Section: New Results


Security analytics

Participants : Jérôme François [contact] , Abdelkader Lahmadi, Giulia de Santis, Marc Coudriau, Olivier Festor.

During 2016, our active collaboration with the High Security Lab in Nancy continued, in particular in the context of the FUI HuMa project. First, we developed a method to automatically analyze darknet data. A darknet, or network telescope, is a whole subnetwork that is announced over the Internet so that packets sent to its IP addresses are properly routed, but never answered. In our case the darknet is a /20 network, meaning that we monitor 2^12 = 4096 addresses. The main challenge we faced was to cope with the volume of data in order to extract intertwined phenomena characterized by groups of packets. We proposed a clustering and visualisation method derived from the Mapper algorithm, which was developed in the field of Topological Data Analysis (TDA). The method and its associated tool are able to analyze a large number of IP packets in order to make malicious activity patterns easily observable by security analysts. The results show that our method exhibits observable patterns that were missed by Suricata, a widely used state-of-the-art IDS (https://hal.inria.fr/hal-01403950/document).

Second, scanning activities have been studied in particular, as they represent the first reconnaissance phase of advanced persistent threats. While it is known that every exposed system is continuously scanned from multiple sources, fingerprinting these scans remains challenging, in particular identifying the distributed sources of a single synchronized scan and the tool used to generate it. As a first step, we proposed a methodology based on Hidden Markov Models (HMMs) to model scanning activities monitored by a darknet [18]. The HMMs of scanning activities are built from the number of scanned IP addresses within a time window and fitted using mixtures of Poisson distributions.
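As an added illustration of the modeling step (this is not the code of [18]), the block below fits a two-state HMM whose emissions are Poisson-distributed counts of distinct scanned addresses per time window, using Baum-Welch with per-step scaling, and then decodes the most likely state sequence with Viterbi. The observation sequence is constructed: a low-rate background around a burst that stands for a synchronized scan; the state count, the initial rates and the function names are choices made here, not taken from the paper.

```python
"""Two-state hidden Markov model with Poisson emissions, fitted with
Baum-Welch to per-window counts of distinct scanned darknet addresses.
Added illustration; not the code of [18]. The data below are constructed."""
import math
import random


def _poisson_sample(lam, rng):
    """Knuth's method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


# Constructed observations: distinct darknet addresses hit per 1-minute window.
# Background noise (~2/window) around a 20-window synchronized scan (~40/window).
_rng = random.Random(7)
COUNTS = ([_poisson_sample(2, _rng) for _ in range(40)]
          + [_poisson_sample(40, _rng) for _ in range(20)]
          + [_poisson_sample(2, _rng) for _ in range(40)])


def poisson_pmf(k, lam):
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def _ln(x):
    return math.log(x) if x > 0 else -math.inf


def fit_poisson_hmm(obs, n_states=2, iters=100):
    """Baum-Welch with scaled forward/backward passes. Returns (pi, A, rates):
    initial distribution, transition matrix and one Poisson rate per state."""
    N, T = n_states, len(obs)
    rates = [1.0 + 10.0 * s for s in range(N)]          # initial guess: 1, 11 (assumed)
    pi = [1.0 / N] * N
    A = [[0.9 if i == j else 0.1 / (N - 1) for j in range(N)] for i in range(N)]
    for _ in range(iters):
        B = [[poisson_pmf(obs[t], rates[j]) for j in range(N)] for t in range(T)]
        alpha, c = [[0.0] * N for _ in range(T)], [0.0] * T
        alpha[0] = [pi[j] * B[0][j] for j in range(N)]
        c[0] = sum(alpha[0])
        alpha[0] = [a / c[0] for a in alpha[0]]
        for t in range(1, T):
            alpha[t] = [B[t][j] * sum(alpha[t - 1][i] * A[i][j] for i in range(N))
                        for j in range(N)]
            c[t] = sum(alpha[t])
            alpha[t] = [a / c[t] for a in alpha[t]]
        beta = [[1.0] * N for _ in range(T)]
        for t in range(T - 2, -1, -1):
            beta[t] = [sum(A[i][j] * B[t + 1][j] * beta[t + 1][j] for j in range(N)) / c[t + 1]
                       for i in range(N)]
        # With this scaling, alpha*beta is already the posterior state probability.
        gamma = [[alpha[t][i] * beta[t][i] for i in range(N)] for t in range(T)]
        xi_sum = [[0.0] * N for _ in range(N)]
        for t in range(T - 1):
            for i in range(N):
                for j in range(N):
                    xi_sum[i][j] += alpha[t][i] * A[i][j] * B[t + 1][j] * beta[t + 1][j] / c[t + 1]
        pi = list(gamma[0])
        for i in range(N):
            occ = sum(gamma[t][i] for t in range(T - 1))
            A[i] = [xi_sum[i][j] / occ for j in range(N)]
        for j in range(N):
            w = sum(gamma[t][j] for t in range(T))
            rates[j] = max(sum(gamma[t][j] * obs[t] for t in range(T)) / w, 1e-3)
    return pi, A, rates


def viterbi(obs, pi, A, rates):
    """Most likely state sequence, computed in the log domain."""
    N, T = len(pi), len(obs)
    lp = lambda k, lam: k * math.log(lam) - lam - math.lgamma(k + 1)
    score = [[_ln(pi[j]) + lp(obs[0], rates[j]) for j in range(N)]]
    back = []
    for t in range(1, T):
        row, ptr = [], []
        for j in range(N):
            best = max(range(N), key=lambda i: score[-1][i] + _ln(A[i][j]))
            row.append(score[-1][best] + _ln(A[best][j]) + lp(obs[t], rates[j]))
            ptr.append(best)
        score.append(row)
        back.append(ptr)
    path = [max(range(N), key=lambda j: score[-1][j])]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    pi, A, rates = fit_poisson_hmm(COUNTS)
    print("rates:", [round(r, 2) for r in rates])
    print("states:", "".join(str(s) for s in viterbi(COUNTS, pi, A, rates)))
```

The fitted rates recover the two regimes and the decoded path isolates the scan windows; on real darknet data the number of states and the window size are the parameters to tune, and the persistence of the transition matrix is what lets the model distinguish a sustained scan from a single noisy window.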

We also continue to maintain an IRTF draft [50] promoting a standardization effort towards extending IP Flow-based monitoring with geographic information. Associating Flow records with the geographic locations of their measurement points will enable security applications to detect anomalous activities. In the case of mobile devices, characterizing communication patterns using only time and volume is not enough to detect unusual location-related communication patterns. The draft went through an IRSG review, and feedback is still required from the OPSAWG IETF working group.

DDoS Signaling

Participants : Jérôme François [contact] , Abdelkader Lahmadi, Giovane Moura [SIDN Labs, Netherlands] , Marco Davids [SIDN Labs, Netherlands] .

A distributed denial-of-service (DDoS) attack aims at rendering machines or network resources unavailable. These attacks have grown in frequency, intensity and target diversity. In the context of Flamingo, Madynes contributed to the definition of an opportunistic signaling protocol in cooperation with SIDN Labs in the Netherlands. The goal is to provide an efficient mechanism by which nodes in an IPv6 network facing a DDoS attack can deliver a DOTS (DDoS Open Threat Signaling) signal message, sent by a DOTS client, to the DOTS server. The specified mechanism does not generate dedicated transport packets to carry the DOTS signal message; instead it relies only on IPv6 packets already flowing through the network, inserting into them a hop-by-hop extension header that contains an encoded DOTS signal message.
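The following is an added illustration of the mechanism, not the draft's reference code: it splices a Hop-by-Hop Options header carrying an encoded signal into an existing IPv6 packet, extracts the signal at a receiving node, and strips the header again. The IPv6 and Hop-by-Hop header layout follows RFC 8200; the option type 0x1E is one of the experimental values reserved by RFC 4727 and is an assumption here, as are the 24-octet signal layout, the function names and the constructed sample packet.

```python
"""Piggybacking an encoded DOTS signal message in an IPv6 Hop-by-Hop Options
header of an existing packet, and extracting it at the receiving node.
Added illustration, not the draft's reference code; the option type and the
signal encoding below are assumptions."""
import ipaddress
import struct

IPV6_HOPOPT = 0       # Next Header value of the Hop-by-Hop Options header (RFC 8200)
PAD1, PADN = 0x00, 0x01
# ASSUMED option type: experimental value from RFC 4727. Its two high-order
# bits are 00, so a router that does not know it skips the option and keeps
# forwarding the packet instead of discarding it (RFC 8200 section 4.2).
DOTS_OPT_TYPE = 0x1E
# ASSUMED signal layout: version, mitigation id, prefix length, prefix, lifetime (s)
SIGNAL_FMT = "!BIB16sH"
SIGNAL_LEN = struct.calcsize(SIGNAL_FMT)   # 24 octets


def encode_signal(mitigation_id, target_prefix, lifetime):
    net = ipaddress.IPv6Network(target_prefix)
    return struct.pack(SIGNAL_FMT, 1, mitigation_id, net.prefixlen,
                       net.network_address.packed, lifetime)


def decode_signal(data):
    if len(data) != SIGNAL_LEN:
        return None
    ver, mid, plen, addr, life = struct.unpack(SIGNAL_FMT, data)
    if ver != 1 or plen > 128:
        return None
    prefix = ipaddress.IPv6Network((ipaddress.IPv6Address(addr), plen), strict=False)
    return {"mitigation_id": mid, "target_prefix": str(prefix), "lifetime": life}


def build_ipv6_udp(src, dst, sport, dport, payload):
    """Constructed sample packet. The UDP checksum is left at 0 for brevity;
    a real sender must compute it, it is mandatory in IPv6 (RFC 8200 section 8.1)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(udp), 17, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + udp


SAMPLE = build_ipv6_udp("2001:db8::1", "2001:db8::2", 40000, 53, b"ping")


def insert_hbh_signal(pkt, signal):
    """Return pkt with a Hop-by-Hop header carrying `signal` spliced in after
    the base header. Payload Length and Next Header are updated accordingly."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] == IPV6_HOPOPT:
        raise ValueError("packet already carries a Hop-by-Hop header")
    body = bytes([DOTS_OPT_TYPE, len(signal)]) + signal
    pad = (-(2 + len(body))) % 8            # header length must be a multiple of 8 octets
    if pad == 1:
        body += bytes([PAD1])
    elif pad >= 2:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    hbh = bytes([pkt[6], (2 + len(body)) // 8 - 1]) + body    # next header, ext len
    payload_len = struct.unpack("!H", pkt[4:6])[0] + len(hbh)
    return (pkt[:4] + struct.pack("!H", payload_len) + bytes([IPV6_HOPOPT])
            + pkt[7:40] + hbh + pkt[40:])


def extract_signal(pkt):
    """Walk the Hop-by-Hop options; return the decoded signal or None.
    Every length is bounds-checked so a malformed header cannot raise."""
    if len(pkt) < 42 or pkt[0] >> 4 != 6 or pkt[6] != IPV6_HOPOPT:
        return None
    end = 40 + (pkt[41] + 1) * 8
    if end > len(pkt):
        return None
    i = 42
    while i < end:
        opt = pkt[i]
        if opt == PAD1:
            i += 1
            continue
        if i + 1 >= end:
            return None
        length = pkt[i + 1]
        if i + 2 + length > end:
            return None
        if opt == DOTS_OPT_TYPE:
            return decode_signal(pkt[i + 2:i + 2 + length])
        i += 2 + length
    return None


def strip_hbh(pkt):
    """Remove the Hop-by-Hop header again, restoring Next Header and Payload Length."""
    if len(pkt) < 42 or pkt[6] != IPV6_HOPOPT:
        return pkt
    hbh_len = (pkt[41] + 1) * 8
    payload_len = struct.unpack("!H", pkt[4:6])[0] - hbh_len
    return (pkt[:4] + struct.pack("!H", payload_len) + bytes([pkt[40]])
            + pkt[7:40] + pkt[40 + hbh_len:])


if __name__ == "__main__":
    carried = insert_hbh_signal(SAMPLE, encode_signal(0x1234, "2001:db8:1::/48", 3600))
    print(extract_signal(carried))
```

Two points a practitioner should keep in mind: the option type's "skip if unknown" bits are what make the scheme opportunistic, since intermediate routers that do not implement it still forward the carrier packet; and because anyone on the path can insert such an option, a DOTS server must authenticate the encoded message before acting on it, which this example deliberately does not address.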

This work is carried out under the umbrella of our standardization activities, especially within the IETF DOTS working group [45], and was presented at IETF 96 in Berlin.

NDN Security

Participants : Thibault Cholez [contact] , Xavier Marchal, Olivier Festor.

Named-Data Networking (NDN) is one of the most advanced ICN architectures, but the security of NDN and of NFD (the NDN Forwarding Daemon) is still at an early stage and not ready for real deployment. In the context of the ANR Doctor project, we investigate NDN security in order to unveil issues and propose remediations.

First, we discovered a new vulnerability of NDN which is easy to exploit and can lead to very serious attacks badly affecting the network. This vulnerability is due to an absence of control at the precise moment when NFD receives an incoming Data packet. In fact, NFD checks only two points: whether the Data belongs to the localhost scope, and whether it matches an existing PIT entry, but not whether the Data comes from a valid Face. This is a critical shortcoming because it allows malicious users to send Data directly, to perform attacks like DoS and cache poisoning, without having to register a prefix in the router's FIB beforehand in order to receive legitimate Interests. After these two checks, NFD simply continues to process the Data packet. The NDN protocol makes the hypothesis that a node cannot send a Data packet without having previously received the corresponding Interest (receiver-driven communication). However, NFD should consider malicious nodes that decide not to follow the standard way of proceeding with NDN communications and send Data unexpectedly. We further described two serious attack scenarios exploiting this vulnerability, based on the fact that malicious nodes can send unexpected Data that consumes legitimate PIT entries. We also proposed two ways to prevent it with minor modifications in NFD. This work was published and demonstrated at the ACM-ICN conference [46].

Second, we addressed the Content Poisoning Attack (CPA), known to be one of the major threats in NDN. So far, existing works in that area have coupled a biased and partial analysis of the phenomenon with a proposed solution, and hence lack a comprehensive understanding of the attack's feasibility and impact in a real network. In the context of the ANR Doctor project, and in collaboration with UTT, we demonstrated through an experimental measurement campaign that CPA can easily and widely affect NDN. We proposed three realistic attack scenarios relying on both protocol design and implementation weaknesses, and presented their implementation and evaluation in a testbed based on the latest NFD version. We analyzed their impact on the different ICN nodes composing a realistic topology (clients, access and core routers, content provider) in order to fully characterize the CPA. This work has been accepted and will be published at the IFIP/IEEE IM 2017 conference.
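The following added illustration models both results above in one place: the missing Face check on incoming Data described in the first NDN paragraph, and the cache-poisoning outcome it enables, which is the vector the CPA work builds on. It is a deliberately simplified model of NFD's incoming-Data pipeline, not NFD code; the remediation shown (accept Data only on a Face the matching Interest was actually forwarded to) is an assumption in the spirit of the modifications proposed in [46], and the face numbers, names and content strings are constructed.

```python
"""Minimal model of NFD's incoming-Data handling, in its vulnerable form and
with an additional incoming-Face check. Added illustration, not NFD code;
the pipeline is simplified and the remediation is an assumption."""


class Forwarder:
    def __init__(self, fib, local_faces=(), check_face=False):
        self.fib = {p: set(fs) for p, fs in fib.items()}   # name prefix -> upstream faces
        self.pit = {}            # name -> {"in": downstream faces, "out": upstream faces}
        self.cs = {}             # content store: name -> content
        self.local_faces = set(local_faces)
        self.check_face = check_face
        self.sent = []           # (face, name, content) handed downstream

    def _route(self, name):
        prefixes = [p for p in self.fib if name == p or name.startswith(p + "/")]
        return max(prefixes, key=len) if prefixes else None

    def on_interest(self, face, name):
        if name in self.cs:                       # served from cache
            self.sent.append((face, name, self.cs[name]))
            return "cs-hit"
        entry = self.pit.setdefault(name, {"in": set(), "out": set()})
        entry["in"].add(face)
        if entry["out"]:                          # already pending upstream
            return "aggregated"
        prefix = self._route(name)
        if prefix is None:
            del self.pit[name]
            return "no-route"
        entry["out"] = self.fib[prefix] - {face}  # remember where the Interest went
        return "forwarded"

    def on_data(self, face, name, content):
        # NFD check 1: /localhost names are accepted only from local (application) faces
        if name.startswith("/localhost/") and face not in self.local_faces:
            return "drop-scope"
        entry = self.pit.get(name)
        # NFD check 2: the Data must match a pending Interest
        if entry is None:
            return "drop-unsolicited"
        # Added check (assumed remediation): the Data must arrive on a Face the
        # Interest was forwarded to. Without it, any Face that guesses a pending
        # name satisfies and consumes the PIT entry and seeds the cache.
        if self.check_face and face not in entry["out"]:
            return "drop-wrong-face"
        self.cs[name] = content
        for f in entry["in"]:
            self.sent.append((f, name, content))
        del self.pit[name]
        return "satisfied"


CONSUMER, PRODUCER, ATTACKER = 1, 2, 3


def run_scenario(check_face):
    """The attacker on face 3 has no FIB prefix, so it never receives Interests,
    yet sends Data for a name it expects to be pending. Returns per-step outcomes."""
    r = Forwarder(fib={"/video": {PRODUCER}}, check_face=check_face)
    log = {}
    log["interest"] = r.on_interest(CONSUMER, "/video/clip1")
    log["attacker"] = r.on_data(ATTACKER, "/video/clip1", b"POISON")
    log["producer"] = r.on_data(PRODUCER, "/video/clip1", b"GENUINE")
    log["delivered"] = [c for f, n, c in r.sent if f == CONSUMER]
    log["later_interest"] = r.on_interest(CONSUMER, "/video/clip1")   # does the cache answer?
    log["cs"] = r.cs.get("/video/clip1")
    return log


if __name__ == "__main__":
    print("vulnerable:", run_scenario(check_face=False))
    print("face check:", run_scenario(check_face=True))
```

In the vulnerable run the attacker's Data consumes the PIT entry, the producer's genuine Data is then dropped as unsolicited, and every later Interest for the name is answered from the poisoned cache; with the Face check the attacker's Data is dropped and the genuine Data is cached. The check closes only the unsolicited-Data vector: a malicious node that legitimately receives Interests (a compromised or colluding upstream) still passes it, which is why the CPA study considers scenarios beyond this one and why signature verification of Data remains necessary.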

Configuration security automation

Participants : Rémi Badonnel [contact] , Abdelkader Lahmadi, Olivier Festor, Nicolas Schnepf, Maxime Compastie.

We pursued during 2016 our efforts on the orchestration of security functions in the context of mobile smart environments, in joint work with Stephan Merz of the VeriDis project-team at Inria Nancy. In particular, Nicolas Schnepf studied during his Master's thesis formal techniques for the automatic verification of chains of security functions in the setting of software-defined networks (SDN). Concretely, he defined an extension of the Pyretic language [51] that takes into account the data plane of SDN controllers, and implemented a translation of that extension to the input languages of the nuXmv model checker and of SMT solvers. The approach and its scalability were validated over crafted security chains, and a conference paper describing the results will be submitted shortly. Nicolas Schnepf started a PhD thesis on the same topic in October 2016, jointly supervised by members of the Madynes and VeriDis Inria project-teams.

In addition, we analyzed and evaluated the usage of OpenFlow messages for security applications [29], jointly with the Bundeswehr University of Munich. The purpose was to quantify the performance of security solutions built on top of software-defined networking infrastructures. We considered overloading attacks and information gathering attacks, which are quite common in these environments, and detailed the regular and SDN-based mitigation mechanisms designed for tackling them. We then analyzed, for each category, the dependencies of these mechanisms on the OpenFlow protocol that commonly supports the communications between SDN controllers and switches. These dependencies were identified by mapping OpenFlow messages to security functionalities in that context. Based on this analysis, we performed series of experiments on two different testbeds to compare and evaluate the accuracy and reliability that can be expected from these messages.

We also investigated in [16] a software-defined security framework for supporting the enforcement of security policies in distributed cloud environments. Such environments require security mechanisms able to address their multi-tenancy and multi-cloud properties. The framework relies on the autonomic paradigm to dynamically configure and adjust these mechanisms to distributed cloud constraints, and exploits software-defined logic to express and propagate security policies to the considered cloud resources. It relies on a security orchestrator, policy decision points (PDPs) and policy enforcement points (PEPs) interacting according to a dedicated set of protocols, and will take advantage of facilities offered by unikernel and micro-service techniques to reduce the security exposure of cloud resources. The proposed framework has so far been evaluated through a set of validation scenarios corresponding to realistic use cases, including cloud resource allocation/deallocation, cloud resource state change, and dynamic access control.