Tipo de publicación: Conference Paper

Publicado en: 2019 IV Jornadas Costarricenses de Investigación en Computación e Informática (JoCICI)

Descripción:

Over the past years the use of anonymization services has gained significant relevance as more users are interested in protecting their data and privacy on the internet. One of the most popular ways to achieve this result is Tor. The anonymity and untraceability that Tor provides, however, can also be used by ill-intentioned users who try to take advantage of bypassing security control and policies. The Cybersecurity and Infrastructure Security Agency (CISA) mentions two methods of recognizing Tor traffic in the enterprise: indicator- or behavior-based analysis. The first one uses log analysis and lists of Tor exit nodes to identify the suspicious activity while the latter inspects patterns in TCP and UDP ports, DNS queries and inspecting the payload of the packets. In this paper, we propose a different approach using white-box machine learning models such as decision trees and Random Forest. On the one hand, our classifier achieves accuracy levels above 95%. On the other hand, our approach is the first one to allow understanding the importance of each traffic feature in the classification. Our results demonstrate that the TCP window size, the frame size and time related traffic features can be used to identify Tor traffic. In this paper we will describe a Machine Learning methodology used to identify Tor network traffic utilizing decision trees C5.0 and Random Forest. We followed a white-box approach and accomplished accuracy of over 95% in the prediction in both models. We also present an analysis of the importance of the top predictor variables.

Tipo de publicación: Conference Paper

Publicado en: 2020 IEEE Latin-American Conference on Communications (LATINCOM)

Descripción:

An asynchronous classifier of network flows was developed to detect Slowloris attacks. This classifier was implemented using random forests and its effectiveness was measured by the area under the ROC curve. These random forests were trained from a public dataset. We sought to minimize the number of necessary features that are required to analyze the flows satisfactorily. Finally, it was shown that the chosen features can be used individually to obtain reliable detections in the classifier, with two of the three individual features having an area under the curve greater than 0.95.

Tipo de publicación: Conference Paper

Publicado en: 2021 IEEE V Jornadas Costarricenses de Investigación en Computación e Informática (JoCICI)

Descripción:

Malicious domains are often hidden amongst benign DNS requests. Given that DNS traffic is generally permitted, blocking malicious requests is a challenge for most network defenses. Using machine learning to classify DNS requests enables a scalable alternative to programmable blocklists. Studies in this field often reduce their dataset scope to a a single attack behavior. However, organizations are being hit by a myriad of attack patterns across multiple objectives, reducing the scope means closing the door to classifier operationalization in a real-world environment. In this paper, we propose a broader and more challenging scenario for our dataset by combining the four DNS malicious behaviors: malware, phishing, spam and botnet with legitimate domains samples. We use Splunk and its Machine Learning Toolkit to create, test and validate our classifier. We extract 12 static features from the domain name and analyze their weight on the prediction. We compared two supervised learning algorithms and measure their accuracy for such challenging environment. We obtained an 88% of accuracy by using Random Forest algorithm against Decision Tree 87%.

Tipo de publicación: Conference Paper

Publicado en: NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

Descripción:

Smart buildings are increasingly becoming more common and changing the way we interact with our home, workplace, and cities. Consequently, it is important to study how human factors play a role in smart building-based environments. This research focuses on the privacy and productivity of human factors, and presents the results of two complementary evaluations: a survey in which people’s privacy concerns were analyzed and an assessment that quantifies if smart building functionalities impacts people’s productivity.

Tipo de publicación: Conference Paper

Publicado en: Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022)

Descripción:

The usage of IoT devices is rapidly growing. Many users may want to add them to their homes to automate certain tasks, help themselves with information, or monitor their environment continuously. Quick IoT development is taking place on privacy, protocols, and other areas. However, the user interface area is being left out of the efforts. Mobile applications and websites are focused on technical requirements only. Research is not focused on the interaction of the user with the application, so standards and/or tendencies may not be utilized. This investigation aims to implement a smart house application interface focused on the user instead of the technical requirements. To start, the card sorting technique is used to group IoT devices into meaningful groups for users. Then, an interface prototype of a smart house application is created with the feedback obtained from the card sorting activity. Finally, the prototype is evaluated by using a standardized questionnaire.

Tipo de publicación: Conference Paper

Publicado en: International Conference on Ubiquitous Computing and Ambient Intelligence

Descripción:

The amount of users interested in protecting their data and privacy on the Internet has increased lately. This has augmented the popularity of anonymization services such as Tor. However, the anonymization and the complication of being tracked provided by Tor has also been used for illintended purposes, such as evading security policies and controls. In this work, we implemented and evaluated an offline Tor traffic detector using white-box machine learning algorithms such as decision trees and random forests. On the one hand, our classifier achieves precision levels above 99 %. On the other hand, our approach is the first one to allow understanding and interpreting the classifier, thus understanding which variables play a significant role in the classification. We show that TCP window size, packet size and some time-related features can be used to identify Tor traffic.

Tipo de publicación: Conference Paper

Publicado en: 2023 XLIX Latin American Computer Conference (CLEI)

Descripción:

Malicious URLs are constantly used for phishing, malware distribution and other illegal activities. Because benign URLs are needed for the Internet to function, malicious URLs are hard to block. While several works have focused on offline classification of malicious URLs, real-time detection still needs to be investigated. This paper evaluates the performance of real-time malicious URL detection using two techniques: blacklist methods and machine learning methods, deployed in both local and cloud environments. The study highlights significant differences in latency and connection failure rates under various load conditions, providing insights into the strengths and limitations of each approach. The blacklist method consistently demonstrates lower latency, making it suitable for scenarios requiring quick response times, though its stability may be compromised under high loads in a local setup. In contrast, the machine learning method offers advanced detection capabilities but exhibits higher latency, particularly in local environments, due to its resource-intensive nature. The cloud environment mitigates some latency issues but still lags behind the blacklist method in terms of speed. The findings emphasize that most latency stems from the verification process, with the local environment requiring significant optimization to reduce delays. The study concludes that implementing a proxy for real-time URL detection is viable, especially in cloud environments, where resource management can better handle increased demand.

Tipo de publicación: Conference Paper

Publicado en: 2024 IEEE Latin-American Conference on Communications (LATINCOM)