Person: Berrueta Irigoyen, Eduardo
Last Name
Berrueta Irigoyen
First Name
Eduardo
Department
Ingeniería Eléctrica, Electrónica y de Comunicación
ORCID
0000-0002-0076-4479
UPNA
811478
Publications (3 results)
Publication (Open Access): High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction (IEEE, 2019)
Authors: Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel
Affiliations: Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Abstract: This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP) and therefore its analysis requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full reconstruction analysis, both in accuracy of the measurements and maximum rate per CPU core. We achieve an increment of 30% in the traffic processing rate, at the expense of a small loss in accuracy computing the probability distribution function for the protocol response times.

Publication (Open Access): Ransomware early detection by the analysis of file sharing traffic (Elsevier, 2018)
Authors: Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel
Affiliations: Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Abstract: Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.

Publication (Open Access): Open repository for the evaluation of ransomware detection tools (IEEE, 2020)
Authors: Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel
Affiliations: Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Abstract: Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.