DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

function has a limitation that it depends onservices that are considered [1].The third contribution deals with attackidentification. We consider individual attacksinstead of attack categories. This may help totake some appropriate reactions afterdetection according to the specific attacks. K-Nearest Neighbor (kNN) and PrincipalComponent Analysis (PCA) methods are usedand compared for intrusion detection. KDD 99network data are used for validating the twomethods.The second part of our work in the DADDiproject focuses on the dependability of anintrusion detection architecture based on theimplicit approach. We use an architecture thatensures both confidentiality and integrity atthe COTS server level and we extend it toenhance availability. Replication techniquesimplemented on top of agreement services(based on a consensus protocol) are used toavoid any single point of failure. On the onehand we assume that COTS servers arecomplex softwares that contain somevulnerabilities and thus may exhibit arbitrarybehaviors. While on the other hand other basiccomponents of the proposed architecture aresimple enough to be exhaustively verified [3].We have conducted performance evaluationsto measure the additional cost induced by themechanisms used to ensure the availability ofthe secure architecture. As each HTTP requestinvolves the use of the atomic broadcastservice, its cost had to be carefully evaluated.Moreover, since HTTP requests aresequentially executed, the throughput of theservice can be severly degraded. We aimed atidentifying some of the parameters that mayimpact the cost of the atomic broadcastservice. We measured the mean requestdelivering duration for a fixed arrival frequencyof external requests. We sampled this measurefor a varying number of processes anddifferent consensus round durations. We foundthat the number of processes in the group onlyslightly influences the overall performance ofthe atomic broadcast service. In thisexperiment, the arrival frequency of externalresquests is rather low (one request every400ms). In this case, the consensus roundduration is of limited influence. This parameteris of major influence only when a failureoccurs. In another experiment, we haveconsidered a fixed value for the duration of theconsensus round (1000ms) and we sample themean delivering duration for various arrivalfrequencies of the externam requests and avarying number of processes. We found thatwhen the arrival frequency of requests reachesa critical value, the mean request deliveringduration increases significantly (to bepublished in 2008).ConclusionIn the last period of the project, we haveplanned to apply these new results in explicitand implicit approach to web-based real-lifetraffic to compare and show thecomplementarities of the implicit and explicitapproaches.The web-based traffic has been generated. Itcontains “normal” data, collected with noplayed attack in front of a web serverconnected to Internet. Besides that, attackshave been played directly in front of the webserver. This traffic has been transformed bythe transformation function and will be studiedvery soon.References[1] A. Bsila, S. Gombault and A. Belghith.Improving traffic transformation function todetect novel attacks. SETIT'07: 4thInternational Conference on Sciences ofElectronics, Technologies of Information andTelecommunications, March 25-29,Hammamet, Tunisia, 2007[2] Yacine Bouzida. Application de l’analyse encomposante principale pour la détectiond’intrusion et détection de nouvelles attaquespar apprentissage supervisé. PhD thesis,TELECOM Bretagne, 2006.[3] M. Hurfin, J.-P. Le Narzul, F. Majorczyk, L.Mé, A. Saydane, E. Totel, F. Tronel. ADependable Intrusion Detection ArchitectureBased on Agreement Services. InternationalSymposium on Stabilization, Safety andSecurity of Distributed Systems. November17 th -19 Th , 2006. Dallas (Texas, USA).[4] Wei Wang, Sylvain Gombault and AmineBsila. Building multiple behavioral models fornetwork intrusion detection. 2nd IEEEWorkshop on "Monitoring, Attack Detectionand Mitigation", Toulouse, France, November2007.46 Extract of Pracom’s Annual Report 2008
Malicious behavior detection in ad-hoc networksResearch Staff : Frédéric Cuppens, Nora Cuppens-Boulahia– Ph.D. Students: Tony RamardKeywords : Intrusion detection, Specification-based detection, Aspect-Oriented Programming, OLSRApplications : Ad-hoc networkPartners & Funding : partially funded by RED Celtic projet and a French DGA (Direction Générale del'armement) grant.IntroductionA Mobile Ad-hoc NETwork (MANET) is acollection of nodes that are able to connect toa wireless medium forming an arbitrary anddynamic network. The routing protocol ensuresthat all nodes at all times can reach alldestinations in the network.In this context, several attacks can occuragainst security in order to disrupt thenetwork. We especially investigate securityproperties of the Optimized Link-State Routing(OLSR) Protocol, a proactive routing protocolfor MANETs. We analyze the possible attacksagainst the integrity of the network routinginfrastructure, and present techniques tocounter some attacks. Our main approach isbased on a formal model to describe normaland incorrect node behaviors. This modelallows us to derive security properties. Thealgorithm checks if these security propertiesare violated. If they are, detection occurs toallow the normal node to find a path withoutincorrect node behavior.This work is supported by the RED Celticproject and a French DGA (Direction Généralede l'armement) grant.RealizationThe Optimized Link State Routing protocol(OLSR) is the most popular routing protocol forMANETS. OLSR is based on an optimizedflooding mechanism for diffusing link-stateinformation. The core optimization is that ofMultipoint Relays (MPRs): Each node mustselect MPRs from among its neighbor nodessuch that a message emitted by a node andrepeated by the MPR nodes will be received byall nodes two hops away.The availability properties in MANET routingprotocols, especially OLSR, have been studied.Our approach is based on specifying theseproperties thanks to node profiles (honest andcooperative nodes). For this purpose, we usethe Nomad model [1] to express nodebehaviors (normal and incorrect behaviors).Nomad combines deontic and temporal logics.Deontic logic is used to model permissions,prohibitions and obligations whereas temporallogic provides means to specify temporal andtemporized constraints about actions occurringin the model. In Nomad, we model conditionalprivileges and obligations with deadlines. Wealso formally analyze how privileges on nonatomic actions can be decomposed into morebasic privileges on elementary actions.From these expressions, we can deriveproperties to specify a security policy [2].These properties are woven into the OLSRprotocol using Aspect-Oriented Programming(AOP) languages such as AspectJ. Theseproperties are checked when a message isreceived in order to detect intrusions. Usingthis approach, a node can detect severalmalicious behavior of other nodes includinglazy, selfish, lying and secretive nodes.If a property is violated, a reaction occurs andthe node attempts to find another path orMultipoint Relay (MPR) keeping the maliciousnode away. In this case, the node sendsrelevant information related to the detection toits neighborhood. The neighbors of this noderecord this information but do not fully trust it.A function allows nodes to compute thereputation in their neighbors. The reputationquantification allows nodes to choose the bestpath to reach another node.This approach has been validated throughsimulation. The simulation results show thedifferent contents in the routing tables ofnodes following two modes: (1) when theanalysis mechanism is activated (i.e. nodescheck if the security properties are violated)and (2) when the analysis mechanism isdeactivated. We then analyze the topologywith the normal node behavior, the topologywith an intruder and without the analysismechanism, and finally the topology with anintruder and the analysis mechanism.Pracom’s Annual Report 2008 47
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15:
- le GIS ITS (Intelligent Transport
Page 16 and 17:
Twente aux Pays Bas, Université de
Page 18 and 19:
Liste des doctorants présents en 2
Page 20 and 21:
Annexe 2 : liste des publicationsAr
Page 22 and 23: COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25: PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27: Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 64 and 65: execution in a distributed manner.
Page 66 and 67: Intrusion DetectionDetection and co
Page 68 and 69: eported alerts have to be managed b
Page 70 and 71: inside the corresponding detection
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 78 and 79: A Fast Adaptative Secure Technology
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?