{"id":643,"date":"2022-03-05T12:33:11","date_gmt":"2022-03-05T11:33:11","guid":{"rendered":"http:\/\/localhost\/neus-cslab\/?page_id=643"},"modified":"2024-12-16T18:29:12","modified_gmt":"2024-12-16T17:29:12","slug":"coincyde","status":"publish","type":"page","link":"https:\/\/dtstc.ugr.es\/neus-cslab\/proyectos-idi\/coincyde\/","title":{"rendered":"Coincyde"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"643\" class=\"elementor elementor-643\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d4c7e28 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d4c7e28\" data-element_type=\"section\" data-e-type=\"section\" id=\"inicio\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-33 elementor-top-column elementor-element elementor-element-3c409f5\" data-id=\"3c409f5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4030b9a elementor-widget elementor-widget-image\" data-id=\"4030b9a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"705\" src=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/A-Computer-System-Hacked-Warning-1144604245_5300x3650-1024x705-1.jpeg\" class=\"attachment-large size-large wp-image-500\" alt=\"\" srcset=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/A-Computer-System-Hacked-Warning-1144604245_5300x3650-1024x705-1.jpeg 1024w, 
https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/A-Computer-System-Hacked-Warning-1144604245_5300x3650-1024x705-1-300x207.jpeg 300w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/A-Computer-System-Hacked-Warning-1144604245_5300x3650-1024x705-1-768x529.jpeg 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-257cd65 elementor-position-inline-start elementor-view-default elementor-mobile-position-block-start elementor-widget elementor-widget-icon-box\" data-id=\"257cd65\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-box-wrapper\">\n\n\t\t\t\t\t\t<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span  class=\"elementor-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"far fa-calendar-alt\"><\/i>\t\t\t\t<\/span>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t\t\t\t<div class=\"elementor-icon-box-content\">\n\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span  >\n\t\t\t\t\t\t\tPeriodo\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\t1-SEPT-2021 a 31-AGO-2024\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73c1b5f elementor-widget elementor-widget-progress\" data-id=\"73c1b5f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"progress.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<span class=\"elementor-title\" id=\"elementor-progress-bar-73c1b5f\">\n\t\t\t\tProgreso\t\t\t<\/span>\n\t\t\n\t\t<div aria-labelledby=\"elementor-progress-bar-73c1b5f\" class=\"elementor-progress-wrapper\" role=\"progressbar\" aria-valuemin=\"0\" 
aria-valuemax=\"100\" aria-valuenow=\"100\">\n\t\t\t<div class=\"elementor-progress-bar\" data-max=\"100\">\n\t\t\t\t<span class=\"elementor-progress-text\"><\/span>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-progress-percentage\">100%<\/span>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-66 elementor-top-column elementor-element elementor-element-58baba8\" data-id=\"58baba8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a662cc8 elementor-widget elementor-widget-heading\" data-id=\"a662cc8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Detecci\u00f3n de ciberataques en \u201cindustria conectada\u201d e IoT mediante integraci\u00f3n y correlaci\u00f3n de alertas multifuente \n(COINCYDE)<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53bd27e2 elementor-position-inline-start elementor-view-default elementor-mobile-position-block-start elementor-widget elementor-widget-icon-box\" data-id=\"53bd27e2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-box-wrapper\">\n\n\t\t\t\t\t\t<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span  class=\"elementor-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-barcode\"><\/i>\t\t\t\t<\/span>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t\t\t\t<div class=\"elementor-icon-box-content\">\n\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span  >\n\t\t\t\t\t\t\tReferencia 
\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tPID2020-115199RB-I00\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8656e0b elementor-position-inline-start elementor-view-default elementor-mobile-position-block-start elementor-widget elementor-widget-icon-box\" data-id=\"8656e0b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-box-wrapper\">\n\n\t\t\t\t\t\t<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span  class=\"elementor-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-landmark\"><\/i>\t\t\t\t<\/span>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t\t\t\t<div class=\"elementor-icon-box-content\">\n\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span  >\n\t\t\t\t\t\t\tOrganismos \/ empresas\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\tMinisterio de Ciencia e Innovaci\u00f3n\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-901bf72 elementor-position-inline-start elementor-view-default elementor-mobile-position-block-start elementor-widget elementor-widget-icon-box\" data-id=\"901bf72\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-box-wrapper\">\n\n\t\t\t\t\t\t<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span  class=\"elementor-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-graduation-cap\"><\/i>\t\t\t\t<\/span>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t\t\t\t<div 
class=\"elementor-icon-box-content\">\n\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span  >\n\t\t\t\t\t\t\tInvestigadores\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\t \t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-019f81b elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"019f81b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"\/neus-cslab\/personal\/jedv\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"far fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Jes\u00fas E. 
D\u00edaz Verdejo - IP<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"far fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Juan Carlos Cubero Talavera  - IP<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-451544e elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"451544e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Francisco Cortijo Bon<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"\/neus-cslab\/personal\/aea\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Antonio Estepa Alonso<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"\/neus-cslab\/personal\/rea\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Rafael Estepa 
Alonso<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"\/neus-cslab\/personal\/gm\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Germ\u00e1n  Madinabeitia Luque<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Olga Pons Capote<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9425461 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"9425461\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Amparo Vila Miranda (baja por jubilaci\u00f3n)<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-028f966 elementor-position-inline-start elementor-view-default elementor-mobile-position-block-start elementor-widget elementor-widget-icon-box\" data-id=\"028f966\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"icon-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-box-wrapper\">\n\n\t\t\t\t\t\t<div class=\"elementor-icon-box-icon\">\n\t\t\t\t<span  class=\"elementor-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-graduation-cap\"><\/i>\t\t\t\t<\/span>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t\t\t\t<div class=\"elementor-icon-box-content\">\n\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-icon-box-title\">\n\t\t\t\t\t\t<span  >\n\t\t\t\t\t\t\tEquipo de trabajo\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<p class=\"elementor-icon-box-description\">\n\t\t\t\t\t\t \t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bc3adea elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"bc3adea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Vicente Mayor Gallego<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-user\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Agust\u00edn W. 
Lara<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-95c8db3 elementor-position-right elementor-vertical-align-bottom elementor-widget elementor-widget-image-box\" data-id=\"95c8db3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><figure class=\"elementor-image-box-img\"><img decoding=\"async\" width=\"360\" height=\"103\" src=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/descarga.png\" class=\"attachment-full size-full wp-image-767\" alt=\"\" srcset=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/descarga.png 360w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/descarga-300x86.png 300w\" sizes=\"(max-width: 360px) 100vw, 360px\" \/><\/figure><div class=\"elementor-image-box-content\"><p class=\"elementor-image-box-description\">Este proyecto est\u00e1 financiado por  MCIN\/ AEI\/10.13039\/501100011033\/<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cb48536 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cb48536\" data-element_type=\"section\" data-e-type=\"section\" id=\"resumen\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5bceb0f\" data-id=\"5bceb0f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element 
elementor-element-73881d1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"73881d1\" data-element_type=\"section\" data-e-type=\"section\" id=\"resumen\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-a2e6fc9\" data-id=\"a2e6fc9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a452ea5 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"a452ea5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#inicio\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Inicio<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-b8ffa6c\" data-id=\"b8ffa6c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a103a3d elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"a103a3d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link 
elementor-size-md\" href=\"#resumen\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resumen<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-be95d67\" data-id=\"be95d67\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c85fd2f elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"c85fd2f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#antecedentes\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">antecedentes<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-297ba9c\" data-id=\"297ba9c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0fbcf4f elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"0fbcf4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button 
elementor-button-link elementor-size-md\" href=\"#objetivos\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Objetivos<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-7ba089c\" data-id=\"7ba089c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-49b4a68 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"49b4a68\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#propuesta\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Propuesta<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-2a87b13\" data-id=\"2a87b13\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5cb754a elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"5cb754a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a 
class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resultados\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resultados<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b2c7ff4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b2c7ff4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e52ea1f\" data-id=\"e52ea1f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-372944a elementor-widget elementor-widget-heading\" data-id=\"372944a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Resumen<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c8c5ece elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"c8c5ece\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Los sistemas de monitorizaci\u00f3n de la 
seguridad en red (NSM) se encuentran hoy en d\u00eda entre los componentes m\u00e1s relevantes para la detecci\u00f3n y respuesta a los ciberataques. Sin embargo, sus capacidades de detecci\u00f3n se limitan en su mayor\u00eda a ataques conocidos y tienden a generar una gran cantidad de alertas, muchas de las cuales son falsos positivos. As\u00ed, los operadores de ciberseguridad (CSO) deben supervisar una gran cantidad de alertas para determinar la ocurrencia real de incidentes, mientras que algunos de ellos permanecen sin ser detectados. Este proyecto tiene como objetivo desarrollar nuevas t\u00e9cnicas para mejorar las capacidades de detecci\u00f3n mediante la adici\u00f3n de nuevos m\u00e9todos basados en anomal\u00edas combinados con la correlaci\u00f3n y priorizaci\u00f3n de alertas incorporando informaci\u00f3n contextual de la red. Esto mejorar\u00e1 la calidad de las alertas y reducir\u00e1 la tasa de falsos positivos.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">En esta propuesta se plantea el desarrollo de un NSM espec\u00edfico para plantas industriales con elementos del Internet of Things (IoT) y, m\u00e1s concretamente en uno de sus usos verticales: las SmartCity. Las instalaciones que pueden beneficiarse de la soluci\u00f3n objeto de este proyecto son aquellas que permiten el control y monitorizaci\u00f3n de parques de dispositivos inteligentes (IoT, SmartCity), desde una aplicaci\u00f3n o servicio web que se utiliza como interfaz de usuario para la gesti\u00f3n de servicios inteligentes. La elecci\u00f3n del escenario tiene una triple motivaci\u00f3n. Primero, por la gran relevancia y expansi\u00f3n de este tipo de redes en la actualidad. Segundo, el escenario plantea una serie dificultades y requisitos espec\u00edficos que no han sido convenientemente abordados en los SIEM actuales. 
Y tercero, la selecci\u00f3n del escenario permite acotar el contexto, lo que posibilita un abordaje adecuado de la incorporaci\u00f3n de informaci\u00f3n contextual.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">El sistema a desarrollar incorporar\u00e1 m\u00faltiples detectores, incluyendo los usados habitualmente, considerando nuevos detectores espec\u00edficos para el escenario que est\u00e1n orientados a las diversas amenazas existentes. As\u00ed, se desarrollar\u00e1n detectores basados en anomal\u00edas a nivel del tr\u00e1fico observado (flujos), a nivel de aplicaci\u00f3n (sensorizaci\u00f3n) y a nivel de los servicios web usados para la operaci\u00f3n remota. Adicionalmente, se har\u00e1 uso de t\u00e9cnicas de inteligencia artificial para la correlaci\u00f3n y priorizaci\u00f3n de las alertas incorporando informaci\u00f3n relativa al estado e historia previa de la red. Esto permitir\u00e1 identificar falsos positivos, reducir el n\u00famero de alertas finalmente enviadas al CSO y mejorar la informaci\u00f3n en las mismas.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Un elemento relevante y novedoso es el uso de una matriz de tr\u00e1fico generada a partir de flujos en diferentes escalas de tiempo. Esta matriz contiene informaci\u00f3n sobre las conexiones de red que pueden explotarse para m\u00faltiples usos. As\u00ed, se pueden establecer algunos indicadores de compromiso para identificar ataques. Tambi\u00e9n se puede utilizar para aplicar varios tipos de an\u00e1lisis de miner\u00eda de datos, como la b\u00fasqueda de patrones comunes entre flujos, realizar perfiles de tr\u00e1fico de servicios, evaluar la importancia y encontrar relaciones entre activos. 
