques e inteligencia de amenazas............. 91
Sesión de Investigación A4: Análisis forense y cibercrimen............................. 107
Sesión de Investigación A5: Ciberseguridad industrial y aplicaciones.............. 133
Sesión de Investigación B1: Inteligencia Artificial en ciberseguridad............... 157
Sesión de Investigación B2: Gobierno y gestión de riesgos.............................. 187
Sesión de Investigación B3: Tecnologías emergentes y entrenamiento en
ciberseguridad................................................................................................... 215
Sesión de Investigación B4: Criptografía.......................................................... 235
Sesión de Investigación B5: Privacidad............................................................. 263
Sesión de Transferencia Tecnológica................................................................ 291
Sesión de Formación e Innovación Educativa.................................................. 301
Premios RENIC.............................................................................................. 343
Patrocinadores................................................................................................. 349
9Comité Ejecutivo
Juan Díez González INCIBE
Luis Javier García Villalba Universidad de Complutense de Madrid
Eduardo Fernández-Medina Patón Universidad de Castilla-La Mancha
Guillermo Suárez-Tangil IMDEA Networks Institute
Andrés Caro Lindo Universidad de Extremadura
Pedro García Teodoro Universidad de Granada. Representante
de red RENIC
Noemí de Castro García Universidad de León
Rafael María Estepa Alonso Universidad de Sevilla
Pedro Peris López Universidad Carlos III de Madrid
11Comité Organizador
Presidentes del Comité Organizador
Eduardo Fernández-Medina Patón Universidad de Castilla-la Mancha
Manuel Ángel Serrano Martín Universidad de Castilla-la Mancha
Finanzas
David García Rosado Universidad de Castilla-la Mancha
Luis Enrique Sánchez Crespo Universidad de Castilla-la Mancha
Actas
Antonio Santos-Olmo Parra Universidad de Castilla-la Mancha
Difusión
Julio Moreno García-Nieto Universidad de Castilla-la Mancha
José Antonio Cruz Lemus Universidad de Castilla-la Mancha
María A Moraga de la Rubia Universidad de Castilla-la Mancha
Webmaster
Aurelio José Horneros Cano Universidad de Castilla-la Mancha
Logística y Organización
Ignacio García-Rodriguez de Guzmán Universidad de Castilla-la Mancha
Ismael Caballero Muñoz-Reja Universidad de Castilla-la Mancha
Gregoria Romero Grande Universidad de Castilla-la Mancha
Natalia Sanchez Pinilla Universidad de Castilla-la Mancha
12Comité de Programa Científico
Presidenta
Cristina Alcaraz Tello Universidad de Málaga
Miembros
Aitana Alonso Nogueira INCIBE
Marcos Arjona Fernández ElevenPaths
Ana Ayerbe Fernández-Cuesta Tecnalia
Marta Beltrán Pardo Universidad Rey Juan Carlos
Carlos Blanco Bueno Universidad de Cantabria
Jorge Blasco Alís Royal Holloway, University of London
Pino Caballero-Gil Universidad de La Laguna
Andrés Caro Lindo Universidad de Extremadura
Jordi Castellà Roca Universitat Rovira i Virgili
José M. de Fuentes García-Romero
de Tejada Universidad Carlos III de Madrid
Jesús Esteban Díaz Verdejo Universidad de Granada
Josep Lluis Ferrer Gomila Universitat de les Illes Balears
Dario Fiore IMDEA Software Institute
David García Rosado Universidad de Castilla-La Mancha
Pedro García Teodoro Universidad de Granada
Luis Javier García Villalba Universidad Complutense de Madrid
Iñaki Garitano Garitano Mondragon Unibertsitatea
Félix Gómez Mármol Universidad de Murcia
Lorena González Manzano Universidad Carlos III de Madrid
María Isabel González Vasco Universidad Rey Juan Carlos I
Julio César Hernández Castro University of Kent
Luis Hernández Encinas CSIC
Jorge López Hernández-Ardieta Banco Santander
Javier López Muñoz Universidad de Málaga
Rafael Martínez Gasca Universidad de Sevilla
Gregorio Martínez Pérez Universidad de Murcia
13David Megías Jiménez Universitat Oberta de Cataluña
Luis Panizo Alonso Universidad de León
Fernando Pérez González Universidad de Vigo
Aljosa Pasic ATOS
Ricardo J. Rodríguez Universidad de Zaragoza
Fernando Román Muñoz Universidad Complutense de Madrid
Luis Enrique Sánchez Crespo Universidad de Castilla-La Mancha
José Soler Technical University of Denmark-DTU
Miguel Soriano Ibáñez Universidad Politécnica de Cataluña
Victor A. Villagrá González Universidad Politécnica de Madrid
