Person: Izal Azcárate, Mikel
Loading...
Email Address
person.page.identifierURI
Birth Date
Research Projects
Organizational Units
Job Title
Last Name
Izal Azcárate
First Name
Mikel
person.page.departamento
Ingeniería Eléctrica, Electrónica y de Comunicación
person.page.instituteName
ISC. Institute of Smart Cities
ORCID
0000-0002-2770-912X
person.page.upna
2083
Name
54 results
Search Results
Now showing 1 - 10 of 54
Publication Open Access Open repository for the evaluation of ransomware detection tools(IEEE, 2020) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.Publication Open Access Ingress traffic classification versus aggregation in video over OBS networks(2010) Izal Azcárate, Mikel; Espina Antolín, Félix; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Automática y Computación; Automatika eta KonputazioaOptical Burst Switched (OBS) networks may become a backbone technology for video-on-demand providers. This work addresses the problem of dimensioning the access link of an ingress node to the optical core network in a video over OBS scenario. A video-ondemand provider using an OBS transport network will have to deliver traffic to a set of egress destinations. A large part of this traffic would be composed of video streaming traffic. However, in a real network there would be also a fraction of non video traffic related to non video services. This work studies the decision whether it is better to gather all traffic to the same destination in a joint burst assembler or separate video and general data traffic on different burs assemblers. The later may increase burst blocking probability but also allow for better tuning of OBS parameters that help improve video reception quality. Result show that this tuning of parameters is not enough to compensate the drop probability increase and thus it is better to aggregate video and general data traffic.Publication Open Access A popularity-aware method for discovering server IP addresses related to websites(IEEE, 2013) Torres García, Luis Miguel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Morató Osés, Daniel; Automática y Computación; Automatika eta KonputazioaThe complexity of web traffic has grown in the past years as websites evolve and new services are provided over the HTTP protocol. When accessing a website, multiple connections to different servers are opened and it is usually difficult to distinguish which servers are related to which sites. However, this information is useful from the perspective of security and accounting and can also help to label web traffic and use it as ground truth for traffic classification systems. In this paper we present a method to discover server IP addresses related to specific websites in a traffic trace. Our method uses NetFlow-type records which makes it scalable and impervious to encryption of packet payloads. It is, moreover, popularity-aware in the sense that it takes into consideration the differences in the number of accesses to each site in order to provide a better identification of servers. The method can be used to gather data from a group of interesting websites or, by applying it to a representative set of websites, it can label a sizeable number of connections in a packet trace.Publication Open Access Interactivity anomaly detection in remote work scenarios using LTSM(IEEE, 2024) Arellano Usón, Jesús; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza; Institute of Smart Cities - ISCIn recent years, there has been a notable surge in the utilization of remote desktop services, largely driven by the emergence of new remote work models introduced during the pandemic. These services cater to interactive cloud-based applications (CIAs), whose core functionality operates in the cloud, demanding strict end-user interactivity requirements. This boom has led to a significant increase in their deployment, accompanied by a corresponding increase in associated maintenance costs. Service administrators aim to guarantee a satisfactory Quality of Experience (QoE) by monitoring metrics like interactivity time, particularly in cloud environments where variables such as network performance and shared resources come into play. This paper analyses anomaly detection state of the art and proposes a novel system for detecting interactivity time anomalies in cloud-based remote desktop environments. We employ an automatic model based on LSTM neural networks that achieves an accuracy of up to 99.97%.Publication Open Access On the reduction of authoritative DNS cache timeouts: detection and implications for user privacy(Elsevier, 2021) Hernández Quintanilla, Tomás; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónThe domain name system (DNS) is an Internet network service that is used by hosts to resolve IP addresses from symbolic names. This basic service has been attacked and abused many times, as it is one of the oldest and most vulnerable services on the Internet. Some DNS resolvers conduct DNS manipulation, in which authoritative DNS responses are modified. This DNS manipulation is sometimes used for legitimate reasons (e.g., parental control) and other times is used to support malicious activities, such as DNS poisoning or data collection. Between these DNS manipulation activities, some Internet service providers (ISPs) are changing the DNS cache timeout of the DNS responses with which their DNS resolvers responded to obtain additional data about their subscribers. These data can be a detailed web browsing profile of the user. This approach does not require a large investment and can yield huge benefits if the information is used or sold. Therefore, user privacy is disputed. We conducted a study in which we analyse how ISPs use this DNS manipulation, propose a method for identifying this DNS manipulation by the end-user and determine the amount of information an ISP can collect by using it. We also developed a public web tool, for which the source code is available, that can help Internet users determine whether their privacy is being compromised by their ISP via the exploitation of DNS cache timeouts. This service can facilitate the