Magaña Lizarrondo, Eduardo

Department: Ingeniería Eléctrica, Electrónica y de Comunicación
Institute: ISC. Institute of Smart Cities

Publications (showing 1 - 10 of 10)
  • Publication (Open Access)
    Ransomware early detection by the analysis of file sharing traffic
    (Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in exchange for the decryption key. This type of malware has become a serious threat for most enterprises. When the infected computer has access to documents on network shared volumes, a single host can lock access to documents across several departments of the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of traffic passively monitored by a network probe. 19 different ransomware families were used to test the algorithm in action. The results show that it can detect ransomware activity in less than 20 seconds, before more than 10 files are lost. Recovery of even those files was also possible, because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. The paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
  • Publication (Open Access)
    Performance evaluation of client-based traffic sniffing for very large populations
    (Elsevier, 2019-11-09) Roquero, Paula; Magaña Lizarrondo, Eduardo; Leira, Rafael; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza
    Current Internet users demand increased mobility and service ubiquity, which in turn requires that Internet services be provided from different datacenters in the cloud. Traffic monitoring in such a mobile scenario, for security and QoS monitoring purposes, is rather challenging, as the sniffing points may be fully distributed across the operator's network. To complicate matters, outgoing traffic may leave the network through a given PoP and return through a different one. As a result, traffic monitoring at the edges, at the very client terminal or domestic router, becomes a sensible alternative. However, such a measurement scheme implies that millions of tiny monitoring probes are continuously producing flow records, which builds up a significant load for the monitoring data collector and for the network itself, aside from the load induced on the client terminal or router. In this paper, we study whether such a large-scale deployment of microsniffers, namely lightweight network probes that perform passive measurements at the client terminal, is feasible in terms of the resulting load. We further propose data summarization schemes to reduce load with minimum information loss. Our findings show that deploying large populations of microsniffers is feasible, provided that adequate data thinning techniques, such as those we propose in this paper, are applied.
  • Publication (Open Access)
    High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP), and therefore its analysis normally requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full-reconstruction analysis, both in accuracy of the measurements and in maximum rate per CPU core. We achieve an increase of 30% in the traffic processing rate, at the expense of a small loss in accuracy when computing the probability distribution function of the protocol response times.
  • Publication (Open Access)
    KISS methodologies for network management and anomaly detection
    (IEEE, 2018) Vega, Carlos; Aracil Rico, Javier; Magaña Lizarrondo, Eduardo; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
    Current networks are growing in size, complexity and the amount of monitoring data they produce, which requires complex data analysis pipelines to handle data collection, centralization and analysis tasks. Approaches in the literature include the use of custom agents to harvest information and large cluster-based data centralization systems to achieve horizontal scalability, which are expensive and difficult to deploy in real scenarios. In this paper we propose and evaluate a series of methodologies, deployed in real industrial production environments, for network management, from the architecture design to the visualization system, as well as for anomaly detection, that aim to squeeze the most out of vertical resources and overcome the difficulties of data collection and centralization.
  • Publication (Open Access)
    A survey on detection techniques for cryptographic ransomware
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions and on the decision procedures they use to classify an application as benign or malicious. This is a detailed survey that focuses on detection algorithms, in contrast to most previous studies, which survey ransomware families or present isolated proposals of detection algorithms. We also compared the results of these proposals.
  • Publication (Open Access)
    Ransomware encrypted your files but you restored them from network traffic
    (IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    In a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities of one of these tools to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications made after the last snapshot of the periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures needed to process the actions of users who could be working simultaneously on the same file. A proof-of-concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.
  • Publication (Open Access)
    Computation of traffic time series for large populations of IoT devices
    (MDPI, 2018) Izal Azcárate, Mikel; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; García-Jiménez, Santiago; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    This article studies techniques for classifying network traffic packets into multiple classes, aimed at building traffic time series in scenarios with a very large number of classes, such as network providers for IoT devices. It is shown that, using DStries-based techniques, networks with tens of thousands of devices can be monitored in real time.
  • Publication (Open Access)
    Effective analysis of secure web response time
    (IEEE, 2019) López Romera, Carlos; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    The measurement of response time in web-based applications is a common task for the evaluation of service responsiveness and the detection of network or server problems. Traffic analysis is the most common strategy for obtaining response time measurements. However, when the traffic is encrypted, the analysis tools cannot provide these measurements. In this paper we propose a methodology for measuring the response time in HTTPS traffic based on the flow of data in each direction. We have validated the tool with real traffic and with a worst-case scenario created in a testbed. When pipelining is present in the encrypted HTTP 1.1 traffic, it results in a small error in the measurement (between 5% and 15% error for the 99.9th percentile of the real response time). However, pipelining support has almost disappeared from modern web browsers; this makes the estimation provided by this methodology very accurate in real traffic measurements, even for low-probability response times. More than 98.8% of the over 8.6 million request-response times we measured on our campus Internet link were obtained without any error.
  • Publication (Open Access)
    Remote access protocols for Desktop-as-a-Service solutions
    (Public Library of Science, 2019) Magaña Lizarrondo, Eduardo; Sesma Gracia, Iris; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    The use of remote desktop services on virtualized machines is a general trend to reduce the cost of desktop seats. Instead of assigning a physical machine with its operating system and software to each user, it is considerably easier to manage a light client machine that connects to a server where the instance of the user's desktop machine actually executes. Citrix and VMware have been major suppliers of these systems in private clouds. Desktop-as-a-Service solutions such as Amazon WorkSpaces offer similar functionality, but in a public cloud environment. In this paper, we review the main remote desktop protocols offered for cloud deployment. We evaluate the necessary network resources using a traffic model based on self-similar processes. We also evaluate the quality of experience perceived by the user, in terms of image quality and interactivity, providing Mean Opinion Score (MOS) values. The results confirm that the type of application running on the remote servers and the mix of users must be considered to determine the bandwidth requirements. Applications such as web browsing result in unexpectedly high traffic rates and long bursts, higher than for desktop video playback, because the on-page animations are rendered on the server.
  • Publication (Open Access)
    On the design and performance evaluation of automatic traffic report generation systems with huge data volumes
    (Wiley, 2018) Vega, Carlos; Miravalls-Sierra, Eduardo; Julián-Moreno, Guillermo; López de Vergara, Jorge E.; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
    In this paper we analyze the performance issues involved in the generation of automated traffic reports for large IT infrastructures. Such reports allow the IT manager to proactively detect possible abnormal situations and roll out the corresponding corrective actions. With the ever-increasing bandwidth of current networks, the design of automated traffic report generation systems is very challenging. In a first step, the huge volumes of collected traffic are transformed into enriched flow records obtained from diverse collectors and dissectors. Then, such flow records, along with time series obtained from the raw traffic, are further processed to produce a usable report. As will be shown, the data volume in flow records turns out to be very large as well, and requires careful selection of the Key Performance Indicators (KPIs) to be included in the report. In this regard, we discuss the use of high-level languages versus low-level approaches in terms of speed and versatility. Furthermore, our design approach targets rapid development on commodity hardware, which is essential to cost-effectively tackle demanding traffic analysis scenarios. The paper shows the feasibility of delivering a large number of KPIs, as detailed later, for several TBytes of traffic per day using a commodity hardware architecture and high-level languages.
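The entry "High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction" above describes parsing SMB2 per TCP segment instead of reassembling the stream. The following is an added illustration written for this page, not the paper's code: it decodes the SMB2 header (layout per MS-SMB2 section 2.2.1, framed by a NetBIOS Session Service header) only when a segment payload begins with one, skips every other segment as a mid-message continuation, and pairs requests with responses by MessageId to obtain response times. The capture, the microsecond timestamps and the 1460-byte segmentation are constructed.

```python
"""Per-segment SMB2 header decoding without TCP stream reassembly.

Illustrative code added here; it is not the paper's implementation. Each
TCP segment payload is inspected on its own: if it begins with a NetBIOS
Session Service header followed by the SMB2 ProtocolId (0xFE 'S' 'M' 'B'),
the 64-byte SMB2 header is decoded; any other payload is treated as the
continuation of a message that started in an earlier segment and skipped.
Requests and responses are paired by MessageId to obtain response times.
Header layout follows MS-SMB2 section 2.2.1; the sample trace is constructed.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
SMB2_HEADER_FMT = "<HHIHHIIQ"             # StructureSize .. MessageId
SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
    0x0005: "CREATE", 0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE",
    0x000E: "QUERY_DIRECTORY", 0x0010: "QUERY_INFO", 0x0011: "SET_INFO",
}


def parse_smb2_header(payload):
    """Decode the SMB2 header at the start of one segment payload.

    Returns a dict, or None when the payload does not start with a
    NetBIOS session message carrying an SMB2 header (a mid-message
    segment, a too-short segment or a non-SMB2 message).
    """
    if len(payload) < 4 + 64 or payload[0] != 0x00:
        return None
    nb_len = int.from_bytes(payload[1:4], "big")
    hdr = payload[4:68]
    if hdr[:4] != SMB2_MAGIC:
        return None
    (struct_size, _credit_charge, status, command, _credits,
     flags, next_command, message_id) = struct.unpack_from(SMB2_HEADER_FMT, hdr, 4)
    if struct_size != 64:
        return None
    return {
        "nb_len": nb_len, "command": command, "status": status, "flags": flags,
        "next_command": next_command, "message_id": message_id,
        "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
    }


def build_smb2_message(command, message_id, is_response, body=b""):
    """Construct a NetBIOS-framed SMB2 message (used for the sample trace only)."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if is_response else 0
    header = SMB2_MAGIC + struct.pack(SMB2_HEADER_FMT, 64, 1, 0, command, 1, flags, 0, message_id)
    header += bytes(4) + bytes(4) + bytes(8) + bytes(16)   # Reserved, TreeId, SessionId, Signature
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def response_times(segments):
    """segments: iterable of (timestamp_us, payload) in capture order.

    Returns ([(command_name, message_id, response_time_us), ...], skipped)
    where `skipped` counts segments that did not start with an SMB2 header.
    """
    pending, results, skipped = {}, [], 0
    for ts, payload in segments:
        h = parse_smb2_header(payload)
        if h is None:
            skipped += 1
            continue
        if not h["is_response"]:
            pending[h["message_id"]] = (ts, h["command"])
        elif h["message_id"] in pending:
            t0, cmd = pending.pop(h["message_id"])
            results.append((SMB2_COMMANDS.get(cmd, hex(cmd)), h["message_id"], ts - t0))
    return results, skipped


def sample_segments():
    """Constructed capture: a CREATE exchange, a large WRITE whose body spills
    into two further segments (which carry no header), and the WRITE response."""
    write_req = build_smb2_message(0x0009, 2, False, b"\x41" * 3000)
    return [
        (1_000_000, build_smb2_message(0x0005, 1, False)),
        (1_004_000, build_smb2_message(0x0005, 1, True)),
        (1_010_000, write_req[:1460]),        # first TCP segment of the WRITE
        (1_010_050, write_req[1460:2920]),    # continuation: no SMB2 header here
        (1_010_100, write_req[2920:]),        # last piece of the WRITE body
        (1_012_000, build_smb2_message(0x0009, 2, True)),
    ]
```

In a real probe the pending table would be keyed by the TCP 4-tuple and SessionId as well as MessageId, since MessageIds are only unique per connection. The design trades accuracy for speed in two visible ways: a compounded request (NextCommand non-zero) carries further headers inside the same message that this code never reaches, and a header that itself straddles a segment boundary is lost, so a few exchanges never enter the response-time distribution.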
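The two ransomware entries above, "Ransomware early detection by the analysis of file sharing traffic" and "Ransomware encrypted your files but you restored them from network traffic", share one idea: a probe that sees every write to the share can both notice the encryption burst and hand back the content that was overwritten. The code below is an added illustration for this page, not the authors' algorithm; the event format (timestamp, client, path, offset, data), the entropy heuristic, the 20-second window and the thresholds are all assumptions chosen to make the mechanism visible, and every event is constructed.

```python
"""Ransomware-like write bursts on a file share, detected and undone from the
decoded traffic. Illustrative code added here, not the papers' algorithm.

Input is a stream of already-decoded write events as a probe could extract
from SMB traffic: (timestamp_s, client, path, offset, data). The heuristic is
deliberately simple: a client that rewrites several distinct files with
high-entropy data inside a short window is flagged. Because the probe saw
every write, the last low-entropy content of each file is retained and can
be handed back after an alert. All events and thresholds are constructed.
"""
import math
from collections import defaultdict, deque


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ShareMonitor:
    def __init__(self, window_s=20.0, entropy_bits=7.0, min_files=3, min_bytes=64):
        self.window_s = window_s          # look-back for counting suspicious writes
        self.entropy_bits = entropy_bits  # above this a write looks like ciphertext
        self.min_files = min_files        # distinct files per client before alerting
        self.min_bytes = min_bytes        # entropy of tiny writes is meaningless
        self.suspicious = defaultdict(deque)  # client -> deque[(ts, path)]
        self.current = {}    # path -> bytearray, the file as it now is on the share
        self.last_good = {}  # path -> bytes, last content written with low entropy
        self.alerts = []

    def on_write(self, ts, client, path, offset, data):
        """Apply one observed write; return an alert dict when a burst is seen."""
        buf = self.current.setdefault(path, bytearray())
        end = offset + len(data)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[offset:end] = data
        if len(data) < self.min_bytes or shannon_entropy(data) <= self.entropy_bits:
            self.last_good[path] = bytes(buf)   # plausible plaintext: remember it
            return None
        q = self.suspicious[client]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                         # forget writes outside the window
        files = sorted({p for _, p in q})
        if len(files) >= self.min_files:
            alert = {"ts": ts, "client": client, "files": files}
            self.alerts.append(alert)
            return alert
        return None

    def restore(self, path):
        """Last pre-encryption content seen for `path`, or None if never seen."""
        return self.last_good.get(path)


REPORT_PART1 = b"Q3 report: revenue grew 3% quarter over quarter.\n"
REPORT_PART2 = b"Headcount unchanged; hiring freeze continues.\n"


def ciphertext_like(seed):
    """Deterministic stand-in for encrypted output: a permutation of all 256
    byte values, so its entropy is exactly 8 bits per byte."""
    return bytes((seed + 7 * i) % 256 for i in range(256))


def run_demo():
    """Constructed scenario: normal edits, then one host encrypting the share."""
    m = ShareMonitor()
    files = ["/share/report.docx", "/share/budget.xlsx", "/share/memo.txt"]
    # Normal activity: the report is written and then appended to; two other docs.
    m.on_write(0.0, "10.0.0.7", files[0], 0, REPORT_PART1)
    m.on_write(1.0, "10.0.0.7", files[0], len(REPORT_PART1), REPORT_PART2)
    m.on_write(2.0, "10.0.0.9", files[1], 0, b"FY25 budget, draft 2\n")
    m.on_write(3.0, "10.0.0.9", files[2], 0, b"Team lunch moved to Friday.\n")
    # Infected host rewrites every file with ciphertext within a few seconds.
    for i, path in enumerate(files):
        m.on_write(100.0 + i, "10.0.0.7", path, 0, ciphertext_like(i))
    return m
```

Entropy alone is a crude signal: legitimately compressed or encrypted formats (archives, JPEGs, encrypted containers) also score near 8 bits per byte, so a deployable detector needs additional evidence such as rename and delete patterns and file-type checks; the low false-alarm rate the papers report was validated on real corporate traces, not with this heuristic. Recovery is also bounded by how much traffic the probe retains, which is why the abstract stresses that it covers modifications made after the last backup.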
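The entry "Computation of traffic time series for large populations of IoT devices" above concerns classifying each packet into one of tens of thousands of classes so that a per-class time series can be kept in real time. As an added illustration for this page, the code below uses a plain binary prefix trie over IPv4 source addresses; it is not the DStries structure of the paper, but it shows the property that matters, a per-packet lookup bounded by the address length rather than by the number of classes. The class table, packets and one-second bins are constructed.

```python
"""Classifying packets into many device classes for per-class traffic time
series. Illustrative code added here; it is a plain binary prefix trie, not
the DStries structure of the paper. Lookup cost is bounded by the address
length (32 steps for IPv4) regardless of how many classes exist, which is
what keeps per-packet work constant for tens of thousands of devices.
The class table and packets below are constructed.
"""
import ipaddress
from collections import defaultdict


class PrefixTrie:
    """Longest-prefix match over IPv4 addresses. Each node is a list
    [child_for_bit0, child_for_bit1, class_id_or_None]."""

    def __init__(self):
        self.root = [None, None, None]

    def insert(self, cidr, class_id):
        net = ipaddress.IPv4Network(cidr, strict=False)
        addr = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):          # walk/create one node per prefix bit
            bit = (addr >> (31 - i)) & 1
            if node[bit] is None:
                node[bit] = [None, None, None]
            node = node[bit]
        node[2] = class_id

    def lookup(self, ip):
        addr = int(ipaddress.IPv4Address(ip))
        node, best = self.root, self.root[2]
        for i in range(32):
            node = node[(addr >> (31 - i)) & 1]
            if node is None:
                break                           # no longer prefix exists
            if node[2] is not None:
                best = node[2]                  # a longer match overrides a shorter one
        return best


def traffic_time_series(packets, trie, bin_s=1.0):
    """packets: iterable of (timestamp_s, src_ip, length_bytes).
    Returns {class_id: {bin_index: bytes}} with bins of `bin_s` seconds."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, src, length in packets:
        cls = trie.lookup(src)
        series["unclassified" if cls is None else cls][int(ts // bin_s)] += length
    return series


def sample_trie():
    """Constructed class table: two device populations and a more specific
    sub-prefix inside one of them."""
    t = PrefixTrie()
    t.insert("10.1.0.0/16", "smart-meters")
    t.insert("10.1.7.0/24", "meter-gateways")   # inside the /16, must win on LPM
    t.insert("10.2.0.0/16", "cameras")
    return t


SAMPLE_PACKETS = [   # constructed (timestamp_s, src_ip, bytes)
    (0.2, "10.1.3.4", 100),
    (0.7, "10.1.7.9", 50),
    (1.5, "10.2.9.1", 200),
    (1.9, "192.168.1.1", 10),
    (2.1, "10.1.3.4", 120),
]
```

With a few tens of thousands of classes a Python dict of nested lists is fine for a demonstration, but the per-node pointer overhead is what a production structure would compress; the per-packet cost shown here (at most 32 child dereferences plus one counter increment) is the budget a line-rate probe has to fit into.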
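The entry "Effective analysis of secure web response time" above estimates response times from encrypted traffic using only the direction of the data flow, and names HTTP/1.1 pipelining as the case that introduces error. The code below is an added illustration for this page, not the paper's tool: it treats a run of client-to-server payload as the request and the first server-to-client payload after it as the start of the response, and it includes a pipelined trace to show how two requests collapse into one measurement. Timestamps in milliseconds, the post-handshake starting point and the segment sizes are constructed assumptions.

```python
"""Response time from encrypted web traffic using only the direction of data.
Illustrative code added here, not the paper's tool. A request is a run of
client-to-server segments carrying payload; the response begins with the
first server-to-client payload after it. The response time reported here is
measured from the last request byte to the first response byte, so the time
spent uploading a large request is not counted against the server.
Zero-payload segments (pure ACKs) carry no information and are ignored; the
traces below start after the TLS handshake and are constructed.
"""


def https_response_times(segments):
    """segments: iterable of (timestamp_ms, direction, payload_len) in capture
    order; direction is 'c2s' or 's2c'. Returns one dict per request/response
    pair found."""
    results = []
    req_start = req_end = None
    for ts, direction, plen in segments:
        if plen == 0:
            continue                      # pure ACK: no application data
        if direction == "c2s":
            if req_start is None:
                req_start = ts            # first byte of a new request
            req_end = ts                  # extend the request with this segment
        elif direction == "s2c" and req_start is not None:
            results.append({
                "req_start": req_start, "req_end": req_end, "resp_first": ts,
                "response_time": ts - req_end,
            })
            req_start = req_end = None    # next c2s payload opens a new request
        # s2c payload with no request pending is the rest of a response: ignored
    return results


def clean_trace():
    """Two sequential requests; the second one spans two client segments."""
    return [
        (1000, "c2s", 517),    # request 1
        (1020, "s2c", 0),      # pure ACK, ignored
        (1045, "s2c", 1400),   # first response byte
        (1046, "s2c", 1400),   # rest of response 1
        (3000, "c2s", 600),    # request 2, first segment
        (3001, "c2s", 200),    # request 2, second segment
        (3040, "s2c", 800),    # response 2
    ]


def pipelined_trace():
    """Two requests sent back to back before either response arrives (HTTP/1.1
    pipelining). Direction alone cannot split them, so they collapse into one
    measurement: this is the error mode the paper quantifies."""
    return [
        (5000, "c2s", 400),   # request A
        (5005, "c2s", 400),   # request B, pipelined behind A
        (5050, "s2c", 900),   # response A: measured against the merged request
        (5100, "s2c", 900),   # response B: attributed to nothing
    ]
```

The pipelined case yields a single 45 ms sample where two requests were actually served, which is the kind of error the abstract bounds at 5% to 15% of the 99.9th percentile. The same direction-only logic also breaks under HTTP/2, where several streams are multiplexed on one connection, so a practitioner should check the negotiated protocol before trusting these estimates.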