publications
publications by categories in reversed chronological order. generated by jekyll-scholar.
2027
- CISIS 2026
Deep Sets for Network Flow Anomaly Detection Under a Multiple Instance Learning Framework
Alberto Miguel-Diez, Adrián Campazas-Vega, Claudia Álvarez-Aparicio, and 2 more authors
In Computational Intelligence in Security for Information Systems, 2027
The detection of malicious activity in high-throughput networks remains a challenging task due to the limitations of packet-level inspection and the growing volume of traffic generated in modern infrastructures. Flow-based analysis has emerged as a scalable alternative; however, most existing machine learning approaches operate at the individual flow level, which may fail to capture collective attack behaviors and often produce an excessive number of alerts. In this work, we propose a network intrusion detection framework based on Multiple Instance Learning (MIL), where network flows are grouped into bags and classified at the set level. To model the set-structured nature of the data, we employ a Deep Sets architecture enhanced with a top-k pooling mechanism, which allows the model to focus on the most informative instances within each bag and mitigates the dilution effect caused by predominantly benign traffic. The proposed approach is evaluated on the NF-CSE-CIC-IDS2018-v3 dataset, a widely used NetFlow-based benchmark. Experimental results demonstrate that the model achieves strong and balanced performance, obtaining an accuracy of 0.9528 and comparable precision and recall for both benign and malicious classes. These findings indicate that the proposed MIL-based Deep Sets framework is an effective and practical solution for flow-based network anomaly detection.
@inproceedings{10.1007/978-3-032-29251-3_3, author = {Miguel-Diez, Alberto and Campazas-Vega, Adri{\'a}n and {\'A}lvarez-Aparicio, Claudia and Sobr{\'i}n-Hidalgo, David and Guerrero-Higueras, {\'A}ngel Manuel}, editor = {Corchado, Emilio and Quinti{\'a}n, H{\'e}ctor and P{\'e}rez Garc{\'i}a, Hilde and Calvo Rolle, Jos{\'e} Luis and Ramos, S{\'e}rgio Filipe and Mart{\'i}nez de Pis{\'o}n, Francisco Javier and Fosci, Paolo}, title = {Deep Sets for Network Flow Anomaly Detection Under a Multiple Instance Learning Framework}, booktitle = {Computational Intelligence in Security for Information Systems}, year = {2027}, publisher = {Springer Nature Switzerland}, address = {Cham}, pages = {28--40}, isbn = {978-3-032-29251-3}, doi = {10.1007/978-3-032-29251-3_3} }
2026
- CISIS 2025
Unsupervised Online Learning for Network Flow Anomaly Detection: A Comparative Evaluation
Alberto Miguel-Diez, Claudia Álvarez-Aparicio, Adrián Campazas-Vega, and 2 more authors
In Computational Intelligence in Security for Information Systems, 2026
Anomaly detection in network traffic is a crucial task for ensuring the security and integrity of communication systems. Traditional supervised machine learning models often achieve high accuracy but rely heavily on labeled datasets, which are costly to obtain and may become outdated. To address this limitation, this paper explores the use of unsupervised and online learning techniques for anomaly detection in network flow data. In this work, we compare three approaches: a baseline exact-match dictionary method, a supervised Decision Tree classifier, and an online One-Class SVM implemented using the River framework. The evaluation is performed on a real-world NetFlow-based dataset enriched with synthetic anomalies to simulate realistic threat scenarios. Results indicate that the online One-Class SVM achieves a high detection rate (recall = 0.9861) with a low false positive rate (FPR = 0.0118), highlighting its suitability for dynamic environments where adaptability and low maintenance are critical. This study demonstrates the potential of online unsupervised learning as a practical alternative to traditional models in network anomaly detection tasks.
@inproceedings{10.1007/978-3-032-19770-2_2, author = {Miguel-Diez, Alberto and {\'A}lvarez-Aparicio, Claudia and Campazas-Vega, Adri{\'a}n and Matell{\'a}n-Olivera, Vicente and Guerrero-Higueras, {\'A}ngel Manuel}, editor = {Corchado, Emilio and Quinti{\'a}n, H{\'e}ctor and P{\'e}rez Garc{\'i}a, Hilde and Calvo Rolle, Jos{\'e} Luis and Ramos, S{\'e}rgio Filipe and Mart{\'i}nez de Pis{\'o}n, Francisco Javier and Herrero Cos{\'i}o, {\'A}lvaro and Fosci, Paolo}, title = {Unsupervised Online Learning for Network Flow Anomaly Detection: A Comparative Evaluation}, booktitle = {Computational Intelligence in Security for Information Systems}, year = {2026}, publisher = {Springer Nature Switzerland}, address = {Cham}, pages = {13--22}, isbn = {978-3-032-19770-2}, doi = {10.1007/978-3-032-19770-2_2} }
- IEEE Access
Detecting Automated SQL Injection Attacks in Flow-Based Networks: A Comparative Analysis of Deep Learning and Traditional Approaches in Sampled and Unsampled Flow Data
Adrián Campazas-Vega, Alberto Miguel-Diez, Claudia Álvarez-Aparicio, and 2 more authors
IEEE Access, 2026
SQL injections are widely recognized as highly damaging attacks, ranking among the top threats in the OWASP Top 10 list. The literature has already addressed the problem of detecting SQLIA by analyzing the payload of network packets. However, certain networks face the challenge of handling an overwhelming amount of traffic, making it computationally infeasible to inspect every network packet. Consequently, these networks resort to using lightweight flow-based protocols and implement packet sampling techniques during flow generation. This paper aims to demonstrate the feasibility of detecting SQLIA in networks utilizing flow-based protocols and implementing packet sampling. Moreover, we present evidence to support the assertion that a deep learning-based approach outperforms traditional algorithms in detecting SQLIA in networks that rely on network flows employing packet sampling.
