Section: New Results

Monitoring

Quality of Experience Monitoring

Participants : Isabelle Chrisment [contact] , Thibault Cholez, Vassili Rivron.

We have pursued our work on smartphone usage monitoring. In [26], we presented an exploratory smartphone usage study with logs collected from users in the wild, combined with the sociodemographic, technological and cultural information provided by them. We have shown that application usage among users is highly diverse. However when the applications are grouped as services, interesting relations appear between user profiles and types of services used. We found significant correlations between service usage and socio-demographic profile. We have proposed several possible use cases of how sociological information can be used to renew the official statistics, to recommend suitable applications to potential users.

Active Monitoring

Participants : Abdelkader Lahmadi [contact] , Jérôme François, Frédéric Beck [LHS] , Loic Rouch [LHS] .

Following preliminary work in 2015, we pursued our assessment of industrial system exposition in the Internet. Industrial systems are composed of multiple components whose security has not been addressed for a while. Even if recent propositions target to improve it, they are still often exposed to vulnerabilities, since their components are hard to update or replace. In parallel, they tend to be more and more exposed in the public Internet for convenience. Although awareness of such a problem has been raised, there is no precise evaluation of such a risk. We thus defined a methodology to measure the exposure of industrial systems through Internet. In particular, a carefully designed scanning approach and software with a low footprint, named WiScan, consists in optimizing the distance between consecutively scanned IP addresses but being fast to compute. It has been applied on the entire IPv4 address space, by targeting specific SCADA ports. This work is reported in [20].

During the year 2016, we are also working with the regional PME TracIP http://www.tracip.fr on the development of attack assessment and forensics platform dedicated to industrial control system. The platform involves multiple PLC from different manufactures and real devices of factory automation systems.

SDN enhanced monitoring

Participants : Jérôme François [contact] , Lautaro Dolberg [University of Luxembourg] .

Software-Defined Networking (SDN) provides a highly flexible flow management platform through a logically centralized controller that exposes network capabilities to the applications. However, most applications do not natively use SDN. An external entity is thus responsible for defining the corresponding flow management policies. This is mainly the role of the network administrator, which also prefers to keep the control of its network rather than fully let the control to users or applications.

Usually network operators prefer to control the flow management policies, rather than granting full control to the applications. Although IP addresses and port numbers can suffice to identify users and applications in ISP networks and determine the policies applicable to their flows, such an assumption does not hold strongly in cloud environments. IP addresses are allocated dynamically to the users, while port numbers can be freely chosen by users or cloud-based applications. These applications, like computing or storage frameworks, use diverse port numbers which amplifies this phenomenon. We have proposed higher-level abstractions for defining user- and application-specific policies. In this scope, our framework transparently maps application-level policies (involving application and user names) to OpenFlow rules (IP addresses, protocols and port numbers), which alleviates the necessity for the control applications (those interacting with the Northbound interface of the controller) to keep track of the network characteristics (like location) of users and applications themselves. To achieve this end, application-level information is retrieved in real-time through local remote system agents, which can be easily deployed in a cloud platform where both network and computational infrastructure are hosted by the same entity.

Thus our work enables the association of flows with applications and users. It led to a publication [19].

Service-level Monitoring of HTTPS traffic

Participants : Thibault Cholez [contact] , Shbair Wazen, Jérôme François, Isabelle Chrisment.

We previously investigated the latest technique for HTTPS traffic filtering that is based on the Server Name Indication (SNI) field of TLS and which has been recently implemented in many firewall solutions. We showed that SNI has two weaknesses, regarding (1) backward compatibility and (2) multiple services using a single certificate. On the other side, HTTPS proxy suffers from privacy issues by decrypting users' sensitive traffic. This led us to the development of new reliable methods to investigate the increasing number of HTTPS traffic with a proper level of identification (service-level) that allows the management of the traffic while other methods are either too broad (protocol-lvl identification) or too precise (page-level identification).

We proposed to improve HTTPS traffic monitoring based on SNI. Our investigation shows that 92% of the HTTPS websites surveyed can be accessed with fake-SNI. Our approach verifies the coherence between the real destination server and the claimed value of SNI by relying on a trusted DNS service. Experimental results show the ability to overcome the shortage of SNI-based monitoring by detecting forged SNI values while having a very small false positive rate (1.7%). The overhead of our solution only adds negligible delays to access HTTPS websites. The proposed method opens the door to improve global HTTPS monitoring and firewall systems and was published in the IEEE STAM workshop [31].

We proposed an alternative technique to investigate HTTPS traffic which aims to be robust, privacy-preserving and practical with a service-level identification of HTTPS connections, i.e. to name the services, without relying on specific header fields that can be easily altered. We have defined dedicated features for HTTPS traffic that are used as input for a multi-level identification framework based on machine learning algorithms processing full TLS sessions. Our evaluation based on real traffic shows that we can identify encrypted web services with a high accuracy. This work was published in IFIP/IEEE NOMS [30] and is now extended in the frame of the CNRS PEPS NEFAE project to address the challenge of real-time monitoring of HTTPS. We extract statistical features on TLS handshake packets and progressively on application data packets, so that we can identify HTTPS services very early in the session. Extensive experiments performed over a significant and open dataset show that our method offers a good accuracy and a prototype implementation confirms that the real-time requirement of monitoring HTTPS services is satisfied.

Sensor networks monitoring

Participants : Rémi Badonnel, Isabelle Chrisment, Olivier Festor, Abdelkader Lahmadi [contact] , Anthea Mayzaud.

This year, we have pursued our work on IoT security monitoring, based on our distributed architecture specified in [24]. This one exploits the multi-instance mechanisms of the RPL protocol, to build a monitoring plane using high-order nodes, in the context of Advanced Metering Infrastructures (AMI). It permits to preserve more constrained node resources, by passively monitoring the network. We have shown in [23] its benefits for detecting version number attacks. A DODAG versioning system is incorporated into the RPL protocol, in order to ensure an optimized topology. However, an attacker can exploit this mechanism to damage the network and reduce its lifetime. We have therefore proposed a detection strategy with a set of algorithms capable of identifying malicious nodes performing such attacks. We have evaluated our solution through experiments and have analyzed the performance according to defined metrics. We have shown that false positive rates can be reduced by a strategic monitoring node placement. In particular, we have addressed scalability considerations, as an optimization problem which can be easily adapted to different topologies. By resolving this problem, we were able to quantify the number of monitoring nodes required to ensure an acceptable false positive rate for different topologies.

Our taxonomy on security attacks in these networks has also been published in [2]. The RPL protocol is exposed to a large variety of attacks, whose consequences can be quite significant in terms of network performance and resources. The attacks against resources reduce network lifetime through the generation of fake control messages or the building of loops. The attacks against the topology make the network converge to a sub-optimal configuration or isolated nodes. Attacks against network traffic let a malicious node capture and analyse large part of the traffic. This classification serves as a support to prioritize attacks depending on the damages they may cause to the network, and can be exploited for risk management purposes in order to select counter-measures.