La informaci\u00f3n extra\u00edda de esta matriz se utilizar\u00e1 como informaci\u00f3n contextual en la correlaci\u00f3n y priorizaci\u00f3n de alertas.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Finalmente, la arquitectura propuesta incluye realimentaci\u00f3n a partir de las acciones del CSO, lo que permite evaluar la calidad de detecci\u00f3n y priorizaci\u00f3n y ajustar el rendimiento del sistema.<\/span><\/p>\n&nbsp;\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9b840cb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9b840cb\" data-element_type=\"section\" data-e-type=\"section\" id=\"antecedentes\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c276ca9\" data-id=\"c276ca9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-cb9ae38 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cb9ae38\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-3adf3ec\" data-id=\"3adf3ec\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-3278ab9 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"3278ab9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#inicio\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Inicio<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-7022c20\" data-id=\"7022c20\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-542334d elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"542334d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resumen\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resumen<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-e185880\" data-id=\"e185880\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-f545738 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"f545738\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#antecedentes\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">antecedentes<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-0d83437\" data-id=\"0d83437\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6dd8b92 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"6dd8b92\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#objetivos\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Objetivos<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-1e2cc34\" data-id=\"1e2cc34\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div 
class=\"elementor-element elementor-element-5da4883 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"5da4883\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#propuesta\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Propuesta<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-dd9f3f7\" data-id=\"dd9f3f7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-66332f8 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"66332f8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resultados\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resultados<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5c9a277 elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"5c9a277\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a1e06d4\" data-id=\"a1e06d4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-889ab34 elementor-widget elementor-widget-heading\" data-id=\"889ab34\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Antecedentes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-41f5742 elementor-widget elementor-widget-text-editor\" data-id=\"41f5742\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Network infrastructure has become a critical asset in today's organizations, as it enables information exchange between user terminals and corporate servers (either locally hosted or on the Internet). Network downtimes can have a tremendous impact on productivity and reputation. Cyberattacks are increasingly frequent and have increasingly serious effects, as shown in the famous case of the \u201cWannaCry\u201d ransomware attack, with more than 300 000 devices affected in 166 different countries. 
New cases are yet to come with unprecedented impact, potentially affecting critical infrastructure such as hospitals, facilities, industry, etc.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The evolution towards the <i>Internet of Things<\/i> (IoT) and the incorporation of new network-based control and monitoring systems in the so-called <i>Connected Industry<\/i>, put the focus on the need to protect these systems from cyberattacks.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Organizations address cybersecurity with a combination of tools, procedures and practices. Most organizations deploy monitoring systems \u2014typically called <i>Network Security Monitoring<\/i> (NSM), or <i>Security Information and Event Management<\/i> (SIEM) [1] \u2014 to detect and react to attacks. These systems process heterogeneous information from multiple sources such as traffic flows seen by network elements, alerts generated by <i>Intrusion Detection Systems<\/i> (IDS) [2] or event logs from services. The large amount of information to be processed has become one of the main challenges to properly prioritize and classify alerts in real time. <\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Although many, even commercial, NSMs exist, they still lack many desirable properties regarding the detection capabilities and the quality and the volume of alerts they generate, requiring supervision from a human expert (the <i>Cybersecurity Officer<\/i>, CSO). Thus, a key issue regarding NSMs is to improve their performance in terms of the attacks they are able to discover and the reduction of the number of non-relevant alerts (false positives). 
<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The motivation above justifies the development of new techniques that improve alert generation and prioritization in a timely manner, integrating and correlating the information from the multiple available sensors and detectors. This is especially relevant in the IoT and connected industries scenarios, as the number of field elements can be really high and the impact of an attack or malfunction can be enormous, especially in the case of critical infrastructures such as a power plant. Furthermore, industrial and IoT scenarios pose specific characteristics (see later in this section) that make detection even more challenging, while no specific NSM is available. <\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Thus, the context of this project includes a scenario with multiple data sources, which generate a high volume of information potentially relevant to the modeling and prioritization of security incidents. This is the right context for the application of data mining techniques that enable the generation of knowledge. The application of such techniques could produce a novel and significant advance in the field of NSM because it would improve detection capabilities and the understanding of incidents by establishing new relations among information coming from different data sources. 
On the other hand, these techniques can improve the characterization of events that can be associated with attacks and\/or can provide context information that enhances detection.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">In sum, this project aims to improve the state of the art in the context of IoT and Industrial plants in the following cybersecurity challenges identified in [3]:<\/span><\/p>\n\n<ul>\n \t<li style=\"list-style-type: none; text-align: justify; line-height: normal;\">\n<ul>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Reducing response time during incidents through the improvement of detection capabilities and the reduction of false positives. We propose methods to improve the detection of cyberattacks thanks to the correlation of the information from different sources and detectors.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Identification and characterization of context-related events that, although unrelated to attacks, produce information that can be relevant to improve the detection and modeling of some cybersecurity incidents.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dcc9034 elementor-widget__width-inherit elementor-widget elementor-widget-image\" data-id=\"dcc9034\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"768\" height=\"531\" 
src=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-2-768x531.jpg\" class=\"attachment-medium_large size-medium_large wp-image-802\" alt=\"\" srcset=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-2-768x531.jpg 768w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-2-300x208.jpg 300w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-2.jpg 983w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fig. 1: Schematics of a typical Smart City scenario for lightning control<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-13ee06b elementor-widget elementor-widget-text-editor\" data-id=\"13ee06b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">More precisely, this project aims at the development of a specific cybersecurity solution for industrial plants (<i>Industrial Control Systems<\/i> or ICS) with elements of the <i>IoT<\/i> and, more specifically, in one of its vertical uses: the <i>SmartCity<\/i>. The target is to <b>develop a NSM able to provide significant information about on-going incidents by applying different intrusion detection approaches, including novel ones, to generate alerts that will be analyzed and correlated using IA-based techniques incorporating context information obtained from different sources and sensors<\/b> across the installation. 
The facilities that can benefit from the solution object of this project are those that allow the control and monitoring of smart device parks (<i>IoT<\/i>, <i>SmartCity<\/i>), from an application or <i>Web<\/i> service that is used as a user interface for the management of intelligent services. To illustrate it, Fig. 1 shows the schematic of a typical <i>Smart City<\/i> installation for the intelligent control of lighting in multiple cities. This deployment will be used as the example scenario for the current project.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The IoT sensor plant in Fig. 1 is composed of 2 plants or field networks with sensors (called S in the figure) that correspond to intelligent lighting points remotely controlled from a management system (<i>IoT Server<\/i> in the figure) that is accessed through a Web application that allows remote management and operation of one or more plants. The <i>Control Center<\/i>, often located in the cloud, consists of several nodes and databases (DDBB in the figure) that store all the information of the system. The <i>IoT Server <\/i>is in turn responsible for the communication with the IoT nodes using the usual application protocols in IoT (e.g. <i>MQTT<\/i> or <i>CoAP<\/i>). The operation of the system is carried out from the Internet by the managing entity of the plants and includes the management of the IoT nodes (e.g., provision of procedures or operating points), and is carried out through a Web browser that uses a secure protocol (https with TLS 1.2 or higher). The access networks used by the IoT nodes can be private (e.g. Lora, Sigfox, NBWLAN networks with an Internet gateway \/ operator) or subcontracted to a network operator (e.g. 
GPRS or 3G), and communicate with the <i>Control Center<\/i> through a virtual private network (VPN) usually offered by the network operator.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">It is worth mentioning the significant specificities of this scenario regarding the deployment of a \u201cconventional\u201d NSM system:<\/span><\/p>\n\n<ul>\n \t<li style=\"list-style-type: none; text-align: justify; line-height: normal;\">\n<ul>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Low throughput on the access data link to the IoT nodes: 2.5G coverage in many cases, and even lower data throughputs (e.g. SigFox, Lora).<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">\nRemote operation of the installation: the <i style=\"mso-bidi-font-style: normal;\">Control Center <\/i>is protected with a VPN provided by the network operator, but access to the <i style=\"mso-bidi-font-style: normal;\">IoT server<\/i> is usually offered through the Internet with a username and password (so as not to be inconvenient for the operator or manager of the plants) against an https application.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Use of IoT applications and protocols that are usually implemented with a low level of security (i.e. 
without communication encryption).<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">The possibility of obtaining the same behavior pattern between 2 similar and geographically close intelligent lighting plants is peculiar: some application variables (e.g., instantaneous power consumed) should behave synchronously.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">In Connected Industry (<i>Industry 4.0<\/i>), in addition to the usual cyberthreats of an IT network (e.g., physical access control, user\/permission control, authentication policies -passwords-, etc.), we can highlight the following cyber threats particular to the scenario shown in the figure:<\/span><\/p>\n\n<ul>\n \t<li style=\"list-style-type: none; text-align: justify; line-height: normal;\">\n<ul>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Impersonation of the web session or identity of the plant operator.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Attack on the management application web server \/ application or the VPN server to operate the IoT infrastructure.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Attacks that are difficult to detect by conventional intrusion detection equipment (IDS, Intrusion Detection Systems &#8211; it could be an application-level firewall). 
Such attacks are known as 0-day and APT (<i>Advanced Persistent Threat<\/i>) attacks, aimed at taking control of systems and stealing sensitive information.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">Attacks on IoT devices and infrastructure in the field network.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Due to the mentioned peculiarities, the possible commercial solutions for the early detection of cyberattacks in remotely managed industrial plants \/ IoT have differential characteristics compared to conventional cybersecurity systems (oriented to IT &#8211; <i>Information Technology<\/i>) and should meet the following requirements:<\/span><\/p>\n\n<ul>\n \t<li style=\"list-style-type: none; text-align: justify; line-height: normal;\">\n<ul>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">REQ1: <b>Do not affect the normal operation<\/b> of the equipment installed in the plant. This implies: using only passive security tools (that do not inject traffic) and a minimum consumption of the network bandwidth available at the installation.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">REQ2: Do not significantly affect the <b>cost of the installation<\/b>. 
For this, in addition to the price associated with the acquisition and deployment of the cybersecurity system, the solution must have a low consumption of computational, storage, and network resources, ideally being able to be integrated into existing plant equipment as a virtual machine.<\/span><\/li>\n \t<li><span lang=\"EN-US\" style=\"font-family: 'Times New Roman',serif; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: ES;\">REQ3: <b>Wide detection capacity<\/b>. The solution must cover the detection of significant security events linked to the threats described above, both existing and 0-day, as well as allow compliance with the applicable regulations and policies in each case.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<span style=\"color: #038daa; font-size: 120%;\"><strong>References<\/strong><\/span>\n<table style=\"border-spacing: 0px;\" border=\"0\" width=\"100%\">\n<tbody>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[1]<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> Sanders, C.; Smith, J.; <i>\u201cApplied Network Security Monitoring\u201d, Syngress, (2014). 
ISBN: 978-0-12-417208-1.<\/i><\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> [2]<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> Garc\u00eda-Teodoro, P.; D\u00edaz-Verdejo, J.E.; y otros; \u201cAnomaly-based Network Intrusion Detection: Techniques, Systems and Challenges\u201d, Computers &amp; Security, 28:18-28 (2009).<\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[3]\u00a0<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> Zuech, R.; Khoshgoftaar, T.; Wald, R.; \u201cIntrusion detection and big heterogeneous data: a survey\u201d, Journal of Big Data, 2:3 (2015). <\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[4]<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> M. 
Kaouk, et.al.; \u00abA Review of Intrusion Detection Systems for Industrial Control Systems\u00bb, In Proc. 6th Int. Conf. on Control, Decision and Inf. Technologies, 1699-1704. <\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[5]<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\"> Lu, Yang, and Li Da Xu; \u00abInternet of things (IOT) cybersecurity research: A review of current research topics\u00bb, IEEE Internet of Things Journal 6.2: 2103-2115 (2018). <\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[6]\u00a0<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">Sridhar, et.al.; \u201cModel-based attack detection and mitigation for automatic generation control\u201d, IEEE Transactions on Smart Grid, 5(2)580\u2013591 (2014). 
<\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">[7]<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">Zhu, B., Joseph, A., &amp; Sastry, S.; \u00a0\u201cA taxonomy of cyber attacks on SCADA systems\u201d, In Proc. IEEE Int. Conf. on Internet of Things and Cyber, Physical and Social Computing. (2011). <\/span><\/td>\n<\/tr>\n<tr style=\"border-bottom-width: 0px;\">\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; font-size: 90%; line-height: 1.0em;\">[8]\u00a0<\/span><\/td>\n<td style=\"border-bottom-width: 0px; padding-bottom: 0px; padding-top: 0px;\"><span style=\"font-family: 'Lato',serif; font-style: normal; font-weight: 300; justify-content: align; line-height: 0.8rem; font-size: 90%;\">Kallitsis, M. G., Michailidis, G., &amp; Tout, S.; \u201cCorrelative monitoring for detection of false data injection attacks in smart grids\u201d, In proc. 2015 IEEE Int. Conf. on Smart Grid Communications, 386\u2013391 (2016). 
