Research in Cybersecurity: Proceedings of the VI Jornadas Nacionales (JNIC2021 LIVE) - Manuel A. Serrano - Eduardo Fernández-Medina - Cristina Alcaraz - Noemí de Castro - Guillermo Calvo - UCLM
Research in Cybersecurity. Proceedings of the VI Jornadas Nacionales de Investigación en Ciberseguridad (JNIC2021 LIVE)
Online, 9-10 June 2021. Universidad de Castilla-La Mancha.
Editors: Manuel A. Serrano, Eduardo Fernández-Medina, Cristina Alcaraz, Noemí de Castro, Guillermo Calvo
Cuenca, 2021

© of the texts and illustrations: their authors
© of the edition: Universidad de Castilla-La Mancha
Published by: Ediciones de la Universidad de Castilla-La Mancha. Colección JORNADAS Y CONGRESOS no. 34
This publisher is a member of UNE, which guarantees the dissemination and commercialization of its publications at national and international level.
I.S.B.N.: 978-84-9044-463-4
D.O.I.: http://doi.org/10.18239/jornadas_2021.34.00
This work is licensed under a Creative Commons CC BY 4.0 international licence. Any form of reproduction, distribution, public communication or transformation of this work not covered by the Creative Commons CC BY 4.0 licence may only be carried out with the express authorization of the rights holders, except where provided for by law. The full text of the licence is available at this link: https://creativecommons.org/licenses/by/4.0/deed.es
Hecho en España (U.E.) – Made in Spain (E.U.)
Welcome from the Organizing Committee

After the stop forced by the pandemic in 2020, the VI Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) return on 9 and 10 June 2021 with renewed energy and, for the first time in their history, in a 100% online format. This edition of JNIC is organized by the GSyA and Alarcos groups of the Universidad de Castilla-La Mancha in Ciudad Real, with the active collaboration of the executive committee, the chairs of the different programme committees and the Instituto Nacional de Ciberseguridad (INCIBE). It thus continues the consolidation of a conference that was first held in León in 2015, followed by Granada, Madrid, San Sebastián and Cáceres, consecutively until 2019, and which under normal conditions would have been held in Ciudad Real in 2020.

These conferences have become a meeting forum for the most relevant actors in the field of cybersecurity in Spain. Not only are some of the leading scientific works in the various areas of cybersecurity presented there, but special attention is also paid to training and educational innovation in cybersecurity, and to the connection with industry through technology transfer proposals. So much so that this year the Transfer Programme introduces some changes to its operation and development, designed to improve it and make it more valuable for the whole cybersecurity research community. In addition, JNIC will feature exceptional speakers (Soledad Antelada, of the Lawrence Berkeley National Laboratory; Ramsés Gallego, of Micro Focus; and Mónica Mateos, of the Mando Conjunto de Ciberdefensa) through three invited talks, and two round tables will be held. These will include the participation of the most relevant organizations in the industrial, social and entrepreneurial landscape related to cybersecurity, analysing and debating the role that cybersecurity is taking in different relevant areas.

In this edition of JNIC, three types of research contribution have been established: the classic long papers of original research, short papers with research at a more preliminary stage, and extended abstracts of highly relevant, high-impact cybersecurity publications published between 2019 and 2021. For training and educational innovation contributions, and also for transfer contributions, only long papers were considered. A total of 86 contributions were received for evaluation, organized as 26, 27 and 33 long papers, short papers and already-published abstracts, of which the respective programme committees accepted 21, 19 and 27, respectively. Overall, the acceptance rate was 77%. These figures indicate a participation in the conference that continues to grow, and a maturity of the Spanish cybersecurity sector that already has a significant volume of high-impact publications.

The online format of this edition motivated us to organize the conference more compactly, distinguishing for the first time between plenary activities (invited talks, round tables, the training and educational innovation session, the technology transfer session, together with the opening and closing ceremonies) and parallel sessions for the presentation of scientific papers. Specifically, 10 scientific paper sessions were organized in two parallel tracks on the following topics: intrusion detection and anomaly management (I and II), cyberattacks and threat intelligence, forensic analysis and cybercrime, industrial cybersecurity, artificial intelligence and cybersecurity, governance and risk, emerging technologies and training, cryptography and, finally, privacy.

In this edition two special issues of high-impact-factor journals have been organized so that the scientific papers best rated by the scientific programme committee can submit extended versions. Additionally, awards have been given to the best paper in each category. Within the framework of JNIC we have also had the participation of the Red de Excelencia Nacional de Investigación en Ciberseguridad (RENIC), promoting cybersecurity through the awards for the Best Master's Thesis in Cybersecurity and the Best Doctoral Thesis in Cybersecurity. We have also sought to bring young cybersecurity talent closer to JNIC through a CTF (Capture The Flag) organized by the Universidad de Extremadura and sponsored by Viewnext.

The team that organized JNIC2021 wishes to thank all the people and entities that made it possible, starting with the authors of the submitted works and the attendees, the three invited speakers, the people and organizations that took part in the two round tables, the members of the different programme committees for their insightful comments during the review process and their collaboration during the internal discussion and debate phases, the session chairs, the Universidad de Extremadura for organizing the CTF and the company Viewnext for sponsoring it, the ICT staff of UCLM for their support with the communication platform, the UCLM volunteers and the other sponsoring organizations and entities, including the Escuela Superior de Informática, the Departamento de Tecnologías y Sistemas de Información and the Instituto de Tecnologías y Sistemas de Información, all of the Universidad de Castilla-La Mancha, the RENIC network, the chairs (Telefónica and Indra) and classrooms (Avanttic and Alpinia) of the Escuela Superior de Informática, the company Cojali and, very especially for its support and contribution, INCIBE itself.

Manuel A. Serrano, Eduardo Fernández-Medina, Chairs of the Organizing Committee
Cristina Alcaraz, Chair of the Scientific Programme Committee
Noemí de Castro, Chair of the Training and Educational Innovation Programme Committee
Guillermo Calvo Flores, Chair of the Technology Transfer Committee
Table of Contents

Executive Committee ........ 11
Organizing Committee ........ 12
Scientific Programme Committee ........ 13
Training and Educational Innovation Programme Committee ........ 15
Technology Transfer Committee ........ 17

Papers
Research Session A1: Intrusion detection and anomaly management I ........ 21
Research Session A2: Intrusion detection and anomaly management II ........ 55
Research Session A3: Cyberattacks and threat intelligence ........ 91
Research Session A4: Forensic analysis and cybercrime ........ 107
Research Session A5: Industrial cybersecurity and applications ........ 133
Research Session B1: Artificial Intelligence in cybersecurity ........ 157
Research Session B2: Governance and risk management ........ 187
Research Session B3: Emerging technologies and cybersecurity training ........ 215
Research Session B4: Cryptography ........ 235
Research Session B5: Privacy ........ 263
Technology Transfer Session ........ 291
Training and Educational Innovation Session ........ 301
RENIC Awards ........ 343
Sponsors ........ 349
Executive Committee
Juan Díez González, INCIBE
Luis Javier García Villalba, Universidad Complutense de Madrid
Eduardo Fernández-Medina Patón, Universidad de Castilla-La Mancha
Guillermo Suárez-Tangil, IMDEA Networks Institute
Andrés Caro Lindo, Universidad de Extremadura
Pedro García Teodoro, Universidad de Granada (RENIC network representative)
Noemí de Castro García, Universidad de León
Rafael María Estepa Alonso, Universidad de Sevilla
Pedro Peris López, Universidad Carlos III de Madrid

Organizing Committee
Chairs of the Organizing Committee
Eduardo Fernández-Medina Patón, Universidad de Castilla-La Mancha
Manuel Ángel Serrano Martín, Universidad de Castilla-La Mancha
Finance
David García Rosado, Universidad de Castilla-La Mancha
Luis Enrique Sánchez Crespo, Universidad de Castilla-La Mancha
Proceedings
Antonio Santos-Olmo Parra, Universidad de Castilla-La Mancha
Dissemination
Julio Moreno García-Nieto, Universidad de Castilla-La Mancha
José Antonio Cruz Lemus, Universidad de Castilla-La Mancha
María A. Moraga de la Rubia, Universidad de Castilla-La Mancha
Webmaster
Aurelio José Horneros Cano, Universidad de Castilla-La Mancha
Logistics and Organization
Ignacio García-Rodriguez de Guzmán, Universidad de Castilla-La Mancha
Ismael Caballero Muñoz-Reja, Universidad de Castilla-La Mancha
Gregoria Romero Grande, Universidad de Castilla-La Mancha
Natalia Sanchez Pinilla, Universidad de Castilla-La Mancha

Scientific Programme Committee
Chair
Cristina Alcaraz Tello, Universidad de Málaga
Members
Aitana Alonso Nogueira, INCIBE
Marcos Arjona Fernández, ElevenPaths
Ana Ayerbe Fernández-Cuesta, Tecnalia
Marta Beltrán Pardo, Universidad Rey Juan Carlos
Carlos Blanco Bueno, Universidad de Cantabria
Jorge Blasco Alís, Royal Holloway, University of London
Pino Caballero-Gil, Universidad de La Laguna
Andrés Caro Lindo, Universidad de Extremadura
Jordi Castellà Roca, Universitat Rovira i Virgili
José M. de Fuentes García-Romero de Tejada, Universidad Carlos III de Madrid
Jesús Esteban Díaz Verdejo, Universidad de Granada
Josep Lluis Ferrer Gomila, Universitat de les Illes Balears
Dario Fiore, IMDEA Software Institute
David García Rosado, Universidad de Castilla-La Mancha
Pedro García Teodoro, Universidad de Granada
Luis Javier García Villalba, Universidad Complutense de Madrid
Iñaki Garitano Garitano, Mondragon Unibertsitatea
Félix Gómez Mármol, Universidad de Murcia
Lorena González Manzano, Universidad Carlos III de Madrid
María Isabel González Vasco, Universidad Rey Juan Carlos I
Julio César Hernández Castro, University of Kent
Luis Hernández Encinas, CSIC
Jorge López Hernández-Ardieta, Banco Santander
Javier López Muñoz, Universidad de Málaga
Rafael Martínez Gasca, Universidad de Sevilla
Gregorio Martínez Pérez, Universidad de Murcia
David Megías Jiménez, Universitat Oberta de Cataluña
Luis Panizo Alonso, Universidad de León
Fernando Pérez González, Universidad de Vigo
Aljosa Pasic, ATOS
Ricardo J. Rodríguez, Universidad de Zaragoza
Fernando Román Muñoz, Universidad Complutense de Madrid
Luis Enrique Sánchez Crespo, Universidad de Castilla-La Mancha
José Soler, Technical University of Denmark-DTU
Miguel Soriano Ibáñez, Universidad Politécnica de Cataluña
Victor A. Villagrá González, Universidad Politécnica de Madrid
Urko Zurutuza Ortega, Mondragon Unibertsitatea
Lilian Adkinson Orellana, Gradiant
Juan Hernández Serrano, Universitat Politécnica de Cataluña

Training and Educational Innovation Programme Committee
Chair
Noemí De Castro García, Universidad de León
Members
Adriana Suárez Corona, Universidad de León
Raquel Poy Castro, Universidad de León
José Carlos Sancho Núñez, Universidad de Extremadura
Isaac Agudo Ruiz, Universidad de Málaga
Ana Isabel González-Tablas Ferreres, Universidad Carlos III de Madrid
Xavier Larriva, Universidad Politécnica de Madrid
Ana Lucila Sandoval Orozco, Universidad Complutense de Madrid
Lorena González Manzano, Universidad Carlos III de Madrid
María Isabel González Vasco, Universidad Rey Juan Carlos
David García Rosado, Universidad de Castilla-La Mancha
Sara García Bécares, INCIBE

Technology Transfer Committee
Chair
Guillermo Calvo Flores, INCIBE
Members
José Luis González Sánchez, COMPUTAEX
Marcos Arjona Fernández, ElevenPaths
Victor Villagrá González, Universidad Politécnica de Madrid
Luis Enrique Sánchez Crespo, Universidad de Castilla-La Mancha
Research Session B3: Emerging technologies and cybersecurity training
http://doi.org/10.18239/jornadas_2021.34.52

Exploring the Affordances of Multimodal Data to Improve Cybersecurity Training with Cyber Range Environments

Mariano Albaladejo-González, Sofia Strukova, José A. Ruipérez-Valiente, Félix Gómez Mármol
Department of Information and Communications Engineering, University of Murcia
Calle Campus Universitario, 30100 Murcia (Spain)
{mariano.albaladejog, strukovas, jruiperez, felixgm}@um.es

Abstract—During the last years, the constant cybersecurity breaches being reported are underlining the necessity of raising the number of cybersecurity experts that can tackle such threats. In this sense, educational technology environments can help to generate more immersive and realistic environments, and within this context, cyber range systems are one of the foremost solutions. However, these systems might not provide rich and detailed feedback to instructors and students regarding the performance in each cyberexercise. In this paper we discuss the potential of multimodal data, including clickstream, console commands, biometrics, and other sensor data, to improve the feedback and evaluation process in cyber range environments. We present the affordances that these techniques can bring to cybersecurity training as well as a preliminary architecture to implement them. We argue that these technologies can become a new generation of high-quality, realistic, and adaptive cybersecurity training that can have a dual (civil and military) impact on our society.

Index Terms—Cyber range, cybersecurity training, multimodal learning analytics, educational technology.

Type of contribution: Research in progress

I. INTRODUCTION

The last decade has made exceptionally clear the utmost necessity of growing the number and quality of cybersecurity experts that can design secure systems and respond to potential threats. Every week we hear of new security breaches and scandals that jeopardize entire companies and the privacy of their users. The respondents of ISACA's State of Cybersecurity of 2020 indicated that 53% of them were expecting a cyberattack within 12 months. Moreover, Cybersecurity Ventures predicted that cybercrime will produce damages totaling $6 million USD globally in 2021, a prediction which is based on recent year-over-year growth [1]. To face this problem, there is an overall agreement on the need to increase the quality of the training that these specialists receive [2]. However, a research report that interviewed over 300 cybersecurity professionals indicated that only 38% of them are happy with the level of training that they are receiving [3].

In this sense, educational technology training tools can play a pivotal role in the training quality that professionals can receive. Within this context, we are especially focused on cyber ranges, which are well-defined virtualized environments where trainees can carry out practical hands-on activities that resemble real cybersecurity operations much more closely. There are a good number of prominent cyber range examples in the literature [4], [5], [6]. These can represent realistic cybersecurity scenarios in safe sandbox environments where the trainees can attempt to attack a network system (red team) or defend a system against an adversary attack (blue team). These cyberexercises resemble much better the real-world situations that these professionals will need to face when an actual threat emerges.

However, one of the handicaps that the current state of the art of these environments shows is a low emphasis on performing effective automatic evaluations and feedback provision based on the trainee performance in the cyberexercise. For example, a recent literature review on cyber range environments that inspected all the existing ones until today only mentioned that the evaluation can be either done manually (with human intervention) or automatically (based on an algorithm and key variables of the cyberexercise) [7]. The majority of cyber ranges provide very limited feedback on the process that the trainee followed to solve or fail the cyberexercise. For example, a capture-the-flag cyberexercise where an attacker needs to gain admin privileges and access a hidden code [8] might provide as its only feedback to the instructor that the trainee knows said hidden code. Therefore, instructors cannot provide detailed and adapted feedback, nor perform a rich evaluation of the trainee taking into account the diverse factors and actions that happened during the learning process.

To face this ambitious challenge, in this paper we argue for the potential of using multimodal data to improve such evaluation within the context of cyber ranges. To do so, we collect data from multiple sources, including clickstream data, console commands, biometrics and other sensor data. Then, we apply multimodal learning analytics, conducting signal processing and artificial intelligence to transform the raw multimodal data into rich information [9]. In the paper at hand, we present our current advances regarding how these multimodal data can be used to improve the evaluation and feedback of trainees in cyber range environments. More specifically, we have the following two objectives:
• To present the affordances of multimodal data to improve the training process in cyber range environments.
• To propose a preliminary architecture adapted to this specific scenario to accomplish such goal.

The remainder of this paper is organized as follows: In Section II we present an overview of the affordances of multimodal data in cyber range environments, while in Section III we discuss our preliminary architecture. We finalize the paper in Section IV with conclusions and future research lines.

II. MULTIMODAL DATA IN CYBER RANGE ENVIRONMENTS

The essential feature of a cyber range is the provision of isolated and safe environments. For this reason, the core of a cyber range is the virtualization, simulation and/or containerization technologies that support these environments. In addition to these technologies, a cyber range might also include front-end technologies to provide easy access to such environments. Their architecture isolates the users' computers and external networks from the environments that are running malware [10].

We find that in cyber range platforms it is rare to find front-end dashboards that can monitor the results of the cyberexercises. The few cyber ranges that offer a dashboard show shallow information, measuring whether the user has completed the exercise successfully and the time required to do so. Our system aims to expand this state of the art with new measures of user skills and performance when interacting with cyber ranges.

The system requires data that can come from different sources to generate these new measures. For example, the cyber range can generate data related to the users' solution, along with the number of attempts, the typed commands, the proportion of unnecessary commands, and the quality of the solutions. Furthermore, it is easy to collect data related to the user's telemetry by adding keyboard and mouse monitoring tools in the front-end technologies; this is a common practice in websites and apps for real-time and asynchronous tracking [11]. These telemetry data can provide the following information:
• Keyboard patterns. These data are generated when the user writes commands. They include the typing speed and the keystroke duration.
• Clickstream. It represents how the user interacts with the graphic interface of the environment. The clickstream data include the clicked elements, the click frequency, the click duration, and the mouse movement speed.

Our system aims to go further, including data collected by sensors and devices external to the cyber range. A camera and/or a kinetic device can obtain many interesting measures such as eye-tracking and the users' pose, position, and expression [12], [13]. Furthermore, we can add microphones to record the communication between the users [14].

In addition, we propose to measure physiological signals to get richer information about the users' state during the cyberexercises. Depending on the original context for which they are used, there are three types of devices to measure physiological signals: the devices used in the medical field for diagnosis purposes, the devices used for research purposes, and the commercial devices focused on the daily use of end users. Additionally, these devices can be placed on different parts of the body: for example, we can have wristbands, chest straps, and brain-computer interfaces (BCIs) that are worn as a helmet. BCIs measure the electrical activity of the brain and can estimate the emotions and moods of the users during the cyberexercises. The wristbands and chest straps can have different types of sensors to measure the heart rate, the blood pressure, the skin temperature, the oxygen saturation, the electrodermal activity (the measurement of the electrical activity of the skin), and the movement of the user measured through the accelerometers and gyroscopes, among others.

Fig. 1. Potential devices used to monitor the user during the cyberexercises.

Figure 1 represents different devices collecting data throughout the cyberexercises. The system uses all the collected data to calculate additional user performance metrics and skills. The users' emotions during the cyberexercises can be estimated and classified depending on the valence and arousal degrees [15]. The valence represents the level of positive or negative affectivity, and the arousal the calming or excitement level. Thereby, we could infer states like anger, joy, sadness, and pleasure.

In addition to the user emotions, the system could measure more advanced skills closely related to the necessities of cybersecurity professionals. In real-world environments, cybersecurity professionals can be under much pressure due to the impact of their decisions; for example, failing to detect sniffers on an online shop can end up causing a breach of 40 million card numbers and 70 million personal records stolen [16]. For this reason, it is interesting to evaluate the capacity to work under pressure, for example, through user stress or the attention level [17]. Moreover, cyberattacks and their consequences can take place over an extended period of time [18]; for this reason, it is also interesting to measure the user fatigue [19]. Teamwork skills are critical for cybersecurity professionals as they will often be part of a larger and multidisciplinary team. The proposed multimodal system can be used to evaluate teamwork skills and how teamwork affects each user. All of these metrics aim to empower instructors with additional information to provide more nuanced feedback and assessment to the cybersecurity students. The final goal is to improve the readiness of the cybersecurity professionals to detect and resolve cybersecurity breaches.

To implement the proposed system, it is essential to consider how invasive the devices are and whether they can be used for extended periods of time. Devices that are too invasive might endanger data collection by reducing user freedom of movement and making the cyber range experience more uncomfortable. Furthermore, it is important to consider the devices' cost, because some of them are quite expensive and can be used only by a single user at a time. Microphones, cameras, kinetics, and wearables are affordable solutions with potential to measure useful constructs.

Finally, all the aforementioned types of data generated by trainees while using cyber range environments hold the potential for being used to adjust the cyberexercises to the current status of each specific trainee. This process, which is known as adaptive learning, has the goal of addressing the unique needs of each user [20]. In our case, we aim to dynamically adapt current cyberexercises to the knowledge of the trainee. Commands and clickstream data, along with the biometric signals of trainees, will allow us to analyze and compare the results of the different simulations to progressively improve subsequent training sessions and, therefore, maintain the optimal balance between the trainees' knowledge and the difficulty of each exercise.

III. PRELIMINARY ARCHITECTURE

A. Description of the training process

Our system is used by: 1) the trainees, who interact with the learning contents and generate the raw data, and 2) the instructors, who are experienced teachers in the cybersecurity field responsible for keeping track of how the trainees are progressing and providing them with relevant feedback. Accordingly, the instructor first provides the trainees with the cyberexercises they must solve and afterward reviews the results represented in the dashboard in an easy and understandable way. This helps to build the feedback that the trainees will receive and to choose the most suitable cyberexercises for future users with similar knowledge.

The training process starts when the instructor distributes the cyberexercises across the trainees. While the latter are solving the tasks, our system collects the various data types described in the previous section. Then, these data are processed and analyzed in order to populate the dashboard with all the information about the cybersecurity development of each trainee.

B. Overview of the Architecture

Figure 2 presents the overview of the architecture of the cyber range environment with the multimodal learning analytics, and how the following components are connected within the system:
• Cyber range. The cyber range system is the origin of the learning process. When trainees interact in their cyber range environment, a large amount of raw multimodal data is generated, issued, collected, and stored in the web server. We implement the event emission process using the Experience API schema (xAPI 1) to make the rest of the parts of the architecture agnostic of the specific cyber range system implemented.
• Data collection. The data collected within the cyber range include a wide variety of trainee actions, as well as the external sensors and devices. We use REpresentational State Transfer API (RESTful API) endpoints to send these data to the web server. There are several challenges regarding the ethical and security considerations of obtaining that data from the trainees. Thus, the collected personal data is encrypted and protected by applying appropriate technical and organizational measures according to the General Data Protection Regulation (GDPR).
• Data processing and analytics. This step aims to measure and evaluate the development of the trainees regarding their cybersecurity skills. An Extract, Transform, and Load (ETL) procedure is employed in order to extract the needed data from the database, transform them into a proper storage structure for querying and analysis, and finally load them into a final database. Due to its large size, the processing cannot be performed in real time. Therefore, we make use of cron jobs to launch the data processing scripts at scheduled times.
• Visualization dashboard. The last step consists in providing useful and effective visualizations to both the trainees and the instructors. This is done through the dashboard, which represents an activity and performance measurement interface. Specifically, we can see general statistics presenting the overall progress across the cyberexercises, or active time, to name some examples. We can also see more complex measurements such as the capacity to work under pressure and concentration level. Trainees can access only their own data, while instructors can access the information of each trainee individually or see the aggregation of the entire class. At the same time, we also develop models that can evaluate trainees' competencies based on which cyberexercises they have been able to complete.

1 https://xapi.com/

[Fig. 2 diagram: Instructor and Trainee interact with the web application system, in which the Cyber range feeds Data collection (commands, clickstream, and biometric data), which feeds the Individual and Class databases, then Data processing and analytics, and finally the Visualization dashboard.]
Fig. 2. Preliminary architecture of the cyber range environment with the multimodal learning analytics web application.

IV. CONCLUSIONS AND FUTURE WORK

Raising a new generation of cybersecurity professionals during the 21st century is vital to have a secure digitized world and economy. However, the specialized training of these professionals is a challenging task. Cyber range environments represent a great asset that complements more traditional cybersecurity training in order to practice hands-on cyberexercises that can resemble real scenarios where trainees need to attack and/or defend a system in real time. However, the current feedback that cyber ranges provide to instructors regarding the performance of their trainees is quite scarce. In some cases we find that the instructors do not know more than whether the cyberexercise was completed or not, with no information about the process at all. This approach is definitely not sufficient to provide just-in-time support and feedback to the students in order to improve the learning process, especially when we want to scale cyber range case studies with entire classes getting trained simultaneously.

In this paper we have argued for the potential that multimodal data can have to improve the training process when using cyber ranges. We can collect different data in various modalities like clickstream, console commands, biometrics or audiovisual data, apply signal processing and artificial intelligence techniques, and produce measures to assess ideal solution pathways, capacity to work under pressure, or concentration, which are key capacities to become a successful cybersecurity professional. Moreover, these techniques can have a dual impact on our society. First, on the civil side, we can use them to improve the academic training of students undertaking degrees related to cybersecurity and also on professional programs training cybersecurity professionals. Second, on the military side, we can use the same approach to improve the cyberdefence capabilities that a state may have to protect the cyberspace. Depending on the critical nature of the position of each professional getting trained, more or less invasive data collection approaches can be applied.

The future steps that we envision are multifaceted. First, we are working on developing this architecture as generically as possible, using different data sources and sensors. Then, we are planning to deploy several cyber ranges on controlled premises and make this architecture as interoperable as possible. Then, we will conduct case studies with students undertaking security classes and with cybersecurity profes-

References
[7] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros, R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens, "A review of cyber-ranges and test-beds: current and future trends," Sensors, vol. 20, no. 24, p. 7148, 2020.
[8] K. Leune and S. J. Petrilli Jr, "Using capture-the-flag to enhance the effectiveness of cybersecurity education," in Proceedings of the 18th Annual Conference on Information Technology Education, 2017, pp. 47–52.
[9] X. Ochoa and M. Worsley, "Augmenting learning analytics with multimodal sensory data," Journal of Learning Analytics, vol. 3, no. 2, pp. 213–219, 2016.
[10] E. Ukwandu, M. A. B. Farah, H. Hindy, D. Brosset, D. Kavallieros, R. Atkinson, C. Tachtatzis, M. Bures, I. Andonovic, and X. Bellekens, "A review of cyber-ranges and test-beds: Current and future trends," Sensors, vol. 20, no. 24, 2020.
sionals in order to collect data and prove the viability of the [11] Whatpulse. Accessed: 2021-03-21. [Online]. Available: https: architecture. Finally, we will validate that this approach is /whatpulse.org improving the overall training process. [12] P. Joshi, OpenCV by example : enhance your understanding of computer vision and image processing by developing real-world projects in ACKNOWLEDGMENTS OpenCV 3. Birmingham: Packt Publishing, 2016. [13] J. St. Jean, Kinect hacks, 1st ed., ser. Hacks. Beijing ; Sebastopol, This work has been partially funded by project COBRA CA: O’Reilly, 2012, oCLC: ocn764382938. (10032/20/0035/00), awarded by the Spanish Ministry of [14] D. Yu and L. Deng, Automatic Speech Recognition. Springer London, 2015. Defense, as well as the fellowships FJCI-2017-34926 and [15] L. Santamaria-Granados, M. Munoz-Organero, G. Ramirez-González, RYC-2015-18210, awarded by the Govern of Spain and co- E. Abdulhay, and N. Arunkumar, “Using deep convolutional neural net- funded by European Social Funds. work for emotion detection on a physiological signals dataset (amigos),” IEEE Access, vol. 7, pp. 57–67, 2019. R EFERENCES [16] X. Shu, K. Tian, A. Ciambrone, and D. Yao, “Breaking the target: An analysis of target data breach and lessons learned,” CoRR, vol. [1] P. Morgan, “Cybercrime facts and statistics. 2021 Report: Cyberwarfare abs/1701.04940, 2017. in the C-Suite,” Cybersecurity Ventures, Tech. Rep., 2021. [17] S. Sriramprakash, V. D. Prasanna, and O. R. Murthy, “Stress detection [2] B. E. Endicott-Popovsky and V. M. Popovsky, “Application of ped- in working people,” Procedia Computer Science, vol. 115, pp. 359– agogical fundamentals for the holistic development of cybersecurity 366, 2017, 7th International Conference on Advances in Computing & professionals,” ACM Inroads, vol. 5, no. 1, pp. 57–68, 2014. Communications, ICACC-2017, 22-24 August 2017, Cochin, India. [3] J. Oltsik, C. Alexander, and C. CISM, “The life and times of cyberse- [18] G. 
Somani, M. S. Gaur, D. Sanghi, M. Conti, and R. Buyya, “Ddos curity professionals,” ESG and ISSA: Research Report, 2017. attacks in cloud computing: Issues, taxonomy, and future directions,” [4] J. Vykopal, M. Vizváry, R. Oslejsek, P. Celeda, and D. Tovarnak, Computer Communications, vol. 107, pp. 30–48, 2017. “Lessons learned from complex hands-on defence exercises in a cyber [19] S. Huang, J. Li, P. Zhang, and W. Zhang, “Detection of mental fatigue range,” in 2017 IEEE Frontiers in Education Conference (FIE). IEEE, state with wearable ecg devices,” International Journal of Medical 2017, pp. 1–8. Informatics, vol. 119, pp. 39–46, 2018. [5] C. Pham, D. Tang, K.-i. Chinen, and R. Beuran, “Cyris: a cyber range [20] M. Liu, E. McKelroy, S. B. Corliss, and J. Carrigan, “Investigating instantiation system for facilitating security training,” in Proceedings of the effect of an adaptive learning intervention on students’ learning,” the Seventh Symposium on Information and Communication Technology, Educational technology research and development, vol. 65, no. 6, pp. 2016, pp. 251–258. 1605–1625, 2017. [6] M. Rosenstein and F. Corvese, “A secure architecture for the range- level command and control system of a national cyber range testbed,” in Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test, 2012, pp. 1–1. 234
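The following Python sketch is an added example, not the authors' code, and it ties together two points of Section III: the xAPI-shaped event emission that keeps the collection side agnostic of the concrete cyber range, the RESTful collection endpoint that must protect the trainees' personal data, and the dashboard access rule (trainees read only their own data, instructors read one trainee or the class aggregate). Everything concrete in it is an assumption of the example: the IRI namespace, the verb vocabulary (the paper lists none; only http://adlnet.gov/expapi/verbs/completed is a standard ADL verb), the in-memory store that stands in for the REST endpoint and the individual/class databases, and keyed hashing (HMAC-SHA256) of the trainee identity as one concrete instance of the "technical measures" the paper mentions, where the paper itself speaks of encryption.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed key for this example only; a deployment would load it from a secrets manager.
PSEUDONYM_KEY = b"example-key-replace-me"
HOME = "http://example.org/cyberrange"  # assumed IRI namespace, not the paper's

# Verb IRIs assumed for the example; the paper does not list its vocabulary.
VERBS = {
    "executed": f"{HOME}/verbs/executed",                     # console command
    "clicked": f"{HOME}/verbs/clicked",                       # clickstream event
    "completed": "http://adlnet.gov/expapi/verbs/completed",  # standard ADL verb
}
EXT_COMMAND = f"{HOME}/ext/command"  # assumed extension keys (xAPI requires IRIs)
EXT_TARGET = f"{HOME}/ext/target"


def pseudonymise(trainee_id: str) -> str:
    """Keyed hash of the trainee identity, so stored events never carry it in clear."""
    return hmac.new(PSEUDONYM_KEY, trainee_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_statement(trainee_id, verb, exercise_id, extensions=None, ts=None):
    """Build one xAPI-shaped statement (actor, verb, object, timestamp, context)."""
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}")
    ts = ts or datetime.now(timezone.utc)
    return {
        "actor": {"objectType": "Agent",
                  "account": {"homePage": HOME, "name": pseudonymise(trainee_id)}},
        "verb": {"id": VERBS[verb], "display": {"en-US": verb}},
        "object": {"objectType": "Activity", "id": f"{HOME}/exercises/{exercise_id}"},
        "timestamp": ts.isoformat(),
        "context": {"extensions": extensions or {}},
    }


def validate_statement(stmt):
    """Accept only well-formed statements: the collector sees xAPI, never a range-specific format."""
    for key in ("actor", "verb", "object", "timestamp"):
        if key not in stmt:
            raise ValueError(f"missing field {key!r}")
    if not stmt["verb"].get("id", "").startswith("http"):
        raise ValueError("verb id must be an IRI")
    datetime.fromisoformat(stmt["timestamp"])  # raises ValueError if malformed
    return True


def is_valid(stmt):
    """Boolean wrapper around validate_statement for callers that do not want exceptions."""
    try:
        return validate_statement(stmt)
    except (ValueError, TypeError, AttributeError):
        return False


class Collector:
    """Stand-in for the REST collection endpoint plus the individual and class databases."""

    def __init__(self):
        self.by_actor = defaultdict(list)

    def ingest(self, stmt):
        validate_statement(stmt)
        actor = stmt["actor"]["account"]["name"]
        self.by_actor[actor].append(stmt)
        return len(self.by_actor[actor])

    @staticmethod
    def can_view(role, requester_id, target_id=None):
        """Trainees may only read their own data; instructors may read any trainee or the class."""
        if role == "trainee":
            return target_id in (None, requester_id)
        return role == "instructor"

    def view(self, role, requester_id, target_id=None):
        if not self.can_view(role, requester_id, target_id):
            raise PermissionError(f"{role} {requester_id!r} may not view {target_id!r}")
        if role == "trainee":
            return self.by_actor.get(pseudonymise(requester_id), [])
        if target_id is not None:
            return self.by_actor.get(pseudonymise(target_id), [])
        return self.class_summary()

    def class_summary(self):
        """Aggregate dashboard view: completions and commands per pseudonymised trainee."""
        return {
            actor: {
                "completed": sum(s["verb"]["id"] == VERBS["completed"] for s in stmts),
                "commands": sum(s["verb"]["id"] == VERBS["executed"] for s in stmts),
            }
            for actor, stmts in self.by_actor.items()
        }


def demo():
    """Constructed sample session (two trainees, one exercise); not real trainee data."""
    c = Collector()
    t0 = datetime(2021, 6, 9, 10, 0, tzinfo=timezone.utc)
    c.ingest(make_statement("alice", "executed", "ex1", {EXT_COMMAND: "ls -la"}, t0))
    c.ingest(make_statement("alice", "completed", "ex1", None, t0 + timedelta(minutes=12)))
    c.ingest(make_statement("bob", "clicked", "ex1", {EXT_TARGET: "hint-button"}, t0))
    c.ingest(make_statement("bob", "executed", "ex1", {EXT_COMMAND: "cat notes.txt"}, t0 + timedelta(minutes=3)))
    return c


if __name__ == "__main__":
    print(demo().view("instructor", "instructor-1"))
```

The access check is deliberately a pure function (`can_view`) separate from the data lookup, so the same rule can be enforced at the REST layer and again in the dashboard without either side reimplementing it; the class summary is keyed by pseudonym, which means an instructor's aggregate view never needs the clear-text identity either.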