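@article{almenarez019,
  title         = {Evaluation of the performance of unsupervised learning algorithms for intrusion detection in unbalanced data environments},
  author        = {Gutiérrez-Portela, Fernando and Almenares-Mendoza, Florina and Calderón-Benavides, Liliana},
  journal       = {IEEE Access},
  url           = {https://ieeexplore.ieee.org/document/10794744},
  doi           = {10.1109/ACCESS.2024.3516615},
  issn          = {2169-3536},
  year          = {2024},
  date          = {2024-12-12},
  urldate       = {2024-12-12},
  publisher     = {IEEE},
  abstract      = {In this study, the performance of different unsupervised machine learning algorithms used for intrusion detection within unbalanced data environments were analyzed; these algorithms included the K-means++ algorithm, density-based spatial clustering of applications with noise (DBSCAN), local outlier factor (LOF), and isolation forest (I-forest) using the BoT–IoT dataset. Performance metrics such as purity, homogeneity\_score, completeness\_score, v\_measure\_score, and adjusted\_mutual\_info\_score were used to evaluate the effectiveness of algorithms in detecting various types of attacks such as distributed denial of service (DDoS), denial of service (DoS), and reconnaissance. Similarly, different methods were used for the automatic selection of the optimal number of clusters such as the elbow method, silhouette coefficient, Calinski–Harabasz index, and Davies–Bouldin index. Moreover, principal component analysis (PCA) was used to explain data variance and the influence of variables on intrusion detection. Results revealed that the K-means algorithm achieved 95\% purity as well as 95\% and 99\% prediction accuracies for normal and abnormal data, respectively. The I-forest algorithm achieved 95\% purity as well as 99\% and 90\% prediction accuracies for normal and abnormal data in a balanced dataset, respectively. These findings indicated that I-forest exhibited a low central processing unit (CPU) consumption rate of 10\% on balanced data, outperforming DBSCAN, K-Means++, and LOF, with 16\% consumption rates.},
  keywords      = {anomaly detection, compromise, intrusion detection system, machine learning, metrics, Qursa, unsupervised models},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Reclassified from @inproceedings, which had no booktitle: the ISSN 2169-3536 and the ACCESS DOI prefix match the IEEE Access entry in this file. Volume and pages are not recorded here; confirm against the publisher record.}
}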
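@inproceedings{marta003,
  title     = {Real-Time Analysis of Encrypted {DNS} Traffic for Threat Detection},
  author    = {Moure-Garrido, Marta and Das, Sajal and Campo, Celeste and García-Rubio, Carlos},
  url       = {https://ieeexplore.ieee.org/document/10622347},
  doi       = {10.1109/ICC51166.2024.10622347},
  issn      = {1550-3607},
  year      = {2024},
  date      = {2024-08-20},
  booktitle = {{ICC} 2024 -- {IEEE} International Conference on Communications},
  pages     = {3292--3297},
  publisher = {IEEE},
  abstract  = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
  keywords  = {APT, compromise, dns tunnels, doh traffic, encrypted traffic, intrusion detection system, Qursa},
  pubstate  = {published},
  tppubtype = {conference}
}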
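@article{campo002,
  title     = {Real time detection of malicious {DoH} traffic using statistical analysis},
  author    = {Moure-Garrido, Marta and Campo-Vázquez, Celeste and García-Rubio, Carlos},
  url       = {http://hdl.handle.net/10016/38151},
  doi       = {10.1016/j.comnet.2023.109910},
  issn      = {1389-1286},
  year      = {2023},
  date      = {2023-10-09},
  urldate   = {2023-10-09},
  journal   = {Computer Networks},
  volume    = {234},
  eid       = {109910},
  pages     = {1--10},
  abstract  = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
  keywords  = {classification, compromise, computer science, cynamon, dns tunnels, doh traffic, intrusion detection system, malicious doh, Qursa, statistical analysis},
  pubstate  = {published},
  tppubtype = {article}
}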
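@article{almenarez017,
  title     = {Enhancing Intrusion Detection in {IoT} Communications Through {ML} Model Generalization With a New Dataset ({IDSAI})},
  author    = {Gutierrez-Portela, Fernando and Arteaga-Arteaga, Harold-Brayan and Almenares-Mendoza, Florina and Calderon-Benavides, Liliana and Acosta-Mesa, Héctor-Gabriel and Tabares-Soto, Reinel},
  url       = {https://ieeexplore.ieee.org/document/10172186},
  doi       = {10.1109/ACCESS.2023.3292267},
  issn      = {2169-3536},
  year      = {2023},
  date      = {2023-07-04},
  urldate   = {2023-07-04},
  journal   = {IEEE Access},
  volume    = {11},
  pages     = {70542--70559},
  abstract  = {One of the fields where Artificial Intelligence (AI) must continue to innovate is computer security. The integration of Wireless Sensor Networks (WSN) with the Internet of Things (IoT) creates ecosystems of attractive surfaces for security intrusions, being vulnerable to multiple and simultaneous attacks. This research evaluates the performance of supervised ML techniques for detecting intrusions based on network traffic captures. This work presents a new balanced dataset (IDSAI) with intrusions generated in attack environments in a real scenario. This new dataset has been provided in order to contrast model generalization from different datasets. The results show that for the detection of intruders, the best supervised algorithms are XGBoost, Gradient Boosting, Decision Tree, Random Forest, and Extra Trees, which can generate predictions when trained and predicted with ten specific intrusions (such as ARP spoofing, ICMP echo request Flood, TCP Null, and others), both of binary form (intrusion and non-intrusion) with up to 94\% of accuracy, as multiclass form (ten different intrusions and non-intrusion) with up to 92\% of accuracy. In contrast, up to 90\% of accuracy is achieved for prediction on the Bot-IoT dataset using models trained with the IDSAI dataset.},
  keywords  = {compromise, intrusion detection system, IoT},
  pubstate  = {published},
  tppubtype = {article}
}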