<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0aa630f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0aa630f\" data-element_type=\"section\" data-e-type=\"section\" id=\"objetivos\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-31b1e3d\" data-id=\"31b1e3d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-b0caf62 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b0caf62\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-74222d5\" data-id=\"74222d5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9371191 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"9371191\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#inicio\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-button-text\">Inicio<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-ceb08ab\" data-id=\"ceb08ab\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a6f8a6 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"4a6f8a6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resumen\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resumen<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-d8a0d72\" data-id=\"d8a0d72\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4afbf00 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"4afbf00\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#antecedentes\">\n\t\t\t\t\t\t<span 
class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">antecedentes<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-cbaa29f\" data-id=\"cbaa29f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-85c50af elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"85c50af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#objetivos\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Objetivos<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-b38e4cb\" data-id=\"b38e4cb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a7a9028 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"a7a9028\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" 
href=\"#propuesta\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Propuesta<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-876e11c\" data-id=\"876e11c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9cb9c98 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"9cb9c98\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resultados\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resultados<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9977b72 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9977b72\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e807cfe\" data-id=\"e807cfe\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ad3643c elementor-widget elementor-widget-heading\" data-id=\"ad3643c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Objetivos<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-149fd5e elementor-widget elementor-widget-text-editor\" data-id=\"149fd5e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The main objective of the project is the design and implementation of an innovative system for the early detection of cyber attacks specific to remotely managed industrial IoT environments. Thus, the objective is to <b>develop an IoT and connected industries oriented NSM <\/b> able to provide significant information about on-going incidents by <b>correlating the alerts from different existing and novel intrusion detection approaches using context information from different sources and sensors through the incorporation of data mining techniques<\/b> in order to<b> improve the quality of the detection <\/b>in <b>attack scenarios<\/b> or failures (incidents). <\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The implementation includes a test pilot that allows the design to be validated or readjusted in a real plant, based on a final battery of tests on which to measure the performance and resource consumption of the provided solution. 
To be suitable for commercial exploitation, this security solution must meet the following partial objectives\/capabilities:<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O1. <i style=\"mso-bidi-font-style: normal;\">Passiveness<\/i>: The NSM must be passive so as not to affect existing systems.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O2. <i>Detection capabilities<\/i>: The NSM must offer a broad capacity to detect threats of various types, e.g. it must incorporate existing knowledge of defined known attacks, and must also incorporate the ability to detect 0-day attacks and APTs through the analysis of anomalies both at the traffic level and at the IoT application level. <\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O3. <i>Multi-plant correlation<\/i>: In the case of multi-plant installations, the system will apply spatio-temporal correlation techniques among similar plants to identify anomalous behaviors. <\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O4. <i style=\"mso-bidi-font-style: normal;\">Identity compromise detection<\/i>: To detect spoofing attacks or the theft of credentials, anomalies will also be sought in the pattern of actions carried out by the users in the operation of the IoT plant.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O5. 
<i>Integration<\/i>: The NSM must be integrated into the operations console of an event management system in the operations center, offering information on cyberattacks to the operators of the IoT system. They will be able to take corrective actions and provide feedback to the detection system in order to minimize the false positive rate and bring the system to an optimal point of operation.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">O6. <i style=\"mso-bidi-font-style: normal;\">Contextual information<\/i>: The system must apply data mining and AI-based methods to correlate the alerts from the existing detectors, logs and sensors using contextual information in order to reduce the number of alerts sent to the administration console (by grouping the information related to the same incident) and to improve the detection and false positive rates.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The purpose of this proposal is twofold. First, it aims to <b style=\"mso-bidi-font-weight: normal;\">advance scientific knowledge<\/b> by the development of a <b style=\"mso-bidi-font-weight: normal;\">novel integrated system <\/b>suited to the considered scenario. This system will <b style=\"mso-bidi-font-weight: normal;\">combine the adaptation of existing techniques<\/b>, especially signature-based ones, and <b style=\"mso-bidi-font-weight: normal;\">the development and tuning of new ones<\/b>. 
In particular, the proposal will integrate the concepts of context-aware detection, per-user behavior analysis and spatio<\/span><span lang=\"EN\" style=\"font-family: 'Times New Roman',serif; mso-ansi-language: EN;\">-temporal correlation of alerts from similar plants into the anomaly detection process, in an approach that identifies threats specific to this kind of scenario and improves the detection capabilities. Second, it aims to develop and evaluate a near-to-market prototype system that could be of interest for its incorporation into a catalogue of IoT cybersecurity solutions. This system will fill a gap that currently exists in the market.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"text-align: justify; text-indent: 17.85pt; line-height: normal; mso-pagination: none; mso-layout-grid-align: none; text-autospace: none; margin: 3.0pt 0cm .0001pt 0cm;\"><span lang=\"EN\" style=\"font-family: 'Times New Roman',serif; mso-ansi-language: EN;\">To this end, a TRL6 demonstrator pilot of a cyberattack detection system in connected industry plants in multi-plant IoT environments will be developed.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"text-align: justify; text-indent: 17.85pt; line-height: normal; mso-pagination: none; mso-layout-grid-align: none; text-autospace: none; margin: 3.0pt 0cm .0001pt 0cm;\"><span lang=\"EN\" style=\"font-family: 'Times New Roman',serif; mso-ansi-language: EN;\">\u00a0<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4620e4f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4620e4f\" data-element_type=\"section\" data-e-type=\"section\" id=\"propuesta\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 
elementor-top-column elementor-element elementor-element-68dfd8d\" data-id=\"68dfd8d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-a5d479b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a5d479b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-a5413c5\" data-id=\"a5413c5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9a53fd3 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"9a53fd3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#inicio\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Inicio<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-01c3062\" data-id=\"01c3062\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c459898 elementor-align-center full-btn elementor-widget elementor-widget-button\" 
data-id=\"c459898\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resumen\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resumen<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-bab7b23\" data-id=\"bab7b23\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-be94696 elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"be94696\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#antecedentes\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">antecedentes<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-24ff558\" data-id=\"24ff558\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-30d47f1 elementor-align-center full-btn elementor-widget 
elementor-widget-button\" data-id=\"30d47f1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#objetivos\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Objetivos<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-e9409d1\" data-id=\"e9409d1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-21e7aac elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"21e7aac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#propuesta\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Propuesta<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-ad14fb5\" data-id=\"ad14fb5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-42461f0 elementor-align-center full-btn 
elementor-widget elementor-widget-button\" data-id=\"42461f0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resultados\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resultados<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a35e76f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a35e76f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4341625\" data-id=\"4341625\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2c715a4 elementor-widget elementor-widget-heading\" data-id=\"2c715a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Propuesta<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b68dcc7 elementor-widget elementor-widget-text-editor\" data-id=\"b68dcc7\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<b style=\"mso-bidi-font-weight: normal;\"><span lang=\"EN-GB\" style=\"font-size: 120%; color: #0070c0; mso-ansi-language: EN-GB; mso-bidi-font-style: italic;\">Proposed solution overview and elements\n<\/span><\/b>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Although the design of the solution is part of the project, it is possible to start from a simple <b style=\"mso-bidi-font-weight: normal;\">block diagram that serves as a starting point<\/b> and helps to structure and plan the proposal. The preliminary proposed solution (Fig. 2) integrates techniques to improve the detection capacity and performance in cybersecurity systems in the considered scenario. It aims to detect, classify and prioritize the incidents by considering <b style=\"mso-bidi-font-weight: normal;\">different target oriented detectors<\/b> and the <b style=\"mso-bidi-font-weight: normal;\">holistic analysis of all the security related events<\/b> through a context-aware analysis. 
It is composed of six main modules:\n<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b76332b elementor-widget elementor-widget-image\" data-id=\"b76332b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"396\" src=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-768x396.png\" class=\"attachment-medium_large size-medium_large wp-image-801\" alt=\"\" srcset=\"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-768x396.png 768w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-300x155.png 300w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-1024x528.png 1024w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-1536x792.png 1536w, https:\/\/dtstc.ugr.es\/neus-cslab\/wp-content\/uploads\/2022\/03\/coincide-1-2048x1056.png 2048w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fig. 2: Cybersecurity solution architecture (proposed). 
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-12bbea9 elementor-widget elementor-widget-text-editor\" data-id=\"12bbea9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 1: <i>Flow-based Preprocessing.<\/i> The target of this module is to generate the \u201ctraffic matrix\u201d including information from all the observed flows after applying deep packet inspection techniques for their characterization. <\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 2: <i>Application-based Preprocessing.<\/i> This module considers the communication from the field plants to the<i style=\"mso-bidi-font-style: normal;\"> IoT server<\/i> and extracts the time series for the different monitored parameters and variables.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 3: <i>Web Attacks Detection.<\/i> This module generates alerts related to the existing web servers. 
It must include both signature-based methods and anomaly-based analysis in order to detect previously known attacks, 0-day attacks and APTs.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 4: <i style=\"mso-bidi-font-style: normal;\">Traffic Anomaly Detection.<\/i> Its target is to generate alerts from the analysis of the traffic matrix by using anomaly-based detection methods, i.e., it is oriented to the detection of anomalies in the traffic at the flow level.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 5: <i style=\"mso-bidi-font-style: normal;\">Application Anomaly Detection.<\/i> This module looks for anomalies in the behavior of the elements in the field plant at the application level, i.e., it considers the evolution of the values of the monitored variables and parameters.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; Module 6: <i>SIEM Core<\/i>. It will process all the alerts from the different modules in order to correlate them and include contextual information in the analysis. This module will generate the per-incident alerts that will be presented to the CSO after filtering out those finally classified as false positives.<\/span><\/p>\n&nbsp;\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Modules 1 and 2 are preprocessing modules that extract the information needed by other modules. Modules 3, 4 and 5 are detector modules that generate raw alerts, each of them focused on a different feature\/analysis. 
Finally, module 6 is the core of the system, as it will combine the information from the raw alerts and it will analyze them considering contextual information gathered by different techniques.<\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Thus, the overall operation of the system is as follows (Fig. 2). The solution must monitor the traffic flow seen by the <i>IoT Server<\/i>, as well as the most significant events from the application server \u2014e.g., a log with user control actions, alarms, connections made, etc.\u2014 and the HTTP traffic to the web server. This information is fed into 3 different modules targeted at different kinds of analysis. The first two modules (modules 1 and 2) are preprocessing modules that extract and enrich the information associated with the observed flows and the payloads related to the IoT application. Thus, module 1 generates a traffic matrix after processing enriched flows through deep packet inspection techniques. Module 2 generates time series of IoT application events. The outputs from these modules, together with the HTTP payloads, will feed, respectively, three different detectors (modules 3, 4 and 5) that will generate alerts associated with each of the different dimensions considered in the system. Finally, those alerts are fed to the SIEM core (module 6) for further processing and the generation of the alerts that will be sent to the dashboard. The target of the SIEM core module is to enhance the detection capabilities by applying different sources of knowledge whose final objective is to improve CSO situational awareness. For this, the alerts will be correlated and prioritized taking into account the information about the overall state of the system (context-aware analysis), the behavior of the operators and the relationships among the different generated alerts. 
<\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">A feedback procedure is also considered. The CSO can fine-tune the system in order to reduce false positives or irrelevant alerts. For this, some parameters related to the global operation (e.g. equipment to filter out, thresholds for anomaly-based detectors, alarm filtering) will be considered. <\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">From a <b >threat point of view<\/b>, the output of Module 1 makes it possible to find anomalies at the level of network traffic (Module 4), which makes it possible to easily detect scanning attacks, DDoS, etc. The output of Module 2 will make it possible to detect anomalies (Module 5) at application or plant level by looking for behavioral anomalies that could correspond to errors or operational problems or cyberattacks. Said anomalies can come both from the comparison of the time series with a self-learned normality pattern, as well as from the spatio-temporal correlation of this series with other series that could be correlated (e.g., light level detected with time of day, or light level detected by the IoT node with the light level detected by another IoT node in a nearby location). This second correlation is especially interesting in the case of multi-site IoT systems. Finally, threats to the web server, i.e. web-based attacks, are handled by Module 3, which combines state-of-the-art detectors with different capabilities. On top of these, SIEM core will provide an additional layer able to discriminate false positives and true positives by analyzing the relationships among events and the state of the overall system. As a simplistic example, an anomaly detected in the time series analysis \u2014i.e. 
lights turned on in daylight\u2014 can derive from a legitimate order sent from the console \u2014i.e. due to maintenance activities\u2014 and as such, should be labeled as a false positive.<\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">From a <b>research point of view<\/b>, as previously mentioned, the proposed architecture tries to merge well-known techniques and methods with novel proposals in order to provide an effective and practical NSM for the considered scenario. Some of the existing techniques should be adapted and optimized while others are to be explored in this context, which will unquestionably represent contributions in the field. On the other hand, the correlation of security events and the reduction of the false positive rate constitute a relevant challenge that has not yet been satisfactorily solved and that is the focus of current research. In this regard, major contributions are expected from the anomaly-based detection techniques as well as from the application of AI-related methods for the post-processing of the alerts.<\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">Thus, the objective of the <b>SIEM core<\/b> module is the extraction of intelligence to determine the existence of certain relevant <b >events<\/b> from the point of view of security and the relationship among various data for use in alert analysis. Therefore, the objective is to develop methods that allow the extraction of intelligence for use in the SIEM and to determine the parameters or significant data for the characterization of security-related events. 
