Enhancing cyber-threat intelligence with the support of automated learning and process mining techniques

Projects and Activities

ModSecIntl: A machine learning-assisted web application firewall

The general objective of this project is the conception and development of automated mechanisms for the identification, analysis and prevention of computer attacks on web applications. The technological result of the project will be a Minimum Viable Product (MVP) consisting of models and tools that allow automated support to these mechanisms.

With the aim of improving the detection capacity and/or the reduction of false positives of the WAF ModSecurity we have conceived a framework whose architecture is shown in the figure below:

[Figure: architecture of the ModSecIntl framework]

The main idea is to combine the flexibility provided by the classification procedures obtained from the definition of machine learning models with the codified knowledge integrated in the specification of the rules used by the WAF to detect attacks. A major challenge is being able to provide the ability to integrate user-defined learning models with the ModSecurity rule decision engine. This framework incorporates a model development environment and a classifier module called the Web Attack Classification Engine (WACE).

Team

Team: Gustavo Betarte, Daniel Calegari, Juan Diego Campo, Rodrigo Martínez, Nicolás Montes, Álvaro Pardo, Fernando Outeda, Amanda Riverol, Marcelo Rodríguez, Felipe Zipitría.

Funding

Funding: Partially funded by a grant from Fondo de Innovación en Ciberseguridad de la OEA, Cisco y Fundación Citi. 2021-2022.

Automation of knowledge derivation for the assurance of computer systems

The objective of this project was the definition and development of techniques that allow incorporating the use and adaptation of machine learning techniques, data mining and model-driven security for the construction of tools capable of increasing the level of assurance of web applications. The development of attack detection techniques, in particular, involves procedures that help to discern between the behavior of a valid user of the system and a malicious (human or mechanical) actor. The identification and classification of an unforeseen (anomalous) behavior must take into account if a detected event is simply suspicious, or if in fact it is an event that is part of a security incident, and particularly an attack.

Team

Team: Gustavo Betarte, Daniel Calegari, Juan Diego Campo, Juan José Goyeneche, Rodrigo Martínez, Nicolás Montes, Álvaro Pardo, Marcelo Rodríguez.

Funding

Funding: Partially funded by a grant from Fondo María Viñas, Research and Innovation National Agency (ANII, Uruguay). 2018-2021.

WAFIntl

The general objective of this project was the conception and development of automated identification mechanisms, as well as the analysis and prevention of computer attacks on web applications. It also focused on the development of cyber-intelligence processes that provide support for the systematic treatment of analysis tasks. The specific objectives of the project were: the development of attack detection techniques and determination of attackers profiles, the conception, design and implementation of a high-level interaction honeypot for the registration and analysis of attack vectors and the conception and development of tools for automated support of cyber threat intelligence techniques.

Team

Team: Gustavo Betarte, Eduardo Giménez, Rodrigo Martínez, Nicolás Montes, Álvaro Pardo, Marcelo Rodríguez.

Funding

Funding: Partially funded by grants from ICT4V, 2015-2018.

Team

WAF Mind team

Gustavo Betarte, Daniel Calegari, Juan Diego Campo, Rodrigo Martínez, Nicolás Montes, Álvaro Pardo, Amanda Riverol Quesadas, Marcelo Rodríguez, Felipe Zipitría.

Gustavo Betarte

Gustavo Betarte received a BSc degree in Computer Engineering (1990) from Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar), and an MSc (1993) and a PhD (1998) in Computing Science from the University of Gothenburg, Sweden. He is a Full Professor in the Department of Computer Science (InCo) and principal researcher and head of the Computer Security team (GSI) of FING-Udelar. Dr. Betarte is a member of the Uruguayan Researchers National System (SNI, Level II) and an active researcher (Grado 4) of the Informatics Area of PEDECIBA. Since 2006 he has been the Technical Director of the Computer Security Consulting Team of Tilsor SA, an Uruguayan IT company.

His research interests include formal methods, program verification, software and system security and foundations of computer science. He is currently working on applying knowledge discovery techniques for adaptive software security, the formal definition and verification of security properties of cryptocurrency protocols, and the design and implementation of security training platforms (Cyber Ranges). For more detailed information please check the full CV and DBLP list of publications.

Daniel Calegari

Daniel Calegari received a B.Eng. degree in Computer Engineering (2003) from Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar), and an MSc (2007) and a PhD (2014) in Computing Science from PEDECIBA, Uruguay. He is an Associate Professor in the Department of Computer Science (InCo) and principal researcher and head of the COAL research group of FING-Udelar. Dr. Calegari is a member of the Uruguayan Researchers National System (SNI, Level I) and an active researcher (Grado 3) of the Informatics Area of PEDECIBA.

His research interests focus on the adoption of Model-Driven Engineering (MDE) as a software engineering paradigm. He is currently working on the use of models in heterogeneous contexts (e.g., for Business Process Management) to support logical reasoning and automatic code generation. For more detailed information please check the full CV and DBLP list of publications.

Juan Diego Campo

Juan Diego Campo received a BSc degree in Computer Engineering (2009) from Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar), and a PhD (2016) in Computing Science from PEDECIBA Informática, Uruguay. He is a lecturer in the Department of Computer Science (InCo) and a member of the Computer Security team (GSI) of FING-Udelar. Dr. Campo is an active researcher (Grado 3) of the Informatics Area of PEDECIBA.

