Information and Network Technologies

Information and Network Security and Privacy

Thesis proposal Researchers Research group

Digital media security, privacy and forensics (steganography, watermarking, fingerprinting and steganalysis)

The security and privacy of digital media content has been attracting the attention of academia and industry for the past two decades. Since copies of digital content can be made without any loss and at no cost, content vendors and producers are trying to design mechanisms either to avoid or to detect unauthorized copies. Steganography, watermarking and fingerprinting for image, audio and video content are being investigated by different groups worldwide in order to produce practical solutions to these kinds of problems while at the same time satisfying requirements such as security, privacy, capacity, robustness and transparency.

Steganography is also used to send concealed messages in an apparently innocent cover object. Steganalysis techniques are being developed in order to detect whether a multimedia object contains secret information which may be used for malicious purposes.

In general, these topics belong to computer forensic techniques that can be used to provide legal evidence of illegal or criminal actions. This line of research is related to all these issues, with a special focus on networked distribution systems such as online social networks or peer-to-peer applications.

Dr David Megías



Security and Privacy in the Internet of Things (SP@IoT)

The Internet of things (IoT) refers to the internetworking of devices (including smartphones), vehicles, embedded systems, sensors, actuators, and other hardware and software components, which enables these objects to collect and exchange data. These data can be used later on (or in real time) for a wide variety of applications. For example, samples of the mobility patterns of a group of people can be used for designing new and more efficient public transportation systems.

Despite the advantages that this information can provide (for example, advising individuals on specific routes to avoid traffic jams), it is clear that the collection and storage of such data raises important ethical issues, such as those concerning information security and users’ privacy. It is essential that the storage and processing of this information is carried out in a way that ensures the privacy of individuals whose data are collected or who want to enjoy the benefits of this technology.

The project involves designing systems that allow data collection with the required degree of privacy through the use of specific cryptographic protocols, combined with data mining and managing large amounts of data (big data).

Dr David Megías



Privacy-preserving in Data Mining

In recent years, the amount of data made publicly available has increased explosively. Embedded within this data there is private information about users and, therefore, data owners must respect users’ privacy when releasing datasets to third parties. In this scenario, anonymization processes become an important concern. Privacy may be breached in various ways, depending on data types. For instance, medical datasets are published as database tables, so linking this information with publicly available datasets may disclose the identity of some individuals; social network data is usually published as graphs, and there are adversaries that can infer the identity of the users by solving a set of restricted graph isomorphism problems; location privacy concerns the data from phone call networks or applications like Foursquare; and so on.

The simple technique of anonymizing networks by removing identifiers before publishing the actual data does not guarantee privacy. Therefore, various approaches and methods have been developed to deal with each data type and each breach of privacy. The aim of this research is to develop privacy-preserving methods and algorithms that guarantee the users' privacy while keeping data utility as close as possible to the original data. These methods have to achieve a trade-off between data privacy and data utility. Consequently, several data mining tasks must be considered in order to quantify the information loss produced on anonymous data.

Due to its nature, privacy-preserving data mining (PPDM) involves some very relevant and interesting topics, such as security and privacy issues to ensure anonymity, data mining and machine learning to evaluate data utility and information loss, and also aspects related to big data.


Dr Jordi Casas

Mail: jcasasr@uoc.edu

Privacy in community networks

Many online communities exist nowadays: social networks, open source development, Wikipedia, Wikileaks, etc. These communities generate and share a lot of data, which is commonly hosted on resources belonging to entities not directly related to the participants in the community. This poses a privacy risk for the users, whose profiles (friends, beliefs, political tendencies, hobbies) and routines can be publicly exposed and inappropriately used.

The aim of this research is the design of a system that allows for powerful community networks while protecting end-users from surveillance and censorship. The system must allow free data interchange between the trusted community members, but must guarantee that users can keep a desired degree of anonymity and unlinkability with respect to both community members and external users, and that no sensitive information can be inferred by means of data mining or traffic analysis.


Dr Joan Manuel Marquès

Mail: jmarquesp@uoc.edu

Dr Helena Rifà

Mail: hrifa@uoc.edu






Blockchain, and more broadly Distributed Ledger Technology (DLT), has proven to go far beyond cryptocurrencies and is transforming certain industries, enabling new business models based on decentralized services. Blockchain can contribute to security and privacy and helps remove intermediaries, empowering final users and making possible new use cases that were not feasible previously. Currently, blockchain projects include proposals in many areas, such as cryptocurrencies, payment systems, supply chains, e-health, e-voting, decentralized identity, collaborative economy, etc.

Within this area of research, we seek not only to improve current blockchain technology, researching ways to enhance security, privacy, scalability, efficiency and other properties of current systems, but also to propose innovative decentralized services in which blockchain is a key component.

Moreover, blockchains are no longer used only to transact within the chain, but also as a base for building second layer protocols that benefit from the security properties the blockchain offers while overcoming some of its limitations. The Lightning Network is one of the best-known second layer protocols, allowing fast payments over Bitcoin. Enforcing the security and privacy properties of these layer-two protocols when they are deployed in real settings is a topic of huge interest that currently captures the enthusiasm of an important part of the cryptocurrency research community. Projects related to the security and privacy of existing second layer protocols, as well as to the design of new layer-two protocols, are also covered by this research line.

