2025
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Muñoz-Calle, F. J.; Madinabeitia, German
Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 Artículo de revista
En: Cybersecurity, vol. 8, no 35, 2025, ISSN: 2523-3246.
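@comment{Biblio24: the exported DOI carried a resolver prefix and U+2011 non-breaking hyphens, which do not resolve; stored here as the bare identifier with ASCII hyphens. A urldate without a url and an empty keywords field were dropped.}
@article{Biblio24,
  title     = {Building a large, realistic and labeled {HTTP} {URI} dataset for anomaly-based intrusion detection systems: {Biblio-US17}},
  author    = {Díaz-Verdejo, Jesús E. and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Muñoz-Calle, F. J. and Madinabeitia, German},
  journal   = {Cybersecurity},
  volume    = {8},
  number    = {35},
  year      = {2025},
  date      = {2025-06-05},
  doi       = {10.1186/s42400-024-00336-3},
  issn      = {2523-3246},
  abstract  = {This paper introduces Biblio-US17, a labeled dataset collected over 6 months from the log files of a popular public website at the University of Seville. It contains 47 million records, each including the method, uniform resource identifier (URI) and associated response code and size of every request received by the web server. Records have been classified as either normal or attack using a comprehensive semi-automated process, which involved signature-based detection, assisted inspection of URIs vocabulary, and substantial expert manual supervision. Unlike comparable datasets, this one offers a genuine real-world perspective on the normal operation of an active website, along with an unbiased proportion of actual attacks (i.e., non-synthetic). This makes it ideal for evaluating and comparing anomaly-based approaches in a realistic environment. Its extensive size and duration also make it valuable for addressing challenges like data shift and insufficient training. This paper describes the collection and labeling processes, dataset structure, and most relevant properties. We also include an example of an application for assessing the performance of a simple anomaly detector. Biblio-US17, now available to the scientific community, can also be used to model the URIs used by current web servers.},
  pubstate  = {published},
  tppubtype = {article},
}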
2024
Muñoz-Calle, Javier; Alonso, Rafael Estepa; Alonso, Antonio Estepa; Díaz-Verdejo, Jesús E.; Fernández, Elvira Castillo; Madinabeitia, Germán
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection Artículo de revista
En: JUCS - Journal of Universal Computer Science, vol. 30, no 9, pp. 1184-1204, 2024, ISSN: 0948-695X.
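@article{10.3897/jucs.131686,
  title     = {A Flexible Multilevel System for {Mitre} {ATT\&CK} Model-driven Alerts and Events Correlation in Cyberattacks Detection},
  author    = {Muñoz-Calle, Javier and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Díaz-Verdejo, Jesús E. and Castillo Fernández, Elvira and Madinabeitia, Germán},
  journal   = {JUCS - Journal of Universal Computer Science},
  volume    = {30},
  number    = {9},
  pages     = {1184--1204},
  publisher = {Journal of Universal Computer Science},
  year      = {2024},
  date      = {2024-01-01},
  doi       = {10.3897/jucs.131686},
  issn      = {0948-695X},
  abstract  = {Network monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events/alerts. This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT\&CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.},
  pubstate  = {published},
  tppubtype = {article},
}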
Lara, Agustín; Estepa, Antonio; Estepa, Rafael; Díaz-Verdejo, Jesús E.; Mayor, Vicente
Anomaly-based Intrusion Detection System for smart lighting Artículo de revista
En: Internet of Things, vol. 28, pp. 101427, 2024, ISSN: 2542-6605.
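@article{LARA2024101427,
  title     = {Anomaly-based Intrusion Detection System for smart lighting},
  author    = {Lara, Agustín and Estepa, Antonio and Estepa, Rafael and Díaz-Verdejo, Jesús E. and Mayor, Vicente},
  journal   = {Internet of Things},
  volume    = {28},
  pages     = {101427},
  year      = {2024},
  date      = {2024-01-01},
  doi       = {10.1016/j.iot.2024.101427},
  issn      = {2542-6605},
  abstract  = {Smart Lighting Systems (SLS) are essential to smart cities, offering enhanced energy efficiency and public safety. However, they are susceptible to security threats, potentially leading to safety risks and service disruptions, making the protection of this infrastructure critical. This paper presents an anomaly-based Intrusion Detection System (IDS) designed for a real-world operational SLS. As commercial deployments vary in components, protocols, and functionalities, IDSs must be tailored to the specific characteristics of each deployment to perform effectively. Our anomaly-based IDS has been defined based on the properties of the available data and the types of attacks we aim to detect, offering both explainability and low complexity. The proposed system identifies anomalies in seven features of network traffic and in the telemetry data received at the central control (O\&M) server. For the latter, we designed three customized detectors to identify abnormal data points, persistent deviations in street lamp power consumption, and abnormal power value based on the time of day. Validation with real-world data and simulated attacks demonstrates the effectiveness of our approach. Network attacks (e.g., DoS, scanning) were detected by at least one of the seven flow-related anomaly detectors, while simulated data poisoning attacks and operational technology (OT) issues were detected with nearly 90\% accuracy. The datasets used in this work are publicly available and may serve as reference for the design of future IDSs. While our detectors were designed specifically for our dataset, the variables examined and vulnerabilities addressed are common in most commercial SLSs.},
  pubstate  = {published},
  tppubtype = {article},
}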
2023
Walabonso Lara, Agustín; Mayor, Vicente; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Díaz-Verdejo, Jesús E.
Smart home anomaly-based IDS: Architecture proposal and case study Artículo de revista
En: Internet of Things, vol. 22, pp. 100773, 2023, ISSN: 2542-6605.
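@article{Lara2023,
  title     = {Smart home anomaly-based {IDS}: Architecture proposal and case study},
  author    = {Walabonso Lara, Agustín and Mayor, Vicente and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Díaz-Verdejo, Jesús E.},
  journal   = {Internet of Things},
  volume    = {22},
  pages     = {100773},
  publisher = {Elsevier},
  year      = {2023},
  date      = {2023-07-01},
  doi       = {10.1016/j.iot.2023.100773},
  issn      = {2542-6605},
  abstract  = {The complexity and diversity of the technologies involved in the Internet of Things (IoT) challenge the generalization of security solutions based on anomaly detection, which should fit the particularities of each context and deployment and allow for performance comparison. In this work, we provide a flexible architecture based on building blocks suited for detecting anomalies in the network traffic and the application-layer data exchanged by IoT devices in the context of Smart Home. Following this architecture, we have defined a particular Intrusion Detector System (IDS) for a case study that uses a public dataset with the electrical consumption of 21 home devices over one year. In particular, we have defined ten Indicators of Compromise (IoC) to detect network attacks and two anomaly detectors to detect false command or data injection attacks. We have also included a signature-based IDS (Snort) to extend the detection range to known attacks. We have reproduced eight network attacks (e.g., DoS, scanning) and four False Command or Data Injection attacks to test our IDS performance. The results show that all attacks were successfully detected by our IoCs and anomaly detectors with a false positive rate lower than 0.3\%. Signature detection was able to detect only 4 out of 12 attacks. Our architecture and the IDS developed can be a reference for developing future IDS suited to different contexts or use cases. Given that we use a public dataset, our contribution can also serve as a baseline for comparison with new techniques that improve detection performance.},
  pubstate  = {published},
  tppubtype = {article},
}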
Román-Martínez, Isabel; Calvillo-Arbizu, Jorge; Mayor-Gallego, Vicente J.; Madinabeitia-Luque, Germán; Estepa-Alonso, Antonio J.; Estepa-Alonso, Rafael M.
Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing Artículo de revista
En: IEEE Access, vol. 11, pp. 12727-12741, 2023, ISSN: 2169-3536.
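@article{10036374,
  title     = {Blockchain-Based Service-Oriented Architecture for Consent Management, Access Control, and Auditing},
  author    = {Román-Martínez, Isabel and Calvillo-Arbizu, Jorge and Mayor-Gallego, Vicente J. and Madinabeitia-Luque, Germán and Estepa-Alonso, Antonio J. and Estepa-Alonso, Rafael M.},
  journal   = {IEEE Access},
  volume    = {11},
  pages     = {12727--12741},
  year      = {2023},
  date      = {2023-01-01},
  doi       = {10.1109/ACCESS.2023.3242605},
  issn      = {2169-3536},
  abstract  = {Continuity of care requires the exchange of health information among organizations and care teams. The EU General Data Protection Regulation (GDPR) establishes that subject of care should give explicit consent to the treatment of her personal data, and organizations must obey the individual’s will. Nevertheless, few solutions focus on guaranteeing the proper execution of consents. We propose a service-oriented architecture, backed by blockchain technology, that enables: (1) tamper-proof and immutable storage of subject of care consents; (2) a fine-grained access control for protecting health data according to consents; and (3) auditing tasks for supervisory authorities (or subjects of care themselves) to assess that healthcare organizations comply with GDPR and granted consents. Standards for health information exchange and access control are adopted to guarantee interoperability. Access control events and the subject of care consents are maintained on a blockchain, providing a trusted collaboration between organizations, supervisory authorities, and individuals. A prototype of the architecture has been implemented as a proof of concept to evaluate the performance of critical components. The application of subject of care consent to control the treatment of personal health data in federated and distributed environments is a pressing concern. The experimental results show that blockchain can effectively support sharing consent and audit events among healthcare organizations, supervisory authorities, and individuals.},
  pubstate  = {published},
  tppubtype = {article},
}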
Mayor, V.; Estepa, R.; Estepa, A.
CO-CAC: A new approach to Call Admission Control for VoIP in 5G/WiFi UAV-based relay networks Artículo de revista
En: Computer Communications, vol. 197, pp. 284-293, 2023, ISSN: 01403664, (cited By 0).
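@article{Mayor2023284,
  title     = {{CO-CAC}: A new approach to Call Admission Control for {VoIP} in {5G}/{WiFi} {UAV}-based relay networks},
  author    = {Mayor, V. and Estepa, R. and Estepa, A.},
  journal   = {Computer Communications},
  volume    = {197},
  pages     = {284--293},
  publisher = {Elsevier B.V.},
  year      = {2023},
  date      = {2023-01-01},
  doi       = {10.1016/j.comcom.2022.11.006},
  issn      = {0140-3664},
  abstract  = {Voice over IP (VoIP) requires a Call Admission Control (CAC) mechanism in WiFi networks to preserve VoIP packet flows from excessive network delay or packet loss. Ideally, this mechanism should be integrated with the operational scenario, guarantee the quality of service of active calls, and maximize the number of concurrent calls. This paper presents a novel CAC scheme for VoIP in the context of a WiFi access network deployed with Unmanned Aerial Vehicles (UAVs) that relay to a backhaul 5G network. Our system, named Codec-Optimization CAC (CO-CAC), is integrated into each drone. It intercepts VoIP call control messages and decides on the admission of every new call based on a prediction of the WiFi network's congestion level and the minimum quality of service desired for VoIP calls. To maximize the number of concurrent calls, CO-CAC proactively optimizes the codec settings of active calls by exchanging signaling with VoIP users. We have simulated CO-CAC in a 50m × 50m scenario with four UAVs providing VoIP service to up to 200 ground users with IEEE 802.11ac WiFi terminals. Our results show that without CAC, the number of calls that did not meet a minimum quality level during the simulation was 10\% and 90\%, for 50 and 200 users, respectively. However, when CO-CAC was in place, all calls achieved minimum quality for up to 90 users without rejecting any call. For 200 users, only 25\% of call attempts were rejected by the admission control scheme. These results were narrowly worse when the ground users moved randomly in the scenario.},
  pubstate  = {published},
  tppubtype = {article},
}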
Díaz-Verdejo, Jesús E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Madinabeitia, German
A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges Artículo de revista
En: Computers and Security, vol. 124, pp. 102997, 2023, ISSN: 01674048.
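@article{Diaz-Verdejo2023,
  title     = {A critical review of the techniques used for anomaly detection of {HTTP}-based attacks: taxonomy, limitations and open challenges},
  author    = {Díaz-Verdejo, Jesús E. and Estepa Alonso, Rafael and Estepa Alonso, Antonio and Madinabeitia, German},
  journal   = {Computers and Security},
  volume    = {124},
  pages     = {102997},
  year      = {2023},
  date      = {2023-01-01},
  doi       = {10.1016/j.cose.2022.102997},
  issn      = {0167-4048},
  abstract  = {Intrusion Detection Systems (IDSs) and Web Application Firewalls (WAFs) offer a crucial layer of defense that allows organizations to detect cyberattacks on their web servers. Academic research overwhelmingly suggests using anomaly detection techniques to improve the performance of these defensive systems. However, analyzing and comparing the wide range of solutions in the scientific literature is challenging since they are typically presented as isolated (unrelated) contributions, and their results cannot be generalized. We believe that this impairs the industry's adoption of academic results and the advancement of research in this field. This paper aims to shed light on the literature on anomaly-based detection of attacks that use HTTP request messages. We define a novel framework for anomaly detection based on six data processing steps grouped into two sequential phases: preprocessing and classification. Based on this framework, we provide a taxonomy and critical review of the techniques surveyed, emphasizing their limitations and applicability. Future approaches should take advantage of the syntax and semantics of the Uniform Resource Locator (URL), be scalable, and address their obsolescence. These aspects are frequently overlooked in the literature and pose a significant challenge in the current era of web services. For better comparability, authors should use adequate public datasets, follow a thorough methodology, and use appropriate metrics that fully show the pros and cons of the approach.},
  pubstate  = {published},
  tppubtype = {article},
}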
2022
Díaz-Verdejo, J. E.; Muñoz-Calle, F. J.; Estepa Alonso, A.; Estepa Alonso, R.; Madinabeitia, G.
On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks Artículo de revista
En: Applied Sciences, vol. 12, no 2, pp. 852, 2022, ISSN: 20763417.
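@article{Diaz-Verdejo2022,
  title     = {On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks},
  author    = {Díaz-Verdejo, J. E. and Muñoz-Calle, F. J. and Estepa Alonso, A. and Estepa Alonso, R. and Madinabeitia, G.},
  journal   = {Applied Sciences},
  volume    = {12},
  number    = {2},
  pages     = {852},
  publisher = {Multidisciplinary Digital Publishing Institute},
  year      = {2022},
  date      = {2022-01-01},
  doi       = {10.3390/app12020852},
  issn      = {2076-3417},
  abstract  = {Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.},
  pubstate  = {published},
  tppubtype = {article},
}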
2020
Díaz-Verdejo, Jesús E.; Estepa, Antonio; Estepa, Rafael; Madinabeitia, German; Muñoz-Calle, Fco Javier
A methodology for conducting efficient sanitization of HTTP training datasets Artículo de revista
En: Future Generation Computer Systems, vol. 109, pp. 67–82, 2020, ISSN: 0167739X.
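@article{Diaz-Verdejo2020,
  title     = {A methodology for conducting efficient sanitization of {HTTP} training datasets},
  author    = {Díaz-Verdejo, Jesús E. and Estepa, Antonio and Estepa, Rafael and Madinabeitia, German and Muñoz-Calle, Fco Javier},
  journal   = {Future Generation Computer Systems},
  volume    = {109},
  pages     = {67--82},
  publisher = {Elsevier B.V.},
  year      = {2020},
  date      = {2020-08-01},
  doi       = {10.1016/j.future.2020.03.033},
  issn      = {0167-739X},
  abstract  = {The performance of anomaly-based intrusion detection systems depends on the quality of the datasets used to form normal activity profiles. Suitable datasets should include high volumes of real-life data free from attack instances. On account of this requirement, obtaining quality datasets from collected data requires a process of data sanitization that may be prohibitive if done manually, or uncertain if fully automated. In this work, we propose a sanitization approach for obtaining datasets from HTTP traces suited for training, testing, or validating anomaly-based attack detectors. Our methodology has two sequential phases. In the first phase, we clean known attacks from data using a pattern-based approach that relies on tools that detect URI-based known attacks. In the second phase, we complement the result of the first phase by conducting assisted manual labeling systematically and efficiently, setting the focus of expert examination not on the raw data (which would be millions of URIs), but on the set of words that compose the URIs. This dramatically downsizes the volume of data that requires expert discernment, making manual sanitization of large datasets feasible. We have applied our method to sanitize a trace that includes 45 million requests received by the library web server of the University of Seville. We were able to generate clean datasets in less than 84 h with only 33 h of manual supervision. We have also applied our method to some public benchmark datasets, confirming that attacks unnoticed by signature-based detectors can be discovered in a reduced time span.},
  pubstate  = {published},
  tppubtype = {article},
}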
Estepa, R.; Díaz-Verdejo, J. E.; Estepa, A.; Madinabeitia, G.
How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection Artículo de revista
En: IEEE Access, vol. 8, pp. 44410-44425, 2020, ISSN: 2169-3536.
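@article{2020-howmuch,
  title     = {How Much Training Data is Enough? A Case Study for {HTTP} Anomaly-Based Intrusion Detection},
  author    = {Estepa, R. and Díaz-Verdejo, J. E. and Estepa, A. and Madinabeitia, G.},
  journal   = {IEEE Access},
  volume    = {8},
  pages     = {44410--44425},
  year      = {2020},
  date      = {2020-03-02},
  doi       = {10.1109/ACCESS.2020.2977591},
  issn      = {2169-3536},
  abstract  = {Most anomaly-based intrusion detectors rely on models that learn from training datasets whose quality is crucial in their performance. Albeit the properties of suitable datasets have been formulated, the influence of the dataset size on the performance of the anomaly-based detector has received scarce attention so far. In this work, we investigate the optimal size of a training dataset. This size should be large enough so that training data is representative of normal behavior, but after that point, collecting more data may result in unnecessary waste of time and computational resources, not to mention an increased risk of overtraining. In this spirit, we provide a method to find out when the amount of data collected at the production environment is representative of normal behavior in the context of a detector of HTTP URI attacks based on 1-grammar. Our approach is founded on a set of indicators related to the statistical properties of the data. These indicators are periodically calculated during data collection, producing time series that stabilize when more training data is not expected to translate to better system performance, which indicates that data collection can be stopped. We present a case study with real-life datasets collected at the University of Seville (Spain) and a public dataset from the University of Saskatchewan. The application of our method to these datasets showed that more than 42\% of one trace, and almost 20\% of another were unnecessarily collected, thereby showing that our proposed method can be an efficient approach for collecting training data at the production environment.},
  pubstate  = {published},
  tppubtype = {article},
}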
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Unified call admission control in corporate domains Artículo de revista
En: Computer Communications, vol. 150, pp. 589-602, 2020, ISSN: 01403664, (cited By 4).
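@article{Mayor2020589,
  title     = {Unified call admission control in corporate domains},
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  journal   = {Computer Communications},
  volume    = {150},
  pages     = {589--602},
  publisher = {Elsevier B.V.},
  year      = {2020},
  date      = {2020-01-01},
  doi       = {10.1016/j.comcom.2019.11.041},
  issn      = {0140-3664},
  abstract  = {Call Admission Control is a central mechanism for assurance of quality of service in telephony. While CAC is integrated into Public Switched Telephony Network (PSTN), its application to voice over IP in a corporate environment is challenging not only due to the heterogeneity of technologies, but also because of the difficulty of implementation into commercial VoIP terminals or Access Points. We present a novel framework that unifies call admission control for VoIP telephony corporate users despite their access network (i.e., WiFi or Ethernet) under a single corporate management domain. Our Unified CAC (U-CAC) system can be implemented in a VoIP Gateway/Proxy and uses only standard protocols already present in commercial off-the-shelf devices, avoiding the need to modify the firmware of existing APs or VoIP terminals. We define two variants of the decision algorithm: basic and advanced. In the basic mode of operation, the admission of new calls is based on the availability of spare circuits and the impact of the new call in the speech quality of VoWiFi calls in progress. In the advanced mode of operation, the traffic load in affected APs is proactively reduced by reconfiguring ongoing calls before rejecting the new call. Simulation results show that the number of simultaneous VoWiFi calls under guaranteed quality increases with our unified call admission control scheme. When using the advanced mode of operation, the number of simultaneous calls under guaranteed quality can be doubled when compared to the standard mode of operation.},
  pubstate  = {published},
  tppubtype = {article},
}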
2019
Mayor, V.; Estepa, R.; Estepa, A.; Madinabeitia, G.
Deploying a Reliable UAV-Aided Communication Service in Disaster Areas Artículo de revista
En: Wireless Communications and Mobile Computing, vol. 2019, 2019, ISSN: 15308669, (cited By 25).
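@article{Mayor2019,
  title     = {Deploying a Reliable {UAV}-Aided Communication Service in Disaster Areas},
  author    = {Mayor, V. and Estepa, R. and Estepa, A. and Madinabeitia, G.},
  journal   = {Wireless Communications and Mobile Computing},
  volume    = {2019},
  publisher = {Hindawi Limited},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1155/2019/7521513},
  issn      = {1530-8669},
  abstract  = {When telecommunication infrastructure is damaged by natural disasters, creating a network that can handle voice channels can be vital for search and rescue missions. Unmanned Aerial Vehicles (UAV) equipped with WiFi access points could be rapidly deployed to provide wireless coverage to ground users. This WiFi access network can in turn be used to provide a reliable communication service to be used in search and rescue missions. We formulate a new problem for UAVs optimal deployment which considers not only WiFi coverage but also the mac sublayer (i.e., quality of service). Our goal is to dispatch the minimum number of UAVs for provisioning a WiFi network that enables reliable VoIP communications in disaster scenarios. Among valid solutions, we choose the one that minimizes energy expenditure at the user's WiFi interface card in order to extend ground user's smartphone battery life as much as possible. Solutions are found using well-known heuristics such as K-means clusterization and genetic algorithms. Via numerical results, we show that the IEEE 802.11 standard revision has a decisive impact on the number of UAVs required to cover large areas, and that the user's average energy expenditure (attributable to communications) can be reduced by limiting the maximum altitude for drones or by increasing the VoIP speech quality.},
  pubstate  = {published},
  tppubtype = {article},
}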
Estepa, A.; Estepa, R.; Madinabeitia, G.; Vozmediano, J.
Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus Artículo de revista
En: IEEE Access, vol. 7, pp. 120411-120423, 2019, ISSN: 21693536, (cited By 0).
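@article{Estepa2019120411,
  title     = {Designing Cost-Effective Reliable Networks from a Risk Analysis Perspective: A Case Study for a Hospital Campus},
  author    = {Estepa, A. and Estepa, R. and Madinabeitia, G. and Vozmediano, J.},
  journal   = {IEEE Access},
  volume    = {7},
  pages     = {120411--120423},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1109/ACCESS.2019.2937449},
  issn      = {2169-3536},
  abstract  = {The unavailability of information and communication services due to network-related incidents may have a significant impact on large organizations. Network incidents can hence be viewed as a risk for organizations whose consequences are not accounted for by traditional network design problems. In this work, we address the problem of designing a reliable wired network from a risk analysis perspective. We propose a novel methodology for the quantitative assessment of the risk associated with network-related incidents in a hospital campus. We then define an optimization problem to find the topology that minimizes the network cost plus the expected loss over time attributable to the unavailability of corporate services to staff affected by network incidents. A case study illustrates our methodology and its benefits. Using available public information, we design the topology of a campus network for a large hospital where the cost of labor exceeds 200M€/year. The solution to our optimization problem is found through well-known genetic algorithms and provides a topology where network nodes with a higher impact on productivity exhibit higher reliability. As a consequence, the topology obtained reduces more than 95\% (+392 000€) the expected annual lost profits when compared to common reduced-cost topologies such as the minimum-cost ring or the non-reliable minimum-cost tree, showing that investment in risk reduction pays off. Our contribution may be used by engineers to (re)design cost-effective reliable networks or by hospital managers to support decisions on updating present infrastructure based on risk reduction.},
  pubstate  = {published},
  tppubtype = {article},
}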
Salah, S.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.
Fusing information from tickets and alerts to improve the incident resolution process Artículo de revista
En: Information Fusion, vol. 45, 2019, ISSN: 15662535.
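@article{Salah2019,
  title     = {Fusing information from tickets and alerts to improve the incident resolution process},
  author    = {Salah, S. and Maciá-Fernández, G. and Díaz-Verdejo, J. E.},
  doi       = {10.1016/j.inffus.2018.01.011},
  issn      = {1566-2535},
  year      = {2019},
  date      = {2019-01-01},
  journal   = {Information Fusion},
  volume    = {45},
  abstract  = {{\textcopyright} 2018 Elsevier B.V. In the context of network incident monitoring, alerts are useful notifications that provide IT management staff with information about incidents. They are usually triggered in an automatic manner by network equipment and monitoring systems, thus containing only technical information available to the systems that are generating them. On the other hand, ticketing systems play a different role in this context. Tickets represent the business point of view of incidents. They are usually generated by human intervention and contain enriched semantic information about ongoing and past incidents. In this article, our main hypothesis is that incorporating tickets information into the alert correlation process will be beneficial to the incident resolution life-cycle in terms of accuracy, timing, and overall incident's description. We propose a methodology to validate this hypothesis and suggest a solution to the main challenges that appear. The proposed correlation approach is based on the time alignment of the events (alerts and tickets) that affect common elements in the network. For this we use real alert and ticket datasets obtained from a large telecommunications network. The results have shown that using ticket information enhances the incident resolution process, mainly by reducing and aggregating a higher percentage of alerts compared with standard alert correlation systems that only use alerts as the main source of information. Finally, we also show the applicability and usability of this model by applying it to a case study where we analyze the performance of the management staff.},
  pubstate  = {published},
  tppubtype = {article}
}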
2017
Khalife, Jawad; Hajjar, Amjad; Díaz-Verdejo, Jesús
A sampling methodology for DPI classifiers Artículo de revista
En: Journal of Internet Technology, vol. 18, no 4, pp. 787–800, 2017, ISSN: 20794029.
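@article{Khalife2017,
  title     = {A sampling methodology for {DPI} classifiers},
  author    = {Khalife, Jawad and Hajjar, Amjad and Díaz-Verdejo, Jesús},
  doi       = {10.6138/JIT.2017.18.4.20130525},
  issn      = {2079-4029},
  year      = {2017},
  date      = {2017-01-01},
  journal   = {Journal of Internet Technology},
  volume    = {18},
  number    = {4},
  pages     = {787--800},
  abstract  = {In this paper we provide a general methodology for customizing sampling schemes used with DPI (Deep Packet inspection) based traffic classifiers. Sampling is supposed to optimize DPI classification by reducing the disclosed payload size for inspection and the associated computational overhead while providing better protection of the users' privacy. As a real case scenario, we choose a real traffic dataset captured on a campus network link on which we conduct a series of classification experiments joint with sampling using OpenDPI, as the DPI tool of choice. First, we attempt to statistically localize payload sections within a flow stream where application signatures are mostly matched by OpenDPI. Then, we specify the minimum required payload to be disclosed for inspection, on a per protocol basis. Finally, we recommend a methodology for generalizing one DPI sampling scheme.},
  pubstate  = {published},
  tppubtype = {article}
}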
2016
Salah, Saeed; Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; Sánchez-Casado, Leovigildo
A Model for Incident Tickets Correlation in Network Management Artículo de revista
En: Journal of Network and Systems Management, vol. 24, no 1, pp. 57–91, 2016, ISSN: 10647570.
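@article{Salah2016,
  title     = {A Model for Incident Tickets Correlation in Network Management},
  author    = {Salah, Saeed and Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and Sánchez-Casado, Leovigildo},
  doi       = {10.1007/s10922-014-9340-6},
  issn      = {1064-7570},
  year      = {2016},
  date      = {2016-01-01},
  journal   = {Journal of Network and Systems Management},
  volume    = {24},
  number    = {1},
  pages     = {57--91},
  abstract  = {{\textcopyright} 2015, Springer Science+Business Media New York. In Information Technology Service Management (ITSM), network management teams typically use an Incident Ticket System (ITS) as a tool to track, troubleshoot, and coordinate the resolution of network incidents that occur during the daily operation of the network. A well organized ITS may positively impact on the efficiency of the incident management process. Nevertheless, in many cases the handling of tickets by the management team is not completely systematic and may be incoherent and inefficient. This way, irrelevant or redundant tickets for the same incident may be issued, thus creating a redundancy in the system that leads to inefficiencies. In this paper, we suggest a model aimed to correlate redundant tickets in order to reduce the information to a single ticket per incident. We validate the proposed correlation model by evaluating it with two datasets taken from a real ticketing system of a telecommunications network company. Using this model as a basis, we also develop and evaluate a methodology that assesses the efficiency of the management team during the process of tickets creation and management. Based on it, we also get some insights on the performance of the different management groups involved in the ticket creation process. These analyses can be leveraged for improving both the management groups functioning and the policies for the tickets' creation.},
  pubstate  = {published},
  tppubtype = {article}
}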
2015
Hajjar, Amjad; Khalife, Jawad; Díaz-Verdejo, Jesús
Network traffic application identification based on message size analysis Artículo de revista
En: Journal of Network and Computer Applications, vol. 58, no 2010, pp. 130–143, 2015, ISSN: 1084-8045.
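@article{Hajjar2015,
  title         = {Network traffic application identification based on message size analysis},
  author        = {Hajjar, Amjad and Khalife, Jawad and Díaz-Verdejo, Jesús},
  doi           = {10.1016/J.JNCA.2015.10.003},
  issn          = {1084-8045},
  year          = {2015},
  date          = {2015-12-01},
  journal       = {Journal of Network and Computer Applications},
  volume        = {58},
  number        = {2010},
  pages         = {130--143},
  publisher     = {Academic Press},
  abstract      = {Identifying network applications is centric to many network management and security tasks. A large number of approaches exist in the literature, most of which are based on statistical and machine learning techniques. For protecting the user privacy, the majority of the existing methods rely on discriminative traffic attributes at the network and transport layers, such as interaction schemes, packet sizes and inter-arrival times. In this work, we propose a novel blind, quintuple centric approach by exploring traffic attributes at the application level without inspecting the payloads. The identification model is based on the analysis of the first application-layer messages in a flow (quintuple), based on their sizes, directions and positions in the flow. The underlying idea is that the first messages of a flow usually carry some application level signaling and data transfer units (command, request, response, etc.) that can be discriminative through their patterns of size and direction. A Gaussian mixture model is proposed to characterize the applications, based on a study of the common characteristics of application-level protocols. The blind classifier is based on Markov models with low complexity and reasonable computational requirements, where the training procedure consists of profiling the target applications separately. Promising results were obtained for some popular protocols including many peer-to-peer applications.},
  internal-note = {The value 2010 in the number field does not look like an issue number for volume 58 (2015); it reads like an export artifact and should be verified against the publisher record before it is relied on},
  pubstate      = {published},
  tppubtype     = {article}
}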
Garcia-Teodoro, P.; Diaz-Verdejo, J. E.; Tapiador, J. E.; Salazar-Hernandez, R.
Automatic generation of HTTP intrusion signatures by selective identification of anomalies Artículo de revista
En: Computers and Security, vol. 55, pp. 159–174, 2015, ISSN: 01674048.
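@article{Garcia-Teodoro2015,
  title     = {Automatic generation of {HTTP} intrusion signatures by selective identification of anomalies},
  author    = {Garcia-Teodoro, P. and Diaz-Verdejo, J. E. and Tapiador, J. E. and Salazar-Hernandez, R.},
  doi       = {10.1016/j.cose.2015.09.007},
  issn      = {0167-4048},
  year      = {2015},
  date      = {2015-01-01},
  journal   = {Computers and Security},
  volume    = {55},
  pages     = {159--174},
  abstract  = {In this paper, we introduce a novel methodology to automatically generate HTTP intrusion signatures for Network Intrusion Detection Systems (NIDS). Our approach relies on the use of a service-specific, semantic-aware anomaly detection scheme that combines stochastic learning with a model structure based on the protocol specification. Each incoming payload for the target service is tagged with an anomaly score obtained from probabilistically matching it against the corresponding learned model of normal usage. For those payloads whose anomaly score exceeds a given threshold, a more detailed analysis is performed to extract the portions that contribute the most to the anomaly score. Such portions are then used to build up candidate intrusion signatures, using a merging process that combines them with already existing patterns in order to keep the signature database as simple as possible by avoiding redundancies. We report results obtained with a specific implementation of our proposal for web traffic. During our evaluation, we used a well-known signature-based NIDS that sits behind the anomaly detection system and is fed with the signatures automatically generated by the latter. Our results indicate that functioning in such a way translates into an improvement of the often tedious signature generation process. Furthermore, a visual inspection of the signatures reveals that the generation procedure is quite reliable, mimicking (and, in some cases, even improving) attack patterns manually generated by security analysts. This results in an increase of the overall detection performance of the composite signature- plus anomaly-based system.},
  pubstate  = {published},
  tppubtype = {article}
}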
2014
Khalife, Jawad; Hajjar, Amjad; Diaz-Verdejo, Jesus
A multilevel taxonomy and requirements for an optimal traffic- classification model Artículo de revista
En: International Journal of Network Management, vol. 24, no 2, pp. 101–120, 2014, ISSN: 10991190.
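@article{Khalife2014,
  title     = {A multilevel taxonomy and requirements for an optimal traffic classification model},
  author    = {Khalife, Jawad and Hajjar, Amjad and Diaz-Verdejo, Jesus},
  doi       = {10.1002/nem.1855},
  issn      = {1099-1190},
  year      = {2014},
  date      = {2014-01-01},
  journal   = {International Journal of Network Management},
  volume    = {24},
  number    = {2},
  pages     = {101--120},
  abstract  = {Identifying Internet traffic applications is essential for network security and management. The steady emergence of new Internet applications, together with the use of encryption and obfuscation techniques, ensures that traffic classification remains a hot research topic. Much research has been devoted to this topic by the research community in the last decade. However, an optimal traffic classification model has yet to be defined. Many techniques and formats have been described, with the current literature therefore lacking appropriate benchmarks expressed in a consistent terminology. Moreover, existing surveys are outdated and do not include many recent advances in the field. In this article, we present a systematic multilevel taxonomy that covers a broad range of existing and recently proposed methods, together with examples of vendor classification techniques. Our taxonomy assists in defining a consistent terminology. It could be useful in future benchmarking contexts by characterizing and comparing methods at three different levels. From this perspective, we describe key features and provide design hints for future classification models, while emphasizing the main requirements for promoting future research efforts. To motivate researchers and other interested parties, we collect and share data captured from real traffic, using two models to protect data privacy. Copyright {\textcopyright} 2014 John Wiley \& Sons, Ltd. With the huge amount of recently emergent papers in traffic classification, existing surveys cannot reflect current advances and trends in the field. In this article, we propose a multilevel taxonomy categorising and characterizing most existing methods at three different levels, which is vital for future benchmarks. We show comparisons, highlight on current research trends and describe the optimal future classifier's features. From the perspective of our taxonomy, we illuminate on research requirements both on the policy and technical levels. Copyright {\textcopyright} 2014 John Wiley \& Sons, Ltd.},
  pubstate  = {published},
  tppubtype = {article}
}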
2013
Camacho, J.; Padilla, P.; García-Teodoro, P.; Díaz-Verdejo, J.
A generalizable dynamic flow pairing method for traffic classification Artículo de revista
En: Computer Networks, vol. 57, no 14, 2013, ISSN: 13891286.
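@article{Camacho2013,
  title     = {A generalizable dynamic flow pairing method for traffic classification},
  author    = {Camacho, J. and Padilla, P. and García-Teodoro, P. and Díaz-Verdejo, J.},
  doi       = {10.1016/j.comnet.2013.06.006},
  issn      = {1389-1286},
  year      = {2013},
  date      = {2013-01-01},
  journal   = {Computer Networks},
  volume    = {57},
  number    = {14},
  abstract  = {The goal of network traffic classification is to identify the protocols or types of protocols in the network traffic. In particular, the identification of network traffic with high resource consumption, such as peer-to-peer (P2P) traffic, represents a great concern for Internet Service Providers (ISP) and network managers. Most current flow-based classification approaches report high accuracy without paying attention to the generalization ability of the classifier. However, without this ability, a classifier may not be suitable for on-line classification. In this paper, a number of experiments on real traffic help to elucidate the reason for this lack of generalization. It is also shown that one way to attain the generalization ability is by using dynamic classifiers. From these results, a dynamic classification approach based on the pairing of flows according to a similarity criterion is proposed. The pairing method is not a classifier by itself. Rather, its goal is to determine in a fast way that two given flows are similar enough to conclude they correspond to the same protocol. Combining this method with a classifier, most of the flows do not need to be explicitly evaluated by the later, so that the computational overhead is reduced without a significant reduction in accuracy. In this paper, as a case study, we explore complementing the pairing method with payload inspection. In the experiments performed, the pairing approach generalizes well to traffic obtained in different conditions and scenarios than that used for calibration. Moreover, a high portion of the traffic unclassified by payload inspection is categorized with the pairing method. {\textcopyright} 2013 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}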
Salah, S.; Maciá-Fernández, G.; Díaz-Verdejo, J. E.
A model-based survey of alert correlation techniques Artículo de revista
En: Computer Networks, vol. 57, no 5, 2013, ISSN: 13891286.
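@article{Salah2013,
  title     = {A model-based survey of alert correlation techniques},
  author    = {Salah, S. and Maciá-Fernández, G. and Díaz-Verdejo, J. E.},
  doi       = {10.1016/j.comnet.2012.10.022},
  issn      = {1389-1286},
  year      = {2013},
  date      = {2013-01-01},
  journal   = {Computer Networks},
  volume    = {57},
  number    = {5},
  abstract  = {As telecommunication networks evolve rapidly in terms of scalability, complexity, and heterogeneity, the efficiency of fault localization procedures and the accuracy in the detection of anomalous behaviors are becoming important factors that largely influence the decision making process in large management companies. For this reason, telecommunication companies are doing a big effort investing in new technologies and projects aimed at finding efficient management solutions. One of the challenging issues for network and system management operators is that of dealing with the huge amount of alerts generated by the managed systems and networks. In order to discover anomalous behaviors and speed up fault localization processes, alert correlation is one of the most popular resources. Although many different alert correlation techniques have been investigated, it is still an active research field. In this paper, a survey of the state of the art in alert correlation techniques is presented. Unlike other authors, we consider that the correlation process is a common problem for different fields in the industry. Thus, we focus on showing the broad influence of this problem. Additionally, we suggest an alert correlation architecture capable of modeling current and prospective proposals. Finally, we also review some of the most important commercial products currently available. {\textcopyright} 2012 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}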
Khalife, Jawad; Hajjar, Amjad; Díaz-Verdejo, Jesús
Performance of OpenDPI in identifying sampled network traffic Artículo de revista
En: Journal of Networks, vol. 8, no 1, pp. 71–81, 2013, ISSN: 17962056.
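@article{Khalife2013,
  title     = {Performance of {OpenDPI} in identifying sampled network traffic},
  author    = {Khalife, Jawad and Hajjar, Amjad and Díaz-Verdejo, Jesús},
  doi       = {10.4304/jnw.8.1.71-81},
  issn      = {1796-2056},
  year      = {2013},
  date      = {2013-01-01},
  journal   = {Journal of Networks},
  volume    = {8},
  number    = {1},
  pages     = {71--81},
  abstract  = {The identification of the nature of the traffic flowing through a TCP/IP network is a relevant target for traffic engineering and security related tasks. Despite the privacy concerns it arises, Deep Packet Inspection (DPI) is one of the most successful current techniques. Nevertheless, the performance of DPI is strongly limited by computational issues related to the huge amount of data it needs to handle, both in terms of number of packets and the length of the packets. One way to reduce the computational overhead with identification techniques is to sample the traffic being monitored. This paper addresses the sensitivity of OpenDPI, one of the most powerful freely available DPI systems, with sampled network traffic. Two sampling techniques are applied and compared: the per-packet payload sampling, and the per-flow packet sampling. Based on the obtained results, some conclusions are drawn to show how far DPI methods could be optimised through traffic sampling. {\textcopyright} 2013 ACADEMY PUBLISHER.},
  pubstate  = {published},
  tppubtype = {article}
}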
2012
Salcedo-Campos, Francisco; Díaz-Verdejo, Jesús; García-Teodoro, Pedro
Segmental parameterisation and statistical modelling of e-mail headers for spam detection Artículo de revista
En: Information Sciences, vol. 195, pp. 45–61, 2012, ISSN: 0020-0255.
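@article{Salcedo-Campos2012,
  title     = {Segmental parameterisation and statistical modelling of e-mail headers for spam detection},
  author    = {Salcedo-Campos, Francisco and Díaz-Verdejo, Jesús and García-Teodoro, Pedro},
  doi       = {10.1016/j.ins.2012.01.022},
  issn      = {0020-0255},
  year      = {2012},
  date      = {2012-07-01},
  journal   = {Information Sciences},
  volume    = {195},
  pages     = {45--61},
  publisher = {Elsevier},
  abstract  = {Spammers exploit the popularity and low cost of e-mail services to send unsolicited messages (spam), which fill users' accounts and waste valuable resources. To combat this problem, many different spam filtering techniques have been proposed in the literature. Nevertheless, most current anti-spamming filtering schemes are based on detecting relevant terms or tokens in the entire message or in only the body, which implies an invasion of users' privacy. In this paper, a novel spam-filtering technique based solely on the information present in headers is introduced. In this approach, headers are considered as the result of a dynamic process that generates characters. The observed characters are treated as signals and parameterised in accordance with standard signal pre-processing techniques by extracting relevant parameters from the header. From this, Hidden Markov Models (HMMs) are considered for a spam detection system. The performance achieved by our proposal is evaluated and compared with that of other pattern classification paradigms used for spam filtering. The experimental results for SpamAssassin, TREC05 and CEAS 2008 Lab Evaluation improve on those results obtained with other widely used techniques, achieving up to 98.42\% of spam detection while keeping the false positive rate below 0.4\% and with the added advantages of using only information from the headers and being independent of the language in which the e-mail is written. {\textcopyright} 2012 Elsevier Inc. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}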
2010
Salazar-Hernández, Rolando; Díaz-Verdejo, Jesús E.
Hybrid detection of application layer attacks using Markov models for normality and attacks Artículo de revista
En: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6476 LNCS, pp. 416–429, 2010, ISSN: 03029743.
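@article{Salazar-Hernandez2010,
  title         = {Hybrid detection of application layer attacks using {Markov} models for normality and attacks},
  author        = {Salazar-Hernández, Rolando and Díaz-Verdejo, Jesús E.},
  doi           = {10.1007/978-3-642-17650-0_29},
  issn          = {0302-9743},
  year          = {2010},
  date          = {2010-01-01},
  journal       = {Lecture Notes in Computer Science},
  series        = {Lecture Notes in Computer Science},
  volume        = {6476},
  pages         = {416--429},
  abstract      = {Previous works has shown that Markov modelling can be used to model the payloads of the observed packets from a selected protocol with applications to anomaly-based intrusion detection. The detection is made based on a normality score derived from the model and a tunable threshold, which allows the choice of the operating point in terms of detection and false positive rates. In this work a hybrid system is proposed and evaluated based on this approach. The detection is made by explicit modelling of both the attack and the normal payloads and the joint use of a recognizer and a threshold based detector. First, the recognizer evaluates the probabilities of a payload being normal or attack and a probability of missclassification. The dubious results are passed through the detector, which evaluates the normality score. The system allows the choice of the operating point and improves the performance of the basic system. {\textcopyright} 2010 Springer-Verlag.},
  internal-note = {An LNCS volume is a proceedings volume, so this record probably belongs in @inproceedings with the proceedings title in booktitle; that title is not recorded here, so the entry is kept as @article until it can be looked up},
  pubstate      = {published},
  tppubtype     = {article}
}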
Maciá-Fernández, Gabriel; Rodríguez-Gómez, Rafael A.; Díaz-Verdejo, Jesús E.
Defense techniques for low-rate DoS attacks against application servers Artículo de revista
En: Computer Networks, vol. 54, no 15, pp. 2711–2727, 2010, ISSN: 13891286.
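@article{Macia-Fernandez2010,
  title     = {Defense techniques for low-rate {DoS} attacks against application servers},
  author    = {Maciá-Fernández, Gabriel and Rodríguez-Gómez, Rafael A. and Díaz-Verdejo, Jesús E.},
  doi       = {10.1016/j.comnet.2010.05.002},
  issn      = {1389-1286},
  year      = {2010},
  date      = {2010-01-01},
  journal   = {Computer Networks},
  volume    = {54},
  number    = {15},
  pages     = {2711--2727},
  abstract  = {Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocols or applications behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack: the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack. Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors. We extensively describe the suggested techniques, discussing the benefits and drawbacks for each under two criteria: the attack efficiency reduction obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in a both a simulated and a real environment, and provide guidelines for their implementation in a production system. {\textcopyright} 2010 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}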
2009
Macia-Fernandez, Gabriel; Garcia-Teodoro, Pedro; Diaz-Verdejo, Jesus
Fraud in roaming scenarios: an overview Artículo de revista
En: IEEE Wireless Communications, vol. 16, no 6, pp. 88–94, 2009, ISSN: 1536-1284.
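@article{Macia-Fernandez2009a,
  title     = {Fraud in roaming scenarios: an overview},
  author    = {Macia-Fernandez, Gabriel and Garcia-Teodoro, Pedro and Diaz-Verdejo, Jesus},
  url       = {http://ieeexplore.ieee.org/document/5361183/},
  doi       = {10.1109/MWC.2009.5361183},
  issn      = {1536-1284},
  year      = {2009},
  date      = {2009-12-01},
  journal   = {IEEE Wireless Communications},
  volume    = {16},
  number    = {6},
  pages     = {88--94},
  abstract  = {In the mobile telecommunications sector in general, and in the roaming scenario in particular, fraud can lead to large financial losses. This article first presents the major concerns regarding such security threats, and then proposes a classification for this type of attack, highlighting the necessity for the different players involved to take joint action. {\textcopyright} 2009 IEEE.},
  pubstate  = {published},
  tppubtype = {article}
}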
Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro
Mathematical model for low-rate dos attacks against application servers Artículo de revista
En: IEEE Transactions on Information Forensics and Security, vol. 4, no 3, pp. 519–529, 2009, ISSN: 15566013.
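@article{Macia-Fernandez2009,
  title     = {Mathematical model for low-rate {DoS} attacks against application servers},
  author    = {Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and García-Teodoro, Pedro},
  doi       = {10.1109/TIFS.2009.2024719},
  issn      = {1556-6013},
  year      = {2009},
  date      = {2009-01-01},
  journal   = {IEEE Transactions on Information Forensics and Security},
  volume    = {4},
  number    = {3},
  pages     = {519--529},
  abstract  = {In recent years, variants of denial of service (DoS) attacks that use low-rate traffic have been proposed, including the Shrew attack, reduction of quality attacks, and low-rate DoS attacks against application servers (LoRDAS). All of these are flooding attacks that take advantage of vulnerability in the victims for reducing the rate of the traffic. Although their implications and impact have been comprehensively studied, mainly by means of simulation, there is a need for mathematical models by which the behaviour of these sometimes complex processes can be described. In this paper, we propose a mathematical model for the LoRDAS attack. This model allows us to evaluate its performance by relating it to the configuration parameters of the attack and the dynamics of network and victim. The model is validated by comparing the performance values given against those obtained from a simulated environment. In addition, some applicability issues for the model are contributed, together with interpretation guidelines to the model's behaviour. Finally, experience of the model enables us to make some recommendations for the challenging task of building defense techniques against this attack. {\textcopyright} 2006 IEEE.},
  pubstate  = {published},
  tppubtype = {article}
}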
García-Teodoro, P.; Díaz-Verdejo, J.; Maciá-Fernández, G.; Vázquez, E.
Anomaly-based network intrusion detection: Techniques, systems and challenges Artículo de revista
En: Computers and Security, vol. 28, no 1-2, pp. 18–28, 2009, ISSN: 01674048.
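@article{Garcia-Teodoro2009,
  title     = {Anomaly-based network intrusion detection: Techniques, systems and challenges},
  author    = {García-Teodoro, P. and Díaz-Verdejo, J. and Maciá-Fernández, G. and Vázquez, E.},
  doi       = {10.1016/j.cose.2008.08.003},
  issn      = {0167-4048},
  year      = {2009},
  date      = {2009-01-01},
  journal   = {Computers and Security},
  volume    = {28},
  number    = {1--2},
  pages     = {18--28},
  abstract  = {The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues. {\textcopyright} 2008 Elsevier Ltd. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}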
2008
Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro
Evaluation of a low-rate DoS attack against application servers Artículo de revista
En: Computers and Security, vol. 27, no 7-8, pp. 335–354, 2008, ISSN: 01674048.
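@article{Macia-Fernandez2008,
  title     = {Evaluation of a low-rate {DoS} attack against application servers},
  author    = {Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and García-Teodoro, Pedro},
  doi       = {10.1016/j.cose.2008.07.004},
  issn      = {0167-4048},
  year      = {2008},
  date      = {2008-01-01},
  journal   = {Computers and Security},
  volume    = {27},
  number    = {7--8},
  pages     = {335--354},
  abstract  = {In the network security field there is a need to identify new movements and trends that attackers might adopt, in order to anticipate their attempts with defense and mitigation techniques. The present study explores new approaches that attackers could use in order to make denial of service attacks against application servers. We show that it is possible to launch such attacks by using low-rate traffic directed against servers, and apply the proposed techniques to defeat a persistent HTTP server. The low-rate feature is highly beneficial to the attacker for two main reasons: firstly, because the resources needed to carry out the attack are considerably reduced, easing its execution. Secondly, the attack is more easily hidden to security mechanisms that rely on the detection of high-rate traffic. In this paper, a mechanism that allows the attacker to control the attack load in order to bypass an IDS is contributed. We present the fundamentals of the attack, describing its strategy and design issues. The performance is also evaluated in both simulated and real environments. Finally, a study of possible improvement techniques to be used by the attackers is contributed. {\textcopyright} 2008 Elsevier Ltd. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}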
Toro-Negro, F. De; García-Teodoro, P.; Díaz-Verdejo, J. E.; Maciá-Fernandez, G.
A deterministic crowding evolutionary algorithm for optimization of a knn-based anomaly intrusion detection system Artículo de revista
En: Frontiers in Artificial Intelligence and Applications, vol. 177, no 1, pp. 111–120, 2008, ISSN: 09226389.
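@article{DeToro-Negro2008,
  title     = {A deterministic crowding evolutionary algorithm for optimization of a knn-based anomaly intrusion detection system},
  author    = {De Toro-Negro, F. and García-Teodoro, P. and Díaz-Verdejo, J. E. and Maciá-Fernandez, G.},
  url       = {https://dl.acm.org/doi/10.5555/1565639.1565651},
  doi       = {10.3233/978-1-58603-890-8-111},
  issn      = {0922-6389},
  year      = {2008},
  date      = {2008-01-01},
  journal   = {Frontiers in Artificial Intelligence and Applications},
  volume    = {177},
  number    = {1},
  pages     = {111--120},
  publisher = {IOS Press},
  abstract  = {This paper addresses the use of an evolutionary algorithm for the optimization of a K-nearest neighbor classifier to be used in the implementation of an intrusion detection system. The inclusion of a diversity maintenance technique embodied in the design of the evolutionary algorithm enables us to obtain different subsets of features extracted from network traffic data that lead to high classification accuracies. The methodology has been preliminarily applied to the Denial of Service attack detection, a key issue in maintaining continuity of the services provided by business organizations. © 2008 The authors and IOS Press. All rights reserved.},
  internal-note = {IOS Press was exported as editor; it is the publisher of this series, so moved to publisher},
  pubstate  = {published},
  tppubtype = {article}
}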
2007
Díaz-Verdejo, Jesus E.; García-Teodoro, Pedro; Muñoz, P.; Maciá-Fernández, G.; Toro, F. De
Una aproximación basada en Snort para el desarrollo e implantación de IDS híbridos Artículo de revista
En: IEEE Latin America Transactions, vol. 5, no 6, pp. 386–392, 2007, ISSN: 15480992.
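@article{Diaz-Verdejo2007,
  title     = {Una aproximación basada en {Snort} para el desarrollo e implantación de {IDS} híbridos},
  author    = {Díaz-Verdejo, Jesus E. and García-Teodoro, Pedro and Muñoz, P. and Maciá-Fernández, G. and De Toro, F.},
  doi       = {10.1109/TLA.2007.4395226},
  issn      = {1548-0992},
  year      = {2007},
  date      = {2007-01-01},
  journal   = {IEEE Latin America Transactions},
  volume    = {5},
  number    = {6},
  pages     = {386--392},
  abstract  = {Apart from the modeling techniques, the development and deployment of anomaly-based intrusion detection systems still faces two main problems. The first one is related to the acquisition and handling of real traffic to be used for training purposes. The second one concerns the better performance of signature-based IDS for known attacks. In this paper the authors propose the use of a modified version of Snort which results in a hybrid detector/classifier. This version can be used both during the training phase of the anomaly-based system and as a deployed hybrid detector and traffic sniffer. Furthermore, it can be adjusted to work just as signature-based, anomaly-based or both (hybrid) detector. On the other hand, this version can be used to directly sniff, classify and split the network traffic according to its malicious nature, which eases the problems related to the acquisition and handling of training traffic. © Copyright 2010 IEEE - All Rights Reserved.},
  pubstate  = {published},
  tppubtype = {article}
}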
Maciá-Fernández, G.; Díaz-Verdejo, J. E.; García-Teodoro, P.
Evaluation of a low-rate DoS attack against iterative servers Artículo de revista
En: Computer Networks, vol. 51, no 4, 2007, ISSN: 13891286.
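@article{Macia-Fernandez2007,
  title     = {Evaluation of a low-rate {DoS} attack against iterative servers},
  author    = {Maciá-Fernández, G. and Díaz-Verdejo, J. E. and García-Teodoro, P.},
  doi       = {10.1016/j.comnet.2006.07.002},
  issn      = {1389-1286},
  year      = {2007},
  date      = {2007-01-01},
  journal   = {Computer Networks},
  volume    = {51},
  number    = {4},
  abstract  = {This paper presents a low-rate DoS attack that could be launched against iterative servers. Such an attack takes advantage of the vulnerability consisting in the possibility of forecasting the instant at which an iterative server will generate a response to a client request. This knowledge could allow a potential intruder to overflow application buffers with relatively low-rate traffic to the server, thus avoiding the usual DoS IDS detection techniques. Besides the fundamentals of the attack, the authors also introduce a mathematical model for evaluating the efficiency of this kind of attack. The evaluation is contrasted with both simulated and real implementations. Some variants of the attack are also studied. The overall results derived from this work show how the proposed low-rate DoS attack could cause an important negative impact on the performance of iterative servers. © 2006 Elsevier B.V. All rights reserved.},
  internal-note = {pages missing; add the page range or eid from the DOI landing page},
  pubstate  = {published},
  tppubtype = {article}
}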
García-Teodoro, Pedro; Díaz-Verdejo, Jesús E; Maciá-Fernández, Gabriel; Sánchez-Casado, Leovigildo
Network-based Hybrid Intrusion Detection and Honeysystems as Active Reaction Schemes Artículo de revista
En: International Journal of Computer Science and Network Security, vol. 7, no 10, pp. 62–70, 2007.
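@article{Garcia-teodoro2007,
  title     = {Network-based Hybrid Intrusion Detection and Honeysystems as Active Reaction Schemes},
  author    = {García-Teodoro, Pedro and Díaz-Verdejo, Jesús E. and Maciá-Fernández, Gabriel and Sánchez-Casado, Leovigildo},
  url       = {http://www.first.org},
  year      = {2007},
  date      = {2007-01-01},
  journal   = {International Journal of Computer Science and Network Security},
  volume    = {7},
  number    = {10},
  pages     = {62--70},
  publisher = {Dpto. de Teoría de la Señal, Telemática y Comunicaciones},
  abstract  = {This paper presents some proposals and contributions in network-based intrusion-related technologies. Two key points are discussed in this line: anomaly-based intrusion detection, and active response mechanisms. The first issue is mainly focused on the consideration of a stochastic approach to model the normal behavior of the network system to be monitored and protected. This anomaly-based detection methodology is combined with a signature-based one, thus resulting in a hybrid detection system, in order to improve the overall detection throughput. On the other hand, a honeysystem-based approach is also introduced to deal with the development of a pro-active response mechanism in the context of intrusion detection technologies. Both of the aspects, detection and reaction, will be studied as functional modules of an integral intrusion platform developed from a current available IDS tool.},
  internal-note = {url is the FIRST site root, not this article, and publisher holds the authors' department rather than the journal publisher; no doi or issn recorded -- verify all three against the IJCSNS issue},
  pubstate  = {published},
  tppubtype = {article}
}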
Salazar-Hernández, R.; Díaz-Verdejo, J.; García-Teodoro, P.; Maciá-Fernández, G.; Toro, F. De
Uso de funciones compendio en la detección de anomalías mediante N3 Artículo de revista
En: Actas de las VI Jornadas de Ingeniería Telemática (JITEL '07), pp. 601–604, 2007.
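@inproceedings{Salazar-jitel2007,
  title     = {Uso de funciones compendio en la detección de anomalías mediante {N3}},
  author    = {Salazar-Hernández, R. and Díaz-Verdejo, J. and García-Teodoro, P. and Maciá-Fernández, G. and De Toro, F.},
  year      = {2007},
  date      = {2007-01-01},
  booktitle = {Actas de las VI Jornadas de Ingeniería Telemática (JITEL '07)},
  pages     = {601--604},
  abstract  = {The Nearest Normal Neighbor (N3) is an anomaly-based intrusion detection system which has demonstrated a good performance in terms of detection capabilities when applied to the HTTP protocol. Nevertheless, N3 presents a high computational cost, as it is based in the comparison of the target HTTP payload against every payload in the normality model. The cost is proportional to the length of the payloads and to the number of elements in the model. The present paper explores the use of the hash functions as a method to reduce the computational cost of the system by decreasing the average length of the payloads. The model is, therefore, composed by fixed length hashes of each payload in the original model, and the hash of the target payload is compared against this model. The results obtained for SHA256 and SHA512 show a big decrease in computational cost with a reduced impact in system's performance.},
  internal-note = {conference proceedings (Actas de ... JITEL '07) were exported as a journal; retyped as inproceedings with the proceedings title in booktitle},
  pubstate  = {published},
  tppubtype = {inproceedings}
}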
2006
Maciá-Fernández, Gabriel; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro
Low rate DoS attack to monoprocess servers Artículo de revista
En: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3934 LNCS, pp. 43–57, 2006, ISSN: 16113349.
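@article{Macia-Fernandez2006c,
  title     = {Low rate {DoS} attack to monoprocess servers},
  author    = {Maciá-Fernández, Gabriel and Díaz-Verdejo, Jesús E. and García-Teodoro, Pedro},
  url       = {https://link.springer.com/chapter/10.1007/11734666_5},
  doi       = {10.1007/11734666_5},
  issn      = {1611-3349},
  year      = {2006},
  date      = {2006-01-01},
  journal   = {Lecture Notes in Computer Science},
  volume    = {3934},
  pages     = {43--57},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  abstract  = {In this work, we present a vulnerability in monoprocess or monothreaded servers that allows the execution of DoS attacks with the peculiarity that they are generated by low rate traffic. This feature makes the attack less vulnerable to detection by current IDS systems, which usually expect high rate traffic. The intruder can take advantage of some knowledge about the inter-output times in the server to build the attack. We have simulated and tested it in a real environment, obtaining worrying conclusions due to the efficiency achieved by the attack, with low effort from the attacker. © Springer-Verlag Berlin Heidelberg 2006.},
  internal-note = {LNCS chapter exported as a journal article; retype as inproceedings with the proceedings title in booktitle and LNCS as series once the venue is confirmed},
  pubstate  = {published},
  tppubtype = {article}
}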
2004
Estevez-Tapiador, J. M.; Garcia-Teodoro, P.; Diaz-Verdejo, J. E.
Anomaly detection methods in wired networks: A survey and taxonomy Artículo de revista
En: Computer Communications, vol. 27, no 16, pp. 841–850, 2004, ISSN: 01403664.
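@article{Estevez-Tapiador2004,
  title     = {Anomaly detection methods in wired networks: A survey and taxonomy},
  author    = {Estevez-Tapiador, J. M. and Garcia-Teodoro, P. and Diaz-Verdejo, J. E.},
  url       = {https://link.springer.com/chapter/10.1007/978-3-540-24707-4_97},
  doi       = {10.1016/j.comcom.2004.07.002},
  issn      = {0140-3664},
  year      = {2004},
  date      = {2004-01-01},
  journal   = {Computer Communications},
  volume    = {27},
  number    = {16},
  pages     = {841--850},
  publisher = {Springer, Berlin, Heidelberg},
  abstract  = {Despite the advances reached along the last 20 years, anomaly detection in network behavior is still an immature technology, and the shortage of commercial tools thus corroborates it. Nevertheless, the benefits which could be obtained from a better understanding of the problem itself as well as the improvement of these mechanisms, especially in network security, justify the demand for more research efforts in this direction. This article presents a survey on current anomaly detection methods for network intrusion detection in classical wired environments. After introducing the problem and elucidating its interest, a taxonomy of current solutions is presented. The outlined scheme allows us to systematically classify current detection methods as well as to study the different facets of the problem. The more relevant paradigms are subsequently discussed and illustrated through several case studies of selected systems developed in the field. The problems addressed by each of them as well as their weakest points are thus explained. Finally, this work concludes with an analysis of the problems that still remain open. Based on this discussion, some research lines are identified. © 2004 Elsevier B.V. All rights reserved.},
  internal-note = {url (a Springer chapter) and publisher do not match the Computer Communications doi (an Elsevier journal); verify and drop whichever belongs to a different work},
  pubstate  = {published},
  tppubtype = {article}
}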
Estévez-Tapiador, J. M.; García-Teodoro, P.; Díaz-Verdejo, J. E.
Measuring normality in HTTP traffic for anomaly-based intrusion detection Artículo de revista
En: Computer Networks, vol. 45, no 2, 2004, ISSN: 13891286.
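@article{Estevez-Tapiador2004a,
  title     = {Measuring normality in {HTTP} traffic for anomaly-based intrusion detection},
  author    = {Estévez-Tapiador, J. M. and García-Teodoro, P. and Díaz-Verdejo, J. E.},
  doi       = {10.1016/j.comnet.2003.12.016},
  issn      = {1389-1286},
  year      = {2004},
  date      = {2004-01-01},
  journal   = {Computer Networks},
  volume    = {45},
  number    = {2},
  abstract  = {In this paper, the problem of measuring normality in HTTP traffic for the purpose of anomaly-based network intrusion detection is addressed. The work carried out is expressed in two steps: first, some statistical analysis of both normal and hostile traffic is presented. The experimental results of this study reveal that certain features extracted from HTTP requests can be used to distinguish anomalous (and, therefore, suspicious) traffic from that corresponding to correct, normal connections. The second part of the paper presents a new anomaly-based approach to detect attacks carried out over HTTP traffic. The technique introduced is statistical and makes use of Markov chains to model HTTP network traffic. The incoming HTTP traffic is parameterised for evaluation on a packet payload basis. Thus, the payload of each HTTP request is segmented into a certain number of contiguous blocks, which are subsequently quantized according to a previously trained scalar codebook. Finally, the temporal sequence of the symbols obtained is evaluated by means of a Markov model derived during a training phase. The detection results provided by our approach show important improvements, both in detection ratio and regarding false alarms, in comparison with those obtained using other current techniques. © 2004 Elsevier B.V. All rights reserved.},
  internal-note = {pages missing; add the page range from the DOI landing page},
  pubstate  = {published},
  tppubtype = {article}
}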
2003
Estévez-Tapiador, Juan M.; García-Teodoro, Pedro; Díaz-Verdejo, Jesús E.
NSDF: A computer network system description framework and its application to network security Artículo de revista
En: Computer Networks, vol. 43, no 5, pp. 573–600, 2003, ISSN: 13891286.
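@article{Estevez-Tapiador2003a,
  title     = {{NSDF}: A computer network system description framework and its application to network security},
  author    = {Estévez-Tapiador, Juan M. and García-Teodoro, Pedro and Díaz-Verdejo, Jesús E.},
  doi       = {10.1016/S1389-1286(03)00291-3},
  issn      = {1389-1286},
  year      = {2003},
  date      = {2003-01-01},
  journal   = {Computer Networks},
  volume    = {43},
  number    = {5},
  pages     = {573--600},
  abstract  = {In this work a general framework, termed NSDF, for describing network systems is proposed. Basic elements of this scheme are entities and the relationships established between them. Both entities and relationships are the basis underlying the concept of system state. The dynamics of a network system can be conceived of as a trajectory in the state space. The term action is used to describe every event which can produce a transition from one state to another. These concepts (entity, relationship, state, and action) are enough to construct a model of the system. Evolution and dynamism are easily captured, and it is possible to monitor the behaviour of the system. With the aim of illustrating the use of the proposed framework, a network state description language derived from NSDF, termed RENDL, is also specified. An immediate application of this framework concerns the network security field. It is shown that concepts like security policing of the site, insecure states, intrusive activities and intrusion response mechanisms can be modelled well. Thus, some imprecise terms used in the security context can be expressed in a uniform, precise way within this framework. Formalizing the above concepts allows us to introduce a generic model to classify currently presented taxonomies related to intrusive activities in network systems. This provides a general context for a better understanding of security flaws and how to develop effective defenses. © 2003 Elsevier B.V. All rights reserved.},
  pubstate  = {published},
  tppubtype = {article}
}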