2025Activity report​​Project-TeamRESIST

6.1.1 ROSCA

• Name:​​​‌
  Robust and Scalable Correlation‌ of Alerts
• Keywords:
  Alert‌​‌ correlation, Intrusion Detection Systems​​ (IDS), Anomaly detection
• Functional​​​‌ Description:
  ROSCA is a‌ transparent solution that can‌​‌ handle a large volume​​ of security alerts to​​​‌ reduce analyst fatigue, delayed‌ responses, and missed attacks.‌​‌ It is suited for​​ in-house adaptation or re-implementation​​​‌ by Security Operations Centers‌ (SOCs). It is grounded‌​‌ in the MITRE ATT&CK​​ kill chain model, and​​​‌ automatically aggregates and correlates‌ alerts based on their‌​‌ shared attributes, enabling the​​ construction of contextualised attack​​​‌ cases. Each case is‌ assigned a score reflecting‌​‌ its threat level, before​​ being presented to analysts​​​‌ within a prioritised queue.‌ Our method handles multi-stage‌​‌ attack patterns and supports​​ rapid processing through a​​​‌ robust, noise-tolerant scoring mechanism‌ designed for interpretability and‌​‌ operational integration. We validate​​ the effectiveness of ROSCA​​​‌ on real-world alert data‌ and compare it against‌​‌ the MATE framework, demonstrating​​​‌ superior prioritisation accuracy and​ more reliable identification of​‌ critical alerts.
• URL:
  https://­gitlab.­inria.­fr/­resist/­watch-rosca-alert-prioritisation/​​
• Publication:
  hal-05351162
• Contact:
  Remi​​​‌ Garcia
• Participants:
  Remi Garcia,​ Abdelkader Lahmadi, Pierre-Francois Gimenez,​‌ an anonymous participant

6.1.2​​ llm-cvx

• Keywords:
  LLM, Cyber​​​‌ attack
• Functional Description:
  This​ repository provides an implementation​‌ of the LLM-CVX Benchmarking​​ Framework to evaluate 14​​​‌ LLMs (listed in data/llms.json​ (https://gitlab.inria.fr/resist/llm-cvx/-/blob/main/data/llms.json?ref_type=heads)) on exploiting 36​‌ CVEs (listed in data/cves.json).​​ The evaluation uses two​​​‌ exploit tools: Metasploit and​ GitHub PoCs, along with​‌ correction-loop prompting strategies, as​​ detailed in the paper​​​‌ linked below.
• Publication:
  hal-05349650/​
• Contact:
  Mohamed Amine El​‌ Yagouby

6.1.3 C-CyberBattleSim

• Name:​​
  Continuous CyberBattleSim
• Keywords:
  Reinforcement​​​‌ learning, Cyber attack, Embedding​ model
• Scientific Description:

  This​‌ repository builds upon the​​ CyberBattleSim framework by introducing​​​‌ a modular, multi-stage pipeline​ with the following core​‌ components:

  1. Automated Scenario​​ Generation: Leverages Shodan and​​​‌ the National Vulnerability Database​ (NVD) data to extract​‌ real-world service distributions and​​ vulnerabilities. It uses this​​​‌ data to generates diverse​ synthetic scenarios via domain​‌ randomization based on configurable​​ parameters.

  2. Game Reformulation:​​​‌ Models the attack environment​ as a Partially Observable​‌ Markov Decision Process (POMDP),​​ allowing more realistic and​​​‌ effective learning.

  3. Embedding​ Model Learning: Uses a​‌ Graph AutoEncoder and Language​​ Models to embed graph​​​‌ and vulnerability information into​ latent continuous spaces.

  4.​‌ Invariant Agent Architecture: Defines​​ observation and action spaces​​​‌ that are independent of​ specific graph topologies or​‌ vulnerability sets by leveraging​​ the previously described latent​​​‌ representations. This framework supports​ the training of Deep​‌ Reinforcement Learning (DRL) algorithms​​ using Stable-Baselines3 implementations, and​​​‌ enables direct comparison with​ the global and local​‌ space formulations introduced in​​ prior work.

• Functional Description:​​​‌
  Continuous CyberBattleSim (C-CyberBattleSim) is​ an advanced extension of​‌ Microsoft’s CyberBattleSim, a simulation​​ tool designed for training​​​‌ and evaluating reinforcement learning​ (RL) agents in cyber-attack​‌ path prediction. C-CyberBattleSim enhances​​ the original tool in​​​‌ three directions: (1) it​ expands the scenario generation​‌ pipeline by leveraging Cyber​​ Threat Intelligence collected from​​​‌ Shodan’s empirical distributions to​ create synthetic network scenarios​‌ that closely reflect real-world​​ conditions, (2) it introduces​​​‌ an automated process for​ simulating the outcomes of​‌ real-world vulnerabilities by inferring​​ potential effects directly from​​​‌ their metadata, and (3)​ it integrates an embedding​‌ model that combines graph​​ neural networks and language​​​‌ models to represent network​ nodes and vulnerabilities in​‌ continuous vector spaces. This​​ approach introduces continuous observation​​​‌ and action spaces for​ RL agents, enabling more​‌ scalable and generalizable learning.​​
• News of the Year:​​​‌
  Simulation tool released with​ the publication "Scalable and​‌ Generalizable RL Agents for​​ Attack Path Discovery via​​​‌ Continuous Invariant Spaces".
• URL:​
  https://­github.­com/­terranovafr/­C-CyberBattleSim
• Contact:
  Franco Terranova​‌
• Participants:
  Abdelkader Lahmadi, Isabelle​​ Chrisment, Franco Terranova
• Partners:​​​‌
  Université de Lorraine, Loria​