For this, at least the following methods will be considered:<\/span>\n<\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; <b>Frequent patterns extraction<\/b>: Its objective is to determine the possible relationships between the data of the different sensors\/elements. As an example, and in relation to the traffic matrix, it intends to establish the patterns of frequent interconnections (flows) among the assets.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; <b>User\/service profiles<\/b>: Its objective is to establish profiles associated with the different types of users (e.g. plant operator, end user, administrative) and services. The output of this module is especially relevant for the evaluation of the impact of the incidents.<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; <b>Prediction of links\/flows<\/b>: This module will provide indicators regarding the probabilities of establishing new relationships (prediction) from a given state of the network. These probabilities are of interest both for the modelling of the attacks and for the prediction of risks. \n<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; <b>Outliers detection and clustering<\/b>: Various methods will be applied for the detection of outliers in the state\/characterization of the network, that is, for assessing the normality of an observed context. 
Similarly, clustering-based techniques will be applied both to establish the context and to correlate observed alerts.\n<\/span><\/p>\n<p style=\"text-align: justify; text-indent: -20pt; line-height: normal; margin: 5.0pt 20pt 1pt 40pt;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">&#8211; <b>Case-based reasoning<\/b>: Case-based reasoning techniques will be applied, together with the MITRE ATT&amp;CK model for ICS environments, in order to correlate alerts and predict the risk of an on-going incident.\n<\/span><\/p>\n<br>\n<p style=\"text-align: justify; text-indent: 20pt; line-height: normal;\"><span lang=\"EN-GB\" style=\"font-family: 'Times New Roman',serif;\">The information from these analyses will be considered for the context-aware classification of alerts.<\/span><\/p>\n<br>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4c26c1f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4c26c1f\" data-element_type=\"section\" data-e-type=\"section\" id=\"resultados\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d4c3a91\" data-id=\"d4c3a91\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-8929305 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8929305\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 
elementor-inner-column elementor-element elementor-element-45a6808\" data-id=\"45a6808\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8cd092d elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"8cd092d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#inicio\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Inicio<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-0873296\" data-id=\"0873296\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-26266ee elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"26266ee\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resumen\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Resumen<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 
elementor-inner-column elementor-element elementor-element-2d06c3a\" data-id=\"2d06c3a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8aac79e elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"8aac79e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#antecedentes\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">antecedentes<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-43d5afa\" data-id=\"43d5afa\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac0190f elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"ac0190f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#objetivos\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Objetivos<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column 
elementor-col-16 elementor-inner-column elementor-element elementor-element-5163a5b\" data-id=\"5163a5b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-25d7eda elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"25d7eda\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#propuesta\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Propuesta<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-inner-column elementor-element elementor-element-afe3b51\" data-id=\"afe3b51\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-397439f elementor-align-center full-btn elementor-widget elementor-widget-button\" data-id=\"397439f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-md\" href=\"#resultados\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-button-text\">Resultados<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-933ebda elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"933ebda\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d991e93\" data-id=\"d991e93\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-192c75d elementor-widget elementor-widget-heading\" data-id=\"192c75d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Resultados<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-92a7332 elementor-widget elementor-widget-text-editor\" data-id=\"92a7332\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3><span style=\"color: #038daa;\">Publicaciones<\/span><\/h3><div><div class=\"teachpress_pub_list\"><form name=\"tppublistform\" method=\"get\"><a name=\"tppubs\" id=\"tppubs\"><\/a><\/form><div class=\"teachpress_publication_list\"><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, Jes\u00fas E.;  Estepa Alonso, 
Rafael;  Estepa Alonso, Antonio;  Mu\u00f1oz-Calle, F. J.;  Madinabeitia, German<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('496','tp_links')\" style=\"cursor:pointer;\">Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 <\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">Cybersecurity, <\/span><span class=\"tp_pub_additional_volume\">vol. 8, <\/span><span class=\"tp_pub_additional_number\">no 35, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2523-3246<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_496\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('496','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_496\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('496','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_496\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('496','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_496\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Biblio24,<br \/>\r\ntitle = {Building a large, realistic and labeled HTTP URI dataset for anomaly-based intrusion detection systems: Biblio-US17 },<br \/>\r\nauthor = {Jes\u00fas E. {D\u00edaz-Verdejo} and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and F. J. 
{Mu\u00f1oz-Calle} and German {Madinabeitia}},<br \/>\r\ndoi = {https:\/\/doi.org\/10.1186\/s42400-024-00336-3},<br \/>\r\nissn = {2523-3246},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-06-05},<br \/>\r\nurldate = {2025-06-05},<br \/>\r\njournal = {Cybersecurity},<br \/>\r\nvolume = {8},<br \/>\r\nnumber = {35},<br \/>\r\nabstract = {This paper introduces Biblio-US17, a labeled dataset collected over 6 months from the log files of a popular public website at the University of Seville. It contains 47 million records, each including the method, uniform resource identifier (URI) and associated response code and size of every request received by the web server. Records have been classified as either normal or attack using a comprehensive semi-automated process, which involved signature-based detection, assisted inspection of the URI vocabulary, and substantial expert manual supervision. Unlike comparable datasets, this one offers a genuine real-world perspective on the normal operation of an active website, along with an unbiased proportion of actual attacks (i.e., non-synthetic). This makes it ideal for evaluating and comparing anomaly-based approaches in a realistic environment. Its extensive size and duration also make it valuable for addressing challenges like data shift and insufficient training. This paper describes the collection and labeling processes, dataset structure, and most relevant properties. We also include an example of an application for assessing the performance of a simple anomaly detector. 
Biblio-US17, now available to the scientific community, can also be used to model the URIs used by current web servers.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('496','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_496\" style=\"display:none;\"><div class=\"tp_abstract_entry\">This paper introduces Biblio-US17, a labeled dataset collected over 6 months from the log files of a popular public website at the University of Seville. It contains 47 million records, each including the method, uniform resource identifier (URI) and associated response code and size of every request received by the web server. Records have been classified as either normal or attack using a comprehensive semi-automated process, which involved signature-based detection, assisted inspection of the URI vocabulary, and substantial expert manual supervision. Unlike comparable datasets, this one offers a genuine real-world perspective on the normal operation of an active website, along with an unbiased proportion of actual attacks (i.e., non-synthetic). This makes it ideal for evaluating and comparing anomaly-based approaches in a realistic environment. Its extensive size and duration also make it valuable for addressing challenges like data shift and insufficient training. This paper describes the collection and labeling processes, dataset structure, and most relevant properties. We also include an example of an application for assessing the performance of a simple anomaly detector. 
Biblio-US17, now available to the scientific community, can also be used to model the URIs used by current web servers.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('496','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_496\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/doi.org\/10.1186\/s42400-024-00336-3\" title=\"DOI de seguimiento:https:\/\/doi.org\/10.1186\/s42400-024-00336-3\" target=\"_blank\">doi:https:\/\/doi.org\/10.1186\/s42400-024-00336-3<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('496','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Lara, Agust\u00edn;  Estepa, Antonio;  Estepa, Rafael;  D\u00edaz-Verdejo, Jes\u00fas E.;  Mayor, Vicente<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('495','tp_links')\" style=\"cursor:pointer;\">Anomaly-based Intrusion Detection System for smart lighting<\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">Internet of Things, <\/span><span class=\"tp_pub_additional_volume\">vol. 28, <\/span><span class=\"tp_pub_additional_pages\">pp. 
101427, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2542-6605<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_495\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('495','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_495\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('495','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_495\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('495','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_495\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{LARA2024101427,<br \/>\r\ntitle = {Anomaly-based Intrusion Detection System for smart lighting},<br \/>\r\nauthor = {Agust\u00edn Lara and Antonio Estepa and Rafael Estepa and Jes\u00fas E. D\u00edaz-Verdejo and Vicente Mayor},<br \/>\r\nurl = {https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2542660524003688},<br \/>\r\ndoi = {https:\/\/doi.org\/10.1016\/j.iot.2024.101427},<br \/>\r\nissn = {2542-6605},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\njournal = {Internet of Things},<br \/>\r\nvolume = {28},<br \/>\r\npages = {101427},<br \/>\r\nabstract = {Smart Lighting Systems (SLS) are essential to smart cities, offering enhanced energy efficiency and public safety. However, they are susceptible to security threats, potentially leading to safety risks and service disruptions, making the protection of this infrastructure critical. This paper presents an anomaly-based Intrusion Detection System (IDS) designed for a real-world operational SLS. 
As commercial deployments vary in components, protocols, and functionalities, IDSs must be tailored to the specific characteristics of each deployment to perform effectively. Our anomaly-based IDS has been defined based on the properties of the available data and the types of attacks we aim to detect, offering both explainability and low complexity. The proposed system identifies anomalies in seven features of network traffic and in the telemetry data received at the central control (O&M) server. For the latter, we designed three customized detectors to identify abnormal data points, persistent deviations in street lamp power consumption, and abnormal power value based on the time of day. Validation with real-world data and simulated attacks demonstrates the effectiveness of our approach. Network attacks (e.g., DoS, scanning) were detected by at least one of the seven flow-related anomaly detectors, while simulated data poisoning attacks and operational technology (OT) issues were detected with nearly 90% accuracy. The datasets used in this work are publicly available and may serve as reference for the design of future IDSs. While our detectors were designed specifically for our dataset, the variables examined and vulnerabilities addressed are common in most commercial SLSs.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('495','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_495\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Smart Lighting Systems (SLS) are essential to smart cities, offering enhanced energy efficiency and public safety. However, they are susceptible to security threats, potentially leading to safety risks and service disruptions, making the protection of this infrastructure critical. 
This paper presents an anomaly-based Intrusion Detection System (IDS) designed for a real-world operational SLS. As commercial deployments vary in components, protocols, and functionalities, IDSs must be tailored to the specific characteristics of each deployment to perform effectively. Our anomaly-based IDS has been defined based on the properties of the available data and the types of attacks we aim to detect, offering both explainability and low complexity. The proposed system identifies anomalies in seven features of network traffic and in the telemetry data received at the central control (O&amp;M) server. For the latter, we designed three customized detectors to identify abnormal data points, persistent deviations in street lamp power consumption, and abnormal power value based on the time of day. Validation with real-world data and simulated attacks demonstrates the effectiveness of our approach. Network attacks (e.g., DoS, scanning) were detected by at least one of the seven flow-related anomaly detectors, while simulated data poisoning attacks and operational technology (OT) issues were detected with nearly 90% accuracy. The datasets used in this work are publicly available and may serve as reference for the design of future IDSs. 
While our detectors were designed specifically for our dataset, the variables examined and vulnerabilities addressed are common in most commercial SLSs.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('495','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_495\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-globe\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2542660524003688\" title=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2542660524003688\" target=\"_blank\">https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2542660524003688<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/https:\/\/doi.org\/10.1016\/j.iot.2024.101427\" title=\"DOI de seguimiento:https:\/\/doi.org\/10.1016\/j.iot.2024.101427\" target=\"_blank\">doi:https:\/\/doi.org\/10.1016\/j.iot.2024.101427<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('495','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Mu\u00f1oz-Calle, Javier;  Alonso, Rafael Estepa;  Alonso, Antonio Estepa;  D\u00edaz-Verdejo, Jes\u00fas E.;  Fern\u00e1ndez, Elvira Castillo;  Madinabeitia, Germ\u00e1n<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('494','tp_links')\" style=\"cursor:pointer;\">A Flexible Multilevel System for Mitre ATT&amp;CK Model-driven Alerts and Events Correlation in Cyberattacks Detection<\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">JUCS &#8211; Journal of Universal Computer Science, <\/span><span 
class=\"tp_pub_additional_volume\">vol. 30, <\/span><span class=\"tp_pub_additional_number\">no 9, <\/span><span class=\"tp_pub_additional_pages\">pp. 1184-1204, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 0948-695X<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_494\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('494','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_494\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('494','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_494\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('494','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_494\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{10.3897\/jucs.131686,<br \/>\r\ntitle = {A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection},<br \/>\r\nauthor = {Javier Mu\u00f1oz-Calle and Rafael Estepa Alonso and Antonio Estepa Alonso and Jes\u00fas E. 
