Person:
Berrueta Irigoyen, Eduardo

Last Name

Berrueta Irigoyen

First Name

Eduardo

Department

Ingeniería Eléctrica, Electrónica y de Comunicación

ORCID

0000-0002-0076-4479

person.page.upna

811478

Search Results

  • Publication (Open Access)
    High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP) and therefore its analysis requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full reconstruction analysis, both in accuracy of the measurements and maximum rate per CPU core. We achieve an increment of 30% in the traffic processing rate, at the expense of a small loss in accuracy computing the probability distribution function for the protocol response times.
  • Publication (Open Access)
    Ransomware early detection by the analysis of file sharing traffic
    (Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
  • Publication (Open Access)
    Open repository for the evaluation of ransomware detection tools
    (IEEE, 2020) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.