Urko Zurutuza Ortega Mondragon Unibertsitatea
Lilian Adkinson Orellana Gradiant
Juan Hernández Serrano Universitat Politécnica de Cataluña
14Comité de Programa de Formación e Innovación Educativa
Presidenta
Noemí De Castro García Universidad de León
Miembros
Adriana Suárez Corona Universidad de León
Raquel Poy Castro Universidad de León
José Carlos Sancho Núñez Universidad de Extremadura
Isaac Agudo Ruiz Universidad de Málaga
Ana Isabel González-Tablas Ferreres Universidad Carlos III de Madrid
Xavier Larriva Universidad Politécnica de Madrid
Ana Lucila Sandoval Orozco Universidad Complutense de Madrid
Lorena González Manzano Universidad Carlos III de Madrid
María Isabel González Vasco Universidad Rey Juan Carlos
David García Rosado Universidad de Castilla - La Mancha
Sara García Bécares INCIBE
15Comité de Transferencia Tecnológica
Presidente
Guillermo Calvo Flores INCIBE
Miembros
José Luis González Sánchez COMPUTAEX
Marcos Arjona Fernández ElevenPaths
Victor Villagrá González Universidad Politécnica de Madrid
Luis Enrique Sánchez Crespo Universidad de Castilla – La Mancha
17Sesión de Investigación B3: Tecnologías emergentes y entrenamiento en ciberseguridad
http://doi.org/10.18239/jornadas_2021.34.52
Exploring the Affordances of Multimodal Data to
Improve Cybersecurity Training with Cyber Range
Environments
Mariano Albaladejo-González , Sofia Strukova , José A. Ruipérez-Valiente , Félix Gómez Mármol
Department of Information and Communications Engineering, University of Murcia
Calle Campus Universitario, 30100 Murcia (Spain)
{mariano.albaladejog, strukovas, jruiperez, felixgm}@um.es
Abstract—During the last years, the constant cybersecurity trainees can attempt to attack a network system (red team)
breaches being reported are remarking the necessity of raising or defend a system against an adversary attack (blue team).
the number of cybersecurity experts that can tackle such threats. These cyberexercises resemble much better the real world
In this sense, educational technology environments can help to
generate more immersive and realistic environments, and within situations that these professionals will need to face when an
this context, cyber range systems are one of the foremost solu- actual threat emerges.
tions. However, these systems might not provide rich and detailed However, one of the handicaps that the current state of the
feedback to instructors and students regarding the performance art of these environments shows is a low emphasis on perform-
in each cyberexercise. In this paper we discuss the potential
of multimodal data, including clickstream, console commands,
ing effective automatic evaluations and feedback provision
biometrics, and other sensor data, to improve the feedback and based on the trainee performance in the cyberexercise. For ex-
evaluation process in cyber range environments. We present the ample, a recent literature review on cyber range environments
affordances that these techniques can bring to cybersecurity that inspected all the existing ones until today, only mentioned
training as well as a preliminary architecture to implement them. that the evaluation can be either done manually (with human
We argue that these technologies can become a new generation of
high-quality, realistic, and adaptive cybersecurity training that
intervention) or automatically (based on an algorithm and key
can have a dual (civil and military) impact on our society. variables of the cyberexercise) [7]. The majority of cyber
Index Terms—Cyber range, cybersecurity training, multi- ranges provide very limited feedback on the process that
modal learning analytics, educational technology. the trainee followed to solve or fail the cyberexercise. For
Tipo de contribución: Investigación en desarrollo example, a capture-the-flag cyberexercise where an attacker
needs to gain admin privileges and access a hidden code
I. I NTRODUCTION [8], might provide as only feedback to the instructor that the
The last decade has made exceptionally clear the upmost trainee knows said hidden code. Therefore, instructors cannot
necessity of growing the number and quality of cyberse- provide detailed and adapted feedback, nor perform a rich
curity experts that can design secure systems and respond evaluation of the trainee taking into account diverse factors
to potential threats. Every week we hear of new security and actions that happened during the learning process.