Dr Víctor García Font

Mail: vgarciafo@uoc.edu


Dr Cristina Pérez Solà

Mail: cperezsola@uoc.edu

Security in Cyber-physical Systems
In recent years, there has been exponential growth in the development and deployment of cyber-physical systems (CPSs), which are systems that effectively integrate cyber and physical components using modern sensor, computing and network technologies. Data captured from physical objects is transferred through networks to a control system. Architectures composed of edge, fog and cloud computing handle and process the data, and the resulting decisions are issued as actions to the physical objects.
Various vulnerabilities, threats, attacks and controls have been introduced for CPSs.
One of the main characteristics of cyber threats is that they are scalable, i.e. they are easily automated and replicated, and they can even be distributed freely through unreliable domains. Examples of threats are:
- Creation of botnets to perform DDoS attacks
- Eavesdropping on communication channels between the sensors and the controller, and between the controller and the actuator
- Perverting data provenance (the recording, management and retrieval of information about the origin and history of data), etc.
This research line focuses on developing methodologies and protocols that can meet the security properties (data authentication, confidentiality, integrity, reliability, non-repudiation, accountability and availability) of a sensor-edge-fog-cloud architecture.


Dr Carles Garrigues

Mail: cgarrigueso@uoc.edu


Dr Helena Rifà

Mail: hrifa@uoc.edu

Digital Chain of Custody in computer forensics
The thesis focuses on the proposal to create a "Digital Chain of Custody" to ensure that digital evidence (information or data, stored or transmitted in binary form, which has been determined, through the process of analysis, to be relevant to the investigation) will be accepted in international court proceedings, by guaranteeing the principles of identification, preservation, securing and subsequent analysis.
Once a clear procedure has been established, the second part will follow: creating a device that is able to comply with the procedure and that takes into account a set of items such as digital evidence acquisition and its associated metadata (video, audio, photographs or files in general), probe localization, timestamping and secure communication capabilities. This device will be the starting point of the "Chain".

Dr Jordi Serra

Mail: jserrai@uoc.edu


Tampering detection in multimedia content

A new study of methods and applications for detecting tampered multimedia content. Using Machine Learning and Artificial Intelligence techniques, together with techniques from steganography and steganalysis, the final method and application will detect any modification of media content, whether sound, video or images.


Dr Jordi Serra

Mail: jserrai@uoc.edu

User-centered privacy-enhancing technologies
Data mining technologies have been constantly improving over the last 20 years; increasing computational power and storage capacity have allowed impressive accomplishments in Artificial Intelligence and Machine Learning algorithms.
This progress has been powered by data collection through pervasive sensing by the Internet of Things and smart devices (such as smart-watches, smart-meters, etc.). As users’ data is collected in real time, this must be carried out in a privacy-preserving manner, not only to fulfill legal and ethical requirements but also to meet individuals’ expectations. A user-centered (or local) approach to privacy protection may increase users’ confidence, through transparency and control.
The aim of this proposal is to develop user-centered technologies for the privacy protection of time series obtained from sensors (such as location, health, behavioral or relational data).
We will study the guarantees provided by aggregation and randomized response methods to attain Local Differential Privacy. We will apply them to protect data that may be used for recommender systems, sequential pattern mining, complex network analysis, predictions and decision making.
The main contributions of this project will be to provide local algorithms for data protection and to analyze and develop strong guarantees of privacy for dynamic data.
Some relevant differentially private technologies are Google’s RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) [1] and the US Census Bureau product called OnTheMap [2].
[1] U. Erlingsson, V. Pihur, and A. Korolova. Rappor: Randomized aggregatable privacy-preserving ordinal response. In CCS, 2014.
[2] A. Machanavajjhala, D. Kifer, J. Abowd, J. Gehrke, and L. Vilhuber. Privacy: Theory meets practice on the map. In ICDE, 2008.
Mail: dmegias@uoc.edu
Mail: jsalaspi@uoc.edu
Security and Privacy in Named Data Networking
Named Data Networking (NDN) is emerging as one of the most promising information-centric future Internet architectures. The project was funded by the U.S. National Science Foundation under its Future Internet Architecture Program and investigates how to evolve today's host-centric network architecture (IP) into a data-centric one (NDN). The goal is to provide a network infrastructure service that is better suited for efficiently accessing and distributing content and that copes better with disconnections, disruptions, and flash crowd effects in the communication service. NDN changes the network model from the current IP model, which delivers packets to a given destination address, to one that fetches data identified by a given name. Data is retrieved from any source holding a copy of the object, enabling efficient and application-independent caching as part of the network service. The authenticity and integrity of the delivered data is established by requiring all data packets to be signed when produced, and this is independent of the delivering host, which can be untrusted.
In NDN, security is established by design, and so the network is more robust and resilient than traditional IP networks. Yet it incurs additional traffic and computational costs to transmit and validate signatures and their related trust data.
It also raises privacy concerns, since data caching entails some risks of information leakage, censorship and surveillance.
This research line focuses on analysing some of the security and privacy issues of NDN and proposing solutions that minimize the risks.

Dr Helena Rifà

Mail: hrifa@uoc.edu

Mail: dmegias@uoc.edu
Mail: jsalaspi@uoc.edu