Person:
Morató Osés, Daniel

Last Name

Morató Osés

First Name

Daniel

person.page.departamento

Automática y Computación

ORCID

0000-0002-0831-4042

person.page.upna

2085

Full item page

Search Results

Now showing 1 - 10 of 62

Open Access
Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
(Elsevier, 2022) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
Ransomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected
Open Access
Predicción de tráfico de Internet and aplicaciones
(2001) Bernal, I.; Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Magaña Lizarrondo, Eduardo; Díez, L. A.; Automática y Computación; Automatika eta Konputazioa
In this paper we focus on traffic prediction as a means to achieve dynamic bandwidth allocation in a generic Internet link. Our findings show that coarse prediction (bytes per interval) proves advantageous to perform dynamic link dimensioning, even if we consider a part of the top traffic producers in the traffic predictor.
Open Access
Ransomware early detection by the analysis of file sharing traffic
(Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
Open Access
Traffic generator using Perlin Noise
(IEEE, 2012) Prieto Suárez, Iria; Izal Azcárate, Mikel; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta Konputazioa; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
Study of high speed networks such as optical next generation burst or packet switched networks require large amounts of synthetic traffic to feed simulators. Methods to generate self-similar long range dependent traffic already exist but they usually work by generating large blocks of traffic of fixed time duration. This limits simulated time or require very high amount of data to be stored before simulation. On this work it is shown how self-similar traffic can be generated using Perlin Noise, an algorithm commonly used to generate 2D/3D noise for natural looking graphics. 1-dimension Perlin Noise can be interpreted as network traffic and used to generate long range dependent traffic for network simulation. The algorithm is compared to more classical approach Random Midpoint Displacement showing at traffic generated is similar but can be generated continuously with no fixed block size.
Open Access
A-priori flow bandwidth estimates for dynamic bandwidth allocation in ISP access links
(2001) Aracil Rico, Javier; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
In this paper we study a-priori bandwidth estimation algorithms for TCP flows. An RTT-based bandwidth allocator is proposed, which outperforms a broad class of peak-rate and static allocation flow switching solutions. Our findings suggest that a-priori bandwidth estimation (i.e, before the TCP data transfer phase takes place) is indeed feasible and serves to design simple, yet efficient, dynamic bandwidth allocation rules for ISP access links.
Open Access
Pamplona-traceroute: topology discovery and alias resolution to build router level Internet maps
(IEEE, 2013) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta Konputazioa
An Internet topology map at the router level not only needs to discover IP addresses in Internet paths (traceroute) but also needs to identify IP addresses belonging to the same router (IP aliases). Both processes, discovery and IP alias resolution, have traditionally been independent tasks. In this paper, a new tool called Pamplona-traceroute is proposed to improve upon current results in a state of the art for Internet topology construction at the router level. Indirect probing using TTLscoped UDP packets, usually present in the discovery phases, is reused in IP alias resolution phases, providing high identification rates, especially in access routers.
Open Access
Detección de congestión en la Internet europea
(IEEE, 2007) Hernández, Ana; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
In this paper we present a study about the utilization of one-way delay measurements to detect and characterize network congestion in the european Internet. The experiments have been made using the ETOMIC platfom that allows one-way delay measurement with high precision timestamps. We have found a peculiar router behaviour in which the bottleneck is not the available bandwidth but it is the packet processing power of the router (backplane and CPU constraints). This router has been characterized with several network parameters. Some of them are the dependency of this limitation with the input data rate in packets per second, the size of burst packet losses measured in packets or time and the absence of specific scheduling algorithms in the router that could affect to larger flows.
Open Access
Open repository for the evaluation of ransomware detection tools
(IEEE, 2020) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.
Open Access
Online detection of pathological TCP flows with retransmissions in high-speed networks
(Elsevier, 2018) Miravalls-Sierra, Eduardo; Muelas, David; Ramos, Javier; López de Vergara, Jorge E.; Morató Osés, Daniel; Aracil Rico, Javier; Automática y Computación; Automatika eta Konputazioa
Online Quality of Service (QoS) assessment in high speed networks is one of the key concerns for service providers, namely to detect QoS degradation on-the-fly as soon as possible and avoid customers’ complaints. In this regard, a Key Performance Indicator (KPI) is the number of TCP retransmissions per flow, which is related to packet losses or increased network and/or client/server latency. However, to accurately detect TCP retransmissions the whole sequence number list should be tracked which is a challenging task in multi-Gb/s networks. In this paper we show that the simplest approach of counting as a retransmission a packet whose sequence number is smaller than the previous one is enough to detect pathological flows with severe retransmissions. Such a lightweight approach eliminates the need of tracking the whole TCP flow history, which severely restricts traffic analysis throughput. Our findings show that low False Positive Rates (FPR) and False Negative Rates (FNR) can be achieved in the detection of such pathological flows with severe retransmissions, which are of paramount importance for QoS monitoring. Most importantly, we show that live detection of such pathological flows at 10 Gb/s rate per processing core is feasible.
Open Access
Analysis and stochastic characterization of TCP flows
(Springer, 2000) Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta Konputazioa
Since the most Internet services use TCP as a transport protocol there is a growing interest in the characterization of TCP flows. However, the flow characteristics depend on a large number of factors, due to the complexity of the TCP. As a result, the TCS characteristics are normally studies by means of simulations or controlled network setups. In this paper we propose a TCP characterization based on a generic model based of stochastic flow with burstiness and throughput (((σ, ρ)-constraints), which is useful in order to characterize flows in ATM and other flow-switched networks. The model is obtained through extensive analysis of a real traffic trace, comprising an approximate number of 1,500 hosts and 1,700,000 TCP connections. The results suggests that TCP connections in the wide area Internet have low throughput while the packet bursts do not suffer an exponential increase, as indicated by the slow-start behavior. On the other hand, the impact of the connection establishment phase is striking. We note that the throughput of the TCP flow is approximately half the throughput which is obtained in the data transfer phase, namely after the connection has been established.