breaches and scandals, that jeopardize entire companies and To face this ambitious challenge, in this paper we argue
the privacy of their users. The respondents of the ISACA’s on the potential of using multimodal data to improve such
State of Cybersecurity of 2020 indicated that 53% of them evaluation within the context of cyber ranges. To do so,
were expecting a cyberattack within 12 months. Moreover, we collect data from multiple sources, including clickstream
Cybersecury Ventures predicted that cybercrime will produce data, console commands, biometrics and other sensor data.
damages totaling $6 million USD globally in 2021, a predic- Then, we apply multimodal learning analytics conducting
tion which is based on recent year-over-year growth [1]. To signal processing and artificial intelligence to transform the
face this problem, there is an overall agreement on the need raw multimodal data into rich information [9]. In the paper
to increase the quality of the training that these specialists at hand, we present our current advances regarding how
receive [2]. However, a research report that interviewed over these multimodal data can be used to improve the evaluation
300 cybersecurity professionals indicated that only 38% of and feedback of trainees in cyber range environments. More
them are happy with the level of training that they are specifically, we have the following two objectives:
receiving [3].
In this sense, educational technology training tools can play • To present the affordances of multimodal data to improve
a pivotal role in the training quality that professionals can the training process in cyber range environments.
receive. Within this context, we are especially focused on • To propose a preliminary architecture adapted to this
cyber ranges, which are well-defined virtualized environments specific scenario to accomplish such goal.
where trainees can develop practical hands-on-activities that The remainder of this paper is organized as follows: In
resemble much better real cybersecurity operations. There are Section II we present an overview of the affordances of
a good number of prominent cyber range examples in the multimodal data in cyber range environments, while in Section
literature [4], [5], [6]. These can represent realistic cyber- III we discuss our preliminary architecture. We finalize the
security scenarios in safe sandbox environments where the paper in Section IV with conclusions and future research lines.
231Sesión de Investigación B3: Tecnologías emergentes y entrenamiento en ciberseguridad
II. M ULTIMODAL DATA IN C YBER R ANGE
E NVIRONMENTS
The essential feature of a cyber range is the development of
isolated and safe environments. For this reason, the core of a
cyber range is virtualization, simulation and/or containeriza-
tion technologies that support these environments. In addition
to these technologies, a cyber range might also include front-
end technologies to provide easy access to such environments.
Their architecture isolates the users’ computers and external
networks from the environments that are running malware
[10]. We find that in cyber range platforms, it is rare to find
the presence of front-end dashboards that can monitor the
results of the cyberexercises. The few cyber ranges that offer
a dashboard show shallow information, measuring whether
the user has completed the exercise successfully and the time
required to do so. Our system aims to expand this state of the Fig. 1. Potential devices used to monitor the user during the cyberexercises.
art with new measures of user skills and performance when
interacting with cyber ranges.
The system requires data that can come from different through the accelerometers and gyroscopes, among others.
sources to generate these news measures. For example, the Figure 1 represents different devices collecting data
cyber range can generate data related to the users’ solution, throughout the cyberexercises. The system uses all the col-
along with the number of attempts, the typed commands, the lected data to calculate additional user performance metrics
proportion of unnecessary commands, and the quality of the and skills. The users’ emotions during the cyberexercises
solutions. Furthermore, it is easy to collect data related to can be estimated and classified depending on the valence
user’s telemetry adding keyboard and mouse monitoring tools and arousal degrees [15]. The valence represents the level
in the front-end technologies, this is a common practice in of positive or negative affectivity and arousal, the calming or
websites and apps for real-time and asynchronous tracking excitement level. Thereby, we could infer states like anger,
[11]. These telemetry data can provide the following infor- joy, sadness, and pleasure.
