Person: Berrueta Irigoyen, Eduardo
Loading...
Email Address
person.page.identifierURI
Birth Date
Research Projects
Organizational Units
Job Title
Last Name
Berrueta Irigoyen
First Name
Eduardo
person.page.departamento
Ingeniería Eléctrica, Electrónica y de Comunicación
person.page.instituteName
ORCID
0000-0002-0076-4479
person.page.upna
811478
Name
4 results
Search Results
Now showing 1 - 4 of 4
Publication Open Access A survey on detection techniques for cryptographic ransomware(IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications. This is a detailed survey that focuses on detection algorithms, compared to most previous studies that offer a survey of ransomware families or isolated proposals of detection algorithms. We also compared the results of these proposals.Publication Open Access Ransomware early detection by the analysis of file sharing traffic(Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.Publication Open Access Ransomware encrypted your files but you restored them from network traffic(IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónIn a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links, in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities in one of these tools in order to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications posterior to the last snapshot of periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures in order to process the actions of users that could be simultaneously working on the same file. A proof of concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.Publication Open Access Algoritmo de detección de ransomwares mediante tráfico SMB en redes con directorios compartidos (REDFISH)(2018) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Escuela Técnica Superior de Ingenieros Industriales y de Telecomunicación; Telekomunikazio eta Industria Ingeniarien Goi Mailako Eskola TeknikoaEste trabajo presenta una solución para detectar una infección por ransomware en un equipo de una red local con directorios compartidos por SMB en uno o varios servidores. Se basa en el análisis de tráfico de las versiones 1 y 2 de este protocolo, en la cantidad de bytes leídos y escritos y en las eliminaciones que haga el usuario en ficheros del servidor. Deben establecerse tres parámetros que caracterizarán al algoritmo (N, T y Vumbral), y que determinarán la cantidad de ficheros que encriptará el ransomware antes de su detección. Aunque esos N ficheros van a ser encriptados en todos los casos en que se detecte el ransomware, se ha desarrollado una herramienta de recuperación para conseguir recuperar estos ficheros, de forma que podemos considerar la herramienta como sin pérdidas. Los resultados son del 100 % de detección de ransomware con una probabilidad de falso positivo menor del 1 % en la mayoría de los días testeados. Las pruebas se han realizado con un total de 53 muestras distintas de ransomware de 18 familias diferentes, corriendo en un entorno virtualizado. Los falsos positivos se han evaluado con muestras de tráfico de usuario de 6 días laborables en la red local de la UPNA y 1 día completo en otra red empresarial.