

Address
Office 4
Dept. of Telematics Engineering
ETS de Ingeniería
c/ Camino de los descubrimientos s/n
41092 - Sevilla
Contact
german @ us.es
GERMÁN MADINABEITIA LUQUE
POSITIONS
Associate Professor (Profesor Titular) of Telematics Engineering
Dept. of Telematics Engineering
Universidad de Sevilla
ACADEMIC BACKGROUND
PhD in Telecommunication Engineering - Universidad de Sevilla
Teaching
Research lines
ORCID
Summary
Germán Madinabeitia Luque holds a degree in Telecommunication Engineering (1986) and a PhD in Telecommunication Engineering (2004), both from the Universidad Politécnica de Madrid. He is currently a profesor colaborador doctor (lecturer) in the Department of Telematics Engineering at the Universidad de Sevilla. Before joining the Universidad de Sevilla, and after two years as a researcher at the LOCTS of the ETSIT in Madrid, he worked for more than 10 years as an engineer at several companies in the telecommunications sector, including SECOINSA, Fujitsu España, Andersen Consulting and Telefónica Sistemas, where he took part in projects of various kinds, such as the TESYS packet-switching system, the development of a natural-language DBMS, and the deployment of telecommunications on the site of the Universal Exposition of Seville. His current research interests focus on sensor networks, the Internet of Things and traffic engineering.
He has taken part in several research projects under the Spanish National Research Plan (Plan Nacional de Investigación) on topics related to the deployment of telecommunication networks, the integration of next-generation networks, and underwater communications. As for privately funded research contracts, he has participated in more than 25 contracts on cybersecurity, multimedia integration, advanced service deployment, and intelligent systems for the environment or road safety, acting as principal investigator in 7 of them. He has co-supervised one doctoral thesis.
He is co-author of more than 35 publications in journals or conferences, 10 of them in the last five years, in fields including cybersecurity, UAV deployment and network design. According to Google Scholar statistics, his publications have received 30 citations in the last five years, out of a total of almost 100 citations, giving an h-index of 6 for the last 5 years and an h-index of 3 overall.
Publications (cybersecurity)
2025
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Muñoz-Calle, F. J.; Madinabeitia, German
Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 Journal article
In: Cybersecurity, vol. 8, no. 35, 2025, ISSN: 2523-3246.
@article{Biblio24,
title = {Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 },
author = {Jesús E. {Díaz-Verdejo} and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and F. J. {Muñoz-Calle} and German {Madinabeitia}},
doi = {10.1186/s42400-024-00336-3},
issn = {2523-3246},
year = {2025},
date = {2025-06-05},
urldate = {2025-06-05},
journal = {Cybersecurity},
volume = {8},
number = {35},
abstract = {This paper introduces Biblio-US17, a labeled dataset collected over 6 months from the log files of a popular public website at the University of Seville. It contains 47 million records, each including the method, uniform resource identifier (URI) and associated response code and size of every request received by the web server. Records have been classified as either normal or attack using a comprehensive semi-automated process, which involved signature-based detection, assisted inspection of URIs vocabulary, and substantial expert manual supervision. Unlike comparable datasets, this one offers a genuine real-world perspective on the normal operation of an active website, along with an unbiased proportion of actual attacks (i.e., non-synthetic). This makes it ideal for evaluating and comparing anomaly-based approaches in a realistic environment. Its extensive size and duration also make it valuable for addressing challenges like data shift and insufficient training. This paper describes the collection and labeling processes, dataset structure, and most relevant properties. We also include an example of an application for assessing the performance of a simple anomaly detector. Biblio-US17, now available to the scientific community, can also be used to model the URIs used by current web servers.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2024
Muñoz-Calle, Javier; Alonso, Rafael Estepa; Alonso, Antonio Estepa; Díaz-Verdejo, Jesús E.; Fernández, Elvira Castillo; Madinabeitia, Germán
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection Journal article
In: JUCS – Journal of Universal Computer Science, vol. 30, no. 9, pp. 1184-1204, 2024, ISSN: 0948-695X.
@article{10.3897/jucs.131686,
title = {A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection},
author = {Javier Muñoz-Calle and Rafael Estepa Alonso and Antonio Estepa Alonso and Jesús E. Díaz-Verdejo and Elvira Castillo Fernández and Germán Madinabeitia},
url = {https://doi.org/10.3897/jucs.131686},
doi = {10.3897/jucs.131686},
issn = {0948-695X},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
journal = {JUCS - Journal of Universal Computer Science},
volume = {30},
number = {9},
pages = {1184-1204},
publisher = {Journal of Universal Computer Science},
abstract = {Network monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events/alerts. This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT&CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2023
Fernández, Elvira Castillo; Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Muñoz-Calle, Javier; Madinabeitia, Germán
Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation Proceedings Article
In: Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023), pp. 6, 2023.
@inproceedings{eicc23-attacks,
title = {Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation},
author = {Elvira {Castillo Fernández} and Jesús E. {Díaz-Verdejo} and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and Javier {Muñoz-Calle} and Germán Madinabeitia},
doi = {10.1145/3590777.3590778},
year = {2023},
date = {2023-06-14},
urldate = {2023-06-14},
booktitle = {Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023)},
pages = {6},
abstract = {Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts.
In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach.
In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models.
Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Madinabeitia, German
A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges Journal article
In: Computers and Security, vol. 124, pp. 102997, 2023, ISSN: 01674048.
@article{Diaz-Verdejo2023,
title = {A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges},
author = {Jesús E. Díaz-Verdejo and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and German Madinabeitia},
doi = {10.1016/j.cose.2022.102997},
issn = {01674048},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {Computers and Security},
volume = {124},
pages = {102997},
abstract = {Intrusion Detection Systems (IDSs) and Web Application Firewalls (WAFs) offer a crucial layer of defense that allows organizations to detect cyberattacks on their web servers. Academic research overwhelmingly suggests using anomaly detection techniques to improve the performance of these defensive systems. However, analyzing and comparing the wide range of solutions in the scientific literature is challenging since they are typically presented as isolated (unrelated) contributions, and their results cannot be generalized. We believe that this impairs the industry's adoption of academic results and the advancement of research in this field. This paper aims to shed light on the literature on anomaly-based detection of attacks that use HTTP request messages. We define a novel framework for anomaly detection based on six data processing steps grouped into two sequential phases: preprocessing and classification. Based on this framework, we provide a taxonomy and critical review of the techniques surveyed, emphasizing their limitations and applicability. Future approaches should take advantage of the syntax and semantics of the Uniform Resource Locator (URL), be scalable, and address their obsolescence. These aspects are frequently overlooked in the literature and pose a significant challenge in the current era of web services. For better comparability, authors should use adequate public datasets, follow a thorough methodology, and use appropriate metrics that fully show the pros and cons of the approach.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Román-Martínez, Isabel; Calvillo-Arbizu, Jorge; Mayor-Gallego, Vicente J.; Madinabeitia-Luque, Germán; Estepa-Alonso, Antonio J.; Estepa-Alonso, Rafael M.
Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing Journal article
In: IEEE Access, vol. 11, pp. 12727-12741, 2023, ISSN: 2169-3536.
@article{10036374,
title = {Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing},
author = {Isabel Román-Martínez and Jorge Calvillo-Arbizu and Vicente J. Mayor-Gallego and Germán Madinabeitia-Luque and Antonio J. Estepa-Alonso and Rafael M. Estepa-Alonso},
doi = {10.1109/ACCESS.2023.3242605},
issn = {2169-3536},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {IEEE Access},
volume = {11},
pages = {12727-12741},
abstract = {Continuity of care requires the exchange of health information among organizations and care teams. The EU General Data Protection Regulation (GDPR) establishes that subject of care should give explicit consent to the treatment of her personal data, and organizations must obey the individual’s will. Nevertheless, few solutions focus on guaranteeing the proper execution of consents. We propose a service-oriented architecture, backed by blockchain technology, that enables: (1) tamper-proof and immutable storage of subject of care consents; (2) a fine-grained access control for protecting health data according to consents; and (3) auditing tasks for supervisory authorities (or subjects of care themselves) to assess that healthcare organizations comply with GDPR and granted consents. Standards for health information exchange and access control are adopted to guarantee interoperability. Access control events and the subject of care consents are maintained on a blockchain, providing a trusted collaboration between organizations, supervisory authorities, and individuals. A prototype of the architecture has been implemented as a proof of concept to evaluate the performance of critical components. The application of subject of care consent to control the treatment of personal health data in federated and distributed environments is a pressing concern. The experimental results show that blockchain can effectively support sharing consent and audit events among healthcare organizations, supervisory authorities, and individuals.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2022
Díaz-Verdejo, J. E.; Muñoz-Calle, F. J.; Estepa Alonso, A.; Estepa Alonso, R.; Madinabeitia, G.
On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks Journal article
In: Applied Sciences, vol. 12, no. 2, pp. 852, 2022, ISSN: 20763417.
@article{Diaz-Verdejo2022,
title = {On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks},
author = {J. E. Díaz-Verdejo and F. J. Muñoz-Calle and {Estepa Alonso}, A. and {Estepa Alonso}, R. and G. Madinabeitia},
url = {https://www.mdpi.com/2076-3417/12/2/852/htm https://www.mdpi.com/2076-3417/12/2/852},
doi = {10.3390/app12020852},
issn = {20763417},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {Applied Sciences},
volume = {12},
number = {2},
pages = {852},
publisher = {Multidisciplinary Digital Publishing Institute},
abstract = {Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. 
Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Deployment of UAV-mounted Access Points for VoWiFi Service with guaranteed QoS Journal article
In: Computer Communications, vol. 193, pp. 94-108, 2022, ISSN: 01403664, (cited by 0).
@article{Mayor202294,
title = {Deployment of UAV-mounted Access Points for VoWiFi Service with guaranteed QoS},
author = {V. Mayor and R. Estepa and A. Estepa and G. Madinabeitia},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85133540825&doi=10.1016%2fj.comcom.2022.06.037&partnerID=40&md5=e2d77e953e2987abaffb06aca60418c5},
doi = {10.1016/j.comcom.2022.06.037},
issn = {01403664},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {Computer Communications},
volume = {193},
pages = {94-108},
publisher = {Elsevier B.V.},
abstract = {Unmanned Aerial Vehicle (UAV) networks have emerged as a promising means to provide wireless coverage in open geographical areas. Nevertheless, in wireless networks such as WiFi, signal coverage alone is insufficient to guarantee that network performance meets the quality of service (QoS) requirements of real-time communication services, as it also depends on the traffic load produced by ground users sharing the medium access. We formulate a new problem for UAVs optimal deployment in which the QoS level is guaranteed for real-time voice over WiFi (VoWiFi) communications. More specifically, our goal is to dispatch the minimum number of UAVs possible to provide VoWiFi service to a set of ground users subject to coverage, call-blocking probability, and QoS constraints. Optimal solutions are found using well-known heuristics that include K-means clusterization and genetic algorithms. Via numerical results, we show that the WiFi standard revision (e.g. IEEE 802.11a/b/g/n/ac) in use plays an important role in both coverage and QoS performance and hence, in the number of UAVs required to provide the service. © 2022 The Author(s)},
note = {cited By 0},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2021
Alonso, R. Estepa; Diaz-Verdejo, J.; Alonso, A. Estepa; Madinabeitia, G.; Muñoz, F. J.
Generación automática de firmas para detección de ciberataques basados en URI (Automatic signature generation for the detection of URI-based cyberattacks) Conference proceedings
2021.
@proceedings{jitel-firmas,
title = {Generación automática de firmas para detección de ciberataques basados en URI},
author = {R. {Estepa Alonso} and J. {Diaz-Verdejo} and A. {Estepa Alonso} and G. {Madinabeitia} and F. J. {Muñoz} },
year = {2021},
date = {2021-10-30},
urldate = {2021-10-30},
booktitle = {Actas de las XV Jornadas de Ingeniería Telemática (JITEL 2021)},
journal = {Actas de las XV Jornadas de Ingeniería Telemática (JITEL 2021)},
pages = {22-25},
abstract = {La mayor parte de los sistemas de detección de intrusiones (IDS) operativos se basan en el uso de firmas que permiten identificar ataques conocidos. La dependencia de estos IDS con la actualización de
las bases de datos de firmas constituye una de sus mayores limitaciones, siendo de interés el desarrollo de sistemas que posibiliten la generación automática o supervisada de firmas.
En el presente trabajo se evalúa experimentalmente un sistema para la generación de firmas a partir de un IDS basado en anomalías propuesto en un trabajo previo. También se desarrolla y evalúa un
sistema automatizado para la selección del punto de operación óptimo del generador de firmas. Los resultados preliminares de este trabajo en curso muestran que se pueden generar firmas nuevas que aumenten la capacidad de detección del IDS basados en firmas o patrones conocidos (SIDS) controlando el número de falsos positivos introducidos.},
keywords = {},
pubstate = {published},
tppubtype = {proceedings}
}
Román, Isabel; Madinabeitia, Germán; Estepa, Rafael; Díaz-Verdejo, Jesús; Estepa, Antonio; González-Sánchez, José Luis; Prieto, Felipe Lemuz
Aplicación de control de acceso y técnicas de Blockchain para el control de datos genéticos (Applying access control and blockchain techniques to the control of genetic data) Proceedings Article
In: Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad, pp. 293–299, 2021, ISBN: 9788490444634.
@inproceedings{Roman2021,
title = {Aplicación de control de acceso y técnicas de Blockchain para el control de datos genéticos},
author = {Isabel Román and Germán Madinabeitia and Rafael Estepa and Jesús Díaz-Verdejo and Antonio Estepa and José Luis González-Sánchez and Felipe Lemuz Prieto},
url = {https://ruidera.uclm.es/xmlui/handle/10578/28677},
doi = {10.18239/jornadas_2021.34.67},
isbn = {9788490444634},
year = {2021},
date = {2021-01-01},
booktitle = {Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad},
pages = {293--299},
abstract = {Este trabajo presenta una solución al reto de mejorar la trazabilidad del acceso a información genética almacenada en una aplicación propietaria a través del uso de blockchain. Para ello se realizan tres acciones: (a) se normaliza la estructura y acceso a los datos conforme al estándar sanitario FHIR; (b) se diseña una arquitectura normalizada de control de acceso a los datos en la que el paciente puede administrar las políticas de acceso a sus datos clínicos compatible con el RGDP; (c) se securiza mediante blockchain la trazabilidad del acceso a los datos. Los resultados de las tres acciones anteriores se integran en un demostrador o una aplicación piloto que tiene las siguientes características: (a) arquitectura SOA con interfaces normalizados de acceso que siguen el estándar FHIR; (b) cuenta con sistema distribuido de control de acceso de grano fino que sigue el estándar XACML/SAML; (c) utiliza blockchain de forma que se garantice la trazabilidad y la integridad de los registros de acceso al sistema.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Estepa, Rafael; Estepa, Antonio; Díaz-Verdejo, Jesús; Lara, Agustín W; Madinabeitia, Germán; Sánchez, José A. Morales
Diseño de un IDS basado en anomalías para IoT: caso de estudio en SmartCities (Design of an anomaly-based IDS for IoT: a Smart City case study) Proceedings Article
In: Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad, pp. 135–138, 2021.
@inproceedings{Estepa-jnic2021,
title = {Diseño de un IDS basado en anomalías para IoT: caso de estudio en SmartCities},
author = {Rafael Estepa and Antonio Estepa and Jesús Díaz-Verdejo and Agustín W Lara and Germán Madinabeitia and José A. Morales Sánchez},
url = {https://ruidera.uclm.es/xmlui/handle/10578/28638},
doi = {10.18239/jornadas_2021.34.30},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
booktitle = {Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad},
pages = {135--138},
abstract = {Los sistemas de Smart-City constituyen un campo específico en el IoT. Las soluciones de ciberseguridad IT tradicionales son excesivamente genéricas y poco eficientes para este tipo de instalaciones con escasos recursos computacionales y de coste limitado. Por ello, en conjunción con una empresa del sector, se está desarrollando un proyecto para la detección de incidentes de seguridad de un sistema de Iluminación Inteligente. En este artículo se describen los resultados iniciales del proyecto.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Diaz-Verdejo, J.; Muñoz, F. J.; Alonso, R. Estepa; Alonso, A. Estepa; Madinabeitia, G.
Sobre las capacidades de detección de los IDS basados en firmas (On the detection capabilities of signature-based IDS) Proceedings Article
In: Serrano, Manuel A.; Fernández-Medina, Eduardo; Alcaraz, Cristina; Castro, Noemí; Calvo, Guillermo (Eds.): Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad, pp. 55–64, Ediciones de la Universidad de Castilla-La Mancha, 2021, ISBN: 9788490444634.
@inproceedings{diaz-verdejo-jnic21,
title = {Sobre las capacidades de detección de los IDS basados en firmas},
author = {J. Diaz-Verdejo and F. J. Muñoz and R. Estepa Alonso and A. Estepa Alonso and G. Madinabeitia},
editor = {Manuel A. Serrano and Eduardo Fernández-Medina and Cristina Alcaraz and Noemí Castro and Guillermo Calvo},
url = {https://ruidera.uclm.es/xmlui/handle/10578/28597},
doi = {10.18239/jornadas_2021.34.00},
isbn = {9788490444634},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
booktitle = {Actas de las VI Jornadas Nacionales de Investigación en Ciberseguridad},
pages = {55--64},
publisher = {Ediciones de la Universidad de Castilla-La Mancha},
series = {Colección Jornadas y Congresos},
abstract = {Los sistemas de detección de intrusiones (IDS) pueden detectar actividades maliciosas y generar alertas a supervisar, por lo que constituyen el núcleo de los sistemas de monitorización de la seguridad de las redes. Tradicionalmente, se ha asumido que los IDS basados en firmas (SIDS) ofrecen una capacidad de detección y tasa de falsos positivos adecuadas, presentando limitaciones sólo en la detección de ataques 0-day. Sin embargo, estas capacidades están inequívocamente asociadas a la calidad de las firmas disponibles, que varían no sólo en el tiempo sino con la herramienta concreta utilizada. En este trabajo se exploran las capacidades de diversos sistemas SIDS ampliamente utilizados en un escenario real en el contexto de servicios web. Asimismo, se analiza la evolución de sus prestaciones a lo largo del tiempo considerando la actualización de las firmas. Los resultados de nuestras pruebas evidencian una gran variabilidad en las prestaciones en función de la herramienta seleccionada, así como una deficiente cobertura de ataques conocidos, incluso cuando se optimizan las reglas para ajustarse al sistema a proteger. Consecuentemente, es necesario revisar el papel de los SIDS como elementos de protección, ya que pueden proporcionar una falsa sensación de seguridad.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Estepa, R.; Estepa, A.; Madinabeitia, G.; Garcia, E.
RPL Cross-Layer Scheme for IEEE 802.15.4 IoT Devices with Adjustable Transmit Power Journal article
In: IEEE Access, vol. 9, pp. 120689-120703, 2021, ISSN: 21693536, (cited by 5).
@article{Estepa2021120689,
title = {RPL Cross-Layer Scheme for IEEE 802.15.4 IoT Devices with Adjustable Transmit Power},
author = {R. Estepa and A. Estepa and G. Madinabeitia and E. Garcia},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85113833413&doi=10.1109%2fACCESS.2021.3107981&partnerID=40&md5=013e007afc3cced8a0ce5eaeae0b38c6},
doi = {10.1109/ACCESS.2021.3107981},
issn = {21693536},
year = {2021},
date = {2021-01-01},
journal = {IEEE Access},
volume = {9},
pages = {120689-120703},
publisher = {Institute of Electrical and Electronics Engineers Inc.},
abstract = {We propose a novel cross-layer scheme to reduce energy consumption in wireless sensor networks composed of IEEE 802.15.4 IoT devices with adjustable transmit power. Our approach is based on the IETF's Routing Protocol for Low power and lossy networks (RPL). Nodes discover neighbors and keep fresh link statistics for each available transmit power level. Using the product of ETX and local transmit power level as a single metric, each node selects both the parent that minimizes the energy for packet transmission along the path to the root and the optimal local transmit power to be used. We have implemented our cross-layer scheme in NG-Contiki using the Z1 mote and two transmit power levels (55mW and 31mW). Simulations of a network of 15 motes show that (on average) 66% of nodes selected the low-power setting in a 25 m × 25 m area. As a result, we obtained an average reduction of 25% of the energy spent on transmission and reception of packets compared to the standard RPL settings where all nodes use the same transmit power level. In large scenarios (e.g., 150 m × 150 m and 40-100 motes), our approach provides better results in dense networks where reducing the transmit power of nodes does not translate into longer paths to the root nor degraded quality of service. © 2013 IEEE.},
note = {cited By 5},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2020
Díaz-Verdejo, Jesús E.; Estepa, Antonio; Estepa, Rafael; Madinabeitia, German; Muñoz-Calle, Fco Javier
A methodology for conducting efficient sanitization of HTTP training datasets Journal article
In: Future Generation Computer Systems, vol. 109, pp. 67–82, 2020, ISSN: 0167739X.
@article{Diaz-Verdejo2020,
title = {A methodology for conducting efficient sanitization of HTTP training datasets},
author = {Jesús E. Díaz-Verdejo and Antonio Estepa and Rafael Estepa and German Madinabeitia and Fco Javier Muñoz-Calle},
url = {https://linkinghub.elsevier.com/retrieve/pii/S0167739X19322629},
doi = {10.1016/j.future.2020.03.033},
issn = {0167739X},
year = {2020},
date = {2020-08-01},
urldate = {2020-08-01},
journal = {Future Generation Computer Systems},
volume = {109},
pages = {67--82},
publisher = {Elsevier B.V.},
abstract = {The performance of anomaly-based intrusion detection systems depends on the quality of the datasets used to form normal activity profiles. Suitable datasets should include high volumes of real-life data free from attack instances. On account of this requirement, obtaining quality datasets from collected data requires a process of data sanitization that may be prohibitive if done manually, or uncertain if fully automated. In this work, we propose a sanitization approach for obtaining datasets from HTTP traces suited for training, testing, or validating anomaly-based attack detectors. Our methodology has two sequential phases. In the first phase, we clean known attacks from data using a pattern-based approach that relies on tools that detect URI-based known attacks. In the second phase, we complement the result of the first phase by conducting assisted manual labeling systematically and efficiently, setting the focus of expert examination not on the raw data (which would be millions of URIs), but on the set of words that compose the URIs. This dramatically downsizes the volume of data that requires expert discernment, making manual sanitization of large datasets feasible. We have applied our method to sanitize a trace that includes 45 million requests received by the library web server of the University of Seville. We were able to generate clean datasets in less than 84 h with only 33 h of manual supervision. We have also applied our method to some public benchmark datasets, confirming that attacks unnoticed by signature-based detectors can be discovered in a reduced time span.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
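The two-phase sanitization summarised in the abstract above, as an added worked example (not the authors' code): phase 1 drops requests whose URI matches a known-attack signature, and phase 2 reduces the survivors to their word vocabulary so that the expert labels a short list of words rather than the URIs themselves, after which the word labels are propagated back to the requests. The signature set, the tokenizer, the sample trace and the expert's word labels are all constructed for illustration.

```python
"""Two-phase sanitization of an HTTP URI trace (added example).
Phase 1: signature filter for known URI attacks.
Phase 2: expert labels the word vocabulary, labels propagate to URIs."""
import re
from collections import Counter
from urllib.parse import unquote

# Phase-1 signatures. Deliberately small and illustrative; a real run
# would delegate this step to a signature tool's full rule set.
KNOWN_ATTACK_PATTERNS = [
    re.compile(r"(\.\./){2,}", re.I),        # directory traversal
    re.compile(r"union\s+select", re.I),      # SQL injection probe
    re.compile(r"<script", re.I),             # XSS probe
    re.compile(r"/etc/passwd", re.I),         # LFI probe
]

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def normalize(uri: str) -> str:
    """Percent-decode twice so doubly encoded payloads are matched in clear."""
    return unquote(unquote(uri))


def phase1_signature_filter(uris):
    """Split URIs into (candidates_for_clean_set, known_attacks)."""
    clean, attacks = [], []
    for uri in uris:
        decoded = normalize(uri)
        (attacks if any(p.search(decoded) for p in KNOWN_ATTACK_PATTERNS)
         else clean).append(uri)
    return clean, attacks


def words_of(uri: str):
    """Tokenise path and query of a URI into lower-case words."""
    return [w.lower() for w in WORD_RE.findall(normalize(uri))]


def phase2_vocabulary(uris):
    """word -> number of URIs containing it. This is what the expert
    reviews; it is far smaller than the trace itself."""
    vocab = Counter()
    for uri in uris:
        vocab.update(set(words_of(uri)))
    return vocab


def phase2_apply_labels(uris, suspicious_words):
    """Propagate expert labels: a URI containing any flagged word is
    removed from the clean dataset."""
    clean, flagged = [], []
    for uri in uris:
        (flagged if suspicious_words.intersection(words_of(uri))
         else clean).append(uri)
    return clean, flagged


def sanitize(uris, suspicious_words):
    candidates, by_signature = phase1_signature_filter(uris)
    clean, by_expert = phase2_apply_labels(candidates, suspicious_words)
    return {"clean": clean, "signature": by_signature, "expert": by_expert}


# Constructed sample trace (not real library-server data).
SAMPLE_TRACE = [
    "/catalog/search?q=networks&page=2",
    "/catalog/item/1234",
    "/catalog/search?q=%27%20union%20select%20null--",
    "/static/css/main.css",
    "/../../../../etc/passwd",
    "/catalog/search?q=<script>alert(1)</script>",
    "/wp-login.php",                          # probe for software not deployed here
    "/catalog/item/5678?format=json",
    "/cgi-bin/php?-d+allow_url_include%3don",  # no signature above matches this
]

if __name__ == "__main__":
    candidates, _ = phase1_signature_filter(SAMPLE_TRACE)
    vocab = phase2_vocabulary(candidates)
    print(f"{len(SAMPLE_TRACE)} URIs -> {len(vocab)} words for expert review")
    for word, n in vocab.most_common():
        print(f"{n:3d} {word}")
    # The expert flags words that do not belong to this site's vocabulary.
    print(sanitize(SAMPLE_TRACE, {"wp", "login", "cgi", "allow_url_include"}))
```

The point of phase 2 is visible even on nine requests: the two attacks that no signature catches (the `wp-login.php` and `cgi-bin` probes) surface as a handful of words that are obviously foreign to a library catalogue, and flagging those words removes both requests.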
Estepa, R.; Díaz-Verdejo, J. E.; Estepa, A.; Madinabeitia, G.
How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection Journal article
In: IEEE Access, vol. 8, pp. 44410-44425, 2020, ISSN: 2169-3536.
@article{2020-howmuch,
title = {How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection},
author = {R. Estepa and J. E. Díaz-Verdejo and A. Estepa and G. Madinabeitia},
doi = {10.1109/ACCESS.2020.2977591},
issn = {2169-3536},
year = {2020},
date = {2020-03-02},
journal = {IEEE Access},
volume = {8},
pages = {44410-44425},
abstract = {Most anomaly-based intrusion detectors rely on models that learn from training datasets whose quality is crucial in their performance. Albeit the properties of suitable datasets have been formulated, the influence of the dataset size on the performance of the anomaly-based detector has received scarce attention so far. In this work, we investigate the optimal size of a training dataset. This size should be large enough so that training data is representative of normal behavior, but after that point, collecting more data may result in unnecessary waste of time and computational resources, not to mention an increased risk of overtraining. In this spirit, we provide a method to find out when the amount of data collected at the production environment is representative of normal behavior in the context of a detector of HTTP URI attacks based on 1-grammar. Our approach is founded on a set of indicators related to the statistical properties of the data. These indicators are periodically calculated during data collection, producing time series that stabilize when more training data is not expected to translate to better system performance, which indicates that data collection can be stopped. We present a case study with real-life datasets collected at the University of Seville (Spain) and a public dataset from the University of Saskatchewan. The application of our method to these datasets showed that more than 42% of one trace, and almost 20% of another were unnecessarily collected, thereby showing that our proposed method can be an efficient approach for collecting training data at the production environment.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
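The stopping rule sketched in the abstract above, as an added example (not the authors' method): a unigram (word) model of the URIs collected so far is updated batch by batch, a few statistical indicators are sampled after each batch, and collection stops once the series has been flat for several consecutive batches. The particular indicators (relative vocabulary growth, share of never-seen tokens, word entropy), the window and thresholds, and the synthetic trace are assumptions made for this example.

```python
"""Stopping rule for training-data collection (added example): sample
indicators of the collected URIs after every batch and stop when their
time series stabilises."""
import math
import random
import re
from collections import Counter

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def words_of(uri):
    """Split a URI (path and query) into lower-case unigram tokens."""
    return [w.lower() for w in WORD_RE.findall(uri)]


def entropy_bits(counter):
    """Shannon entropy of the word distribution, in bits."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counter.values())


class CollectionMonitor:
    """Unigram model of everything collected so far plus one indicator
    sample per batch: the time series the stopping rule inspects."""

    def __init__(self):
        self.vocab = Counter()
        self.samples = []

    def add_batch(self, uris):
        before = len(self.vocab)
        new_tokens = total_tokens = 0
        for uri in uris:
            for w in words_of(uri):
                total_tokens += 1
                if w not in self.vocab:
                    new_tokens += 1
                self.vocab[w] += 1
        sample = {
            "vocab_size": len(self.vocab),
            # relative growth of the vocabulary caused by this batch
            "vocab_growth": (len(self.vocab) - before) / max(before, 1),
            # share of this batch's tokens never seen in earlier batches
            "new_token_rate": new_tokens / max(total_tokens, 1),
            "entropy": entropy_bits(self.vocab),
        }
        self.samples.append(sample)
        return sample


def is_stable(samples, window=3, max_growth=0.01, max_new_rate=0.01):
    """True when the last `window` samples all stay under both thresholds."""
    if len(samples) < window:
        return False
    return all(s["vocab_growth"] <= max_growth and s["new_token_rate"] <= max_new_rate
               for s in samples[-window:])


def batches_needed(batches, **thresholds):
    """1-based index of the batch after which collection could stop, or
    None if the indicators never stabilised within the given batches."""
    mon = CollectionMonitor()
    for i, batch in enumerate(batches, 1):
        mon.add_batch(batch)
        if is_stable(mon.samples, **thresholds):
            return i
    return None


def synthetic_batches(n_batches=12, per_batch=200, seed=7):
    """Constructed trace (not real server data): requests drawn from six
    paths, 40 search terms and 51 record identifiers, so the vocabulary
    saturates after a few batches."""
    rng = random.Random(seed)
    paths = ["/catalog/search", "/catalog/item", "/static/css/main.css",
             "/static/js/app.js", "/opac/record", "/opac/holdings"]
    terms = [f"term{i}" for i in range(40)]
    batches = []
    for _ in range(n_batches):
        batch = []
        for _ in range(per_batch):
            p = rng.choice(paths)
            if p.endswith(("search", "record")):
                p += f"?q={rng.choice(terms)}&page={rng.randint(1, 5)}"
            elif p.endswith(("item", "holdings")):
                p += f"/{rng.randint(1000, 1050)}"
            batch.append(p)
        batches.append(batch)
    return batches


if __name__ == "__main__":
    batches = synthetic_batches()
    mon = CollectionMonitor()
    for i, b in enumerate(batches, 1):
        s = mon.add_batch(b)
        print(f"batch {i:2d} vocab={s['vocab_size']:4d} growth={s['vocab_growth']:.3f} "
              f"new={s['new_token_rate']:.4f} H={s['entropy']:.2f}")
    print(f"collection could stop after batch {batches_needed(batches)} of {len(batches)}")
```

Run stand-alone it prints the indicator series and the batch at which the rule fires; everything collected after that batch is the "unnecessarily collected" share the abstract measures. The thresholds are what make the rule conservative or aggressive: with a vocabulary of about a hundred words, `max_growth=0.01` tolerates at most one new word per batch.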
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Unified call admission control in corporate domains Journal article
In: Computer Communications, vol. 150, pp. 589-602, 2020, ISSN: 01403664, (cited By 4).
@article{Mayor2020589,
title = {Unified call admission control in corporate domains},
author = {V. Mayor and R. Estepa and A. Estepa and G. Madinabeitia},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85076849304&doi=10.1016%2fj.comcom.2019.11.041&partnerID=40&md5=5af7826dafc22674ad6e1d5dd0e20f57},
doi = {10.1016/j.comcom.2019.11.041},
issn = {01403664},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {Computer Communications},
volume = {150},
pages = {589-602},
publisher = {Elsevier B.V.},
abstract = {Call Admission Control is a central mechanism for assurance of quality of service in telephony. While CAC is integrated into the Public Switched Telephone Network (PSTN), its application to voice over IP in a corporate environment is challenging not only due to the heterogeneity of technologies, but also because of the difficulty of implementation in commercial VoIP terminals or Access Points. We present a novel framework that unifies call admission control for corporate VoIP users regardless of their access network (i.e., WiFi or Ethernet) under a single corporate management domain. Our Unified CAC (U-CAC) system can be implemented in a VoIP Gateway/Proxy and uses only standard protocols already present in commercial off-the-shelf devices, avoiding the need to modify the firmware of existing APs or VoIP terminals. We define two variants of the decision algorithm: basic and advanced. In the basic mode of operation, the admission of new calls is based on the availability of spare circuits and the impact of the new call on the speech quality of VoWiFi calls in progress. In the advanced mode of operation, the traffic load in affected APs is proactively reduced by reconfiguring ongoing calls before rejecting the new call. Simulation results show that the number of simultaneous VoWiFi calls under guaranteed quality increases with our unified call admission control scheme. When using the advanced mode of operation, the number of simultaneous calls under guaranteed quality can be doubled when compared to the standard mode of operation. © 2019 Elsevier B.V.},
note = {cited By 4},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Energy-Efficient UAVs Deployment for QoS-Guaranteed VoWiFi Service Journal article
In: Sensors (Switzerland), vol. 20, no. 16, pp. 1-32, 2020, ISSN: 14248220, (cited By 8).
@article{Mayor20201,
title = {Energy-Efficient UAVs Deployment for QoS-Guaranteed VoWiFi Service},
author = {V. Mayor and R. Estepa and A. Estepa and G. Madinabeitia},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85089348929&doi=10.3390%2fs20164455&partnerID=40&md5=e3dcfd4e62d8b2180e9fdfe7b936b6c0},
doi = {10.3390/s20164455},
issn = {14248220},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {Sensors (Switzerland)},
volume = {20},
number = {16},
pages = {1-32},
publisher = {MDPI AG},
abstract = {This paper formulates a new problem for the optimal placement of Unmanned Aerial Vehicles (UAVs) geared towards wireless coverage provision for Voice over WiFi (VoWiFi) service to a set of ground users confined in an open area. Our objective function is constrained by coverage and by VoIP speech quality and minimizes the ratio between the number of UAVs deployed and energy efficiency in UAVs, hence providing the layout that requires fewer UAVs per hour of service. Solutions provide the number and position of UAVs to be deployed, and are found using well-known heuristic search methods such as genetic algorithms (used for the initial deployment of UAVs), or particle swarm optimization (used for the periodical update of the positions). We examine two communication services: (a) one bidirectional VoWiFi channel per user; (b) single broadcast VoWiFi channel for announcements. For these services, we study the results obtained for an increasing number of users confined in a small area of 100 m2 as well as in a large area of 10,000 m2 . Results show that the drone turnover rate is related to both users’ sparsity and the number of users served by each UAV. For the unicast service, the ratio of UAVs per hour of service tends to increase with user sparsity and the power of radio communication represents 14–16% of the total UAV energy consumption depending on ground user density. In large areas, solutions tend to locate UAVs at higher altitudes seeking increased coverage, which increases energy consumption due to hovering. However, in the VoWiFi broadcast communication service, the traffic is scarce, and solutions are mostly constrained only by coverage. This results in fewer UAVs deployed, less total power consumption (between 20% and 75%), and less sensitivity to the number of served users. © 2020 by the authors. Licensee MDPI, Basel, Switzerland.},
note = {cited By 8},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2019
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Deploying a Reliable UAV-Aided Communication Service in Disaster Areas Journal article
In: Wireless Communications and Mobile Computing, vol. 2019, 2019, ISSN: 15308669, (cited By 25).
@article{Mayor2019,
title = {Deploying a Reliable UAV-Aided Communication Service in Disaster Areas},
author = {V. Mayor and R. Estepa and A. Estepa and G. Madinabeitia},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85065643702&doi=10.1155%2f2019%2f7521513&partnerID=40&md5=415539a365bd0d35ce600b19ff3ce412},
doi = {10.1155/2019/7521513},
issn = {15308669},
year = {2019},
date = {2019-01-01},
urldate = {2019-01-01},
journal = {Wireless Communications and Mobile Computing},
volume = {2019},
publisher = {Hindawi Limited},
abstract = {When telecommunication infrastructure is damaged by natural disasters, creating a network that can handle voice channels can be vital for search and rescue missions. Unmanned Aerial Vehicles (UAV) equipped with WiFi access points could be rapidly deployed to provide wireless coverage to ground users. This WiFi access network can in turn be used to provide a reliable communication service to be used in search and rescue missions. We formulate a new problem for optimal UAV deployment which considers not only WiFi coverage but also the MAC sublayer (i.e., quality of service). Our goal is to dispatch the minimum number of UAVs for provisioning a WiFi network that enables reliable VoIP communications in disaster scenarios. Among valid solutions, we choose the one that minimizes energy expenditure at the user's WiFi interface card in order to extend the ground user's smartphone battery life as much as possible. Solutions are found using well-known heuristics such as K-means clustering and genetic algorithms. Via numerical results, we show that the IEEE 802.11 standard revision has a decisive impact on the number of UAVs required to cover large areas, and that the user's average energy expenditure (attributable to communications) can be reduced by limiting the maximum altitude for drones or by increasing the VoIP speech quality. © 2019 Vicente Mayor et al.},
note = {cited By 25},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Estepa, A.; Estepa, R.; Madinabeitia, G.; Vozmediano, J.
Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus Journal article
In: IEEE Access, vol. 7, pp. 120411-120423, 2019, ISSN: 21693536, (cited By 0).
@article{Estepa2019120411,
title = {Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus},
author = {A. Estepa and R. Estepa and G. Madinabeitia and J. Vozmediano},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85097341585&doi=10.1109%2fACCESS.2019.2937449&partnerID=40&md5=4894eb6b5897d4f7e9e02d45d51ce3be},
doi = {10.1109/ACCESS.2019.2937449},
issn = {21693536},
year = {2019},
date = {2019-01-01},
journal = {IEEE Access},
volume = {7},
pages = {120411-120423},
publisher = {Institute of Electrical and Electronics Engineers Inc.},
abstract = {The unavailability of information and communication services due to network-related incidents may have a significant impact on large organizations. Network incidents can hence be viewed as a risk for organizations whose consequences are not accounted for by traditional network design problems. In this work, we address the problem of designing a reliable wired network from a risk analysis perspective. We propose a novel methodology for the quantitative assessment of the risk associated with network-related incidents in a hospital campus. We then define an optimization problem to find the topology that minimizes the network cost plus the expected loss over time attributable to the unavailability of corporate services to staff affected by network incidents. A case study illustrates our methodology and its benefits. Using available public information, we design the topology of a campus network for a large hospital where the cost of labor exceeds 200M€/year. The solution to our optimization problem is found through well-known genetic algorithms and provides a topology where network nodes with a higher impact on productivity exhibit higher reliability. As a consequence, the topology obtained reduces the expected annual lost profits by more than 95% (over 392 000€) when compared to common reduced-cost topologies such as the minimum-cost ring or the non-reliable minimum-cost tree, showing that investment in risk reduction pays off. Our contribution may be used by engineers to (re)design cost-effective reliable networks or by hospital managers to support decisions on updating present infrastructure based on risk reduction. © 2013 IEEE.},
note = {cited By 0},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Estepa Alonso, Antonio J.; Díaz-Verdejo, Jesús E.; Osma Ramírez, Estefanía; Estepa Alonso, Rafael M.; Madinabeitia Luque, Germán; Lara Romero, Agustín W.
Ciberseguridad en entornos de generación eléctrica en parques renovables. Resumen extendido Proceedings Article
In: Actas de las V Jornadas Nacionales de Investigación en Ciberseguridad, pp. 334–335, 2019, ISBN: 978-84-09-12121-2.
@inproceedings{Alonso2019,
title = {Ciberseguridad en entornos de generación eléctrica en parques renovables. Resumen extendido},
author = {Antonio J. Estepa Alonso and Jesús E. Díaz-Verdejo and Estefanía Osma Ramírez and Rafael M. Estepa Alonso and Germán Madinabeitia Luque and Agustín W. Lara Romero},
isbn = {978-84-09-12121-2},
year = {2019},
date = {2019-01-01},
booktitle = {Actas de las V Jornadas Nacionales de Investigación en Ciberseguridad},
pages = {334--335},
abstract = {This paper presents an ongoing project in the field of cybersecurity for industrial power-generation environments. Owing to space constraints and confidentiality, only the context of the project, its expected scope and the requirements the cybersecurity solution must meet are described. Finally, a brief introduction is given to the initial design of the proposed solution, which follows a Minimum Viable Product approach. The solution is based on the definition of Indicators of Compromise (IoC) for detecting anomalies and vulnerabilities in the plant.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Díaz-Verdejo, Jesús; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Madinabeitia, Germán
Metodología supervisada para la obtención de trazas limpias del servicio HTTP Proceedings Article
In: Actas de las V Jornadas Nacionales de Investigación en Ciberseguridad, pp. 78–85, 2019.
@inproceedings{Diaz-verdejo2019,
title = {Metodología supervisada para la obtención de trazas limpias del servicio HTTP},
author = {Jesús Díaz-Verdejo and Rafael Estepa Alonso and Antonio Estepa Alonso and Germán Madinabeitia},
year = {2019},
date = {2019-01-01},
booktitle = {Actas de las V Jornadas Nacionales de Investigación en Ciberseguridad},
pages = {78--85},
abstract = {Having suitable data for training, evaluating and validating anomaly-based intrusion detection systems is a relevant practical problem. The properties required of the data pose a series of conflicting challenges, chief among them the need for a significant volume of real data that contains no attack instances. This implies a cleaning and supervision process that can be very costly if carried out manually. In this work we propose a methodology to automate, as far as possible, the acquisition and conditioning of HTTP service traces for URI-based attack detection. The methodology is applied with good results to a real trace as a case study.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Research projects (cybersecurity)
PID2020-115199RB-I00 – Detección de ciberataques en “industria conectada” e IoT mediante integración y correlación de alertas multifuente (COINCYDE)
Funding body: Ministerio de Ciencia e Innovación – MICIN/AEI/10.13039/501100011033
Participating entities: Universidad de Granada / Universidad de Sevilla – Researchers: 8
Period: 01/09/2021 to 31/08/2024
@online{coincyde,
title = {Detección de ciberataques en “industria conectada” e IoT mediante integración y correlación de alertas multifuente (COINCYDE)},
author = {Jesús E. {Díaz Verdejo} and Juan Carlos {Cubero Talavera} and Francisco {Cortijo Bon} and Antonio {Estepa Alonso} and Rafael {Estepa Alonso} and Germán {Madinabeitia Luque} and Olga {Pons Capote} and Amparo {Vila Miranda}},
url = {/neus-cslab/proyectos-idi/coincyde},
year = {2021},
date = {2021-09-01},
urldate = {2021-09-01},
booktitle = {Detección de ciberataques en “industria conectada” e IoT mediante integración y correlación de alertas multifuente (COINCYDE)},
issuetitle = {MICIN/AEI/10.13039/501100011033},
number = {PID2020-115199RB-I00},
pages = {8},
institution = {Universidad de Granada / Universidad de Sevilla},
organization = {Ministerio de Ciencia e Innovación},
series = {01/09/2021 a 31/08/2024},
abstract = {Network security monitoring (NSM) systems are nowadays among the most relevant components for detecting and responding to cyberattacks. However, their detection capabilities are mostly limited to known attacks, and they tend to generate a large number of alerts, many of which are false positives. Cybersecurity operators (CSOs) must therefore review a large number of alerts to determine whether incidents have actually occurred, while some incidents remain undetected. This project aims to develop new techniques to improve detection capabilities by adding new anomaly-based methods combined with alert correlation and prioritisation that incorporates contextual information about the network. This will improve alert quality and reduce the false-positive rate.
This proposal sets out the development of an NSM specific to industrial plants with Internet of Things (IoT) elements and, more concretely, to one of its vertical uses: Smart Cities. The installations that can benefit from the solution targeted by this project are those that allow fleets of smart devices (IoT, SmartCity) to be controlled and monitored from a web application or service used as the user interface for managing smart services. The choice of scenario has a threefold motivation. First, the great relevance and expansion of this type of network today. Second, the scenario poses a series of specific difficulties and requirements that have not been adequately addressed by current SIEMs. Third, selecting the scenario bounds the context, which makes it possible to properly address the incorporation of contextual information.
The system to be developed will incorporate multiple detectors, including those commonly used, and will add new detectors specific to the scenario, oriented towards the various existing threats. Anomaly-based detectors will thus be developed at the level of the observed traffic (flows), at the application level (sensing) and at the level of the web services used for remote operation. In addition, artificial intelligence techniques will be used to correlate and prioritise alerts, incorporating information on the state and prior history of the network. This will make it possible to identify false positives, reduce the number of alerts finally sent to the CSO and improve the information they carry.
A relevant and novel element is the use of a traffic matrix generated from flows at different time scales. This matrix contains information about network connections that can be exploited for multiple purposes: indicators of compromise can be derived from it to identify attacks, and it can also feed several kinds of data-mining analysis, such as searching for common patterns among flows, profiling service traffic, assessing the importance of assets and finding relationships between them. The information extracted from this matrix will be used as contextual information in alert correlation and prioritisation.
Finally, the proposed architecture includes feedback from the CSO's actions, which makes it possible to evaluate detection and prioritisation quality and tune system performance.},
note = {47795 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
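The flow-derived traffic matrix described in the project summary above, as an added example (not project code): flow records are aggregated into one matrix per time window at a coarse and a fine scale; the coarse scale gives a baseline of recurring edges and a per-asset importance score, and the fine scale yields two simple indicators of compromise (an edge outside the baseline, and a source whose fan-out jumps). The flow records, window sizes, thresholds and the fan-out indicator are constructed assumptions for illustration.

```python
"""Traffic matrix from flow records at two time scales (added example),
used as context for alerting: baseline and asset importance at the coarse
scale, indicators of compromise at the fine scale."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds on a constructed clock
    src: str
    dst: str
    dport: int
    nbytes: int


def traffic_matrix(flows, window):
    """One matrix per `window`-second slot: {slot_start: {(src, dst, dport): bytes}}."""
    mats = defaultdict(lambda: defaultdict(int))
    for f in flows:
        mats[f.ts - f.ts % window][(f.src, f.dst, f.dport)] += f.nbytes
    return mats


def baseline_edges(flows, window, min_windows):
    """Edges that recur in at least `min_windows` coarse windows form the
    baseline of expected connections."""
    seen = Counter()
    for m in traffic_matrix(flows, window).values():
        seen.update(m.keys())
    return {edge for edge, n in seen.items() if n >= min_windows}


def asset_importance(flows, window):
    """Importance proxy for prioritisation: how many distinct sources
    reach each destination at the coarse scale."""
    sources = defaultdict(set)
    for m in traffic_matrix(flows, window).values():
        for src, dst, _port in m:
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def indicators(flows, baseline, fine_window, max_fanout):
    """Per fine window: (a) an edge absent from the baseline,
    (b) a source whose distinct dst:port fan-out exceeds `max_fanout`."""
    alerts = []
    for start, m in sorted(traffic_matrix(flows, fine_window).items()):
        fanout = defaultdict(set)
        for src, dst, port in m:
            fanout[src].add((dst, port))
            if (src, dst, port) not in baseline:
                alerts.append((start, "new_edge", src, f"{dst}:{port}"))
        for src, targets in fanout.items():
            if len(targets) > max_fanout:
                alerts.append((start, "fanout", src, len(targets)))
    return alerts


BASELINE_SECONDS = 3 * 3600


def build_sample():
    """Constructed flows: three hours of normal plant traffic, then one
    minute in which a sensor sweeps SSH across the server segment and
    opens an outbound connection never seen before."""
    flows = []
    sensors = [f"10.0.1.{i}" for i in range(1, 6)]
    for t in range(0, BASELINE_SECONDS, 60):
        flows.append(Flow(t, "10.0.2.5", "10.0.0.20", 443, 2000))  # console polls web UI
        if t % 300 == 0:
            for s in sensors:                                       # sensors publish (MQTT)
                flows.append(Flow(t, s, "10.0.0.10", 1883, 300))
    t_attack = BASELINE_SECONDS + 120
    for i in range(30, 36):
        flows.append(Flow(t_attack, "10.0.1.3", f"10.0.0.{i}", 22, 60))
    flows.append(Flow(t_attack, "10.0.1.3", "203.0.113.9", 4444, 5000))
    return flows, t_attack


def run():
    """Coarse scale (1 h) for baseline and importance, fine scale (1 min) for alerts."""
    flows, _ = build_sample()
    learning = [f for f in flows if f.ts < BASELINE_SECONDS]
    base = baseline_edges(learning, 3600, min_windows=3)
    return base, asset_importance(learning, 3600), indicators(flows, base, 60, max_fanout=3)


if __name__ == "__main__":
    base, importance, alerts = run()
    print(f"baseline edges: {len(base)}; asset importance: {importance}")
    for a in alerts:
        print(a)
```

The same matrix serves both purposes the summary lists: the coarse windows provide the context (which edges are normal, which assets many hosts depend on, so an alert against the broker outranks one against a single sensor), and the fine windows provide the detection, where the sweep shows up both as seven edges outside the baseline and as one source whose fan-out exceeds the threshold.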
PYC20-RE-087-USE – Sistema para la detección temprana de ciberataques en industria conectada e IoT mediante detección de anomalías multiplanta
Funding body: Universidad de Sevilla – Junta de Andalucía – Proyectos singulares de actuaciones de transferencia en los CEI en las áreas RIS3 (CEI20)
Participating entities: Universidad de Sevilla, Wellness TechGroup as aggregated agent – Researchers: 5
Period: 01/01/2021 to 31/12/2022
@online{cei2,
title = {Sistema para la detección temprana de ciberataques en industria conectada e IoT mediante detección de anomalías multiplanta},
url = {/neus-cslab/proyectosidi/cei2},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
issuetitle = {Proyectos singulares de actuaciones de transferencia en los CEI en las áreas RIS3 (CEI20)},
number = {PYC20-RE-087-USE},
pages = {5},
institution = {Universidad de Sevilla, Wellness TechGroup como agente agregado},
organization = {Universidad de Sevilla - Junta de Andalucía},
series = {01/01/2021 a 31/12/2022},
note = {68550 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
2020/00000172 – Detección Inteligente de Incidentes de Ciberseguridad en redes IoT en base a n-gramáticas adaptativas
Funding body: US – Junta de Andalucía – Proyectos singulares de actuaciones de transferencia en los CEI en las áreas RIS3
Participating entities: Universidad de Sevilla, Wellness TechGroup as aggregated agent
Period: 01/03/2020 to 30/09/2021
@online{cei1,
title = {Detección Inteligente de Incidentes de Ciberseguridad en redes IoT en base a n-gramáticas adaptativas},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
issuetitle = {Proyectos singulares de actuaciones de transferencia en los CEI en las áreas RIS3},
number = {2020/00000172},
institution = {Universidad de Sevilla, Wellness TechGroup como agente agregado},
organization = {US - Junta de Andalucía},
series = {01/03/2020 a 30/09/2021},
note = {33000 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
Technology transfer actions (cybersecurity)
Transfer projects
PI-2132/22/2021 – Detección de ciberamenazas en los sistemas de monitorización y control de instalaciones de Generación Renovables (RENSHIELD)
Funding body: Isotrol / Ministerio Ciencia y Tecnología
Participating entities: AICIA – Researchers: 6
Period: 01/06/2021 to 31/12/2023
@online{renshield,
title = {Detección de ciberamenazas en los sistemas de monitorización y control de instalaciones de Generación Renovables (RENSHIELD)},
url = {/neus-cslab/renshield/},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
number = {PI-2132/22/2021},
pages = {6},
institution = {AICIA},
organization = {Isotrol / Ministerio Ciencia y Tecnología},
series = {01/06/2021 a 31/12/2023},
note = {59994,45 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-2040/22/2020 – Diseño de un Sistema de Bastionado Híbrido en Aplicaciones Web frente a las Amenazas OWASP
Funding body: Universidad de Sevilla
Participating entities: Universidad de Sevilla – Researchers: 4
Period: 15/10/2020 to 15/07/2021
@online{owasp,
title = {Diseño de un Sistema de Bastionado Híbrido en Aplicaciones Web frente a las Amenazas OWASP},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
number = {PI-2040/22/2020},
pages = {4},
institution = {Universidad de Sevilla},
organization = {Universidad de Sevilla},
series = {15/10/2020 a 15/07/2021},
note = {18150 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-1921/22/2019 – Protección de Servidores de Investigación Mediante Detección de Estadíos Iniciales de Ataques Multi-etapa mediante Indicadores de Compromiso (IoC)
Funding body: Univ. de Sevilla
Participating entities: AICIA – Researchers: 4
Period: 15/06/2019 to 15/06/2020
@online{ioc,
title = {Protección de Servidores de Investigación Mediante Detección de Estadíos Iniciales de Ataques Multi-etapa mediante Indicadores de Compromiso (IoC)},
year = {2019},
date = {2019-01-01},
urldate = {2019-01-01},
number = {PI-1921/22/2019},
pages = {4},
institution = {AICIA},
organization = {Univ. de Sevilla},
series = {15/06/2019 a 15/06/2020},
note = {17908 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-1872/22/2018 – Análisis de Seguridad mediante Monitorización de Sesiones de Usuario en la Red de la Biblioteca de la Universidad de Sevilla
Funding body: Univ. de Sevilla
Participating entities: AICIA – Researchers: 4
Period: 01/12/2018 to 01/12/2019
@online{biblio,
title = {Análisis de Seguridad mediante Monitorización de Sesiones de Usuario en la Red de la Biblioteca de la Universidad de Sevilla},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
number = {PI-1872/22/2018},
pages = {4},
institution = {AICIA},
organization = {Univ. de Sevilla},
series = {01/12/2018 a 01/12/2019},
note = {14800 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-1814/26/2018 – Red Eléctrica cibersegura 1
Funding body: Isotrol / Ministerio Ciencia y Tecnología (Programa CIEN)
Participating entities: AICIA – Researchers: 4
Period: 01/01/2018 to 31/12/2021
@online{rec,
title = {Red Eléctrica cibersegura 1},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
number = {PI-1814/26/2018},
pages = {4},
institution = {AICIA},
organization = {Isotrol / Ministerio Ciencia y Tecnología (Programa CIEN)},
series = {01/01/2018 a 31/12/2021},
note = {57340 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-1786/22/2018 – Sistema de ciberprotección para servidores web de la Universidad de Sevilla (CiberwebUS)
Funding body: Univ. de Sevilla
Participating entities: AICIA – Researchers: 4
Period: 01/03/2018 to 31/08/2018
@online{ciberwebus,
title = {Sistema de ciberprotección para servidores web de la Universidad de Sevilla (CiberwebUS)},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
number = {PI-1786/22/2018},
pages = {4},
institution = {AICIA},
organization = {Univ. de Sevilla},
series = {01/03/2018 a 31/08/2018},
note = {10413 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
PI-1736/22/2017 – Detección temprana de ataques de ciberseguridad para servidores web de la biblioteca de la US
Funding body: Univ. de Sevilla
Participating entities: AICIA – Researchers: 5
Period: 01/10/2017 to 30/09/2018
@online{temprana,
title = {Detección temprana de ataques de ciberseguridad para servidores web de la biblioteca de la US},
year = {2017},
date = {2017-01-01},
urldate = {2017-01-01},
number = {PI-1736/22/2017},
pages = {5},
institution = {AICIA},
organization = {Univ. de Sevilla},
series = {01/10/2017 a 30/09/2018},
note = {12800 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
CTA 16/909 – Sistema integral para vigilancia y auditoría de ciberseguridad corporativa
Funding body: WELLNESS TELECOM, S.L. / Junta de Andalucía (Corporación Tecnológica de Andalucía)
Participating entities: AICIA – Researchers: 4
Period: 01/02/2017 to 15/01/2019
@online{siva,
title = {Sistema integral para vigilancia y auditoría de ciberseguridad corporativa},
year = {2017},
date = {2017-01-01},
urldate = {2017-01-01},
number = {CTA 16/909},
pages = {4},
institution = {AICIA},
organization = {WELLNESS TELECOM, S.L. / Junta de Andalucía (Corporación Tecnológica de Andalucía)},
series = {01/02/2017 a 15/01/2019},
note = {79200 €},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
Patents and intellectual property
- Inventors (in signature order): Rafael Estepa Alonso, Antonio Estepa Alonso, Jesús Díaz Verdejo, Germán Madinabeitia Luque, Agustín Lara Romero
Title: Demostrador de anomalías en aplicaciones de iluminación inteligente
Application no.: SE-59-23
Priority date: 2023
Holder: Universidad de Sevilla – Universidad de Granada
Other
Doctoral theses supervised
- Juan
Teaching innovation
He has taken part in numerous teaching innovation initiatives,
Previous teaching
He has taught on the various degree programmes related to Telecommunications Engineering since XX. The subjects taught are:
Bachelor's degrees: discontinued programmes
- Elec
Postgraduate: discontinued programmes
- Diseño de
Postgraduate: current programmes
- Planificación y explotación de redes y servicios – Master's degree in Telecommunications Engineering
University management
- Has been
Awards
- Best paper: Aplicación de control de acceso y técnicas de Blockchain para el control de datos genéticos, VI Jornadas Nacionales de Investigación en Ciberseguridad.