mation: In addition to the user emotions, the system could mea-
• Keyboard patterns. These data are generated when the sure more advanced skills closely related to the necessities
user writes commands. It includes the typing speed and of cybersecurity professionals. In real-world environments,
the keystroke duration. cybersecurity professionals can be under much pressure due
• Clickstream. It represents how the user interacts with to the impact of their decisions; for example, failing to
the graphic interface of the environment. The clickstream detect sniffers on an online shop can end up causing a data
includes the clicked elements, the click frequency, the breach of 40 million card numbers and 70 million personal
click duration, and the mouse movement speed. records stolen [16]. For this reason, it is interesting to evaluate
Our system aims to go further, including data collected by the capacity to work under pressure, for example, through
sensors and devices external to the cyber range. A camera user stress or the attention level [17]. Moreover, cyberattacks
and/or a kinetic device can get many interesting measures and their consequences can take place over an extended
such as eye-tracking, the users’ pose, position, and expression period of time [18]; for this reason, it is also interesting to
[12], [13]. Furthermore, we can add microphones to record the measure the user fatigue [19]. Teamwork skills are critical
communication between the users [14]. for cybersecurity professionals as they will often be part of a
In addition, we propose to measure physiological signals larger and multidisciplinary team. The proposed multimodal
to get richer information about the users’ state during the system can be used to evaluate teamwork skills and how
cyberexercises. Depending on the original context for which teamwork affects each user. All of these metrics aim to
they are used, there are three types of devices to measure empower instructors with additional information to provide a
physiological signals: the devices used in the medical field more nuanced feedback and assessment to the cybersecurity
for diagnosis purposes, the devices used for research purposes, students. The final goal is to improve the readiness of the
and the commercial devices focused on the daily use of end cybersecurity professionals to detect and resolve cybersecurity
users. Additionally, these devices can be placed in different breaches.
parts of the body: for example, we can have wristbands, To implement the proposed system is essential to consider
chest straps, and brain-computer interfaces (BCIs) that are how invasive the devices are and whether they can be used
placed as a helmet. BCIs measure the electrical activity of the for extended periods of time. Devices that are too invasive
brain and can estimate the emotions and moods of the users might endanger data recollection by reducing user freedom
during the cyberexercises. The wristbands and chest straps can of movement and making the cyber range experience more
have different types of sensors to measure the heart rate, the uncomfortable. Furthermore, it is important to consider the
blood pressure, the skin temperature, the oxygen saturation, devices’ cost because since some of them are quite expensive,
the electrodermal activity (the measurement of the electrical and can be used only by a single user at a time. Microphones,
activity of the skin), and the movement of the user measured cameras, kinetics, and wearables are affordable solutions with
232Sesión de Investigación B3: Tecnologías emergentes y entrenamiento en ciberseguridad
potential to measure useful constructs. according to the General Data Protection Regulation
Finally, all the aforementioned types of data generated (GDPR).
by trainees while using cyber range environments hold the • Data processing and analytics. This step aims to mea-
potential for being used to adjust the cyberexercises to the sure and evaluate the development of the trainees regard-
current status of each specific trainee. This process, which ing their cybersecurity skills. An Extract, Transform, and
is known as adaptive learning, has the goal of addressing Load (ETL) procedure is employed in order to extract
the unique needs of each user [20]. In our case, we aim to the needed data from the database, transform them into
dynamically adapt current cyberexercises to the knowledge of a proper storage structure for querying and analysis, and
the trainee. Commands and clickstream data along with the finally load them into a final database. Due to its large
biometric signals of trainees will allow us to analyze and com- size, the processing cannot be performed in real-time.
pare the results of the different simulations to progressively Therefore, we make use of cron jobs to launch the data
improve subsequent training sessions and, therefore, maintain processing scripts at scheduled times.
the optimal balance between the trainees’ knowledge and the • Visualization dashboard. The last step consists in pro-
difficulty of each exercise. viding useful and effective visualizations to both the
trainees and the instructors. This is done through the
III. P RELIMINARY A RCHITECTURE
dashboard that represents an activity and performance
A. Description of the training process measurement interface. Specifically, we can see general
Our system is used by: 1) the trainees, who interact with statistics presenting the overall progress across the cy-
the learning contents and generate the raw data, and 2) the berexercises, or active time, to name some examples. We
instructors, who are experienced teachers in the cybersecurity can also see more complex measurements such as the
field responsible for keeping track of how the trainees are capacity to work under pressure and concentration level.
progressing and providing them with relevant feedback. Ac- Trainees can access only their own data, while instructors
cordingly, the instructor first provides the trainees with the cy- can access the information of each trainee individually
berexercises they must solve and afterward reviews the results or see the aggregation of the entire class. At the same
represented in the dashboard in an easy and understandable time, we also develop models that can evaluate trainees’
way. This helps to build the feedback that the trainees will competencies based on which cyberexercises they have
receive and choose the most suitable cyberexercises for the been able to complete.
future users with similar knowledge.