collection of data on how many people are victims of this abuse and which ISPs around the world are utilizing this technique.Publication Open Access Validation of HTTP response time from network traffic as an alternative to web browser instrumentation(IEEE, 2021) López Romera, Carlos; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónThe measurement of response time in hypertext transfer protocol (HTTP) requests is the most basic proxy measurement method for evaluating web browsing quality. It is used in the research literature and in application performance measurement instruments. During the development of a website, response time is obtained from in-browser measurements. After the website has been deployed, network traffic is used to continuously monitor activity, and the measurement data are used for service management and planning. In this study, we evaluate the accuracy of the measurements obtained from network traffic by comparing them with the in-browser measurement of resource load time. We evaluate the response times for encrypted and clear-text requests in an emulated network environment, in a laboratory deployment equivalent to a data centre network, and accessing popular web sites on the public Internet. The accuracy for response time measurements obtained from network traffic is noticeable higher for Internet long distance paths than for lowdelay paths (below 20 ms round-trip). The overhead of traffic encryption in secure HTTP requests has a negative effect on measurement accuracy, and we find relative measurement errors higher than 70% when using network traffic to infer HTTP response times comparedPublication Open Access Analysis and stochastic characterization of TCP flows(Springer, 2000) Aracil Rico, Javier; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta KonputazioaSince the most Internet services use TCP as a transport protocol there is a growing interest in the characterization of TCP flows. However, the flow characteristics depend on a large number of factors, due to the complexity of the TCP. As a result, the TCS characteristics are normally studies by means of simulations or controlled network setups. In this paper we propose a TCP characterization based on a generic model based of stochastic flow with burstiness and throughput (((σ, ρ)-constraints), which is useful in order to characterize flows in ATM and other flow-switched networks. The model is obtained through extensive analysis of a real traffic trace, comprising an approximate number of 1,500 hosts and 1,700,000 TCP connections. The results suggests that TCP connections in the wide area Internet have low throughput while the packet bursts do not suffer an exponential increase, as indicated by the slow-start behavior. On the other hand, the impact of the connection establishment phase is striking. We note that the throughput of the TCP flow is approximately half the throughput which is obtained in the data transfer phase, namely after the connection has been established.Publication Open Access Online classification of user activities using machine learning on network traffic(Elsevier, 2020) Labayen Guembe, Víctor; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Ingeniería Eléctrica, Electrónica y de Comunicación; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio IngeniaritzarenThe daily deployment of new applications, along with the exponential increase in network traffic, entails a growth in the complexity of network analysis and monitoring. Conversely, the increasing availability and decreasing cost of computational capacity have increased the popularity and usability of machine learning algorithms. In this paper, a system for classifying user activities from network traffic using both supervised and unsupervised learning is proposed. The system uses the behaviour exhibited over the network and classifies the underlying user activity, taking into consideration all of the traffic generated by the user within a given time window. Those windows are characterised with features extracted from the network and transport layer headers in the traffic flows. A three-layer model is proposed to perform the classification task. The first two layers of the model are implemented using K-Means, while the last one uses a Random Forest to obtain the activity labels. An average accuracy of 97.37% is obtained, with values of precision and recall that allow online classification of network traffic for Quality of Service (QoS) and user profiling, outperforming previous proposals.Publication Open Access Techniques for better alias resolution in Internet topology discovery(IEEE, 2009) García-Jiménez, Santiago; Magaña Lizarrondo, Eduardo; Morató Osés, Daniel; Izal Azcárate, Mikel; Automática y Computación; Automatika eta KonputazioaOne of the challenging problems related with network topology discovery in Internet is the process of IP address alias identification. Topology information is usually obtained from a set of traceroutes that provide IP addresses of routers in the path from a source to a destination. If these traceroutes are repeated between several source/destination pairs we can get a sampling of all IP addresses for crossed routers. In order to generate the topology graph in which each router is a node, it is needed to identify all IP addresses that belong to the same router. In this work we propose improvements over existing methods to obtain alias identification related mainly with the types and options in probing packets.Publication Open Access A survey on detection techniques for cryptographic ransomware(IEEE, 2019) Berrueta Irigoyen, Eduardo; Morató Osés, Daniel; Magaña Lizarrondo, Eduardo; Izal Azcárate, Mikel; Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren; Institute of Smart Cities - ISC; Ingeniería Eléctrica, Electrónica y de ComunicaciónCrypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications. This is a detailed survey that focuses on detection algorithms, compared to most previous studies that offer a survey of ransomware families or isolated proposals of detection algorithms. We also compared the results of these proposals.