82 Hits in 0.93 sec

Realistic simulation of users for IT systems in cyber ranges [article]

Alexandre Dey, Benjamin Costé, Éric Totel, Adrien Bécue
2021 arXiv   pre-print
Generating user activity is a key capability for both evaluating security monitoring tools as well as improving the credibility of attacker analysis platforms (e.g., honeynets). In this paper, to generate this activity, we instrument each machine by means of an external agent. This agent combines both deterministic and deep learning based methods to adapt to different environment (e.g., multiple OS, software versions, etc.), while maintaining high performances. We also propose conditional text
more » ... eneration models to facilitate the creation of conversations and documents to accelerate the definition of coherent, system-wide, life scenarios.
arXiv:2111.11785v1 fatcat:fz7dpgpgcvfgtm3ky6deqinxfu

Building an Application Data Behavior Model for Intrusion Detection [chapter]

Olivier Sarrouy, Eric Totel, Bernard Jouga
2009 Lecture Notes in Computer Science  
Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such
more » ... tacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items. Related Work Most recent application level anomaly-based intrusion detection systems rely on the immunological approach introduced by Forrest and al. [11] . This approach is
doi:10.1007/978-3-642-03007-9_21 fatcat:a4l44alkcfhxjhbfqzyo2vql4a

COTS Diversity Based Intrusion Detection and Application to Web Servers [chapter]

Eric Totel, Frédéric Majorczyk, Ludovic Mé
2006 Lecture Notes in Computer Science  
It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms that are available on computer systems and networks. However, the anomaly-based IDSes that have been proposed in the recent years present some drawbacks, e.g., the necessity to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection, based on the design diversity, a technique from the dependability field that has
more » ... een widely ignored in the intrusion detection area. The main advantage is that it provides an implicit, and complete reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and discuss on the impact of this choice. We present an architecture using COTS-diversity, and then apply it to web servers. We also provide experimental results that confirm the expected properties of the built IDS, and compare them with other IDSes.
doi:10.1007/11663812_3 fatcat:birw43kf3benlfohc4zeu7gv2y

Preventing data leakage in service orchestration

Thomas Demongeot, Eric Totel, Yves Le Traon
2011 2011 7th International Conference on Information Assurance and Security (IAS)  
Web Services are currently the base of a lot a ecommerce applications. Nevertheless, clients often use these services without knowing anything about their internals. Moreover, they have no clue about the use of their personal data inside the global applications. In this paper, we offer the opportunity to the user to specify constraints on the use of its personal data. To ensure the privacy of data at runtime, we define a distributed security policy model. This policy is configured at runtime by
more » ... the user of the BPEL program. This policy is enforced within a BPEL interpreter, and ensures that no information flow can be produced from the user data to unauthorized services. However, the dynamic aspects of web services lead to situations where the policy prohibits the nominal operation of orchestration (e.g., when using a service that is unknown by the user). To solve this problem, we propose to let user to dynamically permit exceptional unauthorized flows. In order to make decision, the user is provided with all information necessary for decisionmaking. We also present an implementation inside the Orchestra BPEL interpreter. As far as we know this implementation is the first information flow monitor for web services that is also enduser configurable.
doi:10.1109/isias.2011.6122806 dblp:conf/IEEEias/DemongeotTT11 fatcat:qzzazxhm4ncgxcw3k4rpbcn2zy

Detecting attacks against data in web applications

Romaric Ludinard, Eric Totel, Frederic Tronel, Vincent Nicomette, Mohamed Kaaniche, Eric Alata, Rim Akrout, Yann Bachy
2012 2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS)  
RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) is an application level intrusion detection system for applications implemented with the Ruby on Rails framework. It is aimed at detecting attacks against data in the context of web applications. This anomaly based IDS focuses on the modeling of the application profile in the absence of attacks (called normal profile) using invariants. These invariants are discovered during a learning phase. Then, they are used to instrument the
more » ... b application at source code level, so that a deviation from the normal profile can be detected at run-time. This paper illustrates on simple examples how the approach detects well known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.
doi:10.1109/crisis.2012.6378943 dblp:conf/crisis/LudinardTTNKAAB12 fatcat:6dulmccizne2fb2ddf5we67a6i