His research interests include formal methods, program verification, software and system security and foundations of computer science. He is currently working on the application of knowledge discovery techniques for adaptive software security and the security of cyber-physical systems. For more detailed information please see the DBLP list of publications.

Rodrigo Martínez

Rodrigo Martínez received a BSc degree in Computer Engineering (2009) from Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar), and an MSc (2019) in Computing Science from PEDECIBA Informática, Uruguay. He is a lecturer in the Department of Computer Science (InCo) and a member of the Computer Security team (GSI) of FING-Udelar. He has worked as an IT security consultant at Tilsor SA since 2009 and is a member of the company's Incident Response Team (CSIRT-Tilsor). Since 2018 he has been the technical leader of Tilsor's computer security team.

His research interests include application and web application security and the use of machine learning techniques applied to web application security. For more detailed information please check the full CV.

Nicolás Montes

Nicolás Montes received a BSc degree in Statistics (2018) from Facultad de Economía de la Universidad de la República, Uruguay, and is currently finishing an MSc in Machine Learning and Data Science at Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar).

His research interests focus on Machine Learning and Deep Learning, with applications in different areas like Text Processing, Computer Vision, and Network Analysis. He is currently working on applying machine learning and deep learning techniques to increase the level of assurance of web applications.

Álvaro Pardo

Álvaro Pardo holds a doctorate in Electrical Engineering from the University of the Republic (2003). He is a Professor in the Department of Engineering of the Catholic University of Uruguay and a specialist in image processing and machine learning. He is a founding partner of Digital Sense, a company dedicated to R&D projects in computer vision and machine learning.

Amanda Riverol Quesadas

Amanda Riverol Quesada received her B.Sc. (2015) and M.Sc. (2018) degrees in Computer Science from the Universidad Central “Marta Abreu” de Las Villas (Cuba). She is an Artificial Intelligence specialist in the area of Knowledge-Based Systems. She is currently a Ph.D. student in the Informatics area of PEDECIBA. Since 2020 she has been a member of the Computer Security Consulting Team of Tilsor SA. Her research interests include the use of automated learning techniques applied to web application security.

Marcelo Rodríguez

Marcelo Rodríguez received a BSc degree in Computer Engineering (2007) from Facultad de Ingeniería de la Universidad de la República, Uruguay. He is currently a Master's student in Computing Science at PEDECIBA Informática, Uruguay. He is a lecturer in the Department of Computer Science (InCo) and a member of the Computer Security team (GSI) of FING-Udelar. He has worked as an IT security consultant at Tilsor since 2009 and is a member of the company's Incident Response Team (CSIRT-Tilsor). His research interests include attacker profiling in cybersecurity, digital forensic analysis, and the development of methodologies and tools for the correlation of threat indicators.

Felipe Zipitría

Felipe Zipitría received a BSc degree in Computer Engineering (1999) from Facultad de Ingeniería de la Universidad de la República, Uruguay (FING-Udelar), and an MSc (2008) in Computing Science from PEDECIBA Informática, Uruguay. He is a lecturer in the Department of Computer Science (InCo) and a member of the Computer Security team (GSI) of FING-Udelar.

Publications


Articles in Journals and Conferences

M. Rodríguez, G. Betarte, D. Calegari, Discovering attacker profiles using process mining and the MITRE ATT&CK taxonomy. 12th Latin-American Symposium on Dependable and Secure Computing (LADC 2023) (2023).

N. Montes, G. Betarte, R. Martínez, A. Pardo, Web Application Attacks Detection Using Deep Learning Techniques. 25th Iberoamerican Congress on Pattern Recognition, CIARP 25 (2021).

M. Bruno, P. Ibañez, T. Techera, D. Calegari, G. Betarte, Exploring the Application of Process Mining Techniques to Improve Web Application Security, CLEI 2021 (2021).

M. Rodríguez, G. Betarte, D. Calegari, A Process Mining-based approach for Attacker Profiling, IEEE URUCON 2021 (2021).

R. Martínez, Enhancing web application attack detection using machine learning, LADC 18, Student Forum (2018).

G. Betarte, E. Giménez, R. Martínez, A. Pardo, Improving Web Application Firewalls through Anomaly Detection. International Conference on Machine Learning and Applications 2018: 779-784 (2018).

G. Betarte, A. Pardo, R. Martínez, Web Application Attacks Detection Using Machine Learning Techniques. International Conference on Machine Learning and Applications 2018: 1065-1072 (2018).

Preprints

G. Betarte, E. Giménez, R. Martínez, A. Pardo, Machine learning-assisted virtual patching of web applications. CoRR abs/1803.05529 (2018).

Theses

Master theses

Nicolás Montes, Web application attacks detection using deep learning, Master Thesis, Ingeniería Matemática (October 2021).

Rodrigo Martínez, Enhancing web application attack detection using machine learning, Master Thesis, Pedeciba Informática (November 2019).

Graduate theses

E. Cuttica, F. Outeda, WACE: Un integrador de clasificadores de ataques web, Computer Engineer, FING-Udelar (2021).

I. Monzalvo, J.P. Martínez, WAF NextGen, Computer Engineer, FING-Udelar (2021).

M. Bruno, P. Ibañez, T. Techera, Minería de procesos para la mejora de la seguridad de aplicaciones web, Computer Engineer, FING-Udelar (2020).

F. Pernas, A. Sánchez, N. Zeballos, Web Honeypot, Computer Engineer, FING-Udelar (2020).

Contact
