Magaña Lizarrondo, Eduardo

Last Name

Magaña Lizarrondo

First Name

Eduardo

Department

Ingeniería Eléctrica, Electrónica y de Comunicación

Institute

ISC. Institute of Smart Cities

Search Results

Now showing 1 - 10 of 49
  • Publication, Open Access
    Collecting packet traces at high speed
    (2006) Aguirre Cascallana, Gorka; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta Konputazioa
    In order to capture packet traces at high speed using a low-cost platform, we have to optimize the networking stack of a general-purpose operating system. Different techniques are compared with the final objective of avoiding packet loss. Among those techniques we will study the performance of NAPI [6] and PF-RING [9]. Depending on the final application, we should tune certain parameters accordingly. We also present the advantages of a multiprocessor platform and the problems of storing full packets directly to hard disk.
  • Publication, Open Access
    Ransomware early detection by the analysis of file sharing traffic
    (Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
  • Publication, Open Access
    Detección de congestión en la Internet europea
    (IEEE, 2007) Hernández, Ana; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    In this paper we present a study about the utilization of one-way delay measurements to detect and characterize network congestion in the European Internet. The experiments have been made using the ETOMIC platform, which allows one-way delay measurement with high-precision timestamps. We have found a peculiar router behaviour in which the bottleneck is not the available bandwidth but the packet processing power of the router (backplane and CPU constraints). This router has been characterized with several network parameters. Some of them are the dependency of this limitation on the input data rate in packets per second, the size of burst packet losses measured in packets or time, and the absence of specific scheduling algorithms in the router that could affect larger flows.
  • Publication, Open Access
    Delay-throughput curves for timer-based OBS burstifiers with light load
    (IEEE, 2006) Izal Azcárate, Mikel; Aracil Rico, Javier; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta Konputazioa
    The OBS burstifier delay-throughput curves are analyzed in this paper. The burstifier incorporates a timer-based scheme with minimum burst size, i.e., bursts are subject to padding in light-load scenarios. Precisely, due to this padding effect, the burstifier normalized throughput may not be equal to unity. Conversely, in a high-load scenario, padding will seldom occur. For the interesting light-load scenario, the throughput-delay curves are derived and the obtained results are assessed against those obtained by trace-driven simulation. The influence of long-range dependence and instantaneous variability is analyzed to conclude that there is a threshold timeout value that makes the throughput curves flatten out to unity. This result motivates the introduction of adaptive burstification algorithms that provide a timeout value that minimizes delay, yet keeping the throughput very close to unity. The dependence of such optimum timeout value on traffic long-range dependence and instantaneous burstiness is discussed. Finally, three different adaptive timeout algorithms are proposed that trade off complexity versus accuracy.
  • Publication, Open Access
    Approximations for end-to-end delay analysis in OBS networks with light load
    (IEEE, 2004) Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Automática y Computación; Automatika eta Konputazioa
    In this paper we provide an analysis of end-to-end delay in OBS networks and a large deviations approximation. The analysis is based on an exponential approximation of the OBS router blocking time and on the assumption of Poisson arrivals in routers along the path from source to destination. On the other hand, a light-load assumption is performed, namely, waiting time is mainly due to residual life of the output wavelengths and not to buffering.
  • Publication, Open Access
    Pamplona-traceroute: topology discovery and alias resolution to build router level Internet maps
    (IEEE, 2013) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta Konputazioa
    An Internet topology map at the router level not only needs to discover IP addresses in Internet paths (traceroute) but also needs to identify IP addresses belonging to the same router (IP aliases). Both processes, discovery and IP alias resolution, have traditionally been independent tasks. In this paper, a new tool called Pamplona-traceroute is proposed to improve upon current results in the state of the art for Internet topology construction at the router level. Indirect probing using TTL-scoped UDP packets, usually present in the discovery phases, is reused in IP alias resolution phases, providing high identification rates, especially in access routers.
  • Publication, Open Access
    Monitorización activa de altas prestaciones mediante la plataforma paneuropa ETOMIC
    (2005) Magaña Lizarrondo, Eduardo; Naranjo Abad, Francisco José; Aracil Rico, Javier; Automática y Computación; Automatika eta Konputazioa
    In this paper we present the first set of active measurements that we have made using the ETOMIC system. ETOMIC is a pan-European traffic measurement infrastructure with GPS-synchronized monitoring nodes. Specific hardware is used in order to provide high-precision transmission and reception capabilities. Besides, the system is open and any experiment can be executed. Internet measurements with high infrastructure requirements are now possible, like one-way delay, routes and topology changing, congestion detection and virtual path aggregation detection. We will explain the results and how easy it is to implement these measurements using the tools provided by ETOMIC, especially the API for using the specific sending and receiving capabilities.
  • Publication, Open Access
    Resolución de alias para el cálculo de topologías
    (2007) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    The network topology is a fundamental parameter for managers and researchers. The traditional methodology for discovering the topology of a network is based on the tool traceroute, used from several vantage points in different subnetworks. The result is a set of sink trees where the nodes are the discovered IP addresses from the routers. However, few tools have faced the problem of identifying the nodes in different sink trees as interfaces in the same router. This paper shows a new methodology for this problem of alias resolution. It has been used in the European research network using the ETOMIC platform. It shows that the traditional methodologies are not effective in today’s networking scenario but can be easily improved by at least a factor of 3 in the number of successes.
  • Publication, Open Access
    IP addresses distribution in Internet and its application on reduction methods for IP alias resolution
    (IEEE, 2009) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    Discovery of Internet topology is an important and open task. It is made difficult by the high number of networks and internetworking equipment, and even by the dynamics of those interconnections. Mapping the Internet at router level needs to identify IP addresses that belong to the same router. This is called IP address alias resolution, and classical methods in the state of the art like Ally need to test IP addresses in pairs. This means a very high cost in traffic generated and time consumption, especially with an increasing topology size. Some methods have been proposed to reduce the number of pairs of IP addresses to compare based on the TTL or IP identifier fields from the IP header. However, both need extra traffic and they have problems with the probing distribution between several probing nodes. This paper proposes to use the peculiar distribution of IP addresses in Internet Autonomous Systems in order to reduce the number of IP addresses to compare. The difference between pairs of IP addresses is used to know a priori if they are candidates to be aliases with certain probability. Performance evaluation has been made using Planetlab and Etomic measurement platforms. The paper justifies the reduction method, obtaining high reduction ratios without injecting extra traffic in the network and with the possibility to distribute the process for alias resolution.
  • Publication, Open Access
    Técnicas eficientes de filtrado y análisis de tráfico para la monitorización continua de redes de comunicaciones
    (1999) Ruiz, José Javier; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Villadangos Alonso, Jesús; Automática y Computación; Automatika eta Konputazioa
    This paper presents an efficient traffic filtering and analysis architecture for network monitoring. As opposed to the usual network monitoring architectures that provide simultaneous filters as requested by managers (packet filters), we propose a different approach that aims at minimizing CPU load by avoiding unnecessary filter duplicates. Such an architecture makes it possible to optimize the execution of several parallel filters and thus is suitable for continuous network monitoring in which it is necessary to keep track of hundreds of filters. This architecture has been implemented in a network-monitoring tool called PROMIS whose main features are detailed in this paper.