@article{11503229, author = {Campazas-Vega, Adrián and Miguel-Diez, Alberto and Álvarez-Aparicio, Claudia and Matellán-Olivera, Vicente and Guerrero-Higueras, Ángel Manuel}, journal = {IEEE Access}, title = {Detecting Automated SQL Injection Attacks in Flow-Based Networks: A Comparative Analysis of Deep Learning and Traditional Approaches in Sampled and Unsampled Flow Data}, year = {2026}, volume = {14}, number = {}, pages = {69143-69160}, keywords = {Payloads;Aerospace engineering;Military aircraft;Space technology;Filtering;Filters;Central Processing Unit;Circuits and systems;Communication systems;Radio frequency;Cybersecurity;deep learning;machine learning;multilayer perceptron;NetFlow;network anomaly detection;network traffic analysis;packet sampling;SQL injection attack}, doi = {10.1109/ACCESS.2026.3689760}, issn = {2169-3536}, month = {}, }
2025
- arXiv
Anomaly detection in network flows using unsupervised online machine learning
Alberto Miguel-Diez, Adrián Campazas-Vega, Ángel Manuel Guerrero-Higueras, and 2 more authors
2025
- LJIGPL
A systematic literature review of unsupervised learning algorithms for anomalous traffic detection based on flows
Alberto Miguel-Diez, Adrián Campazas-Vega, Claudia Álvarez-Aparicio, and 2 more authors
Logic Journal of the IGPL, Dec 2025
The constant increase of devices connected to the Internet, and therefore of cyber-attacks, makes it necessary to analyse network traffic in order to recognize malicious activity. Traditional packet-based analysis methods are insufficient because in large networks the amount of traffic is so high that it is unfeasible to review all communications. For this reason, network flows are a suitable approach for this situation, which in future 5G networks will have to be used, as the number of packets will increase dramatically. If this is also combined with unsupervised learning models, it can detect new threats for which it has not been trained. This paper presents a systematic review of the literature on unsupervised learning algorithms for detecting anomalies in network flows, following the PRISMA guideline. A total of 63 scientific articles have been reviewed, analysing 15 of them in depth. The results obtained show that autoencoder is the most used option, followed by SVM, ALAD, or SOM. On the other hand, all the datasets used for anomaly detection have been collected, including some specialised in IoT or with real data collected from honeypots.
@article{systematicreviewunsupervisedanomalydetection, author = {Miguel-Diez, Alberto and Campazas-Vega, Adrián and Álvarez-Aparicio, Claudia and Esteban-Costales, Gonzalo and Guerrero-Higueras, Ángel Manuel}, title = {A systematic literature review of unsupervised learning algorithms for anomalous traffic detection based on flows}, journal = {Logic Journal of the IGPL}, volume = {34}, number = {1}, pages = {jzaf020}, year = {2025}, month = dec, issn = {1367-0751}, doi = {10.1093/jigpal/jzaf020}, url = {https://doi.org/10.1093/jigpal/jzaf020}, eprint = {https://academic.oup.com/jigpal/article-pdf/34/1/jzaf020/65735847/jzaf020.pdf}, }
2024
- CISIS 2024
Exploring the Landscape of Honeypots in the Fight Against Cyber Threats: A Systematic Mapping of Literature
Alberto Miguel-Diez, Rodrigo González-Fernández, Gonzalo Esteban-Costales, and 4 more authors
In International Joint Conferences, Dec 2024
The steady increase in cyber threats highlights the need to strengthen cybersecurity defenses. In this context, honeypots emerge as crucial tools for detecting and mitigating such threats. A honeypot is a computer decoy that simulates having certain vulnerabilities that are attractive to a cybercriminal, allowing observation and analysis of the attack and the techniques used on the decoy. This article presents a systematic literature review of honeypots, analyzing the most commonly used characteristics and protocols following the PRISMA guidelines. A total of 258 scientific articles were reviewed, with 17 of them analyzed in depth. The results showed that the most commonly used protocols were HTTP and HTTPS, and the areas with the most available honeypots are those related to web applications and IoT devices. Additionally, lists have been compiled grouping honeypots by field of action, type of interaction, and protocol, with the aim of identifying aspects of honeypot development that require further investigation in future research.
@inproceedings{10.1007/978-3-031-75016-8_17, author = {Miguel-Diez, Alberto and Gonz{\'a}lez-Fern{\'a}ndez, Rodrigo and Esteban-Costales, Gonzalo and Vega-Gonz{\'a}lez, Christian and Campazas-Vega, Adri{\'a}n and Matell{\'a}n-Olivera, Vicente and Guerrero-Higueras, {\'A}ngel Manuel}, editor = {}, title = {Exploring the Landscape of Honeypots in the Fight Against Cyber Threats: A Systematic Mapping of Literature}, booktitle = {International Joint Conferences}, year = {2024}, publisher = {Springer Nature Switzerland}, address = {Cham}, pages = {179--190}, isbn = {978-3-031-75016-8}, doi = {10.1007/978-3-031-75016-8_17}, }
- CEUR
Cybersecurity Issues in Robotic Platforms
A. Campazas-Vega, A. Miguel-Diez, M. Hermida-López, and 3 more authors
CEUR Workshop Proceedings, Dec 2024
2023
- JNIC 2023
Evaluación de la seguridad en el robot cuadrúpedo A1 de Unitree Robotics
Alberto Miguel Díez, Adrián Campazas Vega, Beatriz Castro, and 3 more authors
In Actas de las VIII Jornadas Nacionales de Investigación en Ciberseguridad: Vigo, 21 a 23 de junio de 2023, Dec 2023