2024
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Muñoz-Calle, F. J.; Madinabeitia, German
Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 Artículo de revista En preparación
En: Cybersecurity, En preparación, ISSN: 2523-3246.
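@article{Biblio24,
  title     = {Building a large, realistic and labeled {HTTP} {URI} dataset for anomaly-based intrusion detection systems: {Biblio-US17}},
  author    = {Díaz-Verdejo, Jesús E. and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Muñoz-Calle, F. J. and Madinabeitia, German},
  doi       = {10.1186/s42400-024-00336-3},
  issn      = {2523-3246},
  year      = {2024},
  date      = {2024-12-11},
  urldate   = {2024-12-11},
  journal   = {Cybersecurity},
  abstract  = {This paper introduces Biblio-US17, a labeled dataset collected over 6 months from the log files of a popular public website at the University of Seville. It contains 47 million records, each including the method, uniform resource identifier (URI) and associated response code and size of every request received by the web server. Records have been classified as either normal or attack using a comprehensive semi-automated process, which involved signature-based detection, assisted inspection of URIs vocabulary, and substantial expert manual supervision. Unlike comparable datasets, this one offers a genuine real-world perspective on the normal operation of an active website, along with an unbiased proportion of actual attacks (i.e., non-synthetic). This makes it ideal for evaluating and comparing anomaly-based approaches in a realistic environment. Its extensive size and duration also make it valuable for addressing challenges like data shift and insufficient training. This paper describes the collection and labeling processes, dataset structure, and most relevant properties. We also include an example of an application for assessing the performance of a simple anomaly detector. Biblio-US17, now available to the scientific community, can also be used to model the URIs used by current web servers.},
  pubstate  = {forthcoming},
  tppubtype = {article}
}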
Lara, Agustín; Estepa, Antonio; Estepa, Rafael; Díaz-Verdejo, Jesús E.; Mayor, Vicente
Anomaly-based Intrusion Detection System for smart lighting Artículo de revista
En: Internet of Things, vol. 28, pp. 101427, 2024, ISSN: 2542-6605.
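@article{LARA2024101427,
  title     = {Anomaly-based Intrusion Detection System for smart lighting},
  author    = {Lara, Agustín and Estepa, Antonio and Estepa, Rafael and Díaz-Verdejo, Jesús E. and Mayor, Vicente},
  url       = {https://www.sciencedirect.com/science/article/pii/S2542660524003688},
  doi       = {10.1016/j.iot.2024.101427},
  issn      = {2542-6605},
  year      = {2024},
  date      = {2024-01-01},
  urldate   = {2024-01-01},
  journal   = {Internet of Things},
  volume    = {28},
  pages     = {101427},
  abstract  = {Smart Lighting Systems (SLS) are essential to smart cities, offering enhanced energy efficiency and public safety. However, they are susceptible to security threats, potentially leading to safety risks and service disruptions, making the protection of this infrastructure critical. This paper presents an anomaly-based Intrusion Detection System (IDS) designed for a real-world operational SLS. As commercial deployments vary in components, protocols, and functionalities, IDSs must be tailored to the specific characteristics of each deployment to perform effectively. Our anomaly-based IDS has been defined based on the properties of the available data and the types of attacks we aim to detect, offering both explainability and low complexity. The proposed system identifies anomalies in seven features of network traffic and in the telemetry data received at the central control (O\&M) server. For the latter, we designed three customized detectors to identify abnormal data points, persistent deviations in street lamp power consumption, and abnormal power value based on the time of day. Validation with real-world data and simulated attacks demonstrates the effectiveness of our approach. Network attacks (e.g., DoS, scanning) were detected by at least one of the seven flow-related anomaly detectors, while simulated data poisoning attacks and operational technology (OT) issues were detected with nearly 90\% accuracy. The datasets used in this work are publicly available and may serve as reference for the design of future IDSs. While our detectors were designed specifically for our dataset, the variables examined and vulnerabilities addressed are common in most commercial SLSs.},
  pubstate  = {published},
  tppubtype = {article}
}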
Muñoz-Calle, Javier; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Díaz-Verdejo, Jesús E.; Castillo Fernández, Elvira; Madinabeitia, Germán
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection Artículo de revista
En: JUCS - Journal of Universal Computer Science, vol. 30, no 9, pp. 1184-1204, 2024, ISSN: 0948-695X.
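@article{10.3897/jucs.131686,
  title     = {A Flexible Multilevel System for {Mitre ATT\&CK} Model-driven Alerts and Events Correlation in Cyberattacks Detection},
  author    = {Muñoz-Calle, Javier and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Díaz-Verdejo, Jesús E. and Castillo Fernández, Elvira and Madinabeitia, Germán},
  doi       = {10.3897/jucs.131686},
  issn      = {0948-695X},
  year      = {2024},
  date      = {2024-01-01},
  urldate   = {2024-01-01},
  journal   = {JUCS - Journal of Universal Computer Science},
  volume    = {30},
  number    = {9},
  pages     = {1184--1204},
  publisher = {Journal of Universal Computer Science},
  abstract  = {Network monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events/alerts. This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT\&CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.},
  pubstate  = {published},
  tppubtype = {article}
}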
2023
Walabonso Lara, Agustín; Mayor, Vicente; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Díaz-Verdejo, Jesús E.
Smart home anomaly-based IDS: Architecture proposal and case study Artículo de revista
En: Internet of Things, vol. 22, pp. 100773, 2023, ISSN: 2542-6605.
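@article{Lara2023,
  title     = {Smart home anomaly-based {IDS}: Architecture proposal and case study},
  author    = {Walabonso Lara, Agustín and Mayor, Vicente and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Díaz-Verdejo, Jesús E.},
  url       = {https://linkinghub.elsevier.com/retrieve/pii/S2542660523000963},
  doi       = {10.1016/j.iot.2023.100773},
  issn      = {2542-6605},
  year      = {2023},
  date      = {2023-07-01},
  urldate   = {2023-07-01},
  journal   = {Internet of Things},
  volume    = {22},
  pages     = {100773},
  publisher = {Elsevier},
  abstract  = {The complexity and diversity of the technologies involved in the Internet of Things (IoT) challenge the generalization of security solutions based on anomaly detection, which should fit the particularities of each context and deployment and allow for performance comparison. In this work, we provide a flexible architecture based on building blocks suited for detecting anomalies in the network traffic and the application-layer data exchanged by IoT devices in the context of Smart Home. Following this architecture, we have defined a particular Intrusion Detector System (IDS) for a case study that uses a public dataset with the electrical consumption of 21 home devices over one year. In particular, we have defined ten Indicators of Compromise (IoC) to detect network attacks and two anomaly detectors to detect false command or data injection attacks. We have also included a signature-based IDS (Snort) to extend the detection range to known attacks. We have reproduced eight network attacks (e.g., DoS, scanning) and four False Command or Data Injection attacks to test our IDS performance. The results show that all attacks were successfully detected by our IoCs and anomaly detectors with a false positive rate lower than 0.3\%. Signature detection was able to detect only 4 out of 12 attacks. Our architecture and the IDS developed can be a reference for developing future IDS suited to different contexts or use cases. Given that we use a public dataset, our contribution can also serve as a baseline for comparison with new techniques that improve detection performance.},
  pubstate  = {published},
  tppubtype = {article}
}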
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Madinabeitia, German
A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges Artículo de revista
En: Computers and Security, vol. 124, pp. 102997, 2023, ISSN: 01674048.
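@article{Diaz-Verdejo2023,
  title     = {A critical review of the techniques used for anomaly detection of {HTTP}-based attacks: taxonomy, limitations and open challenges},
  author    = {Díaz-Verdejo, Jesús E. and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Madinabeitia, German},
  doi       = {10.1016/j.cose.2022.102997},
  issn      = {0167-4048},
  year      = {2023},
  date      = {2023-01-01},
  urldate   = {2023-01-01},
  journal   = {Computers and Security},
  volume    = {124},
  pages     = {102997},
  abstract  = {Intrusion Detection Systems (IDSs) and Web Application Firewalls (WAFs) offer a crucial layer of defense that allows organizations to detect cyberattacks on their web servers. Academic research overwhelmingly suggests using anomaly detection techniques to improve the performance of these defensive systems. However, analyzing and comparing the wide range of solutions in the scientific literature is challenging since they are typically presented as isolated (unrelated) contributions, and their results cannot be generalized. We believe that this impairs the industry's adoption of academic results and the advancement of research in this field. This paper aims to shed light on the literature on anomaly-based detection of attacks that use HTTP request messages. We define a novel framework for anomaly detection based on six data processing steps grouped into two sequential phases: preprocessing and classification. Based on this framework, we provide a taxonomy and critical review of the techniques surveyed, emphasizing their limitations and applicability. Future approaches should take advantage of the syntax and semantics of the Uniform Resource Locator (URL), be scalable, and address their obsolescence. These aspects are frequently overlooked in the literature and pose a significant challenge in the current era of web services. For better comparability, authors should use adequate public datasets, follow a thorough methodology, and use appropriate metrics that fully show the pros and cons of the approach.},
  pubstate  = {published},
  tppubtype = {article}
}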
Román-Martínez, Isabel; Calvillo-Arbizu, Jorge; Mayor-Gallego, Vicente J.; Madinabeitia-Luque, Germán; Estepa-Alonso, Antonio J.; Estepa-Alonso, Rafael M.
Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing Artículo de revista
En: IEEE Access, vol. 11, pp. 12727-12741, 2023, ISSN: 2169-3536.
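@article{10036374,
  title     = {Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing},
  author    = {Román-Martínez, Isabel and Calvillo-Arbizu, Jorge and Mayor-Gallego, Vicente J. and Madinabeitia-Luque, Germán and Estepa-Alonso, Antonio J. and Estepa-Alonso, Rafael M.},
  doi       = {10.1109/ACCESS.2023.3242605},
  issn      = {2169-3536},
  year      = {2023},
  date      = {2023-01-01},
  journal   = {IEEE Access},
  volume    = {11},
  pages     = {12727--12741},
  abstract  = {Continuity of care requires the exchange of health information among organizations and care teams. The EU General Data Protection Regulation (GDPR) establishes that subject of care should give explicit consent to the treatment of her personal data, and organizations must obey the individual’s will. Nevertheless, few solutions focus on guaranteeing the proper execution of consents. We propose a service-oriented architecture, backed by blockchain technology, that enables: (1) tamper-proof and immutable storage of subject of care consents; (2) a fine-grained access control for protecting health data according to consents; and (3) auditing tasks for supervisory authorities (or subjects of care themselves) to assess that healthcare organizations comply with GDPR and granted consents. Standards for health information exchange and access control are adopted to guarantee interoperability. Access control events and the subject of care consents are maintained on a blockchain, providing a trusted collaboration between organizations, supervisory authorities, and individuals. A prototype of the architecture has been implemented as a proof of concept to evaluate the performance of critical components. The application of subject of care consent to control the treatment of personal health data in federated and distributed environments is a pressing concern. The experimental results show that blockchain can effectively support sharing consent and audit events among healthcare organizations, supervisory authorities, and individuals.},
  pubstate  = {published},
  tppubtype = {article}
}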
Mayor, V.; Estepa, R.; Estepa, A.
CO-CAC: A new approach to Call Admission Control for VoIP in 5G/WiFi UAV-based relay networks Artículo de revista
En: Computer Communications, vol. 197, pp. 284-293, 2023, ISSN: 01403664, (cited By 0).
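@article{Mayor2023284,
  title     = {{CO-CAC}: A new approach to Call Admission Control for {VoIP} in {5G}/{WiFi} {UAV}-based relay networks},
  author    = {Mayor, V. and Estepa, R. and Estepa, A.},
  doi       = {10.1016/j.comcom.2022.11.006},
  issn      = {0140-3664},
  year      = {2023},
  date      = {2023-01-01},
  journal   = {Computer Communications},
  volume    = {197},
  pages     = {284--293},
  publisher = {Elsevier B.V.},
  abstract  = {Voice over IP (VoIP) requires a Call Admission Control (CAC) mechanism in WiFi networks to preserve VoIP packet flows from excessive network delay or packet loss. Ideally, this mechanism should be integrated with the operational scenario, guarantee the quality of service of active calls, and maximize the number of concurrent calls. This paper presents a novel CAC scheme for VoIP in the context of a WiFi access network deployed with Unmanned Aerial Vehicles (UAVs) that relay to a backhaul 5G network. Our system, named Codec-Optimization CAC (CO-CAC), is integrated into each drone. It intercepts VoIP call control messages and decides on the admission of every new call based on a prediction of the WiFi network's congestion level and the minimum quality of service desired for VoIP calls. To maximize the number of concurrent calls, CO-CAC proactively optimizes the codec settings of active calls by exchanging signaling with VoIP users. We have simulated CO-CAC in a 50m × 50m scenario with four UAVs providing VoIP service to up to 200 ground users with IEEE 802.11ac WiFi terminals. Our results show that without CAC, the number of calls that did not meet a minimum quality level during the simulation was 10\% and 90\%, for 50 and 200 users, respectively. However, when CO-CAC was in place, all calls achieved minimum quality for up to 90 users without rejecting any call. For 200 users, only 25\% of call attempts were rejected by the admission control scheme. These results were narrowly worse when the ground users moved randomly in the scenario. © 2022 Elsevier B.V.},
  note      = {cited By 0},
  pubstate  = {published},
  tppubtype = {article}
}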
2022
Díaz-Verdejo, J. E.; Muñoz-Calle, F. J.; Estepa Alonso, A.; Estepa Alonso, R.; Madinabeitia, G.
On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks Artículo de revista
En: Applied Sciences, vol. 12, no 2, pp. 852, 2022, ISSN: 20763417.
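@article{Diaz-Verdejo2022,
  title     = {On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks},
  author    = {Díaz-Verdejo, J. E. and Muñoz-Calle, F. J. and Estepa Alonso, A. and Estepa Alonso, R. and Madinabeitia, G.},
  url       = {https://www.mdpi.com/2076-3417/12/2/852},
  doi       = {10.3390/app12020852},
  issn      = {2076-3417},
  year      = {2022},
  date      = {2022-01-01},
  urldate   = {2022-01-01},
  journal   = {Applied Sciences},
  volume    = {12},
  number    = {2},
  pages     = {852},
  publisher = {Multidisciplinary Digital Publishing Institute},
  abstract  = {Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.},
  pubstate  = {published},
  tppubtype = {article}
}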
Mayor, V.; Estepa, R.; Estepa, A.
QoS-Aware Multilayer UAV Deployment to Provide VoWiFi Service over 5G Networks Artículo de revista
En: Wireless Communications and Mobile Computing, vol. 2022, 2022, ISSN: 15308669, (cited By 4).
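@article{Mayor2022,
  title     = {{QoS}-Aware Multilayer {UAV} Deployment to Provide {VoWiFi} Service over {5G} Networks},
  author    = {Mayor, V. and Estepa, R. and Estepa, A.},
  doi       = {10.1155/2022/3110572},
  issn      = {1530-8669},
  year      = {2022},
  date      = {2022-01-01},
  journal   = {Wireless Communications and Mobile Computing},
  volume    = {2022},
  publisher = {Hindawi Limited},
  abstract  = {Drones equipped with wireless network cards can provide communication services in open areas. This paper proposes a hierarchical two-layered network architecture with two types of drones according to their communication equipment: Access and Distribution. While access drones provide WiFi access to ground users, distribution drones act as WiFi-to-5G relay forwarding packets into the 5G Core Network. In this context, we formulate a novel optimization problem for the 3-D initial placement of drones to provide Voice over WiFi (VoWiFi) service to ground users. Our optimization problem finds the minimum number of drones (and their type and location) to be deployed constrained to coverage and minimum voice speech quality. We have used a well-known metaheuristic algorithm (Particle Swarm Optimization) to solve our problem, examining the results obtained for different terrain sizes (from 25m×25m to 100m×100m) and ground users (from 10 to 100). In the most demanding case, we were able to provide VoWiFi service with four distribution drones and five access drones. Our results show that the overall number of UAVs deployed grows with the terrain size (i.e., with users' sparsity) and the number of ground users. © 2022 Vicente Mayor et al.},
  note      = {cited By 4},
  pubstate  = {published},
  tppubtype = {article}
}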
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Deployment of UAV-mounted Access Points for VoWiFi Service with guaranteed QoS Artículo de revista
En: Computer Communications, vol. 193, pp. 94-108, 2022, ISSN: 01403664, (cited By 0).
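@article{Mayor202294,
  title     = {Deployment of {UAV}-mounted Access Points for {VoWiFi} Service with guaranteed {QoS}},
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  doi       = {10.1016/j.comcom.2022.06.037},
  issn      = {0140-3664},
  year      = {2022},
  date      = {2022-01-01},
  journal   = {Computer Communications},
  volume    = {193},
  pages     = {94--108},
  publisher = {Elsevier B.V.},
  abstract  = {Unmanned Aerial Vehicle (UAV) networks have emerged as a promising means to provide wireless coverage in open geographical areas. Nevertheless, in wireless networks such as WiFi, signal coverage alone is insufficient to guarantee that network performance meets the quality of service (QoS) requirements of real-time communication services, as it also depends on the traffic load produced by ground users sharing the medium access. We formulate a new problem for UAVs optimal deployment in which the QoS level is guaranteed for real-time voice over WiFi (VoWiFi) communications. More specifically, our goal is to dispatch the minimum number of UAVs possible to provide VoWiFi service to a set of ground users subject to coverage, call-blocking probability, and QoS constraints. Optimal solutions are found using well-known heuristics that include K-means clusterization and genetic algorithms. Via numerical results, we show that the WiFi standard revision (e.g. IEEE 802.11a/b/g/n/ac) in use plays an important role in both coverage and QoS performance and hence, in the number of UAVs required to provide the service. © 2022 The Author(s)},
  note      = {cited By 0},
  pubstate  = {published},
  tppubtype = {article}
}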
2021
Estepa, R.; Estepa, A.; Madinabeitia, G.; Garcia, E.
RPL Cross-Layer Scheme for IEEE 802.15.4 IoT Devices with Adjustable Transmit Power Artículo de revista
En: IEEE Access, vol. 9, pp. 120689-120703, 2021, ISSN: 21693536, (cited By 5).
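@article{Estepa2021120689,
  title     = {{RPL} Cross-Layer Scheme for {IEEE 802.15.4} {IoT} Devices with Adjustable Transmit Power},
  author    = {Estepa, R. and Estepa, A. and Madinabeitia, G. and Garcia, E.},
  doi       = {10.1109/ACCESS.2021.3107981},
  issn      = {2169-3536},
  year      = {2021},
  date      = {2021-01-01},
  journal   = {IEEE Access},
  volume    = {9},
  pages     = {120689--120703},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  abstract  = {We propose a novel cross-layer scheme to reduce energy consumption in wireless sensor networks composed of IEEE 802.15.4 IoT devices with adjustable transmit power. Our approach is based on the IETF's Routing Protocol for Low power and lossy networks (RPL). Nodes discover neighbors and keep fresh link statistics for each available transmit power level. Using the product of ETX and local transmit power level as a single metric, each node selects both the parent that minimizes the energy for packet transmission along the path to the root and the optimal local transmit power to be used. We have implemented our cross-layer scheme in NG-Contiki using the Z1 mote and two transmit power levels (55mW and 31mW). Simulations of a network of 15 motes show that (on average) 66\% of nodes selected the low-power setting in a 25m × 25m area. As a result, we obtained an average reduction of 25\% of the energy spent on transmission and reception of packets compared to the standard RPL settings where all nodes use the same transmit power level. In large scenarios (e.g., 150m × 150m and 40--100 motes), our approach provides better results in dense networks where reducing the transmit power of nodes does not translate into longer paths to the root nor degraded quality of service. © 2013 IEEE.},
  note      = {cited By 5},
  pubstate  = {published},
  tppubtype = {article}
}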
2020
Díaz-Verdejo, Jesús E.; Estepa, Antonio; Estepa, Rafael; Madinabeitia, German; Muñoz-Calle, Fco Javier
A methodology for conducting efficient sanitization of HTTP training datasets Artículo de revista
En: Future Generation Computer Systems, vol. 109, pp. 67–82, 2020, ISSN: 0167739X.
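@article{Diaz-Verdejo2020,
  title     = {A methodology for conducting efficient sanitization of {HTTP} training datasets},
  author    = {Díaz-Verdejo, Jesús E. and Estepa, Antonio and Estepa, Rafael and Madinabeitia, German and Muñoz-Calle, Fco Javier},
  url       = {https://linkinghub.elsevier.com/retrieve/pii/S0167739X19322629},
  doi       = {10.1016/j.future.2020.03.033},
  issn      = {0167-739X},
  year      = {2020},
  date      = {2020-08-01},
  urldate   = {2020-08-01},
  journal   = {Future Generation Computer Systems},
  volume    = {109},
  pages     = {67--82},
  publisher = {Elsevier B.V.},
  abstract  = {The performance of anomaly-based intrusion detection systems depends on the quality of the datasets used to form normal activity profiles. Suitable datasets should include high volumes of real-life data free from attack instances. On account of this requirement, obtaining quality datasets from collected data requires a process of data sanitization that may be prohibitive if done manually, or uncertain if fully automated. In this work, we propose a sanitization approach for obtaining datasets from HTTP traces suited for training, testing, or validating anomaly-based attack detectors. Our methodology has two sequential phases. In the first phase, we clean known attacks from data using a pattern-based approach that relies on tools that detect URI-based known attacks. In the second phase, we complement the result of the first phase by conducting assisted manual labeling systematically and efficiently, setting the focus of expert examination not on the raw data (which would be millions of URIs), but on the set of words that compose the URIs. This dramatically downsizes the volume of data that requires expert discernment, making manual sanitization of large datasets feasible. We have applied our method to sanitize a trace that includes 45 million requests received by the library web server of the University of Seville. We were able to generate clean datasets in less than 84 h with only 33 h of manual supervision. We have also applied our method to some public benchmark datasets, confirming that attacks unnoticed by signature-based detectors can be discovered in a reduced time span.},
  pubstate  = {published},
  tppubtype = {article}
}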
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Unified call admission control in corporate domains Artículo de revista
En: Computer Communications, vol. 150, pp. 589-602, 2020, ISSN: 01403664, (cited By 4).
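@article{Mayor2020589,
  title     = {Unified call admission control in corporate domains},
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  doi       = {10.1016/j.comcom.2019.11.041},
  issn      = {0140-3664},
  year      = {2020},
  date      = {2020-01-01},
  journal   = {Computer Communications},
  volume    = {150},
  pages     = {589--602},
  publisher = {Elsevier B.V.},
  abstract  = {Call Admission Control is a central mechanism for assurance of quality of service in telephony. While CAC is integrated into Public Switched Telephony Network (PSTN), its application to voice over IP in a corporate environment is challenging not only due to the heterogeneity of technologies, but also because of the difficulty of implementation into commercial VoIP terminals or Access Points. We present a novel framework that unifies call admission control for VoIP telephony corporate users despite their access network (i.e., WiFi or Ethernet) under a single corporate management domain. Our Unified CAC (U-CAC) system can be implemented in a VoIP Gateway/Proxy and uses only standard protocols already present in commercial off-the-shelf devices, avoiding the need to modify the firmware of existing APs or VoIP terminals. We define two variants of the decision algorithm: basic and advanced. In the basic mode of operation, the admission of new calls is based on the availability of spare circuits and the impact of the new call in the speech quality of VoWiFi calls in progress. In the advanced mode of operation, the traffic load in affected APs is proactively reduced by reconfiguring ongoing calls before rejecting the new call. Simulation results show that the number of simultaneous VoWiFi calls under guaranteed quality increases with our unified call admission control scheme. When using the advanced mode of operation, the number of simultaneous calls under guaranteed quality can be doubled when compared to the standard mode of operation. © 2019 Elsevier B.V.},
  note      = {cited By 4},
  pubstate  = {published},
  tppubtype = {article}
}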
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Energy-efficient uavs deployment for qos-guaranteed vowifi service Artículo de revista
En: Sensors (Switzerland), vol. 20, no 16, pp. 1-32, 2020, ISSN: 14248220, (cited By 8).
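@article{Mayor20201,
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  title     = {Energy-Efficient {UAVs} Deployment for {QoS}-Guaranteed {VoWiFi} Service},
  journal   = {Sensors (Switzerland)},
  year      = {2020},
  date      = {2020-01-01},
  volume    = {20},
  number    = {16},
  pages     = {1--32},
  publisher = {MDPI AG},
  doi       = {10.3390/s20164455},
  issn      = {1424-8220},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85089348929&doi=10.3390%2fs20164455&partnerID=40&md5=e3dcfd4e62d8b2180e9fdfe7b936b6c0},
  abstract  = {This paper formulates a new problem for the optimal placement of Unmanned Aerial Vehicles (UAVs) geared towards wireless coverage provision for Voice over WiFi (VoWiFi) service to a set of ground users confined in an open area. Our objective function is constrained by coverage and by VoIP speech quality and minimizes the ratio between the number of UAVs deployed and energy efficiency in UAVs, hence providing the layout that requires fewer UAVs per hour of service. Solutions provide the number and position of UAVs to be deployed, and are found using well-known heuristic search methods such as genetic algorithms (used for the initial deployment of UAVs), or particle swarm optimization (used for the periodical update of the positions). We examine two communication services: (a) one bidirectional VoWiFi channel per user; (b) single broadcast VoWiFi channel for announcements. For these services, we study the results obtained for an increasing number of users confined in a small area of 100 m$^{2}$ as well as in a large area of 10,000 m$^{2}$. Results show that the drone turnover rate is related to both users' sparsity and the number of users served by each UAV. For the unicast service, the ratio of UAVs per hour of service tends to increase with user sparsity and the power of radio communication represents 14--16\% of the total UAV energy consumption depending on ground user density. In large areas, solutions tend to locate UAVs at higher altitudes seeking increased coverage, which increases energy consumption due to hovering. However, in the VoWiFi broadcast communication service, the traffic is scarce, and solutions are mostly constrained only by coverage. This results in fewer UAVs deployed, less total power consumption (between 20\% and 75\%), and less sensitivity to the number of served users. © 2020 by the authors. Licensee MDPI, Basel, Switzerland.},
  note      = {cited By 8},
  pubstate  = {published},
  tppubtype = {article}
}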
2019
Salah, S.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.
Fusing information from tickets and alerts to improve the incident resolution process Artículo de revista
En: Information Fusion, vol. 45, 2019, ISSN: 15662535.
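@article{Salah2019,
  author    = {Salah, S. and Maciá-Fernández, G. and Díaz-Verdejo, J. E.},
  title     = {Fusing information from tickets and alerts to improve the incident resolution process},
  journal   = {Information Fusion},
  year      = {2019},
  date      = {2019-01-01},
  volume    = {45},
  doi       = {10.1016/j.inffus.2018.01.011},
  issn      = {1566-2535},
  abstract  = {\textcopyright{} 2018 Elsevier B.V. In the context of network incident monitoring, alerts are useful notifications that provide IT management staff with information about incidents. They are usually triggered in an automatic manner by network equipment and monitoring systems, thus containing only technical information available to the systems that are generating them. On the other hand, ticketing systems play a different role in this context. Tickets represent the business point of view of incidents. They are usually generated by human intervention and contain enriched semantic information about ongoing and past incidents. In this article, our main hypothesis is that incorporating tickets information into the alert correlation process will be beneficial to the incident resolution life-cycle in terms of accuracy, timing, and overall incident's description. We propose a methodology to validate this hypothesis and suggest a solution to the main challenges that appear. The proposed correlation approach is based on the time alignment of the events (alerts and tickets) that affect common elements in the network. For this we use real alert and ticket datasets obtained from a large telecommunications network. The results have shown that using ticket information enhances the incident resolution process, mainly by reducing and aggregating a higher percentage of alerts compared with standard alert correlation systems that only use alerts as the main source of information. Finally, we also show the applicability and usability of this model by applying it to a case study where we analyze the performance of the management staff.},
  pubstate  = {published},
  tppubtype = {article}
}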
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Deploying a Reliable UAV-Aided Communication Service in Disaster Areas Artículo de revista
En: Wireless Communications and Mobile Computing, vol. 2019, 2019, ISSN: 15308669, (cited By 25).
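@article{Mayor2019,
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  title     = {Deploying a Reliable {UAV}-Aided Communication Service in Disaster Areas},
  journal   = {Wireless Communications and Mobile Computing},
  year      = {2019},
  date      = {2019-01-01},
  volume    = {2019},
  publisher = {Hindawi Limited},
  doi       = {10.1155/2019/7521513},
  issn      = {1530-8669},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85065643702&doi=10.1155%2f2019%2f7521513&partnerID=40&md5=415539a365bd0d35ce600b19ff3ce412},
  abstract  = {When telecommunication infrastructure is damaged by natural disasters, creating a network that can handle voice channels can be vital for search and rescue missions. Unmanned Aerial Vehicles (UAV) equipped with WiFi access points could be rapidly deployed to provide wireless coverage to ground users. This WiFi access network can in turn be used to provide a reliable communication service to be used in search and rescue missions. We formulate a new problem for UAVs optimal deployment which considers not only WiFi coverage but also the mac sublayer (i.e., quality of service). Our goal is to dispatch the minimum number of UAVs for provisioning a WiFi network that enables reliable VoIP communications in disaster scenarios. Among valid solutions, we choose the one that minimizes energy expenditure at the user's WiFi interface card in order to extend ground user's smartphone battery life as much as possible. Solutions are found using well-known heuristics such as K-means clusterization and genetic algorithms. Via numerical results, we show that the IEEE 802.11 standard revision has a decisive impact on the number of UAVs required to cover large areas, and that the user's average energy expenditure (attributable to communications) can be reduced by limiting the maximum altitude for drones or by increasing the VoIP speech quality. © 2019 Vicente Mayor et al.},
  note      = {cited By 25},
  pubstate  = {published},
  tppubtype = {article}
}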
Estepa, A.; Estepa, R.; Madinabeitia, G.; Vozmediano, J.
Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus Artículo de revista
En: IEEE Access, vol. 7, pp. 120411-120423, 2019, ISSN: 21693536, (cited By 0).
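@article{Estepa2019120411,
  author    = {Estepa, A. and Estepa, R. and Madinabeitia, G. and Vozmediano, J.},
  title     = {Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus},
  journal   = {IEEE Access},
  year      = {2019},
  date      = {2019-01-01},
  volume    = {7},
  pages     = {120411--120423},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  doi       = {10.1109/ACCESS.2019.2937449},
  issn      = {2169-3536},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85097341585&doi=10.1109%2fACCESS.2019.2937449&partnerID=40&md5=4894eb6b5897d4f7e9e02d45d51ce3be},
  abstract  = {The unavailability of information and communication services due to network-related incidents may have a significant impact on large organizations. Network incidents can hence be viewed as a risk for organizations whose consequences are not accounted for by traditional network design problems. In this work, we address the problem of designing a reliable wired network from a risk analysis perspective. We propose a novel methodology for the quantitative assessment of the risk associated with network-related incidents in a hospital campus. We then define an optimization problem to find the topology that minimizes the network cost plus the expected loss over time attributable to the unavailability of corporate services to staff affected by network incidents. A case study illustrates our methodology and its benefits. Using available public information, we design the topology of a campus network for a large hospital where the cost of labor exceeds 200M€/year. The solution to our optimization problem is found through well-known genetic algorithms and provides a topology where network nodes with a higher impact on productivity exhibit higher reliability. As a consequence, the topology obtained reduces more than 95\% (+392 000€) the expected annual lost profits when compared to common reduced-cost topologies such as the minimum-cost ring or the non-reliable minimum-cost tree, showing that investment in risk reduction pays off. Our contribution may be used by engineers to (re)design cost-effective reliable networks or by hospital managers to support decisions on updating present infrastructure based on risk reduction. © 2013 IEEE.},
  note      = {cited By 0},
  pubstate  = {published},
  tppubtype = {article}
}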
2017
Khalife, Jawad; Hajjar, Amjad; Díaz-Verdejo, Jesús
A sampling methodology for DPI classifiers Artículo de revista
En: Journal of Internet Technology, vol. 18, no 4, pp. 787–800, 2017, ISSN: 20794029.
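@article{Khalife2017,
  author    = {Khalife, Jawad and Hajjar, Amjad and Díaz-Verdejo, Jesús},
  title     = {A sampling methodology for {DPI} classifiers},
  journal   = {Journal of Internet Technology},
  year      = {2017},
  date      = {2017-01-01},
  volume    = {18},
  number    = {4},
  pages     = {787--800},
  doi       = {10.6138/JIT.2017.18.4.20130525},
  issn      = {2079-4029},
  abstract  = {In this paper we provide a general methodology for customizing sampling schemes used with DPI (Deep Packet inspection) based traffic classifiers. Sampling is supposed to optimize DPI classification by reducing the disclosed payload size for inspection and the associated computational overhead while providing better protection of the users' privacy. As a real case scenario, we choose a real traffic dataset captured on a campus network link on which we conduct a series of classification experiments joint with sampling using OpenDPI, as the DPI tool of choice. First, we attempt to statistically localize payload sections within a flow stream where application signatures are mostly matched by OpenDPI. Then, we specify the minimum required payload to be disclosed for inspection, on a per protocol basis. Finally, we recommend a methodology for generalizing one DPI sampling scheme.},
  pubstate  = {published},
  tppubtype = {article}
}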
Estepa, R.; Estepa, A.; Wideberg, J.; Jonasson, M.; Stensson-Trigell, A.
More Effective Use of Urban Space by Autonomous Double Parking Artículo de revista
En: Journal of Advanced Transportation, vol. 2017, 2017, ISSN: 01976729, (cited By 17).
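@article{Estepa2017,
  author    = {Estepa, R. and Estepa, A. and Wideberg, J. and Jonasson, M. and Stensson-Trigell, A.},
  title     = {More Effective Use of Urban Space by Autonomous Double Parking},
  journal   = {Journal of Advanced Transportation},
  year      = {2017},
  date      = {2017-01-01},
  volume    = {2017},
  publisher = {Hindawi Limited},
  doi       = {10.1155/2017/8426946},
  issn      = {0197-6729},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85042314940&doi=10.1155%2f2017%2f8426946&partnerID=40&md5=4bc61a0cece24f66e7c83ffdd7708a8c},
  abstract  = {The new capabilities of autonomous cars can be used to mitigate to a large extent safety concerns and nuisance traditionally associated with double parking. In this paper double parking for autonomous cars is proposed as a new approach to temporarily increase parking capacity in locations in clear need for extra provision when best alternatives cannot be found. The basic requirements, operation, and procedures of the proposed solution are outlined. A curbside parking has been simulated implementing the suggested double parking operation and important advantages have been identified for drivers, the environment, and the city. Double parking can increase over 50\% the parking capacity of a given area. Autonomous car owners would (at least) double their probabilities of finding parking compared to traditional drivers, saving cruising time and emissions. However, significant work and technological advances are still needed in order to make this feasible in the near future. © 2017 Rafael Estepa et al.},
  note      = {cited By 17},
  pubstate  = {published},
  tppubtype = {article}
}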
2016
Delgado, A.; Estepa, A.; Troyano, J. A.; Estepa, R.
Reusing UI elements with model-based user interface development Artículo de revista
En: International Journal of Human Computer Studies, vol. 86, pp. 48-62, 2016, ISSN: 10715819, (cited By 13).
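@article{Delgado201648,
  author    = {Delgado, A. and Estepa, A. and Troyano, J. A. and Estepa, R.},
  title     = {Reusing {UI} elements with model-based user interface development},
  journal   = {International Journal of Human Computer Studies},
  year      = {2016},
  date      = {2016-01-01},
  volume    = {86},
  pages     = {48--62},
  publisher = {Academic Press},
  doi       = {10.1016/j.ijhcs.2015.09.003},
  issn      = {1071-5819},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-84942928651&doi=10.1016%2fj.ijhcs.2015.09.003&partnerID=40&md5=2197068cc0682df11d690c82b5552703},
  abstract  = {This paper introduces the potential for reusing UI elements in the context of Model-Based UI Development (MBUID) and provides guidance for future MBUID systems with enhanced reutilization capabilities. Our study is based upon the development of six inter-related projects with a specific MBUID environment which supports standard techniques for reuse such as parametrization and sub-specification, inclusion or shared repositories. We analyze our experience and discuss the benefits and limitations of each technique supported by our MBUID environment. The system architecture, the structure and composition of UI elements and the models specification languages have a decisive impact on reusability. In our case, more than 40\% of the elements defined in the UI specifications were reused, resulting in a reduction of 55\% of the specification size. Inclusion, parametrization and sub-specification have facilitated modularity and internal reuse of UI specifications at development time, whereas the reuse of UI elements between applications has greatly benefited from sharing repositories of UI elements at run time. © 2015 Elsevier Ltd.},
  note      = {cited By 13},
  pubstate  = {published},
  tppubtype = {article}
}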
Salah, Saeed; Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; Sánchez-Casado, Leovigildo
A Model for Incident Tickets Correlation in Network Management Artículo de revista
En: Journal of Network and Systems Management, vol. 24, no 1, pp. 57–91, 2016, ISSN: 10647570.
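@article{Salah2016,
  author    = {Salah, Saeed and Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and Sánchez-Casado, Leovigildo},
  title     = {A Model for Incident Tickets Correlation in Network Management},
  journal   = {Journal of Network and Systems Management},
  year      = {2016},
  date      = {2016-01-01},
  volume    = {24},
  number    = {1},
  pages     = {57--91},
  doi       = {10.1007/s10922-014-9340-6},
  issn      = {1064-7570},
  abstract  = {\textcopyright{} 2015, Springer Science+Business Media New York. In Information Technology Service Management (ITSM), network management teams typically use an Incident Ticket System (ITS) as a tool to track, troubleshoot, and coordinate the resolution of network incidents that occur during the daily operation of the network. A well organized ITS may positively impact on the efficiency of the incident management process. Nevertheless, in many cases the handling of tickets by the management team is not completely systematic and may be incoherent and inefficient. This way, irrelevant or redundant tickets for the same incident may be issued, thus creating a redundancy in the system that leads to inefficiencies. In this paper, we suggest a model aimed to correlate redundant tickets in order to reduce the information to a single ticket per incident. We validate the proposed correlation model by evaluating it with two datasets taken from a real ticketing system of a telecommunications network company. Using this model as a basis, we also develop and evaluate a methodology that assesses the efficiency of the management team during the process of tickets creation and management. Based on it, we also get some insights on the performance of the different management groups involved in the ticket creation process. These analyses can be leveraged for improving both the management groups functioning and the policies for the tickets' creation.},
  pubstate  = {published},
  tppubtype = {article}
}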
2015
Hajjar, Amjad; Khalife, Jawad; Díaz-Verdejo, Jesús
Network traffic application identification based on message size analysis Artículo de revista
En: Journal of Network and Computer Applications, vol. 58, no 2010, pp. 130–143, 2015, ISSN: 1084-8045.
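@article{Hajjar2015,
  author    = {Hajjar, Amjad and Khalife, Jawad and Díaz-Verdejo, Jesús},
  title     = {Network traffic application identification based on message size analysis},
  journal   = {Journal of Network and Computer Applications},
  year      = {2015},
  date      = {2015-12-01},
  volume    = {58},
  number    = {2010},
  pages     = {130--143},
  publisher = {Academic Press},
  doi       = {10.1016/j.jnca.2015.10.003},
  issn      = {1084-8045},
  abstract  = {Identifying network applications is centric to many network management and security tasks. A large number of approaches exist in the literature, most of which are based on statistical and machine learning techniques. For protecting the user privacy, the majority of the existing methods rely on discriminative traffic attributes at the network and transport layers, such as interaction schemes, packet sizes and inter-arrival times. In this work, we propose a novel blind, quintuple centric approach by exploring traffic attributes at the application level without inspecting the payloads. The identification model is based on the analysis of the first application-layer messages in a flow (quintuple), based on their sizes, directions and positions in the flow. The underlying idea is that the first messages of a flow usually carry some application level signaling and data transfer units (command, request, response, etc.) that can be discriminative through their patterns of size and direction. A Gaussian mixture model is proposed to characterize the applications, based on a study of the common characteristics of application-level protocols. The blind classifier is based on Markov models with low complexity and reasonable computational requirements, where the training procedure consists of profiling the target applications separately. Promising results were obtained for some popular protocols including many peer-to-peer applications.},
  pubstate  = {published},
  tppubtype = {article}
}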
Garcia-Teodoro, P.; Diaz-Verdejo, J. E.; Tapiador, J. E.; Salazar-Hernandez, R.
Automatic generation of HTTP intrusion signatures by selective identification of anomalies Artículo de revista
En: Computers and Security, vol. 55, pp. 159–174, 2015, ISSN: 01674048.
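@article{Garcia-Teodoro2015,
  author    = {Garcia-Teodoro, P. and Diaz-Verdejo, J. E. and Tapiador, J. E. and Salazar-Hernandez, R.},
  title     = {Automatic generation of {HTTP} intrusion signatures by selective identification of anomalies},
  journal   = {Computers and Security},
  year      = {2015},
  date      = {2015-01-01},
  volume    = {55},
  pages     = {159--174},
  doi       = {10.1016/j.cose.2015.09.007},
  issn      = {0167-4048},
  abstract  = {In this paper, we introduce a novel methodology to automatically generate HTTP intrusion signatures for Network Intrusion Detection Systems (NIDS). Our approach relies on the use of a service-specific, semantic-aware anomaly detection scheme that combines stochastic learning with a model structure based on the protocol specification. Each incoming payload for the target service is tagged with an anomaly score obtained from probabilistically matching it against the corresponding learned model of normal usage. For those payloads whose anomaly score exceeds a given threshold, a more detailed analysis is performed to extract the portions that contribute the most to the anomaly score. Such portions are then used to build up candidate intrusion signatures, using a merging process that combines them with already existing patterns in order to keep the signature database as simple as possible by avoiding redundancies. We report results obtained with a specific implementation of our proposal for web traffic. During our evaluation, we used a well-known signature-based NIDS that sits behind the anomaly detection system and is fed with the signatures automatically generated by the latter. Our results indicate that functioning in such a way translates into an improvement of the often tedious signature generation process. Furthermore, a visual inspection of the signatures reveals that the generation procedure is quite reliable, mimicking (and, in some cases, even improving) attack patterns manually generated by security analysts. This results in an increase of the overall detection performance of the composite signature- plus anomaly-based system.},
  pubstate  = {published},
  tppubtype = {article}
}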
2014
Khalife, Jawad; Hajjar, Amjad; Diaz-Verdejo, Jesus
A multilevel taxonomy and requirements for an optimal traffic-classification model Artículo de revista
En: International Journal of Network Management, vol. 24, no 2, pp. 101–120, 2014, ISSN: 10991190.
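@article{Khalife2014,
  author    = {Khalife, Jawad and Hajjar, Amjad and Diaz-Verdejo, Jesus},
  title     = {A multilevel taxonomy and requirements for an optimal traffic-classification model},
  journal   = {International Journal of Network Management},
  year      = {2014},
  date      = {2014-01-01},
  volume    = {24},
  number    = {2},
  pages     = {101--120},
  doi       = {10.1002/nem.1855},
  issn      = {1099-1190},
  abstract  = {Identifying Internet traffic applications is essential for network security and management. The steady emergence of new Internet applications, together with the use of encryption and obfuscation techniques, ensures that traffic classification remains a hot research topic. Much research has been devoted to this topic by the research community in the last decade. However, an optimal traffic classification model has yet to be defined. Many techniques and formats have been described, with the current literature therefore lacking appropriate benchmarks expressed in a consistent terminology. Moreover, existing surveys are outdated and do not include many recent advances in the field. In this article, we present a systematic multilevel taxonomy that covers a broad range of existing and recently proposed methods, together with examples of vendor classification techniques. Our taxonomy assists in defining a consistent terminology. It could be useful in future benchmarking contexts by characterizing and comparing methods at three different levels. From this perspective, we describe key features and provide design hints for future classification models, while emphasizing the main requirements for promoting future research efforts. To motivate researchers and other interested parties, we collect and share data captured from real traffic, using two models to protect data privacy. Copyright \textcopyright{} 2014 John Wiley \& Sons, Ltd. With the huge amount of recently emergent papers in traffic classification, existing surveys cannot reflect current advances and trends in the field. In this article, we propose a multilevel taxonomy categorising and characterizing most existing methods at three different levels, which is vital for future benchmarks. We show comparisons, highlight on current research trends and describe the optimal future classifier's features. From the perspective of our taxonomy, we illuminate on research requirements both on the policy and technical levels. Copyright \textcopyright{} 2014 John Wiley \& Sons, Ltd.},
  pubstate  = {published},
  tppubtype = {article}
}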
Jimenez, J.; Estepa, R.; Estepa, A.; Rubio, F. R.; Gómez-Estern, F.
Energy efficiency and quality of service optimization for constant bit rate real-time applications in 802.11 networks Artículo de revista
En: Wireless Communications and Mobile Computing, vol. 14, no 6, pp. 583-595, 2014, ISSN: 15308669, (cited By 2).
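@article{Jimenez2014583,
  author    = {Jimenez, J. and Estepa, R. and Estepa, A. and Rubio, F. R. and Gómez-Estern, F.},
  title     = {Energy efficiency and quality of service optimization for constant bit rate real-time applications in 802.11 networks},
  journal   = {Wireless Communications and Mobile Computing},
  year      = {2014},
  date      = {2014-01-01},
  volume    = {14},
  number    = {6},
  pages     = {583--595},
  publisher = {John Wiley and Sons Ltd},
  doi       = {10.1002/wcm.2210},
  issn      = {1530-8669},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-84898003589&doi=10.1002%2fwcm.2210&partnerID=40&md5=87a65bbe5e6a8ff2a711ab53c3035691},
  abstract  = {In this paper, we propose a quality of service (QoS)-sensitive energy efficiency optimization mechanism for 802.11 networks on the basis of the dynamic and simultaneous adjustment of the content window (W) and retry attempts limit (r) of the media access control (MAC) sublayer. The use of both operational variables let us not only find the optimum operational point regarding energy efficiency but also attain a positive impact on the QoS, which improves the results obtained with current single-variable optimization strategies. The model under consideration includes external noise and does not impose the saturation condition in stations and as such is well suited for real-time industrial applications under noisy channels. Results obtained from simulation confirm the advantages of adjusting simultaneously W and r versus adjusting either one separately, obtaining a slight improvement in energy efficiency and resulting in less loss and delay at the MAC sublayer. Copyright © 2012 John Wiley \& Sons, Ltd.},
  note      = {cited By 2},
  pubstate  = {published},
  tppubtype = {article}
}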
2013
Padilla, P.; Camacho, J.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.; García-Teodoro, P.; Gómez-Calero, C.
On the influence of the propagation channel in the performance of energy-efficient geographic routing algorithms for Wireless Sensor Networks (WSN) Artículo de revista
En: Wireless Personal Communications, vol. 70, no 1, 2013, ISSN: 09296212.
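@article{Padilla2013a,
  author    = {Padilla, P. and Camacho, J. and Maciá-Fernández, G. and Díaz-Verdejo, J. E. and García-Teodoro, P. and Gómez-Calero, C.},
  title     = {On the influence of the propagation channel in the performance of energy-efficient geographic routing algorithms for Wireless Sensor Networks ({WSN})},
  journal   = {Wireless Personal Communications},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {70},
  number    = {1},
  doi       = {10.1007/s11277-012-0676-5},
  issn      = {0929-6212},
  abstract  = {In this paper, the influence of the features of the propagation channel in the performance of energy-efficient routing algorithms for wireless sensor networks is studied. Although there are a lot of works regarding energy-efficient routing protocols, almost no reference to realistic propagation channel models and influence is made in the literature. Considering that the propagation channel may affect the efficiency of the different energy-efficient routing algorithms, different propagation scenarios are proposed in this work, from the most simplistic free-space propagation model to more complex ones. The latter includes the effects of multipath propagation, shadowing, fading, etc. In addition, spatial diversity transmission/reception models are considered to mitigate the effects of hard propagation fading. Some results are provided comparing the performance of several energy-efficient routing algorithms in different scenarios. \textcopyright{} 2012 Springer Science+Business Media, LLC.},
  pubstate  = {published},
  tppubtype = {article}
}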
Camacho, J.; Padilla, P.; García-Teodoro, P.; Díaz-Verdejo, J.
A generalizable dynamic flow pairing method for traffic classification Artículo de revista
En: Computer Networks, vol. 57, no 14, 2013, ISSN: 13891286.
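@article{Camacho2013,
  author    = {Camacho, J. and Padilla, P. and García-Teodoro, P. and Díaz-Verdejo, J.},
  title     = {A generalizable dynamic flow pairing method for traffic classification},
  journal   = {Computer Networks},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {57},
  number    = {14},
  doi       = {10.1016/j.comnet.2013.06.006},
  issn      = {1389-1286},
  abstract  = {The goal of network traffic classification is to identify the protocols or types of protocols in the network traffic. In particular, the identification of network traffic with high resource consumption, such as peer-to-peer (P2P) traffic, represents a great concern for Internet Service Providers (ISP) and network managers. Most current flow-based classification approaches report high accuracy without paying attention to the generalization ability of the classifier. However, without this ability, a classifier may not be suitable for on-line classification. In this paper, a number of experiments on real traffic help to elucidate the reason for this lack of generalization. It is also shown that one way to attain the generalization ability is by using dynamic classifiers. From these results, a dynamic classification approach based on the pairing of flows according to a similarity criterion is proposed. The pairing method is not a classifier by itself. Rather, its goal is to determine in a fast way that two given flows are similar enough to conclude they correspond to the same protocol. Combining this method with a classifier, most of the flows do not need to be explicitly evaluated by the later, so that the computational overhead is reduced without a significant reduction in accuracy. In this paper, as a case study, we explore complementing the pairing method with payload inspection. In the experiments performed, the pairing approach generalizes well to traffic obtained in different conditions and scenarios than that used for calibration. Moreover, a high portion of the traffic unclassified by payload inspection is categorized with the pairing method. \textcopyright{} 2013 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}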
Román, I.; Madinabeitia, G.; Jimenez, L.; Molina, G. A.; Ternero, J. A.
Experiences applying RM-ODP principles and techniques to intelligent transportation system architectures Artículo de revista
En: Computer Standards and Interfaces, vol. 35, no 3, pp. 338-347, 2013, ISSN: 09205489, (cited By 5).
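@article{Román2013338,
  author    = {Román, I. and Madinabeitia, G. and Jimenez, L. and Molina, G. A. and Ternero, J. A.},
  title     = {Experiences applying {RM-ODP} principles and techniques to intelligent transportation system architectures},
  journal   = {Computer Standards and Interfaces},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {35},
  number    = {3},
  pages     = {338--347},
  doi       = {10.1016/j.csi.2011.12.004},
  issn      = {0920-5489},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-84872020740&doi=10.1016%2fj.csi.2011.12.004&partnerID=40&md5=8e1c7270dbe3815467a6d8c0107d152c},
  abstract  = {This paper shows the early experiences transferring architectural knowledge from Academic to Industry within an R + D + I project. This is done through the design and development of an Intelligent Transportation System (ITS) Architecture following SOA and RM-ODP principles, to facilitate openness, reusability, scalability and interoperability. Rationale selection of standards, technologies and platforms, considering system's requirements (real time, cost \ldots) has been done. An iterative agile development process, with incremental stages from design to final prototype, has been used. Early outcomes are centered in two services; multimedia flow management and notification. They have been developed using CORBA and are embedded in system's devices. © 2011 Elsevier B.V.},
  note      = {cited By 5},
  pubstate  = {published},
  tppubtype = {article}
}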
Fernández, F. J.; Sierra, A. J.; Ariza, T.; Madinabeitia, G.; Vozmediano, J. M.
Common virtualized environment in telematics labs Artículo de revista
En: International Journal of Online Engineering, vol. 9, no SPL.ISSUE5, pp. 25-31, 2013, ISSN: 18681646, (cited By 1).
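@article{Fernández201325,
  author    = {Fernández, F. J. and Sierra, A. J. and Ariza, T. and Madinabeitia, G. and Vozmediano, J. M.},
  title     = {Common virtualized environment in telematics labs},
  journal   = {International Journal of Online Engineering},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {9},
  number    = {SPL.ISSUE5},
  pages     = {25--31},
  doi       = {10.3991/ijoe.v9iS5.2757},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-84879510639&doi=10.3991%2fijoe.v9iS5.2757&partnerID=40&md5=af96cffe4c35612845623dc7a1739774},
  issn      = {1868-1646},
  note      = {cited By 1},
  abstract  = {The aim of this paper is to show the common scenario for practical content of subjects in the Department of Telematics Engineering by means of virtualization. This Department is responsible for a high number of laboratory groups, requiring many teachers and a high workload. A common environment for all practice groups is desired. A virtual machine was built with the same environment of the Computing Centre at School of Engineering at University of Seville. Then, this virtual machine was provided to students and is used to do practices. This article describes this experience and shows the improvements obtained.},
  pubstate  = {published},
  tppubtype = {article}
}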
Padilla, P.; Camacho, J.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.; García-Teodoro, P.; Gómez-Calero, C.
Erratum: On the influence of the propagation channel in the performance of energy-efficient geographic routing algorithms for wireless sensor networks (WSN) Artículo de revista
En: Wireless Personal Communications, vol. 70, no 1, 2013, ISSN: 0929-6212.
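@article{Padilla2013,
  author    = {Padilla, P. and Camacho, J. and Maciá-Fernández, G. and Díaz-Verdejo, J. E. and García-Teodoro, P. and Gómez-Calero, C.},
  title     = {Erratum: On the influence of the propagation channel in the performance of energy-efficient geographic routing algorithms for wireless sensor networks ({WSN})},
  journal   = {Wireless Personal Communications},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {70},
  number    = {1},
  doi       = {10.1007/s11277-012-0719-y},
  issn      = {0929-6212},
  note      = {Erratum to the article with DOI 10.1007/s11277-012-0676-5},
  pubstate  = {published},
  tppubtype = {article}
}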
Salah, S.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.
A model-based survey of alert correlation techniques Artículo de revista
En: Computer Networks, vol. 57, no 5, 2013, ISSN: 1389-1286.
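@article{Salah2013,
  author    = {Salah, S. and Maciá-Fernández, G. and Díaz-Verdejo, J. E.},
  title     = {A model-based survey of alert correlation techniques},
  journal   = {Computer Networks},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {57},
  number    = {5},
  doi       = {10.1016/j.comnet.2012.10.022},
  issn      = {1389-1286},
  abstract  = {As telecommunication networks evolve rapidly in terms of scalability, complexity, and heterogeneity, the efficiency of fault localization procedures and the accuracy in the detection of anomalous behaviors are becoming important factors that largely influence the decision making process in large management companies. For this reason, telecommunication companies are doing a big effort investing in new technologies and projects aimed at finding efficient management solutions. One of the challenging issues for network and system management operators is that of dealing with the huge amount of alerts generated by the managed systems and networks. In order to discover anomalous behaviors and speed up fault localization processes, alert correlation is one of the most popular resources. Although many different alert correlation techniques have been investigated, it is still an active research field. In this paper, a survey of the state of the art in alert correlation techniques is presented. Unlike other authors, we consider that the correlation process is a common problem for different fields in the industry. Thus, we focus on showing the broad influence of this problem. Additionally, we suggest an alert correlation architecture capable of modeling current and prospective proposals. Finally, we also review some of the most important commercial products currently available. © 2012 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}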
Khalife, Jawad; Hajjar, Amjad; Díaz-Verdejo, Jesús
Performance of OpenDPI in identifying sampled network traffic Artículo de revista
En: Journal of Networks, vol. 8, no 1, pp. 71–81, 2013, ISSN: 1796-2056.
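@article{Khalife2013,
  author    = {Khalife, Jawad and Hajjar, Amjad and Díaz-Verdejo, Jesús},
  title     = {Performance of {OpenDPI} in identifying sampled network traffic},
  journal   = {Journal of Networks},
  year      = {2013},
  date      = {2013-01-01},
  volume    = {8},
  number    = {1},
  pages     = {71--81},
  doi       = {10.4304/jnw.8.1.71-81},
  issn      = {1796-2056},
  abstract  = {The identification of the nature of the traffic flowing through a TCP/IP network is a relevant target for traffic engineering and security related tasks. Despite the privacy concerns it arises, Deep Packet Inspection (DPI) is one of the most successful current techniques. Nevertheless, the performance of DPI is strongly limited by computational issues related to the huge amount of data it needs to handle, both in terms of number of packets and the length of the packets. One way to reduce the computational overhead with identification techniques is to sample the traffic being monitored. This paper addresses the sensitivity of OpenDPI, one of the most powerful freely available DPI systems, with sampled network traffic. Two sampling techniques are applied and compared: the per-packet payload sampling, and the per-flow packet sampling. Based on the obtained results, some conclusions are drawn to show how far DPI methods could be optimised through traffic sampling. © 2013 ACADEMY PUBLISHER.},
  pubstate  = {published},
  tppubtype = {article}
}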
2012
Salcedo-Campos, Francisco; Díaz-Verdejo, Jesús; García-Teodoro, Pedro
Segmental parameterisation and statistical modelling of e-mail headers for spam detection Artículo de revista
En: Information Sciences, vol. 195, pp. 45–61, 2012, ISSN: 0020-0255.
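@article{Salcedo-Campos2012,
  author    = {Salcedo-Campos, Francisco and Díaz-Verdejo, Jesús and García-Teodoro, Pedro},
  title     = {Segmental parameterisation and statistical modelling of e-mail headers for spam detection},
  journal   = {Information Sciences},
  year      = {2012},
  date      = {2012-07-01},
  volume    = {195},
  pages     = {45--61},
  publisher = {Elsevier},
  doi       = {10.1016/j.ins.2012.01.022},
  issn      = {0020-0255},
  abstract  = {Spammers exploit the popularity and low cost of e-mail services to send unsolicited messages (spam), which fill users' accounts and waste valuable resources. To combat this problem, many different spam filtering techniques have been proposed in the literature. Nevertheless, most current anti-spamming filtering schemes are based on detecting relevant terms or tokens in the entire message or in only the body, which implies an invasion of users' privacy. In this paper, a novel spam-filtering technique based solely on the information present in headers is introduced. In this approach, headers are considered as the result of a dynamic process that generates characters. The observed characters are treated as signals and parameterised in accordance with standard signal pre-processing techniques by extracting relevant parameters from the header. From this, Hidden Markov Models (HMMs) are considered for a spam detection system. The performance achieved by our proposal is evaluated and compared with that of other pattern classification paradigms used for spam filtering. The experimental results for SpamAssassin, TREC05 and CEAS 2008 Lab Evaluation improve on those results obtained with other widely used techniques, achieving up to 98.42% of spam detection while keeping the false positive rate below 0.4% and with the added advantages of using only information from the headers and being independent of the language in which the e-mail is written. © 2012 Elsevier Inc. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}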
2011
Camacho, José; Padilla, Pablo; Díaz-Verdejo, Jesús; Smith, Keith; Lovett, David
Least-squares approximation of a space distribution for a given covariance and latent sub-space Artículo de revista
En: Chemometrics and Intelligent Laboratory Systems, vol. 105, no 2, pp. 171–180, 2011, ISSN: 0169-7439.
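@article{Camacho2011c,
  author    = {Camacho, José and Padilla, Pablo and Díaz-Verdejo, Jesús and Smith, Keith and Lovett, David},
  title     = {Least-squares approximation of a space distribution for a given covariance and latent sub-space},
  journal   = {Chemometrics and Intelligent Laboratory Systems},
  year      = {2011},
  date      = {2011-02-01},
  volume    = {105},
  number    = {2},
  pages     = {171--180},
  publisher = {Elsevier},
  doi       = {10.1016/j.chemolab.2010.12.005},
  issn      = {0169-7439},
  abstract  = {In this paper, a new method to approximate a data set by another data set with constrained covariance matrix is proposed. The method is termed Approximation of a DIstribution for a given COVariance (ADICOV). The approximation is solved in any projection subspace, including that of Principal Component Analysis (PCA) and Partial Least Squares (PLS). Given the direct relationship between covariance matrices and projection models, ADICOV is useful to test whether a data set satisfies the covariance structure in a projection model. This idea is broadly applicable in chemometrics. Also, ADICOV can be used to simulate data with a specific covariance structure and data distribution. Some applications are illustrated in an industrial case of study. © 2010 Elsevier B.V.},
  pubstate  = {published},
  tppubtype = {article}
}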
Estepa, R.; Estepa, A.; Cupertino, T.; Vozmediano, J. M.; Madinabeitia, G.
A productivity-based approach to LAN topology design Artículo de revista
En: IEEE Communications Letters, vol. 15, no 3, pp. 349–351, 2011, ISSN: 1089-7798, (cited By 2).
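@article{Estepa2011349,
  author    = {Estepa, R. and Estepa, A. and Cupertino, T. and Vozmediano, J. M. and Madinabeitia, G.},
  title     = {A productivity-based approach to {LAN} topology design},
  journal   = {IEEE Communications Letters},
  year      = {2011},
  date      = {2011-01-01},
  volume    = {15},
  number    = {3},
  pages     = {349--351},
  doi       = {10.1109/LCOMM.2011.012511.101742},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-79952900288&doi=10.1109%2fLCOMM.2011.012511.101742&partnerID=40&md5=f9279a570b98809e8d1fbad864ce0e31},
  issn      = {1089-7798},
  note      = {cited By 2},
  abstract  = {Over the useful life of a LAN, network downtimes will have a negative impact on organizational productivity not included in current Network Topological Design (NTD) problems. We propose a new approach to LAN topological design that includes the impact of these productivity losses into the network design, minimizing not only the CAPEX but also the expected cost of unproductiveness attributable to network downtimes over a certain period of network operation. © 2010 IEEE.},
  pubstate  = {published},
  tppubtype = {article}
}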
Estepa, R.; Estepa, A.; Cupertino, T.
A productivity-oriented methodology for local area network design in industrial environments Artículo de revista
En: Computer Networks, vol. 55, no 9, pp. 2303–2314, 2011, ISSN: 1389-1286, (cited By 2).
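@article{Estepa20112303,
  author    = {Estepa, R. and Estepa, A. and Cupertino, T.},
  title     = {A productivity-oriented methodology for local area network design in industrial environments},
  journal   = {Computer Networks},
  year      = {2011},
  date      = {2011-01-01},
  volume    = {55},
  number    = {9},
  pages     = {2303--2314},
  doi       = {10.1016/j.comnet.2011.03.011},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-79957450386&doi=10.1016%2fj.comnet.2011.03.011&partnerID=40&md5=24a7813b3bc920d26cca5bacc072726d},
  issn      = {1389-1286},
  note      = {cited By 2},
  abstract  = {Industrial plants use conventional local area networks (LANs) to access a growing number of client/server (C/S) applications such as customer relationship management (CRM) or enterprise resource planning (ERP) which have a direct impact on organization's productivity. These LANs are typically extended throughout the plant which makes them exposed to occasional accidents such as fiber breakages or power failures. Reliable network design (RND) problems address the design of minimum-cost topologies resilient to link failures up to a certain degree. However, RND problems fail to capture some parameters of practical importance for organizations such as productivity losses due to network outages, the time period for which the network design is expected to be operating, or the fact that not all nodes are equally important for productivity. We propose a new approach to LAN topological design named Productivity-aware reliable network design (PA-RND) that takes into account the productivity associated to each node of the network, minimizing not only the CAPEX but also the expected cost attributable to network downtimes over a certain period of network operation. Results show that our PA-RND problem optimizes the LAN topological design obtaining better results than current network design problems such as reliability constrained network design (RCND), minimum spanning tree (MST) or minimum cost ring (MCR). © 2011 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}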
2010
Salazar-Hernández, Rolando; Díaz-Verdejo, Jesús E.
Hybrid detection of application layer attacks using Markov models for normality and attacks Artículo de revista
En: Lecture Notes in Computer Science, vol. 6476, pp. 416–429, 2010, ISSN: 0302-9743.
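@article{Salazar-Hernandez2010,
  author    = {Salazar-Hernández, Rolando and Díaz-Verdejo, Jesús E.},
  title     = {Hybrid detection of application layer attacks using {Markov} models for normality and attacks},
  journal   = {Lecture Notes in Computer Science},
  year      = {2010},
  date      = {2010-01-01},
  volume    = {6476},
  pages     = {416--429},
  doi       = {10.1007/978-3-642-17650-0_29},
  issn      = {0302-9743},
  abstract  = {Previous works has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol with applications to anomaly-based intrusion detection. The detection is made based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system is proposed and evaluated based on this approach. The detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of missclassification. The dubious results are passed through the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system. © 2010 Springer-Verlag.},
  pubstate  = {published},
  tppubtype = {article}
}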
Maciá-Fernández, Gabriel; Rodríguez-Gómez, Rafael A.; Díaz-Verdejo, Jesús E.
Defense techniques for low-rate DoS attacks against application servers Artículo de revista
En: Computer Networks, vol. 54, no 15, pp. 2711–2727, 2010, ISSN: 1389-1286.
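@article{Macia-Fernandez2010,
  author    = {Maciá-Fernández, Gabriel and Rodríguez-Gómez, Rafael A. and Díaz-Verdejo, Jesús E.},
  title     = {Defense techniques for low-rate {DoS} attacks against application servers},
  journal   = {Computer Networks},
  year      = {2010},
  date      = {2010-01-01},
  volume    = {54},
  number    = {15},
  pages     = {2711--2727},
  doi       = {10.1016/j.comnet.2010.05.002},
  issn      = {1389-1286},
  abstract  = {Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocols or applications behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack: the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack. Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors. We extensively describe the suggested techniques, discussing the benefits and drawbacks for each under two criteria: the attack efficiency reduction obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in a both a simulated and a real environment, and provide guidelines for their implementation in a production system. © 2010 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}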
2009
Macia-Fernandez, Gabriel; Garcia-Teodoro, Pedro; Diaz-Verdejo, Jesus
Fraud in roaming scenarios: an overview Artículo de revista
En: IEEE Wireless Communications, vol. 16, no 6, pp. 88–94, 2009, ISSN: 1536-1284.
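@article{Macia-Fernandez2009a,
  author    = {Maciá-Fernández, Gabriel and García-Teodoro, Pedro and Díaz-Verdejo, Jesús},
  title     = {Fraud in roaming scenarios: an overview},
  journal   = {IEEE Wireless Communications},
  year      = {2009},
  date      = {2009-12-01},
  volume    = {16},
  number    = {6},
  pages     = {88--94},
  doi       = {10.1109/MWC.2009.5361183},
  url       = {http://ieeexplore.ieee.org/document/5361183/},
  issn      = {1536-1284},
  abstract  = {In the mobile telecommunications sector in general, and in the roaming scenario in particular, fraud can lead to large financial losses. This article first presents the major concerns regarding such security threats, and then proposes a classification for this type of attack, highlighting the necessity for the different players involved to take joint action. © 2009 IEEE.},
  pubstate  = {published},
  tppubtype = {article}
}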
García-Teodoro, P.; Díaz-Verdejo, J.; Maciá-Fernández, G.; Vázquez, E.
Anomaly-based network intrusion detection: Techniques, systems and challenges Artículo de revista
En: Computers and Security, vol. 28, no 1-2, pp. 18–28, 2009, ISSN: 0167-4048.
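@article{Garcia-Teodoro2009,
  author    = {García-Teodoro, P. and Díaz-Verdejo, J. and Maciá-Fernández, G. and Vázquez, E.},
  title     = {Anomaly-based network intrusion detection: Techniques, systems and challenges},
  journal   = {Computers and Security},
  year      = {2009},
  date      = {2009-01-01},
  volume    = {28},
  number    = {1-2},
  pages     = {18--28},
  doi       = {10.1016/j.cose.2008.08.003},
  issn      = {0167-4048},
  abstract  = {The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues. © 2008 Elsevier Ltd. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}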
Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro
Mathematical model for low-rate DoS attacks against application servers Artículo de revista
En: IEEE Transactions on Information Forensics and Security, vol. 4, no 3, pp. 519–529, 2009, ISSN: 1556-6013.
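@article{Macia-Fernandez2009,
  author    = {Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and García-Teodoro, Pedro},
  title     = {Mathematical model for low-rate {DoS} attacks against application servers},
  journal   = {IEEE Transactions on Information Forensics and Security},
  year      = {2009},
  date      = {2009-01-01},
  volume    = {4},
  number    = {3},
  pages     = {519--529},
  doi       = {10.1109/TIFS.2009.2024719},
  issn      = {1556-6013},
  abstract  = {In recent years, variants of denial of service (DoS) attacks that use low-rate traffic have been proposed, including the Shrew attack, reduction of quality attacks, and low-rate DoS attacks against application servers (LoRDAS). All of these are flooding attacks that take advantage of vulnerability in the victims for reducing the rate of the traffic. Although their implications and impact have been comprehensively studied, mainly by means of simulation, there is a need for mathematical models by which the behaviour of these sometimes complex processes can be described. In this paper, we propose a mathematical model for the LoRDAS attack. This model allows us to evaluate its performance by relating it to the configuration parameters of the attack and the dynamics of network and victim. The model is validated by comparing the performance values given against those obtained from a simulated environment. In addition, some applicability issues for the model are contributed, together with interpretation guidelines to the model's behaviour. Finally, experience of the model enables us to make some recommendations for the challenging task of building defense techniques against this attack. © 2006 IEEE.},
  pubstate  = {published},
  tppubtype = {article}
}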
2008
Toro-Negro, F. De; García-Teodoro, P.; Díaz-Verdejo, J. E.; Maciá-Fernandez, G.
A deterministic crowding evolutionary algorithm for optimization of a knn-based anomaly intrusion detection system Artículo de revista
En: Frontiers in Artificial Intelligence and Applications, vol. 177, no 1, pp. 111–120, 2008, ISSN: 0922-6389.
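@article{DeToro-Negro2008,
  author    = {De Toro-Negro, F. and García-Teodoro, P. and Díaz-Verdejo, J. E. and Maciá-Fernandez, G.},
  title     = {A deterministic crowding evolutionary algorithm for optimization of a {kNN}-based anomaly intrusion detection system},
  journal   = {Frontiers in Artificial Intelligence and Applications},
  year      = {2008},
  date      = {2008-01-01},
  volume    = {177},
  number    = {1},
  pages     = {111--120},
  publisher = {IOS Press},
  doi       = {10.3233/978-1-58603-890-8-111},
  url       = {https://dl.acm.org/doi/10.5555/1565639.1565651},
  issn      = {0922-6389},
  abstract  = {This paper addresses the use of an evolutionary algorithm for the optimization of a K-nearest neighbor classifier to be used in the implementation of an intrusion detection system. The inclusion of a diversity maintenance technique embodied in the design of the evolutionary algorithm enables us to obtain different subsets of features extracted from network traffic data that lead to high classification accuracies. The methodology has been preliminarily applied to the Denial of Service attack detection, a key issue in maintaining continuity of the services provided by business organizations. © 2008 The authors and IOS Press. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}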
Estepa, A.; Estepa, R.; Vozmediano, J.
Traffic trunk parameters for voice transport over MPLS Artículo de revista
En: Communications in Computer and Information Science, vol. 9, pp. 199–210, 2008, ISSN: 1865-0929, (cited By 0).
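@article{Estepa2008199,
  author    = {Estepa, A. and Estepa, R. and Vozmediano, J.},
  title     = {Traffic trunk parameters for voice transport over {MPLS}},
  editor    = {Obaidat, M. S. and Filipe, J.},
  journal   = {Communications in Computer and Information Science},
  year      = {2008},
  date      = {2008-01-01},
  volume    = {9},
  pages     = {199--210},
  publisher = {Springer Verlag},
  doi       = {10.1007/978-3-540-70760-8_16},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-85025453062&doi=10.1007%2f978-3-540-70760-8_16&partnerID=40&md5=f55008a672886f9a2e86c71012e57ab2},
  issn      = {1865-0929},
  note      = {cited By 0},
  abstract  = {Access nodes in NGN are likely to transport voice traffic using MPLS Traffic Trunks. The traffic parameters describing a Traffic Trunk are basic to calculate the network resources to be allocated along the nodes belonging to its corresponding Label-Switched-Path (LSP). This paper provides an analytical model to estimate the lower limit of the bandwidth that needs to be allocated to a TT loaded with a heterogeneous set of voice connections. Our model considers the effect of the Silence Insertion Descriptor (SID) frames that a number of VoIP codecs currently use. Additionally, two transport schemes are considered: VoIP and VoMPLS. The results, experimentally validated, quantify the benefits of VoMPLS over VoIP. © Springer-Verlag Berlin Heidelberg 2008.},
  pubstate  = {published},
  tppubtype = {article}
}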
Estepa, A.; Estepa, R.; Pacheco, A.
Accurate resource estimation for generalized VoIP sources Artículo de revista
En: Telecommunication Systems, vol. 39, no 1, pp. 37–50, 2008, ISSN: 1018-4864, (cited By 3).
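@article{Estepa200837,
  author    = {Estepa, A. and Estepa, R. and Pacheco, A.},
  title     = {Accurate resource estimation for generalized {VoIP} sources},
  journal   = {Telecommunication Systems},
  year      = {2008},
  date      = {2008-01-01},
  volume    = {39},
  number    = {1},
  pages     = {37--50},
  doi       = {10.1007/s11235-008-9084-2},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-49449095865&doi=10.1007%2fs11235-008-9084-2&partnerID=40&md5=bb597ddaa93a06927252fae29e031c4e},
  issn      = {1018-4864},
  note      = {cited By 3},
  abstract  = {Current voice codecs like G.729, G.723.1 or AMR can generate short background descriptors (SID) frames during voice inactivity periods for Comfort Noise Generation (CNG). This feature alters the classical on-off traffic pattern typically used to model the traffic generated by codecs with a Silence Suppression scheme. Therefore the CNG feature leads to severe inaccuracies in the dimensioning analysis done through traditional models based on multiplexing on-off sources like MMPP or fluid model. In this paper, we focus on the VoIP dimensioning issue. First, we define the traffic pattern generated by those codecs that include CNG (generalized VoIP sources). Second, we extend the traditional MMPP and fluid analytical models to multiplex our generalized VoIP sources and propose a simple but efficient dimensioning algorithm. Results are validated by simulations fed by VoIP traces and demonstrate a significant improvement in accuracy with respect to current on-off based approaches. © 2008 Springer Science+Business Media, LLC.},
  pubstate  = {published},
  tppubtype = {article}
}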
Estepa, A.; Estepa, R.
Accurate resource estimation for homogeneous VoIP aggregated traffic Artículo de revista
En: Computer Networks, vol. 52, no 13, pp. 2505–2517, 2008, ISSN: 1389-1286, (cited By 6).
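@article{Estepa20082505,
  author    = {Estepa, A. and Estepa, R.},
  title     = {Accurate resource estimation for homogeneous {VoIP} aggregated traffic},
  journal   = {Computer Networks},
  year      = {2008},
  date      = {2008-01-01},
  volume    = {52},
  number    = {13},
  pages     = {2505--2517},
  doi       = {10.1016/j.comnet.2008.04.012},
  url       = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-49049103930&doi=10.1016%2fj.comnet.2008.04.012&partnerID=40&md5=7c03558bd610a83013b07656e6a10d77},
  issn      = {1389-1286},
  note      = {cited By 6},
  abstract  = {Modern VoIP codecs like G.729, G.723.1 or AMR can generate traffic during voice inactivity periods for Comfort Noise Generation (CNG). This feature alters the classical on-off pattern typically used to model the traffic generated by codecs with a Silence Suppression scheme. Therefore, the traffic generated due to CNG leads to severe inaccuracies in the dimensioning analysis done through traditional models based on multiplexing on-off sources like MMPP or fluid model. This paper addresses the VoIP dimensioning issue. First, we extend the traditional MMPP and fluid analytical models to include those traffic sources which perform the CNG feature. Second, we propose a simple but efficient algorithm which can be applied in dimensioning or admission control to find out the bandwidth reservation required to guarantee delay and loss in a packet-switch multiplexer node for VoIP traffic. Results are validated by simulations and VoIP traces and demonstrate a significant improvement in accuracy with respect to current on-off-based approaches. © 2008 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}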
Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro
Evaluation of a low-rate DoS attack against application servers Artículo de revista
En: Computers and Security, vol. 27, no 7-8, pp. 335–354, 2008, ISSN: 0167-4048.
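@article{Macia-Fernandez2008,
  author    = {Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and García-Teodoro, Pedro},
  title     = {Evaluation of a low-rate {DoS} attack against application servers},
  journal   = {Computers and Security},
  year      = {2008},
  date      = {2008-01-01},
  volume    = {27},
  number    = {7-8},
  pages     = {335--354},
  doi       = {10.1016/j.cose.2008.07.004},
  issn      = {0167-4048},
  abstract  = {In the network security field there is a need to identify new movements and trends that attackers might adopt, in order to anticipate their attempts with defense and mitigation techniques. The present study explores new approaches that attackers could use in order to make denial of service attacks against application servers. We show that it is possible to launch such attacks by using low-rate traffic directed against servers, and apply the proposed techniques to defeat a persistent HTTP server. The low-rate feature is highly beneficial to the attacker for two main reasons: firstly, because the resources needed to carry out the attack are considerably reduced, easing its execution. Secondly, the attack is more easily hidden to security mechanisms that rely on the detection of high-rate traffic. In this paper, a mechanism that allows the attacker to control the attack load in order to bypass an IDS is contributed. We present the fundamentals of the attack, describing its strategy and design issues. The performance is also evaluated in both simulated and real environments. Finally, a study of possible improvement techniques to be used by the attackers is contributed. © 2008 Elsevier Ltd. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}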
2007
Salazar-Hernández, R.; Díaz-Verdejo, J.; García-Teodoro, P.; Maciá-Fernández, G.; Toro, F. De
Uso de funciones compendio en la detección de anomalías mediante N3 Artículo de revista
En: Actas de las VI Jornadas de Ingeniería Telemática (JITEL '07), pp. 601–604, 2007.
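@article{Salazar-jitel2007,
  author    = {Salazar-Hernández, R. and Díaz-Verdejo, J. and García-Teodoro, P. and Maciá-Fernández, G. and De Toro, F.},
  title     = {Uso de funciones compendio en la detección de anomalías mediante {N3}},
  journal   = {Actas de las VI Jornadas de Ingeniería Telemática (JITEL '07)},
  year      = {2007},
  date      = {2007-01-01},
  pages     = {601--604},
  abstract  = {The Nearest Normal Neighbor (N3) is an anomaly-based intrusion detection system which has demonstrated a good performance in terms of detection capabilities when applied to the HTTP protocol. Nevertheless, N3 presents a high computational cost, as it is based in the comparison of the target HTTP payload against every payload in the normality model. The cost is proportional to the length of the payloads and to the number of elements in the model. The present paper explores the use of the hash functions as a method to reduce the computational cost of the system by decreasing the average length of the payloads. The model is, therefore, composed by fixed length hashes of each payload in the original model, and the hash of the target payload is compared against this model. The results obtained for SHA256 and SHA512 show a big decrease in computational cost with a reduced impact in system's performance.},
  pubstate  = {published},
  tppubtype = {article}
}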
Estepa, A.; Estepa, R.
Accurate VoIP dimensioning for WAN links Artículo de revista
En: Electronics Letters, vol. 43, no 23, pp. 1318–1320, 2007, ISSN: 0013-5194, (cited By 3).
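@article{Estepa20071318,
title = {Accurate {VoIP} dimensioning for {WAN} links},
author = {Estepa, A. and Estepa, R.},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-36049039557&doi=10.1049%2fel%3a20071739&partnerID=40&md5=19fddcff41c2ce59723e252cd4019314},
doi = {10.1049/el:20071739},
issn = {0013-5194},
year = {2007},
date = {2007-01-01},
journal = {Electronics Letters},
volume = {43},
number = {23},
pages = {1318--1320},
abstract = {The comfort noise generation (CNG) feature of current VoIP codecs leads to inaccuracies in the multiplexing performance analysis based on on-off sources. The fluid model is adapted to obtain accurate loss prediction in the multiplexing process of VoIP sources equipped with CNG and provide an algorithmic solution for its dimensioning application. Results, validated with traces, demonstrate significant improvement with respect to on-off multiplexing approaches. © The Institution of Engineering and Technology 2007.},
note = {cited By 3},
keywords = {},
pubstate = {published},
tppubtype = {article}
}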
Estepa, A.; Estepa, R.
Dimensioning generalized VoIP sources in WAN links Artículo de revista
En: IEEE Communications Letters, vol. 11, no 12, pp. 1010-1012, 2007, ISSN: 10897798, (cited By 1).
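@article{Estepa20071010,
title = {Dimensioning generalized {VoIP} sources in {WAN} links},
author = {Estepa, A. and Estepa, R.},
url = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-38149120631&doi=10.1109%2fLCOMM.2007.070924&partnerID=40&md5=d85618446bd944e5ef8defaa9c3dd468},
doi = {10.1109/LCOMM.2007.070924},
issn = {1089-7798},
year = {2007},
date = {2007-01-01},
journal = {IEEE Communications Letters},
volume = {11},
number = {12},
pages = {1010--1012},
abstract = {The Comfort Noise Generation (CNG) feature of current VoIP codecs can lead to severe inaccuracies in the dimensioning analysis done through traditional models based on multiplexing on-off sources. We adapt the fluid model to obtain an accurate loss prediction in the multiplexing process of those codecs equipped with CNG. Results are validated by simulations fed with VoIP traffic traces and demonstrate a significant accuracy improvement with respect to current on-off multiplexing approaches. © 2007 IEEE.},
note = {cited By 1},
keywords = {},
pubstate = {published},
tppubtype = {article}
}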
Díaz-Verdejo, Jesus E.; García-Teodoro, Pedro; Muñoz, P.; Maciá-Fernández, G.; Toro, F. De
Una aproximación basada en Snort para el desarrollo e implantación de IDS híbridos Artículo de revista
En: IEEE Latin America Transactions, vol. 5, no 6, pp. 386–392, 2007, ISSN: 15480992.
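@article{Diaz-Verdejo2007,
title = {Una aproximación basada en {Snort} para el desarrollo e implantación de {IDS} híbridos},
author = {Díaz-Verdejo, Jesus E. and García-Teodoro, Pedro and Muñoz, P. and Maciá-Fernández, G. and De Toro, F.},
doi = {10.1109/TLA.2007.4395226},
issn = {1548-0992},
year = {2007},
date = {2007-01-01},
journal = {IEEE Latin America Transactions},
volume = {5},
number = {6},
pages = {386--392},
abstract = {Apart from the modeling techniques, the development and deployment of anomaly-based intrusion detection systems still faces two main problems. The first one is related to the acquisition and handling of real traffic to be used for training purposes. The second one concerns the better performance of signature-based IDS for known attacks. In this paper the authors propose the use of a modified version of Snort which results in a hybrid detector/classifier. This version can be used both during the training phase of the anomaly-based system and as a deployed hybrid detector and traffic sniffer. Furthermore, it can be adjusted to work just as signature-based, anomaly-based or both (hybrid) detector. On the other hand, this version can be used to directly sniff, classify and split the network traffic according to its malicious nature, which eases the problems related to the acquisition and handling of training traffic. {\textcopyright} Copyright 2010 IEEE - All Rights Reserved.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}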