Silvia Sebastián

Silvia Sebastián

Cybersecurity Researcher

IMDEA Software Institute

Biography

I hold a Ph.D. in Cybersecurity and seven years of experience in Attribution, Web Security, and Threat Intelligence. I am a Cybersecurity Researcher who specializes in building automatic frameworks for cybersecurity analysts who want to carry out tasks such as tracking malware campaigns in mobile markets, labeling massive malware datasets, attributing domains, or identifying impersonation. By pioneering these automatic frameworks, my fellow malware analysts have experienced significant productivity gains while avoiding manual tedious tasks.

Interests
  • Attribution
  • Cyber Intelligence
  • Web Security
  • Privacy
  • Software Development
Education

  • PhD in Software, Systems, and Computing, 2023

    Universidad Politécnica de Madrid

  • Master in Cybersecurity, 2018

    Universidad Carlos III de Madrid

  • BSc in Computer Engineering, 2017

    Universidad Politécnica de Madrid

Skills

Programming Languages

Python, Java, Assembly, SQL, MongoDB, Docker

Threat Intelligence

OSINT, IOC extraction and correlation, Malware Labeling, Data Science, NLP, Clustering, Machine Learning

Web Security

Privacy, Tracker Attribution, Phishing Analysis

Projects

WhoseDomain
Python command line tool to attribute domains and websites, i.e., to identify the entity that owns the domain or website. Given a domain name, if the WHOIS record does not identify a valid owner, then it tries to identify websites hosted on the domain and analyzes their infrastructure and web content to identify the identity of the owner.
Tool
WhoseDomain
IOC Searcher
Python tool to extract indicators of compromise (IOCs), also known as cyber observables, from HTML, PDF, and text files. It can identify both defanged (e.g., URL hxxp://example[DOT]com) and unmodified IOCs (e.g., URL http://example.com).
Code
IOC Searcher
Retriever
A cross-platform and cross-market attribution framework to identify developer accounts in mobile markets that belong to an operation. This approach automatically applies OSINT expansions to build an attribution graph that captures the indicators and how they were discovered, preserving the chain of inferences. Retriever finds more accounts than AV vendors (that use conventional methods) for 94% of the cases.
Poster
Retriever
AVClass
Malware labeling tool that extracts tags from malware samples, enabling rich searches. It is open source and greatly used by the community with more than 500 references and 400 stars on GitHub.
Code
AVClass

Work Experience

 
 
 
 
 
IMDEA Software Institute
Predoctoral Researcher
IMDEA Software Institute
November 2018 – Present Madrid, Spain
  • PhD candidate under the supervision of Juan Caballero at IMDEA Software Institute.
  • Gained extensive knowledge and expertise in Cybersecurity. More specifically in Attribution, Web Security and Cyber Intelligence.
  • Published my research findings in three major conferences within my field.
  • Developed 4 tools to automatize manual process carried out by cybersecurity analysts.

ACHIEVEMENTS:

  • 2018 FPU Grant
  • 2022 JNIC Best Work in Progress
 
 
 
 
 
Eurecom | Norton Research Group
Predoctoral Stay
Eurecom | Norton Research Group
October 2021 – December 2021 Sophia Antipolis, France
  • Industry collaboration (Norton Research Group).
  • Web Security and Online Privacy project.
  • Analyzed the intricate web of trackers.
  • Developed WhoseDomain, an automatic tool to automatically attribute domains (and it’s is publicly available).
  • Research findings are published in the paper “Domain and Website Attribution Beyond Whois” presented at ACSAC 2023.
 
 
 
 
 
Universidad Politécnica de Madrid
Teaching Assistance
Universidad Politécnica de Madrid
September 2019 – August 2021 Madrid, Spain
  • Taught “Concurrency” and “Algorithms and Data Structures” subjects at BSc. in Computer Engineering.
  • In charge of laboratory sessions.
  • Project Design and Evaluation for laboratories.
  • Tutorships.
  • Code Review.
 
 
 
 
 
IMDEA Software Institute
Cybersecurity Internship
IMDEA Software Institute
September 2016 – June 2017 Madrid, Spain
  • Research first contact. It shaped the foundation for my Ph.D. thesis.
  • Working with Telefonica’s application crawler, Tacyt.
  • Deepened in skills such as clustering, API development, and database querying.
  • First approach to peer-review.

ACHIEVEMENTS:

  • The project was recognized as “Best Final Term Project” by Siemens Gamesa and ETSI Informáticos UPM.
 
 
 
 
 
Ontology Engineering Group, Universidad Politécnica de Madrid
Ontology Internship
Ontology Engineering Group, Universidad Politécnica de Madrid
April 2016 – September 2017 Madrid, Spain
  • Ontology background.
  • ReTeLe Project: Linguistic Linked Open Data for the official languages in Spain.

Publications

Silvia Sebastián, Raluca-Georgia Diugan, Juan Caballero, Iskander Sanchez-Rola, Leyla Bilge (2023). Domain and Website Attribution beyond WHOIS. ACSAC'23.

Cite Code Project

Juan Caballero, Gibran Gomez, Srdjan Matic, Gustavo Sanchez, Silvia Sebastián, Arturo Villacañas (2023). The Rise of GoodFATR: A Novel Accuracy Comparison Methodology for Indicator Extraction Tools. FGCS.