A Language Driven Intrusion Detection System for Event and Alert Correlation [chapter]

Eric Totel, Bernard Vivinis, Ludovic Mé
2004 Security and Protection in Information Processing Systems  
It is weil known th at security pr evention mechanisms are not sufficient to proteet effi cient ly an inform a tion system . Intrusion det eetion systems are required . But these syste ms pr esent many imperfections. In parti cular, th ey can eit her generate false positi ves (i.e., a larms that should not be pr oduced) or miss attacks (false negatives). However, th e main problem is th e generation of false positives that ca n overwhelm th e inform ation sys te m administ ra tor. In this paper
more » ... , we follow th e notion of correlat ion proposed by others . The objective is to aim at correlating eith er events in th e ana lyser or alerts in the man ager. We first pres ent th e ADeLe language, wh ich provides a way to define the corre lation properties. Then we pr esent which algorit hms have been carried out in our IDS to handle AD eLe signatures. Finally, we show the stress tests that have been ap plied to th e probe algorithms th at we have impl em ented.
doi:10.1007/1-4020-8143-x_14 dblp:conf/sec/TotelVM04 fatcat:fmhoqbmujvhgxdmoq644saad7a

A Dependable Intrusion Detection Architecture Based on Agreement Services [chapter]

Michel Hurfin, Jean-Pierre Le Narzul, Frédéric Majorczyk, Ludovic Mé, Ayda Saidane, Eric Totel, Frédéric Tronel
2006 Lecture Notes in Computer Science  
In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit
more » ... arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.
doi:10.1007/978-3-540-49823-0_27 fatcat:da4mehxsxbfzjk6koaaba65bom

Detecting Illegal System Calls Using a Data-Oriented Detection Model [chapter]

Jonathan-Christofer Demay, Frédéric Majorczyk, Eric Totel, Frédéric Tronel
2011 IFIP Advances in Information and Communication Technology  
The most common anomaly detection mechanisms at application level consist in detecting a deviation of the control-flow of a program. A popular method to detect such anomaly is the use of application sequences of system calls. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhance such detection mechanisms, we propose an approach to detect in the application the corruption of data items that have an influence on the system
more » ... lls. This approach consists in building automatically a data-oriented behaviour model of an application by static analysis of its source code. The proposed approach is illustrated on various examples, and an injection method is experimented to obtain an approximation of the detection coverage of the generated mechanisms.
doi:10.1007/978-3-642-21424-0_25 fatcat:fe3jaczhmzfe7e5bkfh2tktziq

STARLORD: Linked security data exploration in a 3D graph

Laetitia Leichtnam, Eric Totel, Nicolas Prigent, Ludovic Me
2017 2017 IEEE Symposium on Visualization for Cyber Security (VizSec)  
In this paper, we present a novel modelization and visualization approach for heterogeneous sources of data. We represent our data by using a model inspired by STIX. Then, we use clustering algorithms to select interesting information to explore in a visualization panel. The visualization is based on a 3D graph representation that highlights the link between malicious event and allows to focus on relevant security artifacts. We illustrate our approach with two case studies using datasets containing network capture of the wannacry attack.
doi:10.1109/vizsec.2017.8062203 dblp:conf/vizsec/LeichtnamTPM17 fatcat:nvd44zohsjge7lftap5yi3365e

