Open Access
NATRA: Network ACK-Based Traffic Reduction Algorithm
(IEEE, 2020) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
Traffic monitoring involves packet capturing and processing at a very high rate of packets per second. Typically, flow records are generated from the packet traffic, such as TCP flow records that feature the number of bytes and packets in each direction, flow duration, number of different ports, and other metrics. Delivering such flow records, about network traffic flowing at tens of Gbps is rather challenging in terms of processing power. To address this problem, traffic thinning can be applied to reduce the input load, by swiftly discarding useless packets at the sniffer NIC or driver level, which effectively reduces the load on software layers that handle traffic processing. This work proposes an algorithm that drops empty ACK packets from TCP traffic, thus achieving a significant reduction in the packets per second that must be handled by each traffic module. The tests discussed below show that the algorithm achieves a 25% decrease in the packets per second rate with minimal information loss.
Open Access
Online classification of user activities using machine learning on network traffic
(Elsevier, 2020) Labayen Guembe, Víctor; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
The daily deployment of new applications, along with the exponential increase in network traffic, entails a growth in the complexity of network analysis and monitoring. Conversely, the increasing availability and decreasing cost of computational capacity have increased the popularity and usability of machine learning algorithms. In this paper, a system for classifying user activities from network traffic using both supervised and unsupervised learning is proposed. The system uses the behaviour exhibited over the network and classifies the underlying user activity, taking into consideration all of the traffic generated by the user within a given time window. Those windows are characterised with features extracted from the network and transport layer headers in the traffic flows. A three-layer model is proposed to perform the classification task. The first two layers of the model are implemented using K-Means, while the last one uses a Random Forest to obtain the activity labels. An average accuracy of 97.37% is obtained, with values of precision and recall that allow online classification of network traffic for Quality of Service (QoS) and user profiling, outperforming previous proposals.
Open Access
Instrumentation for measuring users' goodputs in dense Wi-Fi deployments and capacity-planning rules
(Springer Nature, 2020-01-11) García-Dorado, José Luis; Ramos, Javier; Gómez-Arribas, Francisco J.; Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza
Before a dense Wi-Fi network is deployed, Wi-Fi providers must be careful with the performance promises they made in their way to win a bidding process. After such deployment takes place, Wi-Fi-network owners-such as public institutions-must verify that the QoS agreements are being fulfilled. We have merged both needs into a low-cost measurement system, a report of measurements at diverse scenarios and a performance prediction tool. The measurement system allows measuring the actual goodput that a set of users are receiving, and it has been used in a number of schools on a national scale. From this experience, we report measurements for different scenarios and diverse factors-which may result of interest to practitioners by themselves. Finally, we translate all the learned lessons to a freely-available capacity-planning tool for forecasting performance given a set of input parameters such as frequency, signal strength and number of users-and so, useful for estimating the cost of future deployments.
Open Access
High-speed analysis of SMB2 file sharing traffic without TCP stream reconstruction
(IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
This paper presents a file sharing traffic analysis methodology for Server Message Block (SMB), a common protocol in the corporate environment. The design is focused on improving the traffic analysis rate that can be obtained per CPU core in the analysis machine. SMB is most commonly transported over Transmission Control Protocol (TCP) and therefore its analysis requires TCP stream reconstruction. We evaluate a traffic analysis design which does not require stream reconstruction. We compare the results obtained to a reference full reconstruction analysis, both in accuracy of the measurements and maximum rate per CPU core. We achieve an increment of 30% in the traffic processing rate, at the expense of a small loss in accuracy computing the probability distribution function for the protocol response times.
Open Access
KISS methodologies for network management and anomaly detection
(IEEE, 2018) Vega, Carlos; Aracil Rico, Javier; Magaña Lizarrondo, Eduardo; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren
Current networks are increasingly growing in size, complexity and the amount of monitoring data that they produce, which requires complex data analysis pipelines to handle data collection, centralization and analysis tasks. Literature approaches, include the use of custom agents to harvest information and large data centralization systems based on clusters to achieve horizontal scalability, which are expensive and difficult to deploy in real scenarios. In this paper we propose and evaluate a series of methodologies, deployed in real industrial production environments, for network management, from the architecture design to the visualization system as well as for the anomaly detection methodologies, that intend to squeeze the vertical resources and overcome the difficulties of data collection and centralization.
Open Access
Traffic generator using Perlin Noise
(IEEE, 2012) Prieto Suárez, Iria; Izal Azcárate, Mikel; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta Konputazioa; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
Study of high speed networks such as optical next generation burst or packet switched networks require large amounts of synthetic traffic to feed simulators. Methods to generate self-similar long range dependent traffic already exist but they usually work by generating large blocks of traffic of fixed time duration. This limits simulated time or require very high amount of data to be stored before simulation. On this work it is shown how self-similar traffic can be generated using Perlin Noise, an algorithm commonly used to generate 2D/3D noise for natural looking graphics. 1-dimension Perlin Noise can be interpreted as network traffic and used to generate long range dependent traffic for network simulation. The algorithm is compared to more classical approach Random Midpoint Displacement showing at traffic generated is similar but can be generated continuously with no fixed block size.