PDF Cite Code Project DOI

Silvia Sebastián, Juan Caballero (2020). AVclass2: Massive Malware Tag Extraction from AV Labels. ACSAC'20.

Cite Code Project Video DOI

Silvia Sebastián, Juan Caballero (2020). Towards Attribution in Mobile Markets: Identifying Developer Account Polymorphism. CCS'20.

Cite Project Poster Video DOI

Recent & Upcoming Talks

Domain and Website Attribution Beyond WHOIS
Currently, WHOIS is the main method for identifying which company or individual owns a domain or website. But, WHOIS useful- ness is limited due to privacy protection services and data redaction. We present a novel automated approach for domain and website attribution. When WHOIS data does not reveal the owner, our approach leverages information from multiple other sources such as passive DNS, TLS certificates, and the analysis of website content. We propose a novel ranking technique to select the domain owner among multiple identified entities. Our approach identifies the domain owner with an F1 score of 0.94 compared to 0.54 for WHOIS. When applied on 3,001 tracker domains from the popular Disconnect list, it identifies needed updates to the list. It also attributes 84% of previously unattributed tracker domains.
Dec 6, 2023 1:45 PM 2023 Annual Computer Security Applications Conference Austin, Texas, USA
Silvia Sebastián
Project Follow
Domain and Website Attribution Beyond WHOIS
An Automated Framework for Cybersecurity Attribution and Artefact Relationship Identification
I’m thrilled to announce that my PhD Defense is finally happening! It’s been a road of hard work, long hours, and many cups of tea, but I’m grateful for the opportunity to share my research with the world. 🤓 🕵‍♀️
Nov 20, 2023 3:00 PM Thesis Defense ETSI Informáticos, UPM, Madrid, Spain
Silvia Sebastián
Follow AVClass Retriever WhoseDomain
An Automated Framework for Cybersecurity Attribution and Artefact Relationship Identification
[ES] Atribución de Ciberataques
Os presento mi participación como Finalista en la competición del Simposio de Doctorado 2021 organizado por la Universidad Politécnica de Madrid, cuyo foco es presentar la tesis doctoral en menos de 3 minutos. Aproveché esta oportunidad para dar a conocer mis avances en el área de Atribución de Ciberataques. Os comparto el vídeo que me seleccionó como finalista para el evento así como la presentación en directo de la final.
Jun 25, 2021 9:30 AM Cuéntanos tu tesis / My tesis in a nutshell Madrid, Spain
Silvia Sebastián
Project Video Follow
[ES] Atribución de Ciberataques
AVclass2: Massive Malware Tag Extraction from AV Labels
Tags can be used by malware repositories and analysis services to enable searches for samples of interest across different dimensions. Automatically extracting tags from AV labels is an efficient approach to categorize and index massive amounts of samples. Recent tools like AVclass and Euphony have demonstrated that, despite their noisy nature, it is possible to extract family names from AV labels. However, beyond the family name, AV labels contain much valuable information such as malware classes, file properties, and behaviors. This work presents AVclass2, an automatic malware tagging tool that given the AV labels for a potentially massive number of samples, extracts clean tags that categorize the samples. AVclass2 uses, and helps building, an open taxonomy that organizes concepts in AV labels, but is not constrained to a predefined set of tags. To keep itself updated as AV vendors introduce new tags, it provides an update module that automatically identifies new taxonomy entries, as well as tagging and expansion rules that capture relations between tags. We have evaluated AVclass2 on 42M samples and showed how it enables advanced malware searches and to maintain an updated knowledge base of malware concepts in AV labels.
Dec 9, 2020 12:45 PM 2020 Annual Computer Security Applications Conference Online
Silvia Sebastián
Project Video Follow
AVclass2: Massive Malware Tag Extraction from AV Labels
Towards Attribution in Mobile Markets: Identifying Developer Account Polymorphism
Malicious developers may succeed at publishing their apps in mobile markets, including the official ones. If reported, the apps will be taken down and the developer accounts possibly be banned. Unfortunately, such take-downs do not prevent the attackers to use other developer accounts to publish variations of their malicious apps. This work presents a novel approach for identifying developer accounts, and other indicators of compromise (IOCs) in mobile markets, that belong to the same operation, i.e., to the same owners. Given a set of seed IOCs, our approach explores app and version metadata to identify new IOCs that belong to the same operation. It outputs an attribution graph, which details the attribution inferences, so that they can be reviewed. We have implemented our approach into Retriever, a tool that supports multiple mobile markets including the official GooglePlay and AppleStore. We have evaluated Retriever on 17 rogueware and adware operations. In 94% of the operations, Retriever discovers at least one previously unknown developer account. Furthermore, Retriever reveals that operations that look dead still have active developer accounts.
Nov 11, 2020 1:00 PM 2020 ACM Conference on Computer and Communications Security (ACM CCS'20) Online
Silvia Sebastián
Project Poster Video Follow
Towards Attribution in Mobile Markets: Identifying Developer Account Polymorphism

Contact

If you want to know more about me or exchange ideas, do not hesitate in contacting me.