Person:
Morató Osés, Daniel

Last Name

Morató Osés

First Name

Daniel

Department

Ingeniería Eléctrica, Electrónica y de Comunicación

ORCID

0000-0002-0831-4042

person.page.upna

2085

Search Results

Now showing 1 - 10 of 62
  • PublicationOpen Access
    Validation of HTTP response time from network traffic as an alternative to web browser instrumentation
    (IEEE, 2021) López Romera, Carlos; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    The measurement of response time in hypertext transfer protocol (HTTP) requests is the most basic proxy measurement method for evaluating web browsing quality. It is used in the research literature and in application performance measurement instruments. During the development of a website, response time is obtained from in-browser measurements. After the website has been deployed, network traffic is used to continuously monitor activity, and the measurement data are used for service management and planning. In this study, we evaluate the accuracy of the measurements obtained from network traffic by comparing them with the in-browser measurement of resource load time. We evaluate the response times for encrypted and clear-text requests in an emulated network environment, in a laboratory deployment equivalent to a data centre network, and accessing popular web sites on the public Internet. The accuracy for response time measurements obtained from network traffic is noticeably higher for Internet long distance paths than for low-delay paths (below 20 ms round-trip). The overhead of traffic encryption in secure HTTP requests has a negative effect on measurement accuracy, and we find relative measurement errors higher than 70% when using network traffic to infer HTTP response times compared
  • PublicationOpen Access
    Aproximación al modelado y predicción de tráfico de Internet como múltiplex de conexión de transporte
    (2001) Morató Osés, Daniel; Aracil Rico, Javier; Automática y Computación; Automatika eta Konputazioa
    Data traffic in today's Internet poses a new characterization and modeling challenge for the correct dimensioning of the equipment and links that make up the so-called “network of networks”. In this work we present a review of the models proposed to date, which takes us from the limits of classical telephony to the concepts of long-range dependence and self-similarity. Starting from these models, we address the characterization of a large population of Internet users. To do so, we rely on traffic traces from the IP over ATM Internet access link at the Universidad Pública de Navarra. These traces were obtained with a novel ATM link monitoring tool. With these traces we present a macroscopic analysis of protocols and services on the link, which shows TCP as the main protocol and the Web as the most used service, accounting for more than three quarters of the traffic generated. Given the predominance of these TCP connections, we carry out a characterization based on stochastic processes for the multiplex of TCP flows. This characterization rests on several observed features of the traffic, specifically that the rate of TCP connections depends strongly on the end-to-end delay (RTT) of the connection and that their burstiness does not follow the exponential progression that would be expected from the slow-start algorithm. This leads us to a model based on (σ, ρ) constraints that allows circuit-switching technologies to be used for per-flow bandwidth reservation. With the knowledge gained about the behaviour of TCP flows in the current network, we review the M/G/∞ flow model. This is one of the most widely used models both for generating synthetic data traffic and for the analytical study of its characteristics. We confirm two of the hypotheses on which it is based (Poisson arrival process and flow durations with infinite variance), but we see that the hypothesis of a constant transfer rate is far from what is observed in real traffic. We therefore propose an alteration of the model by incorporating a Weibull random variable for the flow rate. This modification allows the resulting traffic to better fit the variability of its marginal distribution. The classical M/G/∞ model underestimates traffic variability even though it correctly models its long-range dependence. We show, however, that in the future high-speed networks that will form the next generation of the Internet, the long-range dependence effect will tend to disappear at the cost of an increase in traffic variability, which will become the factor that determines network performance. The latter is strong support for accepting modifications of the model along the lines of the proposal. Finally, we use the TCP flow characterization obtained to propose a bandwidth estimation algorithm based on the RTT of the connections. The estimation is aimed at bandwidth reservation on the links of Internet access providers. The results show that estimation based on parameters known a priori is feasible and improves on the results obtained with allocators based on peak rate, static allocations or best-effort. This opens up numerous possibilities for studying allocation algorithms as well as the dynamic computation of their parameters.
  • PublicationOpen Access
    Ransomware early detection by the analysis of file sharing traffic
    (Elsevier, 2018) Morató Osés, Daniel; Berrueta Irigoyen, Eduardo; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de Comunicación
    Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
  • PublicationOpen Access
    Detección de congestión en la Internet europea
