Open Access
NATRA: Network ACK-Based Traffic Reduction Algorithm
(IEEE, 2020) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
Traffic monitoring involves packet capturing and processing at a very high rate of packets per second. Typically, flow records are generated from the packet traffic, such as TCP flow records that feature the number of bytes and packets in each direction, flow duration, number of different ports, and other metrics. Delivering such flow records, about network traffic flowing at tens of Gbps is rather challenging in terms of processing power. To address this problem, traffic thinning can be applied to reduce the input load, by swiftly discarding useless packets at the sniffer NIC or driver level, which effectively reduces the load on software layers that handle traffic processing. This work proposes an algorithm that drops empty ACK packets from TCP traffic, thus achieving a significant reduction in the packets per second that must be handled by each traffic module. The tests discussed below show that the algorithm achieves a 25% decrease in the packets per second rate with minimal information loss.
Open Access
Online classification of user activities using machine learning on network traffic
(Elsevier, 2020) Labayen Guembe, Víctor; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
The daily deployment of new applications, along with the exponential increase in network traffic, entails a growth in the complexity of network analysis and monitoring. Conversely, the increasing availability and decreasing cost of computational capacity have increased the popularity and usability of machine learning algorithms. In this paper, a system for classifying user activities from network traffic using both supervised and unsupervised learning is proposed. The system uses the behaviour exhibited over the network and classifies the underlying user activity, taking into consideration all of the traffic generated by the user within a given time window. Those windows are characterised with features extracted from the network and transport layer headers in the traffic flows. A three-layer model is proposed to perform the classification task. The first two layers of the model are implemented using K-Means, while the last one uses a Random Forest to obtain the activity labels. An average accuracy of 97.37% is obtained, with values of precision and recall that allow online classification of network traffic for Quality of Service (QoS) and user profiling, outperforming previous proposals.
Open Access
Instrumentation for measuring users' goodputs in dense Wi-Fi deployments and capacity-planning rules
(Springer Nature, 2020-01-11) García-Dorado, José Luis; Ramos, Javier; Gómez-Arribas, Francisco J.; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza
Before a dense Wi-Fi network is deployed, Wi-Fi providers must be careful with the performance promises they made in their way to win a bidding process. After such deployment takes place, Wi-Fi-network owners-such as public institutions-must verify that the QoS agreements are being fulfilled. We have merged both needs into a low-cost measurement system, a report of measurements at diverse scenarios and a performance prediction tool. The measurement system allows measuring the actual goodput that a set of users are receiving, and it has been used in a number of schools on a national scale. From this experience, we report measurements for different scenarios and diverse factors-which may result of interest to practitioners by themselves. Finally, we translate all the learned lessons to a freely-available capacity-planning tool for forecasting performance given a set of input parameters such as frequency, signal strength and number of users-and so, useful for estimating the cost of future deployments.
Open Access
High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction
(IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP) and therefore its analysis requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full reconstruction analysis, both in accuracy of the measurements and maximum rate per CPU core. We achieve an increment of 30% in the traffic processing rate, at the expense of a small loss in accuracy computing the probability distribution function for the protocol response times.
Open Access
KISS methodologies for network management and anomaly detection
(IEEE, 2018) Vega, Carlos; Aracil Rico, Javier; Magaña Lizarrondo, Eduardo; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
Current networks are increasingly growing in size, complexity and the amount of monitoring data that they produce, which requires complex data analysis pipelines to handle data collection, centralization and analysis tasks. Literature approaches, include the use of custom agents to harvest information and large data centralization systems based on clusters to achieve horizontal scalability, which are expensive and difficult to deploy in real scenarios. In this paper we propose and evaluate a series of methodologies, deployed in real industrial production environments, for network management, from the architecture design to the visualization system as well as for the anomaly detection methodologies, that intend to squeeze the vertical resources and overcome the difficulties of data collection and centralization.
Open Access
Traffic generator using Perlin Noise
(IEEE, 2012) Prieto Suárez, Iria; Izal Azcárate, Mikel; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta Konputazioa; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
Study of high speed networks such as optical next generation burst or packet switched networks require large amounts of synthetic traffic to feed simulators. Methods to generate self-similar long range dependent traffic already exist but they usually work by generating large blocks of traffic of fixed time duration. This limits simulated time or require very high amount of data to be stored before simulation. On this work it is shown how self-similar traffic can be generated using Perlin Noise, an algorithm commonly used to generate 2D/3D noise for natural looking graphics. 1-dimension Perlin Noise can be interpreted as network traffic and used to generate long range dependent traffic for network simulation. The algorithm is compared to more classical approach Random Midpoint Displacement showing at traffic generated is similar but can be generated continuously with no fixed block size.
Open Access
A popularity-aware method for discovering server IP addresses related to websites
(IEEE, 2013) Torres García, Luis Miguel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
The complexity of web traffic has grown in the past years as websites evolve and new services are provided over the HTTP protocol. When accessing a website, multiple connections to different servers are opened and it is usually difficult to distinguish which servers are related to which sites. However, this information is useful from the perspective of security and accounting and can also help to label web traffic and use it as ground truth for traffic classification systems. In this paper we present a method to discover server IP addresses related to specific websites in a traffic trace. Our method uses NetFlow-type records which makes it scalable and impervious to encryption of packet payloads. It is, moreover, popularity-aware in the sense that it takes into consideration the differences in the number of accesses to each site in order to provide a better identification of servers. The method can be used to gather data from a group of interesting websites or, by applying it to a representative set of websites, it can label a sizeable number of connections in a packet trace.
Open Access
Pamplona-traceroute: topology discovery and alias resolution to build router level Internet maps
(IEEE, 2013) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta Konputazioa
An Internet topology map at the router level not only needs to discover IP addresses in Internet paths (traceroute) but also needs to identify IP addresses belonging to the same router (IP aliases). Both processes, discovery and IP alias resolution, have traditionally been independent tasks. In this paper, a new tool called Pamplona-traceroute is proposed to improve upon current results in a state of the art for Internet topology construction at the router level. Indirect probing using TTLscoped UDP packets, usually present in the discovery phases, is reused in IP alias resolution phases, providing high identification rates, especially in access routers.
Open Access
Ransomware early detection by the analysis of file sharing traffic
(Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
Open Access
Midiendo retardos y pérdidas en las redes móviles de alta velocidad
(2015) Prieto Suárez, Iria; Izal Azcárate, Mikel; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
Mobile networks are constantly evolving, but still, due to their nature, it is not trivial to analayse how they face up different kinds of traffic. On the Internet a wide range of services can be found. Usually the majority send large packets, i.e Web services, but others, like VoIP, send small packets. The question is how the mobile networks manage all this traffic. In this work experiments to measure losses and times of sending different packet size bursts are described. Also, preliminary results for experiments with a real network mobile client, are analaysed showing that the performance of the network is different depending on the size of packet.