MONITORIZACION Y ANALISIS DE REDES CON INFORMACION PARCIAL
PID2019-104451RB-C22
•
Nombre agencia financiadora Agencia Estatal de Investigación
Acrónimo agencia financiadora AEI
Programa Programa Estatal de Generación de Conocimiento y Fortalecimiento Científico y Tecnológico del Sistema de I+D+i
Subprograma Subprograma Estatal de Generación de Conocimiento
Convocatoria Proyectos I+D
Año convocatoria 2019
Unidad de gestión Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020
Centro beneficiario UNIVERSIDAD PUBLICA DE NAVARRA
Identificador persistente http://dx.doi.org/10.13039/501100011033
Publicaciones
Found(s) 5 result(s)
Found(s) 1 page(s)
Found(s) 1 page(s)
Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
Academica-e. Repositorio Institucional de la Universidad Pública de Navarra
- Berrueta Irigoyen, Eduardo
- Morató Osés, Daniel
- Magaña Lizarrondo, Eduardo
- Izal Azcárate, Mikel
Ransomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’
computers usually store only system and program files, while all the documents are accessed from shared
servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared
files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool
to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the
traffic exchanged between the clients and the file servers and using machine learning techniques it searches
for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the
first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols.
We extract features from network traffic that describe the activity opening, closing, and modifying files. The
features allow the differentiation between ransomware activity and high activity from benign applications. We
train and test the detection model using a large set of more than 70 ransomware binaries from 33 different
strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed
tool can detect all ransomware binaries described, including those not used in the training phase. This paper
provides a validation of the algorithm by studying the false positive rate and the amount of information from
user files that the ransomware could encrypt before being detected, This work was supported by Spanish Ministry of Science and Innovation through project PID2019-104451RB-C22/AEI/10.13039/ 501100011033. Open access funding provided by Universidad Pública de Navarra.
computers usually store only system and program files, while all the documents are accessed from shared
servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared
files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool
to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the
traffic exchanged between the clients and the file servers and using machine learning techniques it searches
for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the
first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols.
We extract features from network traffic that describe the activity opening, closing, and modifying files. The
features allow the differentiation between ransomware activity and high activity from benign applications. We
train and test the detection model using a large set of more than 70 ransomware binaries from 33 different
strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed
tool can detect all ransomware binaries described, including those not used in the training phase. This paper
provides a validation of the algorithm by studying the false positive rate and the amount of information from
user files that the ransomware could encrypt before being detected, This work was supported by Spanish Ministry of Science and Innovation through project PID2019-104451RB-C22/AEI/10.13039/ 501100011033. Open access funding provided by Universidad Pública de Navarra.
Validation of HTTP response time from network traffic as an alternative to web browser instrumentation
Academica-e. Repositorio Institucional de la Universidad Pública de Navarra
- López Romera, Carlos
- Morató Osés, Daniel
- Magaña Lizarrondo, Eduardo
- Izal Azcárate, Mikel
The measurement of response time in hypertext transfer protocol (HTTP) requests is the most basic proxy measurement method for evaluating web browsing quality. It is used in the research literature and in application performance measurement instruments. During the development of a website, response time is obtained from in-browser measurements. After the website has been deployed, network traffic is used to continuously monitor activity, and the measurement data are used for service management and planning. In this study, we evaluate the accuracy of the measurements obtained from network traffic by comparing them with the in-browser measurement of resource load time. We evaluate the response times for encrypted and clear-text requests in an emulated network environment, in a laboratory deployment equivalent to a data centre network, and accessing popular web sites on the public Internet. The accuracy for response time measurements obtained from network traffic is noticeable higher for Internet long distance paths than for lowdelay paths (below 20 ms round-trip). The overhead of traffic encryption in secure HTTP requests has a negative effect on measurement accuracy, and we find relative measurement errors higher than 70% when using network traffic to infer HTTP response times compared, This work was supported by the Spanish State Agency of Research through project PID2019-104451RB-C22/AEI/10.13039/501100011033
