Pablo Moriano

Pablo Moriano, Ph.D.

Research Scientist
Computer Science and Mathematics Division
Oak Ridge National Laboratory
moriano [at] ornl.gov  

I am a research scientist in the Computer Science and Mathematics Division at Oak Ridge National Laboratory. I received Ph.D. and M.S. degrees in Informatics from the School of Informatics, Computing, and Engineering at Indiana University Bloomington. Previously, I received M.S. and B.S. degrees in Electrical Engineering at Pontificia Universidad Javeriana in Colombia. I am the recipient of best paper awards at the 9th International Workshop on Managing Insider Security Threats (MIST) 2017, held in conjunction with CCS, and the 4th International Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2022, held in conjunction with NDSS. In the past, I have done research internships at Cisco Systems, Inc. with the Advanced Security Research Group. I am a senior member of IEEE and a member of ACM and SIAM. Here is a link to an official bio and my CV.

My research lies at the intersection of data science, network science, and cybersecurity. In particular, I use data-driven and computational methods to discover and understand anomalous behavior in large-scale networked systems, and I rely on this approach to design and develop solutions that detect and explain such behavior. Applications of my research range across multiple disciplines, including the detection of exceptional events in social media, Internet route hijacking, insider threat behavior in version control systems, and intrusion detection in cyber-physical systems. Here is a word cloud built out of the abstracts of my papers.

Graph ML Improves JIT Defect Prediction

By leveraging contribution graphs, in which edges represent the changes developers make to a code base, our research shows the potential of using graph-based ML to improve Just-In-Time (JIT) defect prediction. We hypothesize that features extracted from the contribution graphs are better predictors of defect-prone changes than intrinsic features derived from software characteristics. We corroborate our hypothesis using graph-based ML for classifying edges that represent defect-prone changes. This new framing of the JIT defect prediction problem leads to substantially better results.
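The following is an added illustration, not code from the paper or from this site: it builds a small bipartite contribution graph (developers and files) from constructed change records, derives per-edge graph features, and compares a one-feature decision stump fitted on those features with one fitted on an intrinsic feature (lines changed). The dataset is constructed so that defect-inducing changes land on files with many contributors; the feature names (dev_degree, file_degree, overlap) and the stump classifier are assumptions made for this example, not the models the paper used.

```python
from collections import defaultdict

# Constructed (not real) change records: (developer, file, lines_changed, defect_inducing).
# Each record is one edge of the contribution graph: a developer touching a file.
# Labels were chosen so that defect-inducing changes fall on files with many
# contributors, while lines_changed (an intrinsic feature) carries no signal.
CHANGES = [
    ("alice", "auth.c",   40, 1),
    ("bob",   "auth.c",   12, 1),
    ("carol", "auth.c",    8, 1),
    ("dave",  "auth.c",   95, 1),
    ("alice", "parser.c", 60, 0),
    ("alice", "util.c",    5, 0),
    ("bob",   "net.c",    70, 1),
    ("carol", "net.c",    15, 1),
    ("erin",  "net.c",    22, 1),
    ("erin",  "docs.md",  80, 0),
    ("frank", "build.sh", 33, 0),
    ("frank", "ci.yml",   90, 0),
    ("dave",  "util.c",   18, 0),
]


def build_graph(changes):
    """Bipartite contribution graph as two adjacency maps: dev -> files, file -> devs."""
    dev_files, file_devs = defaultdict(set), defaultdict(set)
    for dev, path, _, _ in changes:
        dev_files[dev].add(path)
        file_devs[path].add(dev)
    return dev_files, file_devs


def edge_features(dev, path, dev_files, file_devs):
    """Graph features of the edge (dev, path). 'overlap' (a name assumed here) counts the
    other contributors of `path` who also share at least one *other* file with `dev`."""
    others = file_devs[path] - {dev}
    elsewhere = dev_files[dev] - {path}
    overlap = sum(1 for o in others if dev_files[o] & elsewhere)
    return {"dev_degree": len(dev_files[dev]),
            "file_degree": len(file_devs[path]),
            "overlap": overlap}


def feature_table(changes):
    """One row per edge: (graph features, intrinsic features, label)."""
    dev_files, file_devs = build_graph(changes)
    rows = []
    for dev, path, lines, label in changes:
        rows.append((edge_features(dev, path, dev_files, file_devs),
                     {"lines_changed": lines}, label))
    return rows


def best_stump(rows, which):
    """Fit a one-feature decision stump by exhaustive search over (feature, threshold,
    direction); return (feature, threshold, predict_one_if_at_least, train_accuracy).
    A stump stands in for a full ML model so the result is exactly reproducible."""
    idx = 0 if which == "graph" else 1
    best = (None, None, None, -1.0)
    for feat in rows[0][idx]:
        for t in sorted({r[idx][feat] for r in rows}):
            for at_least in (True, False):
                correct = sum((1 if (r[idx][feat] >= t) == at_least else 0) == r[2]
                              for r in rows)
                acc = correct / len(rows)
                if acc > best[3]:
                    best = (feat, t, at_least, acc)
    return best


if __name__ == "__main__":
    rows = feature_table(CHANGES)
    print("graph features    :", best_stump(rows, "graph"))
    print("intrinsic features:", best_stump(rows, "intrinsic"))
```

On this constructed data the graph stump separates the classes perfectly on file_degree, while the best intrinsic stump reaches roughly 62% training accuracy; the point is the framing (edge classification on the contribution graph), not the particular classifier.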

Masquerade Attack Detection Using Unsupervised Learning in CPS

We show that the similarity of time series clusters under benign conditions exhibits statistically significant differences from the similarity of time series clusters under attack conditions. We demonstrate these differences under attack scenarios of differing sophistication using data from the ROAD dataset. This work shows that it is possible to detect masquerade attacks by effectively using the time series clustering representation of signals on the CAN bus, together with appropriate parameter choices for grouping them.
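As an added example (not code from the paper or this site, and not using ROAD data), the block below constructs a window of physically coupled CAN signals, clusters them by Pearson correlation, and compares the clustering of a benign window against one in which a masquerading node has replaced the speed signal with fabricated values. The signal names, the correlation threshold and the use of the Rand index as the similarity measure are assumptions made for this example.

```python
import math

N = 300  # samples per window


def benign_window(offset=0):
    """Constructed (not real) CAN signal window: five signals derived from one driving
    profile, so the genuine signals are strongly correlated with one another."""
    ts = range(offset, offset + N)
    base = [50 + 20 * math.sin(4 * math.pi * t / N) + 10 * math.sin(14 * math.pi * t / N)
            for t in ts]
    return {
        "speed":    base,
        "wheel_fl": [0.98 * b + 0.5 * math.sin(t) for b, t in zip(base, ts)],
        "wheel_fr": [1.02 * b + 0.5 * math.cos(t) for b, t in zip(base, ts)],
        "rpm":      [30 * b + 40 * math.sin(3 * t) for b, t in zip(base, ts)],
        "brake":    [100 - b + 0.3 * math.cos(2 * t) for b, t in zip(base, ts)],
    }


def masquerade_window(offset=0):
    """Same window, but the attacker has silenced the speed ECU and transmits
    fabricated speed frames that no longer track the real wheel and rpm signals."""
    w = benign_window(offset)
    w["speed"] = [80 + 2 * math.sin(0.3 * t) for t in range(offset, offset + N)]
    return w


def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def cluster_signals(window, threshold=0.8):
    """Link two signals when their correlation is at least `threshold`; clusters are the
    connected components of that link graph (union-find)."""
    names = sorted(window)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pearson(window[a], window[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return {frozenset(g) for g in groups.values()}


def rand_index(clusters_a, clusters_b):
    """Fraction of signal pairs on which two clusterings agree (same vs. different cluster)."""
    def label(clusters):
        return {s: i for i, c in enumerate(clusters) for s in c}
    la, lb = label(clusters_a), label(clusters_b)
    names = sorted(la)
    agree = total = 0
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            total += 1
            agree += (la[a] == la[b]) == (lb[a] == lb[b])
    return agree / total


def is_masquerade(reference, window, min_similarity=0.9):
    """Flag a window whose clustering drifts away from the benign reference clustering."""
    return rand_index(cluster_signals(reference), cluster_signals(window)) < min_similarity


if __name__ == "__main__":
    ref = benign_window()
    print("benign vs benign    :", rand_index(cluster_signals(ref), cluster_signals(benign_window(1000))))
    print("benign vs masquerade:", rand_index(cluster_signals(ref), cluster_signals(masquerade_window(1000))))
```

Under benign conditions speed, both wheel speeds and rpm fall into one cluster and brake (anti-correlated) into another; under the masquerade the fabricated speed signal drops out of its cluster, and the Rand index between the two clusterings falls from 1.0 to 0.7. A real deployment would learn the threshold and the similarity cut-off from benign captures rather than fix them by hand.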

Bursty Announcements for Detecting Routing Anomalies

We developed a method for detecting routing anomalies based on the analysis of bursty BGP announcements. We hypothesize that BGP announcements associated with disruptive updates tend to arrive in groups of relatively high frequency followed by periods of infrequent activity, that is, they exhibit high burstiness. We demonstrate the efficacy of this method across case studies ranging from a dozen to a hundred thousand compromised prefixes.
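The block below is an added example rather than the paper's own pipeline: it scores per-prefix BGP UPDATE timestamps with the Goh-Barabasi burstiness coefficient B = (sigma - mu) / (sigma + mu) of the inter-arrival times (B = -1 for a perfectly periodic stream, about 0 for Poisson-like arrivals, approaching 1 for tight bursts separated by long silences) and flags prefixes above a threshold. The choice of this coefficient, the threshold and the timestamps (constructed, using RFC 5737 documentation prefixes) are assumptions made for the illustration.

```python
import math
from itertools import accumulate

# Constructed (not real) BGP UPDATE timestamps in seconds, per announced prefix.
# 192.0.2.0/24: steady hourly re-announcement (periodic).
# 198.51.100.0/24: ordinary jittered schedule.
# 203.0.113.0/24: the pattern the hypothesis describes: a tight burst of updates,
#                 a day of silence, then another burst.
_jitter = [300, 700, 500, 400, 900, 200, 600, 800, 350, 650] * 5
ANNOUNCEMENTS = {
    "192.0.2.0/24":    [i * 3600 for i in range(48)],
    "198.51.100.0/24": [0] + list(accumulate(_jitter)),
    "203.0.113.0/24":  [2 * i for i in range(30)] + [86400 + 2 * i for i in range(30)],
}


def burstiness(timestamps):
    """Goh-Barabasi burstiness of the inter-arrival times (population std dev).
    Returns None when fewer than two gaps exist, since B is undefined there."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mu = sum(gaps) / len(gaps)
    sigma = math.sqrt(sum((g - mu) ** 2 for g in gaps) / len(gaps))
    return (sigma - mu) / (sigma + mu)


def flag_bursty_prefixes(announcements, threshold=0.5, min_updates=10):
    """Prefixes whose update stream is bursty enough to deserve a closer look.
    `min_updates` avoids scoring prefixes for which B would rest on a handful of gaps."""
    flagged = []
    for prefix, ts in announcements.items():
        if len(ts) < min_updates:
            continue
        b = burstiness(sorted(ts))
        if b is not None and b >= threshold:
            flagged.append((prefix, round(b, 3)))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for prefix, ts in ANNOUNCEMENTS.items():
        print(f"{prefix:18s} B = {burstiness(ts):+.3f}")
    print("flagged:", flag_bursty_prefixes(ANNOUNCEMENTS))
```

The periodic prefix scores exactly -1, the jittered one lands below zero, and the burst-silence-burst prefix scores about 0.77 and is the only one flagged. Burstiness alone says nothing about who originated the updates; in practice it is a triage signal that is combined with origin-AS and path checks before a prefix is declared hijacked.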

Event Detection in Large-Scale Temporal Networks

We proposed a method for detecting large events based on the structure of temporal communication networks. We hypothesize that global events trigger viral information cascades that easily cross community boundaries and can thus be detected by monitoring intra- and inter-community communications. By comparing the amount of communication within and across communities, we show that it is possible to detect large-scale events, even when they do not trigger a significantly larger communication volume.
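As an added example (not the paper's code or data), the block below builds a constructed message log over six time windows with hand-assigned community labels, computes for each window both the total volume and the fraction of messages that cross community boundaries, and runs the same leave-one-out z-score outlier test on each series. The sixth window carries ordinary volume but mostly cross-community traffic, so only the crossing-fraction detector fires. The community labels, window sizes and the z-score rule are assumptions for the illustration; in the real method community membership comes from community detection on the network.

```python
import math
from collections import Counter

# Hand-assigned community membership (constructed, not real).
COMMUNITY = {"a1": "A", "a2": "A", "a3": "A",
             "b1": "B", "b2": "B", "b3": "B",
             "c1": "C", "c2": "C"}

WITHIN = [("a1", "a2"), ("a2", "a3"), ("b1", "b2"), ("b2", "b3"),
          ("c1", "c2"), ("a3", "a1"), ("b3", "b1"), ("c2", "c1")]
ACROSS = [("a1", "b1"), ("b2", "c1"), ("c2", "a2"), ("a3", "c1"),
          ("b1", "a2"), ("c1", "a1"), ("b3", "c2")]


def window_messages(window, intra, inter):
    """`intra` within-community and `inter` cross-community messages for one window."""
    return ([(window, s, r) for s, r in WITHIN[:intra]] +
            [(window, s, r) for s, r in ACROSS[:inter]])


# Constructed log: five ordinary windows of roughly constant volume, then an "event"
# window (5) whose volume is ordinary but whose traffic mostly crosses communities.
LOG = []
for w, (intra, inter) in enumerate([(7, 2), (6, 3), (8, 2), (7, 3), (6, 2), (3, 7)]):
    LOG += window_messages(w, intra, inter)


def per_window_stats(log, community):
    """For each window: (total messages, fraction that cross community boundaries)."""
    total, inter = Counter(), Counter()
    for w, s, r in log:
        total[w] += 1
        inter[w] += community[s] != community[r]
    return {w: (total[w], inter[w] / total[w]) for w in sorted(total)}


def outliers(series, k=3.0):
    """Windows whose value sits more than k standard deviations above the mean of the
    other windows (leave-one-out, so an event does not inflate its own baseline)."""
    flagged = []
    for w, v in series.items():
        others = [x for u, x in series.items() if u != w]
        mu = sum(others) / len(others)
        sd = math.sqrt(sum((x - mu) ** 2 for x in others) / len(others))
        if sd > 0 and (v - mu) / sd > k:
            flagged.append(w)
    return flagged


def detect_by_volume(log, community, k=3.0):
    """Naive baseline: flag windows with unusually many messages."""
    return outliers({w: t for w, (t, _) in per_window_stats(log, community).items()}, k)


def detect_by_crossing(log, community, k=3.0):
    """Structural detector: flag windows where an unusual share of traffic crosses communities."""
    return outliers({w: f for w, (_, f) in per_window_stats(log, community).items()}, k)


if __name__ == "__main__":
    for w, (t, f) in per_window_stats(LOG, COMMUNITY).items():
        print(f"window {w}: {t} messages, {f:.2f} cross-community")
    print("volume detector  :", detect_by_volume(LOG, COMMUNITY))
    print("crossing detector:", detect_by_crossing(LOG, COMMUNITY))
```

Window 5 has ten messages, the same as two of the ordinary windows, so the volume detector stays silent; its cross-community share of 0.70 against a baseline of about 0.26 is roughly nine standard deviations out, and the crossing detector flags it.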

Insider Threat in Version Control Systems

We proposed an unsupervised learning framework to evaluate whether potential insider threat events are triggered following precipitating events. The analysis leverages a bipartite graph of user and system interactions. The approach shows a clear correlation between precipitating events and the number of apparent anomalies. The results of this empirical analysis show a clear shift in behavior after events that have previously been shown to increase insider threat incidents.

Macroeconomics of Routing Anomalies

We analyzed reported routing anomalies and macroeconomic indicators over a four-year period. There are well-documented hijacks resulting from errors, for profit, or for national security and national intelligence purposes. Any individual hijack could be an accident, a crime, or an attack. We report on an empirical investigation into the macroeconomics of routing anomalies that addresses these three explanations.

Google Scholar    ResearchGate    dblp    ORCID    Publons    GitHub   

Graduate

Undergraduate

Note: Deadlines vary and some require coordination with an ORNL sponsor. Therefore, contact me well in advance if you are interested.

Journal Referee

Technical Program Committees

Oak Ridge National Laboratory
One Bethel Valley Road
PO Box 2008, MS6013
Oak Ridge, TN 37831, USA