Person: Magaña Lizarrondo, Eduardo
Loading...
Email Address
person.page.identifierURI
Birth Date
Research Projects
Organizational Units
Job Title
Last Name
Magaña Lizarrondo
First Name
Eduardo
person.page.departamento
Ingeniería Eléctrica, Electrónica y de Comunicación
person.page.instituteName
ISC. Institute of Smart Cities
ORCID
0000-0002-6851-3414
person.page.upna
2199
Name
62 results
Search Results
Now showing 1 - 10 of 62
Publication Open Access Técnicas eficientes de filtrado y análisis de tráfico para la monitorización continua de redes de comunicaciones(1999) Ruiz, José Javier; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Villadangos Alonso, Jesús; Automática y Computación; Automatika eta KonputazioaThis paper presents an efficient traffic filtering and analysis architecture for network monitoring. Opposed to the usual network monitoring architectures that provide simultaneous filters as requested by managers (packet filters), we propose a different approach that aims at minimizing CPU load by avoiding unnecessary filter duplicates. Such architecture makes it possible to optimize several parallel filters execution and thus is suitable for continuous network monitoring in which it is necessary to keep track of hundreds of filters. This architecture has been implemented in a network-monitoring tool called PROMIS whose main features are detailed in this paper.Publication Open Access Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic(Elsevier, 2022) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Universidad Pública de Navarra / Nafarroako Unibertsitate PublikoaRansomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detectedPublication Open Access Predicción de tráfico de Internet and aplicaciones(2001) Bernal, I.; Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Magaña Lizarrondo, Eduardo; Díez Marca, L. A.; Automática y Computación; Automatika eta KonputazioaIn this paper we focus on traffic prediction as a means to achieve dynamic bandwidth allocation in a generic Internet link. Our findings show that coarse prediction (bytes per interval) proves advantageous to perform dynamic link dimensioning, even if we consider a part of the top traffic producers in the traffic predictor.Publication Open Access Ransomware early detection by the analysis of file sharing traffic(Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.Publication Open Access Open repository for the evaluation of ransomware detection tools(IEEE, 2020) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.Publication Open Access Ingress traffic classification versus aggregation in video over OBS networks(2010) Izal Azcárate, Mikel; Espina Antolín, Félix; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta KonputazioaOptical Burst Switched (OBS) networks may become a backbone technology for video-on-demand providers. This work addresses the problem of dimensioning the access link of an ingress node to the optical core network in a video over OBS scenario. A video-ondemand provider using an OBS transport network will have to deliver traffic to a set of egress destinations. A large part of this traffic would be composed of video streaming traffic. However, in a real network there would be also a fraction of non video traffic related to non video services. This work studies the decision whether it is better to gather all traffic to the same destination in a joint burst assembler or separate video and general data traffic on different burs assemblers. The later may increase burst blocking probability but also allow for better tuning of OBS parameters that help improve video reception quality. Result show that this tuning of parameters is not enough to compensate the drop probability increase and thus it is better to aggregate video and general data traffic.Publication Open Access Pamplona-traceroute: topology discovery and alias resolution to build router level Internet maps(IEEE, 2013) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta KonputazioaAn Internet topology map at the router level not only needs to discover IP addresses in Internet paths (traceroute) but also needs to identify IP addresses belonging to the same router (IP aliases). Both processes, discovery and IP alias resolution, have traditionally been independent tasks. In this paper, a new tool called Pamplona-traceroute is proposed to improve upon current results in a state of the art for Internet topology construction at the router level. Indirect probing using TTLscoped UDP packets, usually present in the discovery phases, is reused in IP alias resolution phases, providing high identification rates, especially in access routers.Publication Open Access Mejoras en la identificación de tráfico de aplicación basado en firmas(2008) Santolaya Bea, Néstor; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta KonputazioaTraffic identification has been based traditionally on transport protocol ports, associating always the same ports with the same applications. Nowadays that assumption is not true and new methods like signature identification or statistical techniques are applied. This work presents a method based on signature identification with some improvements. The use of regular expressions for typical applications has been studied deeply and its use has been improved in the aspects of percentage identification and resources consumption. On the other hand, a flows-record structure has been applied in order to classify those packets that do not verify any regular expression. Results are compared with the opensource related project L7-filter, and the improvements are presented. Finally, detailed regular expressions for analyzed applications are included in the paper, especially P2P applications.Publication Open Access Collecting packet traces at high speed(2006) Aguirre Cascallana, Gorka; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta KonputazioaIn order to capture packet traces at high speed using a low-cost platform, we have to optimize the networking stack of a general purpose operating system. Different techniques are compared with the final objective of avoiding packet loss. Among those techniques we will study the performance of NAPI [6] and PF-RING [9]. Depending on the final application, we should tune certain parameters accordingly. We also present the advantages of a multiprocessor platform and the problematic of storing full packets directly to hard disk.Publication Open Access Detección de congestión en la Internet europea(IEEE, 2007) Hernández, Ana; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta KonputazioaIn this paper we present a study about the utilization of one-way delay measurements to detect and characterize network congestion in the european Internet. The experiments have been made using the ETOMIC platfom that allows one-way delay measurement with high precision timestamps. We have found a peculiar router behaviour in which the bottleneck is not the available bandwidth but it is the packet processing power of the router (backplane and CPU constraints). This router has been characterized with several network parameters. Some of them are the dependency of this limitation with the input data rate in packets per second, the size of burst packet losses measured in packets or time and the absence of specific scheduling algorithms in the router that could affect to larger flows.