Connectivity extraction in cloud infrastructures

Pernelle Mensah, Samuel Dubus, Wael Kanoun, Christine Morin, Guillaume Piolle, Eric Totel
2017 2017 13th International Conference on Network and Service Management (CNSM)  
To determine the threat exposure of a virtualized environment, attack graphs generation, coupled to a risk-based assessment can be used. The first roadblock to lift to that end is the extraction of the topology. We will present in this paper the stategy we intend to use to obtain a near real-time view of the connectivity existing in a virtual infrastructure.
doi:10.23919/cnsm.2017.8256010 dblp:conf/cnsm/MensahDKMPT17 fatcat:xuevc7p7jvbj3e7wq7kkqpfulu

Hypercollecting semantics and its application to static analysis of information flow

Mounir Assaf, David A. Naumann, Julien Signoles, Éric Totel, Frédéric Tronel
2017 SIGPLAN notices  
We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely
more » ... the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS'04) and the type system of Hunt and Sands (POPL'06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.
doi:10.1145/3093333.3009889 fatcat:ifwqbqou7jhnbph6fsg3h2s3fu

Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data [chapter]

Laetitia Leichtnam, Eric Totel, Nicolas Prigent, Ludovic Mé
2020 Lecture Notes in Computer Science  
Being able to timely detect new kinds of attacks in highly distributed, heterogeneous and evolving networks without generating too many false alarms is especially challenging. Many researchers proposed various anomaly detection techniques to identify events that are inconsistent with past observations. While supervised learning is often used to that end, security experts generally do not have labeled datasets and labeling their data would be excessively expensive. Unsupervised learning, that
more » ... s not require labeled data should then be used preferably, even if these approaches have led to less relevant results. We introduce in this paper a unified and unique graph representation called security objects' graphs. This representation mixes and links events of different kinds and allows a rich description of the activities to be analyzed. To detect anomalies in these graphs, we propose an unsupervised learning approach based on auto-encoder. Our hypothesis is that as security objects' graphs bring a rich vision of the normal situation, an autoencoder is able to build a relevant model of this situation. To validate this hypothesis, we apply our approach to the CICIDS2017 dataset and show that although our approach is unsupervised, its detection results are as good, and even better than those obtained by many supervised approaches.
doi:10.1007/978-3-030-52683-2_12 fatcat:qn52lph33jez5j6uneiztzibnm

Program Transformation for Non-interference Verification on Programs with Pointers [chapter]

Mounir Assaf, Julien Signoles, Frédéric Tronel, Éric Totel
2013 IFIP Advances in Information and Communication Technology  
Novel approaches for dynamic information flow monitoring are promising since they enable permissive (accepting a large subset of executions) yet sound (rejecting all unsecure executions) enforcement of non-interference. In this paper, we present a dynamic information flow monitor for a language supporting pointers. Our flow-sensitive monitor relies on prior static analysis in order to soundly enforce non-interference. We also propose a program transformation that preserves the behavior of
more » ... l programs and soundly inlines our security monitor. This program transformation enables both dynamic and static verification of non-interference.
doi:10.1007/978-3-642-39218-4_18 fatcat:3fgieivyvbb5re6hi7hrtzs43y

An Invariant-Based Approach for Detecting Attacks Against Data in Web Applications

Romaric Ludinard, Éric Totel, Frédéric Tronel, Vincent Nicomette, Mohamed Kaâniche, Éric Alata, Rim Akrout, Yann Bachy
2014 International Journal of Secure Software Engineering  
A third approach, as defined by (Sarrouy, Totel, & Jouga, 2009) , consists in checking the correctness of the data used by the program during its execution, rather than verifying the consistency of the  ... 
doi:10.4018/ijsse.2014010102 fatcat:pvkeqjttmvfmhnfzx6udwgut7a

An Efficient and Scalable Intrusion Detection System on Logs of Distributed Applications [chapter]

David Lanoë, Michel Hurfin, Eric Totel, Carlos Maziero
2019 IFIP Advances in Information and Communication Technology  
Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application's normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of
more » ... ant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.
doi:10.1007/978-3-030-22312-0_4 fatcat:2i544kbb5vecjgwi6p6jvzka3q
« Previous Showing results 1 — 15 out of 82 results