Open Access
Arquitectura de publicación automatizada de contenidos educativos supervisados en Internet
(1999) Arin Irastorza, María Asunción; Magaña Lizarrondo, Eduardo; Astrain Escola, José Javier; Villadangos Alonso, Jesús; González de Mendívil Moreno, José Ramón; Automática y Computación; Automatika eta Konputazioa
This paper presents an automated publishing architecture of educational and supervised contents over the Internet. The system makes easier the job of publishing educational courses over the network using specific tools that automates the access control (CGI -- Common Gateway Interface), encrypts the information that goes through the net for not being accessed by strangers (SSL – Secure Sockets Layer), gives an statistical control of the usage of the system, and tutors the course. This project is multiplatform, i.e. all the components that integrate the system are available for any operating system (Windows 9X, Solaris, Linux,...) and it is based on the Web.
Open Access
A popularity-aware method for discovering server IP addresses related to websites
(IEEE, 2013) Torres García, Luis Miguel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
The complexity of web traffic has grown in the past years as websites evolve and new services are provided over the HTTP protocol. When accessing a website, multiple connections to different servers are opened and it is usually difficult to distinguish which servers are related to which sites. However, this information is useful from the perspective of security and accounting and can also help to label web traffic and use it as ground truth for traffic classification systems. In this paper we present a method to discover server IP addresses related to specific websites in a traffic trace. Our method uses NetFlow-type records which makes it scalable and impervious to encryption of packet payloads. It is, moreover, popularity-aware in the sense that it takes into consideration the differences in the number of accesses to each site in order to provide a better identification of servers. The method can be used to gather data from a group of interesting websites or, by applying it to a representative set of websites, it can label a sizeable number of connections in a packet trace.
Open Access
Interactivity anomaly detection in remote work scenarios using LTSM
(IEEE, 2024) Arellano Usón, Jesús; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza; Institute of Smart Cities - ISC
In recent years, there has been a notable surge in the utilization of remote desktop services, largely driven by the emergence of new remote work models introduced during the pandemic. These services cater to interactive cloud-based applications (CIAs), whose core functionality operates in the cloud, demanding strict end-user interactivity requirements. This boom has led to a significant increase in their deployment, accompanied by a corresponding increase in associated maintenance costs. Service administrators aim to guarantee a satisfactory Quality of Experience (QoE) by monitoring metrics like interactivity time, particularly in cloud environments where variables such as network performance and shared resources come into play. This paper analyses anomaly detection state of the art and proposes a novel system for detecting interactivity time anomalies in cloud-based remote desktop environments. We employ an automatic model based on LSTM neural networks that achieves an accuracy of up to 99.97%.
Open Access
Técnicas eficientes de filtrado de tráfico para monitorización de redes de comunicaciones
(2001) Magaña Lizarrondo, Eduardo; Aracil Rico, Javier; Villadangos Alonso, Jesús; Automática y Computación; Automatika eta Konputazioa
Las necesidades de intercambio de datos han crecido de manera espectacular en los últimos años y con ello la infraestructura de telecomunicaciones asociada. Además, la aparición de nuevos servicios ha requerido cada vez un control más estricto de la red. Por todo ello, la gestión de las redes de comunicaciones se ha convertido en un campo de actuación muy importante. Dentro de él se pueden enmarcar los sistemas de monitorización que ofrecen información detallada del tráfico que circula por las redes. En el presente trabajo se presenta un algoritmo de filtrado de paquetes con aplicación a los sistemas de monitorización de redes de datos que poseen una problemática particular. En concreto, el número de filtrados simultáneos que se suele requerir a los sistemas de monitorización es elevado. En una primera parte se presentan las diferentes alternativas existentes en la actualidad para el filtrado de paquetes. Por un lado están los sistemas packet filter, optimizados para filtrado de un único flujo de paquetes. Por otro lado existen multitud de propuestas para clasificación de paquetes en routers de alta velocidad, que sin embargo se centran únicamente en campos muy concretos del paquete como las direcciones IP destino para realizar la clasificación. También existen sistemas de filtrado o clasificación de paquetes en los propios sistemas operativos, para poder proveer de diferentes puntos de acceso a servicios a las aplicaciones de la misma máquina y para realizar el encaminamiento cuando la máquina posea varios interfaces de red. Existen escasas propuestas específicamente orientadas a sistemas de monitorización. Posteriormente se realiza una propuesta de técnica de filtrado que se aprovecha de las particularidades de los sistemas de monitorización: el algoritmo PAM-Tree. Su característica principal es la reutilización de bloques de subfiltrado con lo que se soporta de manera más adecuada un mayor número de filtros simultáneos. Además se incorporan en la propia estructura de filtrado los parámetros de monitorización por lo que la actualización de parámetros es inmediata a la vez que se realiza el proceso de filtrado de cada paquete. Tras su descripción, se realiza una formalización mediante teoría de autómatas que se aplica a la demostración de las propiedades del algoritmo propuesto. Una vez presentado el algoritmo, se pasa a un estudio analítico, modelando el coste de filtrado de un paquete como el tiempo de servicio en un sistema de colas M/G/1. Al comparar el modelo del algoritmo PAM-Tree con otro aplicable a los sistemas de tipo packet filter, se comprueba la mejora obtenida con PAM-Tree conforme crece el número de filtros. Tras ello, una comparativa experimental entre PAM-Tree y los packet filter BPF/LSF nos dará una visión más real del comportamiento del algoritmo propuesto sobre implementaciones de sistemas de monitorización. Los resultados experimentales obtenidos validan el modelo analítico considerado. El algoritmo propuesto se ha implementado en dos sistemas de monitorización implantados sobre las redes de datos de una empresa fabricante de coches y una operadora de cable regional, en dos versiones, una primera con funcionalidades recortadas. El algoritmo de filtrado es el núcleo fundamental de estas herramientas y su funcionamiento de terminará la flexibilidad en la definición de parámetros de monitorización de red por parte del gestor.