On the reduction of authoritative DNS cache timeouts: detection and implications for user privacy
Academica-e. Repositorio Institucional de la Universidad Pública de Navarra
- Hernández Quintanilla, Tomás
- Magaña Lizarrondo, Eduardo
- Morató Osés, Daniel
- Izal Azcárate, Mikel
The domain name system (DNS) is an Internet network service that is used by hosts to resolve IP addresses from symbolic names. This basic service has been attacked and abused many times, as it is one of the oldest and most vulnerable services on the Internet. Some DNS resolvers conduct DNS manipulation, in which authoritative DNS responses are modified. This DNS manipulation is sometimes used for legitimate reasons (e.g., parental control) and other times is used to support malicious activities, such as DNS poisoning or data collection. Between these DNS manipulation activities, some Internet service providers (ISPs) are changing the DNS cache timeout of the DNS responses with which their DNS resolvers responded to obtain additional data about their subscribers. These data can be a detailed web browsing profile of the user. This approach does not require a large investment and can yield huge benefits if the information is used or sold. Therefore, user privacy is disputed. We conducted a study in which we analyse how ISPs use this DNS manipulation, propose a method for identifying this DNS manipulation by the end-user and determine the amount of information an ISP can collect by using it. We also developed a public web tool, for which the source code is available, that can help Internet users determine whether their privacy is being compromised by their ISP via the exploitation of DNS cache timeouts. This service can facilitate the collection of data on how many people are victims of this abuse and which ISPs around the world are utilizing this technique., This work was supported by the Spanish State Research Agency with project PID2019-104451RB-C22/AEI/10.13039/501100011033.
Interactivity anomaly detection in remote work scenarios using LTSM
Academica-e. Repositorio Institucional de la Universidad Pública de Navarra
- Arellano Usón, Jesús
- Magaña Lizarrondo, Eduardo
- Morató Osés, Daniel
- Izal Azcárate, Mikel
In recent years, there has been a notable surge in the utilization of remote desktop services, largely driven by the emergence of new remote work models introduced during the pandemic. These services cater to interactive cloud-based applications (CIAs), whose core functionality operates in the cloud, demanding strict end-user interactivity requirements. This boom has led to a significant increase in their deployment, accompanied by a corresponding increase in associated maintenance costs. Service administrators aim to guarantee a satisfactory Quality of Experience (QoE) by monitoring metrics like interactivity time, particularly in cloud environments where variables such as network performance and shared resources come into play. This paper analyses anomaly detection state of the art and proposes a novel system for detecting interactivity time anomalies in cloud-based remote desktop environments. We employ an automatic model based on LSTM neural networks that achieves an accuracy of up to 99.97%., This work was supported by the Spanish State Research Agency under Project PID2019-104451RB-C22/AEI/10.13039/501100011033
Survey on quality of experience evaluation for cloud-based interactive applications
Academica-e. Repositorio Institucional de la Universidad Pública de Navarra
- Arellano Usón, Jesús
- Magaña Lizarrondo, Eduardo
- Morató Osés, Daniel
- Izal Azcárate, Mikel
A cloud-based interactive application (CIA) is an application running in the cloud with stringent interactivity requirements, such as remote desktop and cloud gaming. These services have experienced a surge in usage, primarily due to the adoption of new remote work practices during the pandemic and the emergence of entertainment schemes similar to cloud gaming platforms. Evaluating the quality of experience (QoE) in these applications requires specific metrics, including interactivity time, responsiveness, and the assessment of video- and audio-quality degradation. Despite existing studies that evaluate QoE and compare features of general cloud applications, systematic research into QoE for CIAs is lacking. Previous surveys often narrow their focus, overlooking a comprehensive assessment. They touch on QoE in broader contexts but fall short in detailed metric analysis. Some emphasise areas like mobile cloud computing, omitting CIA-specific nuances. This paper offers a comprehensive survey of QoE measurement techniques in CIAs, providing a taxonomy of input metrics, strategies, and evaluation architectures. State-of-the-art proposals are assessed, enabling a comparative analysis of their strengths and weaknesses and identifying future research directions., This work was supported by the Spanish State Research Agency project number PID2019-104451RB-C22/AEI/10.13039/501100011033.