IV. C ONCLUSIONS AND FUTURE WORK
The training process starts when the instructor distributes
the cyberexercises across the trainees. While the latter are Raising a new generation of cybersecurity professionals
solving the tasks, our system collects various data types de- during the 21st century is vital to have a secure digitized
scribed in the previous section. Then, these data are processed world and economy. However, the specialized training of
and analyzed in order to visualize the dashboard with all these professionals is a challenging task. Cyber range en-
the information about the cybersecurity development of each vironments represent a great asset that complements more
trainee. traditional cybersecurity training in order to practice hands-on
cyberexercises that can resemble real scenarios where trainees
B. Overview of the Architecture need to attack and/or defend a system in real time. However,
Figure 2 presents the overview of the architecture of the current feedback that cyber ranges provide to instructors
the cyber range environment with the multimodal learning regarding the performance of their trainees is quite scarce. In
analytics, and how the following components are connected some cases we find that the instructors do not know more
within the system: than whether the cyberexercise was completed or not, with
• Cyber range. The cyber range system is the origin of the
no information about the process at all. This approach is
learning process. When trainees interact in their cyber definitely not sufficient to provide a just-in-time support and
range environment, a large amount of raw multimodal feedback to the students in order to improve the learning
data is generated, issued, collected, and stored in the process, specially when we want to scale cyber range case
webserver. We implement the event emission process studies with entire classes getting trained simultaneously.
using experience API schema (xAPI 1 ) to make the rest In this paper we have argued on the potential that multi-
of parts of the architecture agnostic of the specific cyber modal data can have to improve the training process when
range system implemented. using cyber ranges. We can collect different data in various
• Data collection. The data collected within the cyber
modalities like clickstream, console commands, biometrics
range include a wide variety of trainee actions, as well or audiovisual data, apply signal processing and artificial
as the external sensors and devices. We use REpresenta- intelligence techniques, and produce measures to assess ideal
tional State Transfer API (RESTful API) endpoints to solution pathways, capacity to work under pressure, or con-
send these data to the web server. There are several centration, which are key capacities to become a successful
challenges regarding the ethical and security consider- cybersecurity professional. Moreover, these techniques can
ations of obtaining that data from the trainees. Thus, the have a dual impact on our society. First, on the civil side, we
collected personal data is encrypted and protected by ap- can use them to improve the academic training of students
plying appropriate technical and organizational measures under-taking degrees related to cybersecurity and also on
professional programs training cybersecurity professionals.
1 https://xapi.com/ Second, on the military side, we can use the same approach
233Sesión de Investigación B3: Tecnologías emergentes y entrenamiento en ciberseguridad
INSTRUCTOR
T WEB APPLICATION
R SYSTEM
A
I Data Commands,
clickstream,
collection
N and biometric
data
E Cyber Individual Class
E range Databases
Data
processing Visualization
and analytics dashboard
Fig. 2. Preliminary architecture of the cyber range environment with the multimodal learning analytics web application.
to improve the cyberdefence capabilities that a state may have [7] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros,
to protect the cyberspace. Depending on the critical nature of R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens,
“A review of cyber-ranges and test-beds: current and future trends,”
the position of each professional getting trained, more or less Sensors, vol. 20, no. 24, p. 7148, 2020.
invasive data collection approaches can be applied. [8] K. Leune and S. J. Petrilli Jr, “Using capture-the-flag to enhance the
The future steps that we envision are multifaceted. First, effectiveness of cybersecurity education,” in Proceedings of the 18th
Annual Conference on Information Technology Education, 2017, pp.
we are working on developing this architecture as generic 47–52.
as possible, using different data sources and sensors. Then, [9] X. Ochoa and M. Worsley, “Augmenting learning analytics with multi-
we are planning to deploy several cyber ranges on controlled modal sensory data,” Journal of Learning Analytics, vol. 3, no. 2, pp.
