Section: New Results

Monitoring

Quality of Experience Monitoring

Participants : Isabelle Chrisment [contact] , Thibault Cholez, Vassili Rivron, Lakhdar Meftah [University of Lille] .

We have pursued our work on smartphone usage monitoring with the SPIRALS team (Inria/Université de Lille) and more specifically on proposing new methods to help measure the QoE and to protect the user’s privacy when collecting such data.

In parallel, to evaluate our methods, we need a testing framework to automate testing of WiFi P2P mobile apps at scale. In [20] we proposed AndroFleet, a large-scale WiFi P2P testing framework. Androfleet can perform User Acceptance Testing for a fleet of emulators, by emulating the hardware behavior of the peer discovery, it gives the developers the ability to control P2P specific behaviors (peers joining and leaving).

Active Monitoring

Participants : Abdelkader Lahmadi [contact] , Jérôme François, Frédéric Beck [LHS] , Loic Rouch [LHS] .

Following the work done in 2016, we pursued our collaboration with the regional PME TracIP (http://www.tracip.fr) on the development of attack assessment and forensics platform dedicated to industrial control systems. The platform involves multiple PLC from different manufacturers and real devices of factory automation systems (see 6.7.1).

During the year 2017, we have demonstrated that off-the-shelf hardware is sufficient to take over any Z-Wave network without knowing its topology or compromising any original devices and remaining unnoticeable for the primary controller. Our attack consists in building an adversary Z-Wave universal controller by reprogramming a mainstream USB stick controller. The technique exploits two features provided by the USB stick which allow (1) to set the network identifier (HomeID) and (2) to learn many devices identifiers even if they are not physically available. The attack has been demonstrated in Blackhat Europe 2017 by Loic Rouch (https://www.blackhat.com/eu-17/briefings/schedule/#a-universal-controller-to-take-over-a-z-wave-network-8459).

Service-level Monitoring of HTTPS traffic

Participants : Thibault Cholez [contact] , Wazen Shbair, Jérôme François, Isabelle Chrisment.

We previously proposed an alternative technique to investigate HTTPS traffic which aims to be robust, privacy-preserving and practical with a service-level identification of HTTPS connections, i.e. to name the services, without relying on specific header fields that can be easily altered. We have defined dedicated features for HTTPS traffic that are used as input for a multi-level identification framework based on machine learning algorithms processing full TLS sessions. Our evaluation based on real traffic shows that we can identify encrypted web services with a high accuracy. In 2017, we finished to develop our solution to make it fully usable in real-time [1]. We now provide our prototype implementation (https://gitlab.inria.fr/swazen/HTTPSFirewall) in open-source. It operates by extending the iptables/netfilter architecture. It receives and demultiplexes the arriving HTTPS packets to a related flow. As soon as the number of packets in a given flow reaches a threshold, the identification engine extracts the features and runs the C4.5 algorithm to predict the HTTPS service of the flow.

Monitoring Programmable Networks

Participants : Jérôme François [contact] , Olivier Festor, Paul Chaignon [Orange Labs] , Kahina Lazri [Orange Labs] , Thibault Delmas [Orange Labs] .

Software-Defined Networking brings new capabilities in operating networks including monitoring. In the state-of-the art many proposals have been made to enhance monitoring of networks using OpenFlow or other proposed programmable frameworks. In a preliminary work [11], we reviewed them in order to highlight what are the remaining challenges to be addressed in that area. The main issue is the trade-off to be made between the strong expressibility (especially stateful operations) and capability of monitoring techniques that are necessary for advanced operation purposes and the complexity it induces if we want to keep the pace with line-rate packet processing. Another important aspect is the security as adding programmable monitoring functions may lead to introduce security threats. Our current work is thus focused on adding monitoring capacity while guaranteeing line-rate operations and safety requirements even when programs are deployed on running network switches.

Smart Contracts Monitoring

Participants : Jérôme François [contact] , Sofiane Lagraa, Radu State [University of Luxembourg] , Jérémy Charlier [University of Luxembourg] .

Blockchain technologies are skyrocketing and the team is interested in assessing the impact of such technologies on networking, and if necessary managing the coupling between them. Indeed, blockchain efficiency resides in an overlay network built on top of a real infrastructure which needs to properly support it. Orchestrating network ressources, i.e. adding some network capacity, might be helpful but supposes first an in-depth monitoring of blockchain interactions. In a first work, we thus evaluated the relation among smart contracts. We defined methods to discover smart contracts interactions and the different group properties. This approach relies on graph modelling and mining techniques as well as tensor modelling combined with stochastic processes. It underlines actual exchanges between smart contracts and targets the predictions of future interactions among the communities. Comparative study between graph analysis and tensor analysis is provided for predictions of smart contract interactions. Finally, virtual reality visualization based on Unity 3D game engine has been applied [12].

Sensor networks monitoring

Participants : Rémi Badonnel, Isabelle Chrisment, Olivier Festor, Abdelkader Lahmadi [contact] , Anthea Mayzaud.

Our work on IoT security monitoring has been published in IEEE Transactions on Network and Service Management [4]. This concerns more specifically our distributed monitoring architecture for detecting attacks against RPL networks. The RPL routing protocol has been standardized by IETF to enable a lightweight and robust routing in lower-power and lossy networks. After having compared existing IoT monitoring solutions, we have proposed a detection strategy for RPL version number attacks. This one relies on our monitoring architecture to preserve constrained node resources, in the context of AMI infrastructures. A versioning mechanism is incorporated into RPL in order to maintain an optimized topology. However, an attacker can exploit this mechanism to significantly damage the network and reduce its lifetime. We have exploited monitoring node collaboration to identify the attacker, the localization process being performed by the root after gathering detection information from all monitoring nodes. We have evaluated our solution through experiments and have analyzed the performance according to defined metrics. We have shown that the false positive rate of our solution can be reduced by a strategic monitoring node placement. We have also considered the scalability issue, by modeling this placement as an optimization problem and quantifying the number of required monitoring nodes to ensure acceptable false positive rates.