Person:
Berrueta Irigoyen, Eduardo

Last Name

Berrueta Irigoyen

First Name

Eduardo

Department

Ingeniería Eléctrica, Electrónica y de Comunicación

ORCID

0000-0002-0076-4479

UPNA

811478

Search Results (9 publications)
  • Publication (Open Access)
    A survey on detection techniques for cryptographic ransomware
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications. This is a detailed survey that focuses on detection algorithms, compared to most previous studies that offer a survey of ransomware families or isolated proposals of detection algorithms. We also compared the results of these proposals.
  • Publication (Open Access)
    Ransomware early detection by the analysis of file sharing traffic
    (Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
  • Publication (Open Access)
    Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
    (Elsevier, 2022) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
    Ransomware is considered a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and, using machine learning techniques, it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity of opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected.
  • Publication (Open Access)
    Open repository for the evaluation of ransomware detection tools
    (IEEE, 2020) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.
  • Publication (Open Access)
    High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP) and therefore its analysis requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full reconstruction analysis, both in accuracy of the measurements and maximum rate per CPU core. We achieve an increment of 30% in the traffic processing rate, at the expense of a small loss in accuracy when computing the probability distribution function for the protocol response times.
  • Publication (Open Access)
    Testing tool of SDN controllers’ performance
    (2016) Berrueta Irigoyen, Eduardo; Serrano Arriezu, Luis Javier; Bianco, Andrea; Giaccone, Paolo; Escuela Técnica Superior de Ingenieros Industriales y de Telecomunicación; Telekomunikazio eta Industria Ingeniarien Goi Mailako Eskola Teknikoa; Politecnico di Torino (Italia)
    SDN controllers, together with the network applications running on top of them, can be seen as "network brains". Those applications apply the control logic and install commands in the data plane. The performance of those applications is therefore very important for an SDN controller and, consequently, for the network it manages. For this reason, the purpose of this thesis is to adapt OFCProbe (an existing evaluation tool) in order to assess the performance of some processes of the applications running on top of the SDN controller. Our new tool, denoted CPBeT, changes the network topology in real time in order to load the shortest-path algorithm on the controller. CPBeT generates a specific amount of OpenFlow control traffic through the network and forces the controller to process a large number of packets. CPBeT builds a virtual network with virtual switches and hosts, giving us control over the topology, number of hosts, packet generation, etc. The experimental part of this work evaluates the behaviour of an L2 network application running on top of a Floodlight controller with a time-varying topology, which is the worst case for the shortest-path algorithm. We analyse the CPU and RAM usage on the controller while changing some parameters of the experiments, such as hosts, topology or rate of topology change, and we demonstrate the effect of the shortest-path computation on the controller and how many devices the controller can manage before it saturates. Once the controller is saturated, we analyse its behaviour and the reasons that cause that saturation.
  • Publication (Open Access)
    Ransomware encrypted your files but you restored them from network traffic
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    In a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links, in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities of one of these tools in order to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications made after the last snapshot of periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures needed to process the actions of users that could be simultaneously working on the same file. A proof of concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.
  • Publication (Open Access)
    Ransomware detection algorithm based on SMB traffic in networks with shared directories (REDFISH)
    (2018) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Escuela Técnica Superior de Ingenieros Industriales y de Telecomunicación; Telekomunikazio eta Industria Ingeniarien Goi Mailako Eskola Teknikoa
    This work presents a solution for detecting a ransomware infection on a host in a local network with directories shared over SMB on one or more servers. It is based on the analysis of traffic from versions 1 and 2 of this protocol, on the number of bytes read and written, and on the deletions the user performs on files on the server. Three parameters that characterise the algorithm must be set (N, T and Vumbral), and they determine the number of files the ransomware will encrypt before it is detected. Although those N files will be encrypted in every case in which the ransomware is detected, a recovery tool has been developed to recover these files, so the tool can be considered lossless. The results are 100 % ransomware detection with a false positive probability below 1 % on most of the days tested. The tests were carried out with a total of 53 different ransomware samples from 18 different families, running in a virtualised environment. False positives were evaluated with samples of user traffic from 6 working days on the UPNA local network and 1 full day on another corporate network.
  • Publication (Open Access)
    Development and analysis of crypto-ransomware detection models based on file-sharing traffic
    (2022) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
    Nowadays information has become a highly valued asset for both users and companies. Since 2015, attacks aimed at hijacking this information and demanding a financial ransom for its recovery have grown in importance. These are the so-called 'crypto-ransomware'. During this work, more than 90 different ransomware variants were analysed, trying to establish common behaviour patterns in order to detect a user's infection. Although they affect home users and companies alike, the latter are the most harmed by an infection, since it usually carries a very high economic cost due to the interruption of their activity. Moreover, their data files are hosted on central servers to which all employees have access. A single infected user can cause enormous losses of information that is very valuable to the company. In this thesis we focus on this type of scenario, in which information is hosted on central servers that users access from their machines. The detection strategy followed has been to capture, at an intermediate point, the traffic exchanged between users and servers and to analyse it in search of known ransomware traffic patterns. In a first piece of work, a tool was developed based on the type of operation each user performs on the server's files, which requires analysing every message of the file-sharing protocol. Detection of 100% of the binaries studied was achieved with a very low false positive rate (1 every 15 days in networks with 300 users). However, its main limitation is that it is not effective in cases where the file-sharing protocol is encrypted on the network, which is common in modern versions.
    To overcome this limitation, another model is developed, now based on traffic patterns rather than on the type of operations users execute. To establish patterns among the features, several machine learning and deep learning models are compared, analysing their results and choosing the one that best fits our scenario. Once the model is selected, its evolution is analysed chronologically as if it had been deployed in a real environment and trained with the ransomware variants that appeared from 2015 to 2021. The results are presented and conclusions are drawn on the need to keep the model continuously trained in order to improve detection efficiency. As a result of studying the behaviour of the more than 90 binaries, the traffic traces studied have been published in an open-access repository, together with the sequence of operations carried out by the ransomware on the files hosted on the server.