D\u00edaz-Verdejo and Elvira Castillo Fern\u00e1ndez and Germ\u00e1n Madinabeitia},<br \/>\r\nurl = {https:\/\/doi.org\/10.3897\/jucs.131686},<br \/>\r\ndoi = {10.3897\/jucs.131686},<br \/>\r\nissn = {0948-695X},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\njournal = {JUCS - Journal of Universal Computer Science},<br \/>\r\nvolume = {30},<br \/>\r\nnumber = {9},<br \/>\r\npages = {1184-1204},<br \/>\r\npublisher = {Journal of Universal Computer Science},<br \/>\r\nabstract = {Network monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events\/alerts.This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT&amp;CK model. 
Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture&rsquo;s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('494','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_494\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Network monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events\/alerts.This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. 
For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT&amp;CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture&rsquo;s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('494','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_494\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-globe\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/doi.org\/10.3897\/jucs.131686\" title=\"https:\/\/doi.org\/10.3897\/jucs.131686\" target=\"_blank\">https:\/\/doi.org\/10.3897\/jucs.131686<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.3897\/jucs.131686\" title=\"DOI de seguimiento:10.3897\/jucs.131686\" target=\"_blank\">doi:10.3897\/jucs.131686<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('494','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, Jes\u00fas E.;  Estepa Alonso, Rafael;  Estepa Alonso, Antonio;  Mu\u00f1oz-Calle, Javier;  Madinabeitia, Germ\u00e1n<\/p><p class=\"tp_pub_title\"><a 
class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('492','tp_links')\" style=\"cursor:pointer;\">Biblio-US17: A labeled real URL dataset for anomaly-based intrusion detection systems development<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">European Interdisciplinary Cybersecurity Conference (EICC 2024), <\/span><span class=\"tp_pub_additional_pages\">pp. 217\u2013218, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 9798400716515<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_492\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('492','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_492\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('492','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_492\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('492','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_492\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Diaz-Verdejo2024b,<br \/>\r\ntitle = {Biblio-US17: A labeled real URL dataset for anomaly-based intrusion detection systems development},<br \/>\r\nauthor = {Jes\u00fas E. 
D\u00edaz-Verdejo and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and Javier Mu\u00f1oz-Calle and Germ\u00e1n Madinabeitia},<br \/>\r\ndoi = {10.1145\/3655693.3661319},<br \/>\r\nisbn = {9798400716515},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\nbooktitle = {European Interdisciplinary Cybersecurity Conference (EICC 2024)},<br \/>\r\npages = {217\u2013218},<br \/>\r\nabstract = {The development of anomaly-based intrusion detection systems is hindered by the scarcity of adequate datasets. An ideal dataset should contain real traffic, genuine attacks and cover a large time period that may demonstrate time shift. To be useful, the dataset must be labeled to provide accurate ground-truth. This paper presents a dataset of URLs that possesses these qualities. It can therefore be used to effectively train, test, and validate URL-based anomaly detection systems. The dataset is publicly available and contains 47M records, including 320k attacks, and spans 6.5 months. It is partitioned according to two schemes to allow for time-dependent and time-independent experiments.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('492','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_492\" style=\"display:none;\"><div class=\"tp_abstract_entry\">The development of anomaly-based intrusion detection systems is hindered by the scarcity of adequate datasets. An ideal dataset should contain real traffic, genuine attacks and cover a large time period that may demonstrate time shift. To be useful, the dataset must be labeled to provide accurate ground-truth. This paper presents a dataset of URLs that possesses these qualities. 
It can therefore be used to effectively train, test, and validate URL-based anomaly detection systems. The dataset is publicly available and contains 47M registers, including 320k attacks, and spans for 6.5 months. It is partitioned according to two schemes to allow for time dependent and time independent experiments.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('492','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_492\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1145\/3655693.3661319\" title=\"DOI de seguimiento:10.1145\/3655693.3661319\" target=\"_blank\">doi:10.1145\/3655693.3661319<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('492','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, J.;  Alonso, R. Estepa;  Alonso, A. Estepa;  Mu\u00f1oz-Calle, F. J.<\/p><p class=\"tp_pub_title\">Impacto de la evoluci\u00f3n temporal de datasets reales en el rendimiento de un IDS basados en anomal\u00edas: estudio experimental sobre HTTP <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">XI Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad, <\/span><span class=\"tp_pub_additional_pages\">pp. 
302\u2013309, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_493\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('493','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_493\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('493','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_493\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{DiazVerdejo2024,<br \/>\r\ntitle = {Impacto de la evoluci\u00f3n temporal de datasets reales en el rendimiento de un IDS basados en anomal\u00edas: estudio experimental sobre HTTP},<br \/>\r\nauthor = {J. D\u00edaz-Verdejo and R. Estepa Alonso and A. Estepa Alonso and F. J. Mu\u00f1oz-Calle},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\nbooktitle = {XI Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad},<br \/>\r\npages = {302\u2013309},<br \/>\r\nabstract = {El desarrollo y evaluaci\u00f3n de sistemas de detecci\u00f3n de intrusiones basados en anomal\u00edas es de vital importancia en el contexto de la ciberseguridad, especialmente en relaci\u00f3n a los ataques de d\u00eda cero. La naturaleza altamente din\u00e1mica tanto de los sistemas a proteger como de los ataques hace que la detecci\u00f3n de anomal\u00edas resulte una tarea compleja, ya que esta evoluci\u00f3n temporal puede afectar a las capacidades de los modelos estimados en un escenario y periodo determinados. A pesar de su importancia, este efecto ha sido explorado de forma limitada en la literatura, especialmente por la pr\u00e1ctica inexistencia de datos reales convenientemente etiquetados con la suficiente extensi\u00f3n temporal. 
En el presente trabajo evaluamos experimentalmente el impacto de la evoluci\u00f3n temporal en un sistema para la detecci\u00f3n de ataques basados en URL utilizando datos reales capturados en un escenario real durante un periodo de tiempo relativamente extenso. Nuestros an\u00e1lisis demuestran una degradaci\u00f3n creciente con la distancia temporal entre el entrenamiento y la evaluaci\u00f3n. Esta degradaci\u00f3n es debida a la combinaci\u00f3n de la p\u00e9rdida de calidad del modelo con el tiempo as\u00ed como a la propia variaci\u00f3n del comportamiento del servicio y\/o ataques a lo largo del tiempo.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('493','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_493\" style=\"display:none;\"><div class=\"tp_abstract_entry\">El desarrollo y evaluaci\u00f3n de sistemas de detecci\u00f3n de intrusiones basados en anomal\u00edas es de vital importancia en el contexto de la ciberseguridad, especialmente en relaci\u00f3n a los ataques de d\u00eda cero. La naturaleza altamente din\u00e1mica tanto de los sistemas a proteger como de los ataques hace que la detecci\u00f3n de anomal\u00edas resulte una tarea compleja, ya que esta evoluci\u00f3n temporal puede afectar a las capacidades de los modelos estimados en un escenario y periodo determinados. A pesar de su importancia, este efecto ha sido explorado de forma limitada en la literatura, especialmente por la pr\u00e1ctica inexistencia de datos reales convenientemente etiquetados con la suficiente extensi\u00f3n temporal. En el presente trabajo evaluamos experimentalmente el impacto de la evoluci\u00f3n temporal en un sistema para la detecci\u00f3n de ataques basados en URL utilizando datos reales capturados en un escenario real durante un periodo de tiempo relativamente extenso. 
Nuestros an\u00e1lisis demuestran una degradaci\u00f3n creciente con la distancia temporal entre el entrenamiento y la evaluaci\u00f3n. Esta degradaci\u00f3n es debida a la combinaci\u00f3n de la p\u00e9rdida de calidad del modelo con el tiempo as\u00ed como a la propia variaci\u00f3n del comportamiento del servicio y\/o ataques a lo largo del tiempo.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('493','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, J.;  Mu\u00f1oz-Calle, J.;  Alonso, R. Estepa;  Alonso, A. Estepa<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('491','tp_links')\" style=\"cursor:pointer;\">InspectorLog : A New Tool for Offline Attack Detection over Web Log<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024), <\/span><span class=\"tp_pub_additional_pages\">pp. 
692\u2013697, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 9789897587092<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_491\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('491','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_491\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('491','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_491\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('491','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_491\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Diaz-Verdejo2024a,<br \/>\r\ntitle = {InspectorLog : A New Tool for Offline Attack Detection over Web Log},<br \/>\r\nauthor = {J. D\u00edaz-Verdejo and J. Mu\u00f1oz-Calle and R. Estepa Alonso and A. Estepa Alonso},<br \/>\r\ndoi = {10.5220\/0012764000003767},<br \/>\r\nisbn = {9789897587092},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\nbooktitle = {Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024)},<br \/>\r\nnumber = {Secrypt},<br \/>\r\npages = {692\u2013697},<br \/>\r\nabstract = {InspectorLog is a novel tool for offline analysis of HTTP logs. The tool processes web server logs to identify attacks using diverse rule sets, focusing primarily on the URI field. It is compatible with standard rule formats from systems such as Snort, Nemesida, and ModSecurity. This paper describes InspectorLog functionalities, architecture and applications to the scientific community. 
We also experimentally validate InspectorLog by comparing its detection power with that of the IDS from which rules are taken. InspectorLog fills a gap in available tools in cybersecurity practices in forensic analysis, dataset sanitization, and signature tuning. Future enhancements are planned to support additional Web Application Firewalls (WAFs), new rule types, and HTTP protocol methods, aiming to broaden its scope and utility in the ever-evolving domain of network security.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('491','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_491\" style=\"display:none;\"><div class=\"tp_abstract_entry\">InspectorLog is a novel tool for offline analysis of HTTP logs. The tool processes web server logs to identify attacks using diverse rule sets, focusing primarily on the URI field. It is compatible with standard rule formats from systems such as Snort, Nemesida, and ModSecurity. This paper describes InspectorLog functionalities, architecture and applications to the scientific community. We also experimentally validate InspectorLog by comparing its detection power with that of the IDS from which rules are taken. InspectorLog fills a gap in available tools in cybersecurity practices in forensic analysis, dataset sanitization, and signature tuning. 
Future enhancements are planned to support additional Web Application Firewalls (WAFs), new rule types, and HTTP protocol methods, aiming to broaden its scope and utility in the ever-evolving domain of network security.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('491','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_491\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.5220\/0012764000003767\" title=\"DOI de seguimiento:10.5220\/0012764000003767\" target=\"_blank\">doi:10.5220\/0012764000003767<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('491','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, Jes\u00fas;  Alonso, Rafael Estepa;  Alonso, Antonio Estepa;  Mu\u00f1oz-Calle, Javier<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('490','tp_links')\" style=\"cursor:pointer;\">Insights into anomaly-based intrusion detection systems usability. A case study using real http requests<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Proc. European Interdisciplinary Cybersecurity Conference (EICC 2024), <\/span><span class=\"tp_pub_additional_pages\">pp. 
82\u201389, <\/span><span class=\"tp_pub_additional_year\">2024<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 9798400716515<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_490\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('490','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_490\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('490','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_490\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('490','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_490\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Diaz-Verdejo2024,<br \/>\r\ntitle = {Insights into anomaly-based intrusion detection systems usability. A case study using real http requests},<br \/>\r\nauthor = {Jes\u00fas D\u00edaz-Verdejo and Rafael Estepa Alonso and Antonio Estepa Alonso and Javier Mu\u00f1oz-Calle},<br \/>\r\ndoi = {10.1145\/3655693.3655745},<br \/>\r\nisbn = {9798400716515},<br \/>\r\nyear  = {2024},<br \/>\r\ndate = {2024-01-01},<br \/>\r\nurldate = {2024-01-01},<br \/>\r\nbooktitle = {Proc. European Interdisciplinary Cybersecurity Conference (EICC 2024)},<br \/>\r\npages = {82\u201389},<br \/>\r\nabstract = {Intrusion detection systems based on anomalies (A-IDS) are crucial for detecting cyberattacks, especially zero-day attacks. Numerous A-IDS proposals in the literature report excellent performance according to established metrics and settings in a laboratory. However, finding systems implementing these proposals in real-world scenarios is challenging. 
This work explores, through a case study, the suitability of performance metrics commonly used in the scientific literature to real-world scenarios. Our case study will consider a Web attack detector based on URIs and a real, large-scale dataset. Our results show significant limitations in the performance metrics commonly used to select the system&#039;s operating point and its practical use in real-world scenarios.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('490','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_490\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Intrusion detection systems based on anomalies (A-IDS) are crucial for detecting cyberattacks, especially zero-day attacks. Numerous A-IDS proposals in the literature report excellent performance according to established metrics and settings in a laboratory. However, finding systems implementing these proposals in real-world scenarios is challenging. This work explores, through a case study, the suitability of performance metrics commonly used in the scientific literature to real-world scenarios. Our case study will consider a Web attack detector based on URIs and a real, large-scale dataset. 
