Section: New Results
Monitoring
Encrypted Traffic Analysis
Participants: Jérôme François [contact], Pierre-Olivier Brissaud, Pierre-Marie Junges, Isabelle Chrisment, Thibault Cholez, Olivier François, Olivier Bettan [Thales].
Nowadays, most Web services are accessed through HTTPS. While preserving user privacy is important, it is also necessary to monitor and detect specific user actions, for instance to enforce a security policy. Our paper [4] presents a solution to monitor HTTP/2 traffic over TLS. Such traffic differs substantially from HTTP/1.1 over TLS, which makes existing monitoring techniques obsolete. Our solution, H2Classifier, aims at detecting whether a user performs a previously defined action on a monitored Web service, without any decryption. It is thus based only on passive traffic analysis and relies on a random forest classifier. A challenge is to extract representative values of the content loaded with a Web page, which is customized according to the user action. Extensive evaluations with five of the most used Web services demonstrate the viability of our technique, with an accuracy between 94% and 99%.
We were also interested in the Internet of Things (IoT), as related devices have become widely used and their control is often provided through a cloud-based web service that interacts with an IoT gateway, in particular for individual users and home automation. We therefore propose a technique demonstrating that it is possible to infer private user information, i.e., the actions performed, from a vantage point outside the end user's local IoT network. By learning the relationships between the user actions and the traffic sent by the web service to the gateway, we have been able to establish elementary signatures, one for each possible action, which can then be composed to discover compound actions in encrypted traffic. We evaluated the efficiency of our approach on one IoT gateway interacting with up to 16 IoT devices and showed that a passive attacker can infer user activities with an accuracy above 90%. This work has been published in [16] and is related to the H2020 SecureIoT project (section 9.3.1.2).
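As an added illustration of the metadata-only inference discussed in this paragraph and the previous one, the script below is constructed example code, not the H2Classifier implementation of [4] nor the IoT signature tool of [16]. It builds flows of TLS record sizes for three made-up user actions, trains a nearest-centroid model (swapped in for the papers' random forest so that only the standard library is needed), measures the accuracy an observer of size and count metadata obtains, and then measures what a padding countermeasure that fixes record sizes and record counts does to that accuracy. The action profiles, bucket edges and padding targets are all assumptions.

```python
"""Added example: inferring a user's action from encrypted-flow metadata only.

Constructed data, not the papers' datasets. A flow is a list of (direction, record_size)
pairs for TLS records: sizes and counts are visible to a passive observer even though
the payload is encrypted. A nearest-centroid classifier stands in for the random forest
of H2Classifier so the script has no dependency beyond the standard library.
"""
import math
import random

# Size buckets (bytes) used to summarise server->client records; the last one is open-ended.
BUCKETS = (0, 128, 512, 1024, 2048, 4096, 8192)

# Constructed action profiles (assumed): (down_count range, down_size range, up_size range).
PROFILES = {
    "search_results": ((15, 25), (150, 450), (300, 500)),
    "view_image": ((3, 6), (9000, 30000), (300, 500)),
    "post_comment": ((1, 2), (600, 900), (1500, 3000)),
}


def generate_flow(action, rng):
    """One constructed flow: a single upstream request followed by N downstream records."""
    (lo, hi), (smin, smax), (umin, umax) = PROFILES[action]
    flow = [("up", rng.randint(umin, umax))]
    flow += [("down", rng.randint(smin, smax)) for _ in range(rng.randint(lo, hi))]
    return flow


def bucket(size):
    """Index of the largest bucket edge that `size` reaches."""
    idx = 0
    for i, edge in enumerate(BUCKETS):
        if size >= edge:
            idx = i
    return idx


def features(flow):
    """Feature vector: normalised downstream size histogram, log byte volume,
    log record count and upstream byte share (all derivable without decryption)."""
    down = [s for d, s in flow if d == "down"]
    up = [s for d, s in flow if d == "up"]
    hist = [0.0] * len(BUCKETS)
    for s in down:
        hist[bucket(s)] += 1.0 / max(len(down), 1)
    total = sum(down) + sum(up)
    return hist + [
        math.log1p(sum(down)) / 16,
        math.log1p(len(down)) / 8,
        sum(up) / total if total else 0.0,
    ]


def train(samples):
    """Nearest-centroid model: the mean feature vector of each action label."""
    sums, counts = {}, {}
    for label, flow in samples:
        vec = features(flow)
        acc = sums.setdefault(label, [0.0] * len(vec))
        for i, v in enumerate(vec):
            acc[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {label: [v / counts[label] for v in vec] for label, vec in sums.items()}


def predict(model, flow):
    vec = features(flow)
    return min(model, key=lambda label: math.dist(vec, model[label]))


def accuracy(model, samples):
    return sum(predict(model, flow) == label for label, flow in samples) / len(samples)


def pad_flow(flow, size=4096, down_count=25, up_count=2):
    """Countermeasure sketch: every record padded to one size and each direction padded
    with dummy records up to a fixed count, removing the size and count side channels."""
    padded = [(d, size) for d, _ in flow]
    for direction, target in (("down", down_count), ("up", up_count)):
        have = sum(1 for d, _ in padded if d == direction)
        padded += [(direction, size)] * max(target - have, 0)
    return padded


def dataset(rng, per_class):
    return [(a, generate_flow(a, rng)) for a in PROFILES for _ in range(per_class)]


def run_experiment(seed=7):
    """Returns (accuracy on raw flows, accuracy on padded flows)."""
    rng = random.Random(seed)
    train_set, test_set = dataset(rng, 20), dataset(rng, 10)
    plain = accuracy(train(train_set), test_set)
    padded_model = train([(a, pad_flow(f)) for a, f in train_set])
    padded = accuracy(padded_model, [(a, pad_flow(f)) for a, f in test_set])
    return plain, padded


if __name__ == "__main__":
    raw, padded = run_experiment()
    print(f"accuracy on raw metadata: {raw:.2f}, after size+count padding: {padded:.2f}")
```

On the constructed profiles the three actions are perfectly separable from record sizes alone, and padding that fixes both record size and record count drives the classifier to chance level; padding sizes alone would leave the record count feature intact, which is why the countermeasure pads in both dimensions.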
Predictive Security Monitoring for Large-Scale Internet-of-Things
Participants: Jérôme François [contact], Rémi Badonnel, Abdelkader Lahmadi, Isabelle Chrisment, Adrien Hemmer.
The Internet of Things has become a reality, with numerous protocols, platforms and devices being developed and used to support the growing deployment of smart services. Providing new services requires the development of new functionalities and the elaboration of complex systems, which are naturally a source of potential threats. Real cases have recently demonstrated that the IoT can be affected by naïve weaknesses. Security is therefore of paramount importance.
In that context, we have proposed a process mining approach, capable of coping with a variety of devices and protocols, to support IoT predictive security [14]. We have described the underlying architecture and its components, and have formalized the different phases of this solution, from the building of behavioral models to the detection of misbehaviors and potential attacks. The pre-processing identifies the states characterizing the IoT-based system, while process mining methods elaborate behavioral models that are compatible with the heterogeneity of protocols and devices [26]. These models are then exploited to analyze monitoring data at runtime and detect misbehaviors and potential attacks preventively. Based on a proof-of-concept prototype, we have quantified the detection performance, as well as the influence of time splitting and clustering techniques. The experimental results clearly show the benefits of our solution combining process mining and clustering techniques. As future work, we are interested in comparing it to alternative learning techniques, as well as in evaluating to what extent the generated alerts can be exploited to drive the activation of countermeasures.
This work has been achieved in the context of the H2020 SecureIoT project (section 9.3.1.2).
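To make the pipeline of the previous paragraph concrete, the script below is an added example (not the project's prototype) that runs the three phases on a constructed gateway log: pre-processing maps each log line to a state, time splitting cuts the event stream into cases wherever the gateway is silent for longer than a gap, and the directly-follows relation between consecutive states serves as a simplified behavioral model in place of the process mining methods of [14] and [26]. At runtime a new trace is checked against that model and any unseen start state, transition or end state is reported. The log lines, the device names and the 120-second gap are assumptions.

```python
"""Added example: a directly-follows behavioural model mined from an IoT event log,
then used to flag misbehaviour at runtime. Constructed log, not the project's data."""
from collections import Counter

# Constructed gateway log (assumed format): "<timestamp_seconds> <device> <event>".
SAMPLE_LOG = """\
100 motion_sensor motion_detected
101 hub lamp_on
160 motion_sensor motion_clear
190 hub lamp_off
400 door_lock unlock
402 hub alarm_disarm
450 door_lock lock
452 hub alarm_arm
700 motion_sensor motion_detected
701 hub lamp_on
760 motion_sensor motion_clear
790 hub lamp_off
"""


def parse_log(text):
    """Pre-processing: one (timestamp, state) pair per line, with state = device:event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, event = line.split()
        events.append((int(ts), f"{device}:{event}"))
    return events


def split_cases(events, gap):
    """Time splitting: a silence longer than `gap` seconds starts a new case (trace)."""
    cases, current, last_ts = [], [], None
    for ts, state in events:
        if current and ts - last_ts > gap:
            cases.append(current)
            current = []
        current.append(state)
        last_ts = ts
    if current:
        cases.append(current)
    return cases


def mine_model(cases):
    """Behavioural model: directly-follows counts plus the observed start and end states."""
    model = {"follows": Counter(), "starts": set(), "ends": set()}
    for trace in cases:
        model["starts"].add(trace[0])
        model["ends"].add(trace[-1])
        for a, b in zip(trace, trace[1:]):
            model["follows"][(a, b)] += 1
    return model


def check_trace(model, trace, min_support=1):
    """Runtime detection: list every deviation of `trace` from the mined model.
    Transitions seen fewer than `min_support` times during training are reported too."""
    alerts = []
    if not trace:
        return alerts
    if trace[0] not in model["starts"]:
        alerts.append(f"unexpected start state: {trace[0]}")
    for a, b in zip(trace, trace[1:]):
        seen = model["follows"].get((a, b), 0)
        if seen < min_support:
            alerts.append(f"transition {a} -> {b} seen {seen} time(s) in training")
    if trace[-1] not in model["ends"]:
        alerts.append(f"unexpected end state: {trace[-1]}")
    return alerts


if __name__ == "__main__":
    model = mine_model(split_cases(parse_log(SAMPLE_LOG), gap=120))
    # Constructed runtime trace: the lock is released, then a motion event arrives
    # without the lock/arm sequence ever completing.
    suspicious = ["door_lock:unlock", "hub:alarm_disarm", "motion_sensor:motion_detected"]
    for alert in check_trace(model, suspicious):
        print("ALERT:", alert)
```

The gap value decides how many cases the log yields, which is the "influence of time splitting" the paragraph refers to: too small a gap fragments one user routine into several short traces, too large a gap merges unrelated routines into one, and both change which transitions the model considers normal.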
Monitoring of Blockchains' Networking Infrastructure
Participants: Thibault Cholez [contact], Jean-Philippe Eisenbarth, Olivier Perrin.
With the rise of blockchains, their networking infrastructure is becoming a critical asset, as more and more money and services are built on top of them. However, they are largely undocumented and may be prone to performance issues and severe attacks, so that the question of the resiliency of their overlay network arises. With regard to the state of the art on P2P network security, the fact that a service infrastructure is distributed is not sufficient to assess its reliability, as many biases (for instance, nodes concentrated in a given geographical location) and attacks (eclipse, Sybil or partition attacks) remain possible and may severely disturb the network.
Overall, according to the scientific literature, the security provided by the proof-of-work consensus and the huge size of the main public blockchains seem to protect them well from large-scale attacks (51% attack, selfish mining attack, etc.), whose cost becomes prohibitive and often exceeds the expected gain. However, rather than focusing only on the application level, an attacker could instead try to disturb the underlying P2P network to weaken the consensus in specific parts of the blockchain network and gain an advantage. Our current work uses a third-party crawler to get an accurate view of the Bitcoin overlay network. We are currently analyzing the data with graph theory metrics to identify possible anomalies or flaws that attackers could exploit.
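The kind of graph-theoretic resilience check this paragraph refers to can be illustrated on a small constructed overlay. The script below is an added example, not the crawler or the analysis code of this work: it takes an adjacency list with a country label per node, reports the geographic concentration bias, finds the nodes whose loss would split the overlay, and measures how much of the network stays in the largest connected component when a chosen set of nodes (the highest-degree one, or every node of one country) disappears. The ten-node graph and its country labels are constructed.

```python
"""Added example: resilience checks on a crawled overlay graph.
Constructed ten-node graph and country labels, not the crawler's real data."""
from collections import deque

# Constructed undirected overlay edges (assumed): n0 is a hub linking two clusters.
EDGES = [
    ("n0", "n1"), ("n0", "n2"), ("n0", "n6"), ("n0", "n7"), ("n0", "n5"),
    ("n1", "n2"), ("n1", "n3"), ("n2", "n3"), ("n3", "n4"), ("n4", "n5"),
    ("n6", "n7"), ("n7", "n8"), ("n8", "n9"), ("n9", "n6"),
]
# Constructed geolocation: six nodes in country A, four in country B.
COUNTRIES = {f"n{i}": ("A" if i <= 5 else "B") for i in range(10)}


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def components(adj, removed=frozenset()):
    """Connected components (BFS) of the graph once `removed` nodes are taken out."""
    seen, comps = set(removed), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for peer in adj[node]:
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        comps.append(comp)
    return comps


def largest_component_fraction(adj, removed=frozenset()):
    """Share of all original nodes still in the largest component after removal
    (1.0 means the overlay is intact; lower values mean it has been partitioned)."""
    comps = components(adj, removed)
    return max((len(c) for c in comps), default=0) / len(adj)


def cut_vertices(adj):
    """Nodes whose removal increases the number of components. Brute force is fine for a
    demo; a crawl of the real overlay would call for Tarjan's articulation-point algorithm."""
    base = len(components(adj))
    return {n for n in adj if len(components(adj, {n})) > base}


def top_degree(adj, k):
    """The k best-connected nodes, the ones whose loss is most likely to matter."""
    return sorted(adj, key=lambda n: len(adj[n]), reverse=True)[:k]


def country_share(countries):
    """Most represented country and its share of the nodes: a geographic concentration bias."""
    counts = {}
    for c in countries.values():
        counts[c] = counts.get(c, 0) + 1
    top = max(counts, key=counts.get)
    return top, counts[top] / len(countries)


def nodes_in(countries, country):
    return {n for n, c in countries.items() if c == country}


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("largest component, intact:", largest_component_fraction(graph))
    print("cut vertices:", sorted(cut_vertices(graph)))
    hub = top_degree(graph, 1)
    print("without top-degree node", hub, ":", largest_component_fraction(graph, set(hub)))
    country, share = country_share(COUNTRIES)
    print(f"country {country} hosts {share:.0%} of nodes; without it:",
          largest_component_fraction(graph, nodes_in(COUNTRIES, country)))
```

A single cut vertex with a high degree is exactly the kind of structural flaw the analysis looks for: a network that appears well distributed by node count can still depend on a few peers for connectivity between regions, and the fraction of nodes left in the largest component after their removal quantifies that dependence.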
Quality of Experience Monitoring
Participants: Isabelle Chrisment [contact], Antoine Chemardin, Frédéric Beck, Lakhdar Meftah [University of Lille], Romain Rouvoy [University of Lille].
We carried on our collaboration with the SPIRALS team (Inria/Université de Lille). Even though mobile crowdsourcing allows industrial and research communities to build realistic datasets, it can also be used to track participants' activity and to collect insightful reports from the environment (e.g., air quality, network quality). While data anonymization for mobile crowdsourcing is commonly performed a posteriori on the server side, we have proposed a decentralized approach, named Fougere [19], which introduces an a priori data anonymization process. To validate our privacy-preserving proposal, two testing frameworks (ANDROFLEET and PEERFLEET [20]) have been designed and implemented. They allow developers to automate reproducible testing of nearby peer-to-peer (P2P) communications.
In the context of both the ANR BottleNet (section 9.2.1.1) and IPL BetterNet (section 9.2.5.1) projects, we continued to work on our open measurement platform for the quality of mobile Internet access (i.e., setting up and managing the backend infrastructure for data collection and analysis). This platform is hosted by the High Security Laboratory (https://lhs.loria.fr) located at Inria Nancy Grand-Est. A collection campaign has been performed with a small set of volunteer users selected by the INSEAD-Sorbonne Université Behavioural Lab (https://www.insead.edu/centres/insead-sorbonne-universite-lab-en).