    (IEEE, 2007) Hernández, Ana; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    In this paper we present a study about the utilization of one-way delay measurements to detect and characterize network congestion in the European Internet. The experiments have been made using the ETOMIC platform that allows one-way delay measurement with high precision timestamps. We have found a peculiar router behaviour in which the bottleneck is not the available bandwidth but the packet processing power of the router (backplane and CPU constraints). This router has been characterized with several network parameters. Some of them are the dependency of this limitation on the input data rate in packets per second, the size of burst packet losses measured in packets or time and the absence of specific scheduling algorithms in the router that could affect larger flows.
  • PublicationOpen Access
    Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
    (Elsevier, 2022) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa
    Ransomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected
  • PublicationOpen Access
    Predicción de tráfico de Internet and aplicaciones
    (2001) Bernal, I.; Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Magaña Lizarrondo, Eduardo; Díez Marca, L. A.; Automática y Computación; Automatika eta Konputazioa
    In this paper we focus on traffic prediction as a means to achieve dynamic bandwidth allocation in a generic Internet link. Our findings show that coarse prediction (bytes per interval) proves advantageous to perform dynamic link dimensioning, even if we consider a part of the top traffic producers in the traffic predictor.
  • PublicationOpen Access
    Mejoras en la identificación de tráfico de aplicación basado en firmas
    (2008) Santolaya Bea, Néstor; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    Traffic identification has been based traditionally on transport protocol ports, associating always the same ports with the same applications. Nowadays that assumption is not true and new methods like signature identification or statistical techniques are applied. This work presents a method based on signature identification with some improvements. The use of regular expressions for typical applications has been studied deeply and its use has been improved in the aspects of percentage identification and resource consumption. On the other hand, a flows-record structure has been applied in order to classify those packets that do not verify any regular expression. Results are compared with the related open-source project L7-filter, and the improvements are presented. Finally, detailed regular expressions for analyzed applications are included in the paper, especially P2P applications.
  • PublicationOpen Access
    Use of CBR for IP over ATM
    (SPIE, 1997) Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Donézar, C.; Automática y Computación; Automatika eta Konputazioa
    Internet traffic burstiness allows for statistical multiplexing gain in the available bandwidth of an ATM link. However, a dynamic allocation bandwidth assignment (ABR) has to be performed. In this paper we evaluate the real advantages of ABR versus CBR for Internet service provisioning. We consider performance parameters such as connection setup delay and active waiting time due to flow control and show that CBR schemes can be a good alternative for Internet service provisioning over ATM networks.
  • PublicationOpen Access
    Online detection of pathological TCP flows with retransmissions in high-speed networks
    (Elsevier, 2018) Miravalls-Sierra, Eduardo; Muelas, David; Ramos, Javier; López de Vergara, Jorge E.; Morató Osés, Daniel; Aracil Rico, Javier; Automática y Computación; Automatika eta Konputazioa
    Online Quality of Service (QoS) assessment in high speed networks is one of the key concerns for service providers, namely to detect QoS degradation on-the-fly as soon as possible and avoid customers’ complaints. In this regard, a Key Performance Indicator (KPI) is the number of TCP retransmissions per flow, which is related to packet losses or increased network and/or client/server latency. However, to accurately detect TCP retransmissions the whole sequence number list should be tracked which is a challenging task in multi-Gb/s networks. In this paper we show that the simplest approach of counting as a retransmission a packet whose sequence number is smaller than the previous one is enough to detect pathological flows with severe retransmissions. Such a lightweight approach eliminates the need of tracking the whole TCP flow history, which severely restricts traffic analysis throughput. Our findings show that low False Positive Rates (FPR) and False Negative Rates (FNR) can be achieved in the detection of such pathological flows with severe retransmissions, which are of paramount importance for QoS monitoring. Most importantly, we show that live detection of such pathological flows at 10 Gb/s rate per processing core is feasible.
  • PublicationOpen Access
    A-priori flow bandwidth estimates for dynamic bandwidth allocation in ISP access links
    (2001) Aracil Rico, Javier; Morató Osés, Daniel; Automática y Computación; Automatika eta Konputazioa
    In this paper we study a-priori bandwidth estimation algorithms for TCP flows. An RTT-based bandwidth allocator is proposed, which outperforms a broad class of peak-rate and static allocation flow switching solutions. Our findings suggest that a-priori bandwidth estimation (i.e., before the TCP data transfer phase takes place) is indeed feasible and serves to design simple, yet efficient, dynamic bandwidth allocation rules for ISP access links.