Our results show significant limitations in the performance metrics commonly used to select the system&#039;s operating point and its practical use in real-world scenarios.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('490','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_490\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1145\/3655693.3655745\" title=\"DOI de seguimiento:10.1145\/3655693.3655745\" target=\"_blank\">doi:10.1145\/3655693.3655745<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('490','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Walabonso Lara, Agust\u00edn;  Mayor, Vicente;  Estepa Alonso, Rafael;  Estepa Alonso, Antonio;  D\u00edaz-Verdejo, Jes\u00fas E.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('265','tp_links')\" style=\"cursor:pointer;\">Smart home anomaly-based IDS: Architecture proposal and case study<\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">Internet of Things, <\/span><span class=\"tp_pub_additional_volume\">vol. 22, <\/span><span class=\"tp_pub_additional_pages\">pp. 
100773, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2542-6605<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_265\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('265','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_265\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('265','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_265\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('265','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_265\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Lara2023,<br \/>\r\ntitle = {Smart home anomaly-based IDS: Architecture proposal and case study},<br \/>\r\nauthor = { {Walabonso Lara}, Agust\u00edn and Vicente Mayor and {Estepa Alonso}, Rafael and {Estepa Alonso} , Antonio and Jes\u00fas E. {D\u00edaz-Verdejo}},<br \/>\r\nurl = {https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2542660523000963},<br \/>\r\ndoi = {10.1016\/J.IOT.2023.100773},<br \/>\r\nissn = {2542-6605},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-07-01},<br \/>\r\nurldate = {2023-07-01},<br \/>\r\njournal = {Internet of Things},<br \/>\r\nvolume = {22},<br \/>\r\npages = {100773},<br \/>\r\npublisher = {Elsevier},<br \/>\r\nabstract = {The complexity and diversity of the technologies involved in the Internet of Things (IoT) challenge the generalization of security solutions based on anomaly detection, which should fit the particularities of each context and deployment and allow for performance comparison. 
In this work, we provide a flexible architecture based on building blocks suited for detecting anomalies in the network traffic and the application-layer data exchanged by IoT devices in the context of Smart Home. Following this architecture, we have defined a particular Intrusion Detector System (IDS) for a case study that uses a public dataset with the electrical consumption of 21 home devices over one year. In particular, we have defined ten Indicators of Compromise (IoC) to detect network attacks and two anomaly detectors to detect false command or data injection attacks. We have also included a signature-based IDS (Snort) to extend the detection range to known attacks. We have reproduced eight network attacks (e.g., DoS, scanning) and four False Command or Data Injection attacks to test our IDS performance. The results show that all attacks were successfully detected by our IoCs and anomaly detectors with a false positive rate lower than 0.3%. Signature detection was able to detect only 4 out of 12 attacks. Our architecture and the IDS developed can be a reference for developing future IDS suited to different contexts or use cases. Given that we use a public dataset, our contribution can also serve as a baseline for comparison with new techniques that improve detection performance.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('265','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_265\" style=\"display:none;\"><div class=\"tp_abstract_entry\">The complexity and diversity of the technologies involved in the Internet of Things (IoT) challenge the generalization of security solutions based on anomaly detection, which should fit the particularities of each context and deployment and allow for performance comparison. 
In this work, we provide a flexible architecture based on building blocks suited for detecting anomalies in the network traffic and the application-layer data exchanged by IoT devices in the context of Smart Home. Following this architecture, we have defined a particular Intrusion Detector System (IDS) for a case study that uses a public dataset with the electrical consumption of 21 home devices over one year. In particular, we have defined ten Indicators of Compromise (IoC) to detect network attacks and two anomaly detectors to detect false command or data injection attacks. We have also included a signature-based IDS (Snort) to extend the detection range to known attacks. We have reproduced eight network attacks (e.g., DoS, scanning) and four False Command or Data Injection attacks to test our IDS performance. The results show that all attacks were successfully detected by our IoCs and anomaly detectors with a false positive rate lower than 0.3%. Signature detection was able to detect only 4 out of 12 attacks. Our architecture and the IDS developed can be a reference for developing future IDS suited to different contexts or use cases. 
Given that we use a public dataset, our contribution can also serve as a baseline for comparison with new techniques that improve detection performance.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('265','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_265\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-globe\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2542660523000963\" title=\"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2542660523000963\" target=\"_blank\">https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2542660523000963<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/J.IOT.2023.100773\" title=\"DOI de seguimiento:10.1016\/J.IOT.2023.100773\" target=\"_blank\">doi:10.1016\/J.IOT.2023.100773<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('265','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Castillo-Fern\u00e1ndez, Elvira;  Mu\u00f1oz, Escol\u00e1stico;  Diaz-Verdejo, J.;  Estepa Alonso, R;  Estepa Alonso, A.<\/p><p class=\"tp_pub_title\">Dise\u00f1o y despliegue de un laboratorio para formaci\u00f3n e investigaci\u00f3n  en ciberseguridad <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Actas de las VIII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC23) , <\/span><span class=\"tp_pub_additional_pages\">pp. 
445-452, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 978-84-8158-970-2<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_480\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('480','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_480\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('480','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_480\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{jnic23-cslab,<br \/>\r\ntitle = {Dise\u00f1o y despliegue de un laboratorio para formaci\u00f3n e investigaci\u00f3n  en ciberseguridad},<br \/>\r\nauthor = {Elvira Castillo-Fern\u00e1ndez and Escol\u00e1stico Mu\u00f1oz and J. Diaz-Verdejo and {Estepa Alonso}, R and {Estepa Alonso}, A.},<br \/>\r\nisbn = {978-84-8158-970-2},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-06-21},<br \/>\r\nurldate = {2023-06-21},<br \/>\r\nbooktitle = {Actas de las VIII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC23) },<br \/>\r\njournal = {Actas de las VIII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC23) - En revisi\u00f3n},<br \/>\r\npages = {445-452},<br \/>\r\nabstract = {La realizaci\u00f3n de simulacros y\/o experimentos para actividades de formaci\u00f3n e investigaci\u00f3n en ciberseguridad plantea serias dificultades pr\u00e1cticas por la ejecuci\u00f3n de ataques a los sistemas que conforman la propia infraestructura. 
Se presentan m\u00faltiples requisitos, en ocasiones, incompatibles entre s\u00ed, como la necesidad de preservar la seguridad de los sistemas externos y de monitorizaci\u00f3n sin perder la conectividad hacia Internet, la capacidad de monitorizaci\u00f3n y adquisici\u00f3n de trazas de una forma segura, la flexibilidad que permita m\u00faltiples escenarios lo m\u00e1s realistas posible y una f\u00e1cil reusabilidad del laboratorio. En el presente trabajo se propone e implementa una arquitectura para un laboratorio de ciberseguridad que presenta un equilibrio entre flexibilidad, funcionalidad, usabilidad y seguridad de las operaciones. La propuesta se basa en la divisi\u00f3n en una red de supervisi\u00f3n y una red de laboratorio sobre la que, mediante virtualizaci\u00f3n de bajo nivel, se pueden desarrollar los diferentes experimentos y ataques con riesgo m\u00ednimo de impacto sobre la red de supervisi\u00f3n. Para ello se establecen diferentes barreras, tanto f\u00edsicas como l\u00f3gicas, que permiten filtrar el tr\u00e1fico entre ambas y la conectividad hacia Internet. Para mostrar la operaci\u00f3n y capacidades de la arquitectura propuesta se presenta un caso de uso con un ataque multietapa que involucra diversos sistemas operativos y equipos.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('480','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_480\" style=\"display:none;\"><div class=\"tp_abstract_entry\">La realizaci\u00f3n de simulacros y\/o experimentos para actividades de formaci\u00f3n e investigaci\u00f3n en ciberseguridad plantea serias dificultades pr\u00e1cticas por la ejecuci\u00f3n de ataques a los sistemas que conforman la propia infraestructura. 
Se presentan m\u00faltiples requisitos, en ocasiones, incompatibles entre s\u00ed, como la necesidad de preservar la seguridad de los sistemas externos y de monitorizaci\u00f3n sin perder la conectividad hacia Internet, la capacidad de monitorizaci\u00f3n y adquisici\u00f3n de trazas de una forma segura, la flexibilidad que permita m\u00faltiples escenarios lo m\u00e1s realistas posible y una f\u00e1cil reusabilidad del laboratorio. En el presente trabajo se propone e implementa una arquitectura para un laboratorio de ciberseguridad que presenta un equilibrio entre flexibilidad, funcionalidad, usabilidad y seguridad de las operaciones. La propuesta se basa en la divisi\u00f3n en una red de supervisi\u00f3n y una red de laboratorio sobre la que, mediante virtualizaci\u00f3n de bajo nivel, se pueden desarrollar los diferentes experimentos y ataques con riesgo m\u00ednimo de impacto sobre la red de supervisi\u00f3n. Para ello se establecen diferentes barreras, tanto f\u00edsicas como l\u00f3gicas, que permiten filtrar el tr\u00e1fico entre ambas y la conectividad hacia Internet. 
Para mostrar la operaci\u00f3n y capacidades de la arquitectura propuesta se presenta un caso de uso con un ataque multietapa que involucra diversos sistemas operativos y equipos.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('480','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Castillo-Fern\u00e1ndez, E.;  Diaz-Verdejo, J.;  Estepa Alonso, R.;  Estepa Alonso, A.<\/p><p class=\"tp_pub_title\">Riesgos en la Smart Home: estudio experimental <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Actas de las VIII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC23), <\/span><span class=\"tp_pub_additional_pages\">pp. 375-382, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 978-84-8158-970-2<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_476\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('476','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_476\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('476','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_476\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{jnic23-iot,<br \/>\r\ntitle = {Riesgos en la Smart Home: estudio experimental},<br \/>\r\nauthor = {E. Castillo-Fern\u00e1ndez and J. Diaz-Verdejo and {Estepa Alonso}, R. 
and {Estepa Alonso}, A.},<br \/>\r\nisbn = {978-84-8158-970-2},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-06-21},<br \/>\r\nurldate = {2023-06-21},<br \/>\r\nbooktitle = {Actas de las VIII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC23)},<br \/>\r\npages = {375-382},<br \/>\r\nabstract = {En este trabajo realizamos una evaluaci\u00f3n preliminar de los riesgos de ciberseguridad en un escenario de aplicaci\u00f3n t\u00edpico de SmartHome: una vivienda unifamiliar. Para ello se han desplegado varias tecnolog\u00edas com\u00fanmente utilizadas en este contexto y se ha monitorizado el tr\u00e1fico asociado a los dispositivos y servidores SmartHome. A partir del an\u00e1lisis realizado se ha constatado la existencia de ataques, patrones de comunicaci\u00f3n an\u00f3malos entre dispositivos y con servidores externos, as\u00ed como vulnerabilidades asociadas a debilidades en las configuraciones de los dispositivos y los protocolos desplegados, algunos de ellos propietarios. Adicionalmente, para algunos dispositivos se ha constatado una gran dependencia de la nube, lo que facilita la indisponibilidad de  algunos servicios en caso de fallos en la conexi\u00f3n con nube. El resultado evidencia un pobre tratamiento de la ciberseguridad por la mayor\u00eda de los operadores del sector y un riesgo en este tipo de instalaciones que puede pasar inadvertido al usuario.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('476','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_476\" style=\"display:none;\"><div class=\"tp_abstract_entry\">En este trabajo realizamos una evaluaci\u00f3n preliminar de los riesgos de ciberseguridad en un escenario de aplicaci\u00f3n t\u00edpico de SmartHome: una vivienda unifamiliar. 
Para ello se han desplegado varias tecnolog\u00edas com\u00fanmente utilizadas en este contexto y se ha monitorizado el tr\u00e1fico asociado a los dispositivos y servidores SmartHome. A partir del an\u00e1lisis realizado se ha constatado la existencia de ataques, patrones de comunicaci\u00f3n an\u00f3malos entre dispositivos y con servidores externos, as\u00ed como vulnerabilidades asociadas a debilidades en las configuraciones de los dispositivos y los protocolos desplegados, algunos de ellos propietarios. Adicionalmente, para algunos dispositivos se ha constatado una gran dependencia de la nube, lo que facilita la indisponibilidad de  algunos servicios en caso de fallos en la conexi\u00f3n con nube. El resultado evidencia un pobre tratamiento de la ciberseguridad por la mayor\u00eda de los operadores del sector y un riesgo en este tipo de instalaciones que puede pasar inadvertido al usuario.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('476','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Lara, Agust\u00edn W.;  Ternero, J. A.;  Estepa Alonso, Rafael;  Estepa Alonso, Antonio;  Ruiz-Robles, Fernando;  D\u00edaz-Verdejo, Jes\u00fas E.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('478','tp_links')\" style=\"cursor:pointer;\">HTTP Cyberattacks Detection through Automatic Signature Generation in multi-site IoT Deployments<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023)\r\n, <\/span><span class=\"tp_pub_additional_pages\">pp. 
6, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_478\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('478','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_478\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('478','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_478\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('478','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_478\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{eicc2-firmas,<br \/>\r\ntitle = {HTTP Cyberattacks Detection through Automatic Signature Generation in multi-site IoT Deployments},<br \/>\r\nauthor = {Agust\u00edn W. Lara and J.A. Ternero and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and Fernando Ruiz-Robles and Jes\u00fas E. D\u00edaz-Verdejo<br \/>\r\n},<br \/>\r\ndoi = {10.1145\/3590777.3590788},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-06-14},<br \/>\r\nurldate = {2023-06-14},<br \/>\r\nbooktitle = {Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023)<br \/>\r\n},<br \/>\r\npages = {6},<br \/>\r\nabstract = { IoT deployments often include a web-interface server for managerial purposes. Signature-based Intrusion Detection Systems are commonly used to detect HTTP attacks on these web servers. The standard signature repositories used by these defensive systems can be enhanced with new signatures generated automatically from attacks detected with anomaly detection techniques. <br \/>\r\n  This work presents a scheme for generating such anomaly-based signatures from HTTP attacks in a way that avoids excessive false positives. 
The signatures generated are distributed to peer sites in a multi-site environment. We also present a case study based on an IoT real-life dataset collected at four different SmartLight deployments from the same organization. Our results show a notable performance improvement (from $24.1%$ to $66.7%$) when anomaly-based signatures are added to the standard default Snort ruleset and distributed to the other three sites.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('478','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_478\" style=\"display:none;\"><div class=\"tp_abstract_entry\"> IoT deployments often include a web-interface server for managerial purposes. Signature-based Intrusion Detection Systems are commonly used to detect HTTP attacks on these web servers. The standard signature repositories used by these defensive systems can be enhanced with new signatures generated automatically from attacks detected with anomaly detection techniques. <br \/>\r\n  This work presents a scheme for generating such anomaly-based signatures from HTTP attacks in a way that avoids excessive false positives. The signatures generated are distributed to peer sites in a multi-site environment. We also present a case study based on an IoT real-life dataset collected at four different SmartLight deployments from the same organization. 
Our results show a notable performance improvement (from $24.1%$ to $66.7%$) when anomaly-based signatures are added to the standard default Snort ruleset and distributed to the other three sites.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('478','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_478\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1145\/3590777.3590788\" title=\"DOI de seguimiento:10.1145\/3590777.3590788\" target=\"_blank\">doi:10.1145\/3590777.3590788<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('478','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Fern\u00e1ndez, Elvira Castillo;  D\u00edaz-Verdejo, Jes\u00fas E.;  Estepa Alonso, Rafael;  Estepa Alonso, Antonio;  Mu\u00f1oz-Calle, Javier;  Madinabeitia, Germ\u00e1n<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('477','tp_links')\" style=\"cursor:pointer;\">Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023), <\/span><span class=\"tp_pub_additional_pages\">pp. 
6, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_477\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('477','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_477\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('477','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_477\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('477','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_477\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{eicc23-attacks,<br \/>\r\ntitle = {Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation},<br \/>\r\nauthor = {Elvira {Castillo Fern\u00e1ndez} and Jes\u00fas E. {D\u00edaz-Verdejo} and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and Javier {Mu\u00f1oz-Calle} and Germ\u00e1n Madinabeitia},<br \/>\r\ndoi = {10.1145\/3590777.3590778},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-06-14},<br \/>\r\nurldate = {2023-06-14},<br \/>\r\nbooktitle = {Proc. European Interdisciplinary Cybersecurity Conference (EICC 2023)},<br \/>\r\npages = {6},<br \/>\r\nabstract = {Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. 
Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events\/alerts.<br \/>\r\n<br \/>\r\nIn this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. <br \/>\r\nIn our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. <br \/>\r\nOur architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('477','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_477\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. 
Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events\/alerts.<br \/>\r\n<br \/>\r\nIn this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. <br \/>\r\nIn our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. <br \/>\r\nOur architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('477','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_477\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1145\/3590777.3590778\" title=\"DOI de seguimiento:10.1145\/3590777.3590778\" target=\"_blank\">doi:10.1145\/3590777.3590778<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('477','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Castillo-Fern\u00e1ndez, Elvira;  D\u00edaz-Verdejo, Jes\u00fas Esteban;  Alonso, Rafael Mar\u00eda Estepa;  Alonso, Antonio Estepa;  Mu\u00f1oz-Calle, Fco Javier<\/p><p 
class=\"tp_pub_title\">Uso practico del modelo ATT&amp;CK para la detecci\u00f3n de ciberataques <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Actas de las XVI Jornadas de Ingenier\u00eda Telem\u00e1tica &#8211; JITEL 2023, <\/span><span class=\"tp_pub_additional_pages\">pp. 1\u20134, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 9783131450715<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_484\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('484','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_484\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('484','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_484\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Castillo-Fernandez2023,<br \/>\r\ntitle = {Uso practico del modelo ATT&CK para la detecci\u00f3n de ciberataques},<br \/>\r\nauthor = {Elvira Castillo-Fern\u00e1ndez and Jes\u00fas Esteban D\u00edaz-Verdejo and Rafael Mar\u00eda Estepa Alonso and Antonio Estepa Alonso and Fco Javier Mu\u00f1oz-Calle},<br \/>\r\nisbn = {9783131450715},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-01-01},<br \/>\r\nurldate = {2023-01-01},<br \/>\r\nbooktitle = {Actas de las XVI Jornadas de Ingenier\u00eda Telem\u00e1tica - JITEL 2023},<br \/>\r\npages = {1\u20134},<br \/>\r\nabstract = {ATT&CK establece un modelo donde se especifican las fases secuenciales de un ciberataque, as\u00ed como las t\u00e9cnicas que suelen ser usadas en cada paso del ataque. 
Ser\u00eda interesante incorporar este modelo en el proceso de detecci\u00f3n de los ciberataques ya que facilitar\u00eda la correlaci\u00f3n de las numerosas alertas generadas por los sistemas de monitorizaci\u00f3n de red. Sin embargo, la aplicaci\u00f3n del modelo en los procesos de correlaci\u00f3n de eventos no es inmediata, ya que no est\u00e1 formulado en t\u00e9rminos de eventos observables y\/o detecciones sino de acciones a realizar. En el presente trabajo exploramos y evaluamos los elementos necesarios para incorporar el modelo ATT&CK en el procesamiento de la informaci\u00f3n generada por los sistemas de monitorizaci\u00f3n de la seguridad en la red.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('484','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_484\" style=\"display:none;\"><div class=\"tp_abstract_entry\">ATT&amp;CK establece un modelo donde se especifican las fases secuenciales de un ciberataque, as\u00ed como las t\u00e9cnicas que suelen ser usadas en cada paso del ataque. Ser\u00eda interesante incorporar este modelo en el proceso de detecci\u00f3n de los ciberataques ya que facilitar\u00eda la correlaci\u00f3n de las numerosas alertas generadas por los sistemas de monitorizaci\u00f3n de red. Sin embargo, la aplicaci\u00f3n del modelo en los procesos de correlaci\u00f3n de eventos no es inmediata, ya que no est\u00e1 formulado en t\u00e9rminos de eventos observables y\/o detecciones sino de acciones a realizar. 
En el presente trabajo exploramos y evaluamos los elementos necesarios para incorporar el modelo ATT&amp;CK en el procesamiento de la informaci\u00f3n generada por los sistemas de monitorizaci\u00f3n de la seguridad en la red.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('484','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Mu\u00f1oz-calle, Javier;  Fructuoso, Javier;  Estepa, Rafael;  Estepa, Antonio<\/p><p class=\"tp_pub_title\">Evaluaci\u00f3n experimental de las capacidades de detecci\u00f3n de ciberataques basados en t\u00e9cnicas del modelo ATT &amp; CK mediante Snort <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Actas de las XVI Jornadas de Ingenier\u00eda Telem\u00e1tica &#8211; JITEL 2023, <\/span><span class=\"tp_pub_additional_pages\">pp. 
5\u20138, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_487\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('487','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_487\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('487','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_487\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Munoz-calle2023,<br \/>\r\ntitle = {Evaluaci\u00f3n experimental de las capacidades de detecci\u00f3n de ciberataques basados en t\u00e9cnicas del modelo ATT & CK mediante Snort},<br \/>\r\nauthor = {Javier Mu\u00f1oz-calle and Javier Fructuoso and Rafael Estepa and Antonio Estepa},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-01-01},<br \/>\r\nurldate = {2023-01-01},<br \/>\r\nbooktitle = {Actas de las XVI Jornadas de Ingenier\u00eda Telem\u00e1tica - JITEL 2023},<br \/>\r\npages = {5\u20138},<br \/>\r\nabstract = {ATT&CK establece un modelo donde se especifican las fases secuenciales de un ciberataque, as\u00ed como las t\u00e9cnicas que suelen ser usadas en cada paso del ataque. Ser\u00eda interesante incorporar este modelo en el proceso de detecci\u00f3n de los ciberataques ya que facilitar\u00eda la correlaci\u00f3n de las numerosas alertas generadas por los sistemas de monitorizaci\u00f3n de red. Sin embargo, la aplicaci\u00f3n del modelo en los procesos de correlaci\u00f3n de eventos no es inmediata, ya que no est\u00e1 formulado en t\u00e9rminos de eventos observables y\/o detecciones sino de acciones a realizar. 
En el presente trabajo exploramos y evaluamos los elementos necesarios para incorporar el modelo ATT&CK en el procesamiento de la informaci\u00f3n generada por los sistemas de monitorizaci\u00f3n de la seguridad en la red.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('487','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_487\" style=\"display:none;\"><div class=\"tp_abstract_entry\">ATT&amp;CK establece un modelo donde se especifican las fases secuenciales de un ciberataque, as\u00ed como las t\u00e9cnicas que suelen ser usadas en cada paso del ataque. Ser\u00eda interesante incorporar este modelo en el proceso de detecci\u00f3n de los ciberataques ya que facilitar\u00eda la correlaci\u00f3n de las numerosas alertas generadas por los sistemas de monitorizaci\u00f3n de red. Sin embargo, la aplicaci\u00f3n del modelo en los procesos de correlaci\u00f3n de eventos no es inmediata, ya que no est\u00e1 formulado en t\u00e9rminos de eventos observables y\/o detecciones sino de acciones a realizar. 
En el presente trabajo exploramos y evaluamos los elementos necesarios para incorporar el modelo ATT&amp;CK en el procesamiento de la informaci\u00f3n generada por los sistemas de monitorizaci\u00f3n de la seguridad en la red.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('487','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, Jes\u00fas E.;  Estepa Alonso, Rafael;  Estepa Alonso, Antonio;  Madinabeitia, German<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('264','tp_links')\" style=\"cursor:pointer;\">A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges<\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">Computers and Security, <\/span><span class=\"tp_pub_additional_volume\">vol. 124, <\/span><span class=\"tp_pub_additional_pages\">pp. 
102997, <\/span><span class=\"tp_pub_additional_year\">2023<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 01674048<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_264\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('264','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_264\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('264','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_264\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('264','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_264\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Diaz-Verdejo2023,<br \/>\r\ntitle = {A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges},<br \/>\r\nauthor = {Jes\u00fas E. D\u00edaz-Verdejo and {Estepa Alonso}, Rafael and {Estepa Alonso}, Antonio and German Madinabeitia},<br \/>\r\ndoi = {10.1016\/j.cose.2022.102997},<br \/>\r\nissn = {01674048},<br \/>\r\nyear  = {2023},<br \/>\r\ndate = {2023-01-01},<br \/>\r\nurldate = {2023-01-01},<br \/>\r\njournal = {Computers and Security},<br \/>\r\nvolume = {124},<br \/>\r\npages = {102997},<br \/>\r\nabstract = {Intrusion Detection Systems (IDSs) and Web Application Firewalls (WAFs) offer a crucial layer of defense that allows organizations to detect cyberattacks on their web servers. Academic research overwhelmingly suggests using anomaly detection techniques to improve the performance of these defensive systems. 