213–219, 2016.
premises and make this architecture as inter-operable as [10] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros,
possible. Then, we will conduct case studies with students R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens,
undertaking security classes and with cybersecurity profes- “A review of cyber-ranges and test-beds: Current and future trends,”
Sensors, vol. 20, no. 24, 2020.
sionals in order to collect data and prove the viability of the [11] Whatpulse. Accessed: 2021-03-21. [Online]. Available: https:
architecture. Finally, we will validate that this approach is /whatpulse.org
improving the overall training process. [12] P. Joshi, OpenCV by example : enhance your understanding of computer
vision and image processing by developing real-world projects in
ACKNOWLEDGMENTS OpenCV 3. Birmingham: Packt Publishing, 2016.
[13] J. St. Jean, Kinect hacks, 1st ed., ser. Hacks. Beijing ; Sebastopol,
This work has been partially funded by project COBRA CA: O’Reilly, 2012, oCLC: ocn764382938.
(10032/20/0035/00), awarded by the Spanish Ministry of [14] D. Yu and L. Deng, Automatic Speech Recognition. Springer London,
2015.
Defense, as well as the fellowships FJCI-2017-34926 and [15] L. Santamaria-Granados, M. Munoz-Organero, G. Ramirez-González,
RYC-2015-18210, awarded by the Govern of Spain and co- E. Abdulhay, and N. Arunkumar, “Using deep convolutional neural net-
funded by European Social Funds. work for emotion detection on a physiological signals dataset (amigos),”
IEEE Access, vol. 7, pp. 57–67, 2019.
R EFERENCES [16] X. Shu, K. Tian, A. Ciambrone, and D. Yao, “Breaking the target:
An analysis of target data breach and lessons learned,” CoRR, vol.
[1] P. Morgan, “Cybercrime facts and statistics. 2021 Report: Cyberwarfare abs/1701.04940, 2017.
in the C-Suite,” Cybersecurity Ventures, Tech. Rep., 2021. [17] S. Sriramprakash, V. D. Prasanna, and O. R. Murthy, “Stress detection
[2] B. E. Endicott-Popovsky and V. M. Popovsky, “Application of ped- in working people,” Procedia Computer Science, vol. 115, pp. 359–
agogical fundamentals for the holistic development of cybersecurity 366, 2017, 7th International Conference on Advances in Computing &
professionals,” ACM Inroads, vol. 5, no. 1, pp. 57–68, 2014. Communications, ICACC-2017, 22-24 August 2017, Cochin, India.
[3] J. Oltsik, C. Alexander, and C. CISM, “The life and times of cyberse- [18] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, and R. Buyya, “Ddos
curity professionals,” ESG and ISSA: Research Report, 2017. attacks in cloud computing: Issues, taxonomy, and future directions,”
[4] J. Vykopal, M. Vizváry, R. Oslejsek, P. Celeda, and D. Tovarnak, Computer Communications, vol. 107, pp. 30–48, 2017.
“Lessons learned from complex hands-on defence exercises in a cyber [19] S. Huang, J. Li, P. Zhang, and W. Zhang, “Detection of mental fatigue
range,” in 2017 IEEE Frontiers in Education Conference (FIE). IEEE, state with wearable ecg devices,” International Journal of Medical
2017, pp. 1–8. Informatics, vol. 119, pp. 39–46, 2018.
[5] C. Pham, D. Tang, K.-i. Chinen, and R. Beuran, “Cyris: a cyber range [20] M. Liu, E. McKelroy, S. B. Corliss, and J. Carrigan, “Investigating
instantiation system for facilitating security training,” in Proceedings of the effect of an adaptive learning intervention on students’ learning,”
the Seventh Symposium on Information and Communication Technology, Educational technology research and development, vol. 65, no. 6, pp.
2016, pp. 251–258. 1605–1625, 2017.
[6] M. Rosenstein and F. Corvese, “A secure architecture for the range-
level command and control system of a national cyber range testbed,”
in Proceedings of the 5th USENIX conference on Cyber Security
Experimentation and Test, 2012, pp. 1–1.
234También puede leer