However, analyzing and comparing the wide range of solutions in the scientific literature is challenging since they are typically presented as isolated (unrelated) contributions, and their results cannot be generalized. We believe that this impairs the industry&#039;s adoption of academic results and the advancement of research in this field. This paper aims to shed light on the literature on anomaly-based detection of attacks that use HTTP request messages. We define a novel framework for anomaly detection based on six data processing steps grouped into two sequential phases: preprocessing and classification. Based on this framework, we provide a taxonomy and critical review of the techniques surveyed, emphasizing their limitations and applicability. Future approaches should take advantage of the syntax and semantics of the Uniform Resource Locator (URL), be scalable, and address their obsolescence. These aspects are frequently overlooked in the literature and pose a significant challenge in the current era of web services. For better comparability, authors should use adequate public datasets, follow a thorough methodology, and use appropriate metrics that fully show the pros and cons of the approach.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('264','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_264\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Intrusion Detection Systems (IDSs) and Web Application Firewalls (WAFs) offer a crucial layer of defense that allows organizations to detect cyberattacks on their web servers. Academic research overwhelmingly suggests using anomaly detection techniques to improve the performance of these defensive systems. 
However, analyzing and comparing the wide range of solutions in the scientific literature is challenging since they are typically presented as isolated (unrelated) contributions, and their results cannot be generalized. We believe that this impairs the industry&#039;s adoption of academic results and the advancement of research in this field. This paper aims to shed light on the literature on anomaly-based detection of attacks that use HTTP request messages. We define a novel framework for anomaly detection based on six data processing steps grouped into two sequential phases: preprocessing and classification. Based on this framework, we provide a taxonomy and critical review of the techniques surveyed, emphasizing their limitations and applicability. Future approaches should take advantage of the syntax and semantics of the Uniform Resource Locator (URL), be scalable, and address their obsolescence. These aspects are frequently overlooked in the literature and pose a significant challenge in the current era of web services. 
For better comparability, authors should use adequate public datasets, follow a thorough methodology, and use appropriate metrics that fully show the pros and cons of the approach.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('264','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_264\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.cose.2022.102997\" title=\"DOI de seguimiento:10.1016\/j.cose.2022.102997\" target=\"_blank\">doi:10.1016\/j.cose.2022.102997<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('264','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Mu\u00f1oz, Javier;  Bueno, Felipe;  Estepa, Rafael;  Estepa, Antonio;  D\u00edaz-Verdejo, Jes\u00fas E.<\/p><p class=\"tp_pub_title\">Ataques a servidores web: estudio experimental de la capacidad de detecci\u00f3n de algunos SIDS gratuitos <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_booktitle\">Actas de las VII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC&#039;22), <\/span><span class=\"tp_pub_additional_pages\">pp. 
22\u201325, <\/span><span class=\"tp_pub_additional_year\">2022<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 9878488734136<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_266\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('266','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_266\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('266','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_266\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Munoz-jnic22,<br \/>\r\ntitle = {Ataques a servidores web: estudio experimental de la capacidad de detecci\u00f3n de algunos SIDS gratuitos},<br \/>\r\nauthor = {Javier Mu\u00f1oz and Felipe Bueno and Rafael Estepa and Antonio Estepa and Jes\u00fas E. D\u00edaz-Verdejo},<br \/>\r\nisbn = {9878488734136},<br \/>\r\nyear  = {2022},<br \/>\r\ndate = {2022-01-01},<br \/>\r\nurldate = {2022-01-01},<br \/>\r\nbooktitle = {Actas de las VII Jornadas Nacionales de Investigaci\u00f3n en Ciberseguridad (JNIC&#039;22)},<br \/>\r\npages = {22--25},<br \/>\r\nabstract = {Este trabajo cuantifica de forma experimental la capacidad de detecci\u00f3n de ataques a servidores web ofrecida por algunos de los detectores de intrusiones basados en firmas (SIDS) disponibles de forma gratuita. Para ello, se ha realizado una b\u00fasqueda y selecci\u00f3n de 28 herramientas actuales para la generaci\u00f3n de ataques y an\u00e1lisis de seguridad del servicio web. Con ellas, se han realizado casi 150 ataques a dos escenarios de uso de un servidor web (una web est\u00e1tica y una din\u00e1mica). 
Las peticiones HTTP registradas durante los ataques han sido utilizadas para crear un dataset de ataques que ser\u00e1 utilizado como entrada a tres SIDS gratuitos seleccionados por su amplio uso, de forma que se podr\u00e1 determinar la capacidad de detecci\u00f3n de los mismos frente a los ataques generados. Este trabajo se encuentra a\u00fan en desarrollo, por lo que en esta contribuci\u00f3n se muestran los primeros resultados relativos a la recolecci\u00f3n y selecci\u00f3n de herramientas para la generaci\u00f3n de los ataques, la generaci\u00f3n del dataset de ataques de forma que sea representativo de los ataques actuales y la evaluaci\u00f3n preliminar de las capacidades de detecci\u00f3n.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('266','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_266\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Este trabajo cuantifica de forma experimental la capacidad de detecci\u00f3n de ataques a servidores web ofrecida por algunos de los detectores de intrusiones basados en firmas (SIDS) disponibles de forma gratuita. Para ello, se ha realizado una b\u00fasqueda y selecci\u00f3n de 28 herramientas actuales para la generaci\u00f3n de ataques y an\u00e1lisis de seguridad del servicio web. Con ellas, se han realizado casi 150 ataques a dos escenarios de uso de un servidor web (una web est\u00e1tica y una din\u00e1mica). Las peticiones HTTP registradas durante los ataques han sido utilizadas para crear un dataset de ataques que ser\u00e1 utilizado como entrada a tres SIDS gratuitos seleccionados por su amplio uso, de forma que se podr\u00e1 determinar la capacidad de detecci\u00f3n de los mismos frente a los ataques generados. 
Este trabajo se encuentra a\u00fan en desarrollo, por lo que en esta contribuci\u00f3n se muestran los primeros resultados relativos a la recolecci\u00f3n y selecci\u00f3n de herramientas para la generaci\u00f3n de los ataques, la generaci\u00f3n del dataset de ataques de forma que sea representativo de los ataques actuales y la evaluaci\u00f3n preliminar de las capacidades de detecci\u00f3n.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('266','tp_abstract')\">Cerrar<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> D\u00edaz-Verdejo, J. E.;  Mu\u00f1oz-Calle, F. J.;  Estepa Alonso, A.;  Estepa Alonso, R.;  Madinabeitia, G.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('263','tp_links')\" style=\"cursor:pointer;\">On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks<\/a> <span class=\"tp_pub_type tp_  article\">Art\u00edculo de revista<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">En: <\/span><span class=\"tp_pub_additional_journal\">Applied Sciences, <\/span><span class=\"tp_pub_additional_volume\">vol. 12, <\/span><span class=\"tp_pub_additional_number\">no 2, <\/span><span class=\"tp_pub_additional_pages\">pp. 
852, <\/span><span class=\"tp_pub_additional_year\">2022<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 20763417<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_263\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('263','tp_abstract')\" title=\"Mostrar resumen\" style=\"cursor:pointer;\">Resumen<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_263\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('263','tp_links')\" title=\"Mostrar enlaces y recursos\" style=\"cursor:pointer;\">Enlaces<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_263\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('263','tp_bibtex')\" title=\"Mostrar entrada BibTeX \" style=\"cursor:pointer;\">BibTeX<\/a><\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_263\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Diaz-Verdejo2022,<br \/>\r\ntitle = {On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks},<br \/>\r\nauthor = {J. E. D\u00edaz-Verdejo and F. J. Mu\u00f1oz-Calle and {Estepa Alonso}, A. and {Estepa Alonso}, R. and G. Madinabeitia},<br \/>\r\nurl = {https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852\/htm https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852},<br \/>\r\ndoi = {10.3390\/app12020852},<br \/>\r\nissn = {20763417},<br \/>\r\nyear  = {2022},<br \/>\r\ndate = {2022-01-01},<br \/>\r\nurldate = {2022-01-01},<br \/>\r\njournal = {Applied Sciences},<br \/>\r\nvolume = {12},<br \/>\r\nnumber = {2},<br \/>\r\npages = {852},<br \/>\r\npublisher = {Multidisciplinary Digital Publishing Institute},<br \/>\r\nabstract = {Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. 
SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules to deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. 
We tested our approach using Snort&rsquo;s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('263','tp_bibtex')\">Cerrar<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_263\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. 
Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules to deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort&rsquo;s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('263','tp_abstract')\">Cerrar<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_263\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-globe\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852\/htm https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852\" title=\"https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852\/htm https:\/\/www.mdpi.com\/2076-3417\/12\/2\/[...]\" target=\"_blank\">https:\/\/www.mdpi.com\/2076-3417\/12\/2\/852\/htm https:\/\/www.mdpi.com\/2076-3417\/12\/2\/[&#8230;]<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.3390\/app12020852\" title=\"DOI de seguimiento:10.3390\/app12020852\" target=\"_blank\">doi:10.3390\/app12020852<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('263','tp_links')\">Cerrar<\/a><\/p><\/div><\/div><\/div><\/div><\/div><\/div><div><p>\u00a0<\/p><h3><span style=\"color: #038daa;\">Datos<\/span><\/h3><ul><li><b>Biblio-US17 <\/b>&#8211; Base de datos de peticiones 
HTTP reales etiquetada (42 M de registros) <a href=\"\/neus-cslab\/recursos\/ds-biblio\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><li><b>IoT SmartHome<\/b> &#8211; Dataset real de tr\u00e1fico en Smart Home<a href=\"\/neus-cslab\/recursos\/ds-iot\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><li><b>IoT SmartLighting<\/b> &#8211; Dataset real de tr\u00e1fico en despliegue Smart Lighting <a href=\"https:\/\/dtstc.ugr.es\/neus-cslab\/recursos\/ds-smartlighting\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><\/ul><h3><span style=\"color: #038daa;\">Software \/ sistemas<\/span><\/h3><ul><li><b>Monitorizaci\u00f3n red Smart Home<\/b> &#8211; Red para la monitorizaci\u00f3n y captura de tr\u00e1fico real en Smart Home \u00a0 <a href=\"\/neus-cslab\/recursos\/monitorizacion-smarthome\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><li><b>Inspectorlog <\/b>&#8211; Herramienta de an\u00e1lisis de trazas HTTP basada en firmas <a href=\"\/neus-cslab\/recursos\/inspectorlog\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><li><b>NE-SIEM<\/b> &#8211; Prototipo de sistema integral de detecci\u00f3n con capacidad multifuente y multiplanta<\/li><li><b>Laboratorio\u00a0 ciberseguridad<\/b> &#8211; Laboratorio h\u00edbrido orientado a la experimentaci\u00f3n y docencia en ciberseguridad \u00a0 <a href=\"\/neus-cslab\/recursos\/lab-cs\/\"><span class=\"tp_pub_type\">M\u00e1s informaci\u00f3n<\/span><\/a><\/li><\/ul><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Periodo 1-SEPT-2021 a 31-AGO-2024 Progreso 100% Detecci\u00f3n de ciberataques en \u201cindustria conectada\u201d e IoT mediante integraci\u00f3n y correlaci\u00f3n de alertas multifuente (COINCYDE) Referencia PID2020-115199RB-I00 Organismos \/ 
empresas Ministerio de Ciencia e Innovaci\u00f3n Investigadores Jes\u00fas E. D\u00edaz Verdejo &#8211; IP Juan Carlos Cubero Talavera &#8211; IP Francisco Cortijo Bon Antonio Estepa Alonso Rafael Estepa Alonso Germ\u00e1n [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":500,"parent":735,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":{"ocean_post_layout":"full-width","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"0","ocean_second_sidebar":"0","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"off","ocean_display_header":"on","ocean_header_style":"","ocean_center_header_left_menu":"0","ocean_custom_header_template":"0","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"0","ocean_menu_typo_font_family":"0","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":
0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"enable","ocean_disable_heading":"enable","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"on","ocean_display_footer_bottom":"on","ocean_custom_footer_template":"0","footnotes":""},"class_list":["post-643","page","type-page","status-publish","has-post-thumbnail","hentry","entry","has-media"],"_links":{"self":[{"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/pages\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/comments?post=643"}],"version-history":[{"count":29,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\
/wp\/v2\/pages\/643\/revisions"}],"predecessor-version":[{"id":3202,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/pages\/643\/revisions\/3202"}],"up":[{"embeddable":true,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/pages\/735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/media\/500"}],"wp:attachment":[{"href":"https:\/\/dtstc.ugr.es\/neus-cslab\/wp-json\/wp\/v2\/media?parent=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}