Electrical​‌ Microgrid Security Assessment Platform​​

Participants: Abdelkader Lahmadi [contact]​​​‌, Aurélie Kpoze.​

During 2025, we maintained​‌ our electrical microgrid platform​​ and its control part​​​‌ with SDN-based communication network.​ The platform comprises Distributed​‌ Generators (DGs), Open vSwitches​​ (OVSs) installed on Raspberry​​​‌ Pi devices, and a​ POX controller. The platform​‌ allows us to validate​​ and evaluate methods of​​ mitigating Man-in-the-Middle (MitM) attacks​​​‌ by demonstrating the effectiveness‌ of SDN and reinforcement‌​‌ learning approaches in limiting​​ their impact on the​​​‌ microgrid 17.

Programable‌ Networks Cluster

Participants: Jérôme‌​‌ François, Frédéric Beck​​ [contact], Matthews Jose​​​‌.

We develop the‌ PNC (Programmable Networks Cluster)‌​‌ platform to deploy experimentation​​ with fully isolated network​​​‌ slices under user-defined topologies‌ for advanced systems and‌​‌ networking research. The platform​​ allows researchers to describe​​​‌ a target topology and‌ automatically instantiate it as‌​‌ a VXLAN-based slice, where​​ virtual machines are interconnected​​​‌ through programmable hardware and‌ software data paths. Depending‌​‌ on the experiment, the​​ platform allows to pass​​​‌ through heterogeneous resources to‌ the VMs, including programmable‌​‌ switches, SmartNICs with DPDK​​ support, FPGA-based accelerators, GPUs,​​​‌ and OpenFlow-capable devices, enabling‌ realistic in-network processing and‌​‌ high-performance traffic handling. This​​ flexible architecture supports a​​​‌ wide range of use‌ cases such as software-defined‌​‌ networking, programmable data planes,​​ in-network computation, traffic engineering,​​​‌ large-scale traffic generation, and‌ security experiments requiring strict‌​‌ isolation (e.g., malware or​​ DDoS studies). By combining​​​‌ automation, hardware acceleration, and‌ topology isolation, the PNC‌​‌ platform enables both functional​​ validation and realistic performance​​​‌ evaluation of experimental networked‌ systems. In 2025, we‌​‌ finalized the implementation of​​ the differents logical components​​​‌ of this platform, which‌ is now entering a‌​‌ pre-production phase where the​​ current release will be​​​‌ tested in real conditions‌ over the 2026 year.‌​‌ The platform is developped​​ in the scope of​​​‌ the PEPR Cybersecurity Superviz‌ project.

Datasets and models for​​ generalizable RL agents for​​​‌ attack path discovery

• Contributors:‌
  Franco Terranova; Abdelkader Lahmadi;‌​‌ Isabelle Chrisment
• Description:
  This​​ dataset contains all data​​​‌ used to produce the‌ results presented in 23‌​‌. It was generated​​ using the C-CyberBattleSim framework,​​​‌ an extension of Microsoft‌ CyberBattleSim, and includes scraped‌​‌ vulnerability and service data​​ (NVD, Shodan), generated network​​​‌ scenarios, configurations, and experimental‌ results. The repository provides‌​‌ full training, testing, and​​ hyperparameter optimization outputs for​​​‌ the Graph Autoencoder (GAE),‌ reinforcement learning agents, and‌​‌ the multi-label vulnerability classifier​​ used in the study,​​​‌ enabling full reproducibility.
• Dataset‌ PID:
  10.5281/zenodo.15689667
• Project link:‌​‌
  C-CyberBattleSim on Github
• Publications:​​
  23
• Contact:
  Franco Terranova​​​‌
• Release contributions:
  Data scraping,‌ scenario generation, configuration files,‌​‌ model checkpoints, training/testing results,​​ and hyperparameter optimization logs.​​​‌

7.1.1 Security of‌​‌ IPFS DHT

Participants: Thibault​​ Cholez [contact], Victor​​​‌ De Moura Netto [LORELEY‌ Team], Claudia Ignat‌​‌ [LORELEY Team].

The​​ InterPlanetary File System (IPFS)​​​‌ is a decentralized peer-to-peer‌ (P2P) storage that relies‌​‌ on Kademlia, a Distributed​​ Hash Table (DHT) structure​​​‌ commonly used in P2P‌ systems for its proved‌​‌ scalability. However, DHTs are​​ known to be vulnerable​​​‌ to Sybil attacks, in‌ which a single entity‌​‌ controls multiple malicious nodes.​​ Recent studies have shown​​​‌ that IPFS is affected‌ by a passive content‌​‌ eclipse attack, leveraging Sybils,​​ in which adversarial nodes​​​‌ hide received indexed information‌ from other peers, making‌​‌ the content appear unavailable.​​ Fortunately, the latest mitigation​​​‌ strategy coupling an attack‌ detection based on statistical‌​‌ tests and a wider​​​‌ publication strategy upon detection​ was able to circumvent​‌ it.

In 2025, we​​ made a new active​​​‌ Sybil attack, with malicious​ nodes responding with semantically​‌ correct but intentionally false​​ data, exploiting both an​​​‌ optimized placement of Sybils​ to stay below the​‌ detection threshold and an​​ early trigger of the​​​‌ content discovery termination in​ Kubo, the main IPFS​‌ implementation. Our attack achieves​​ to completely eclipse content​​​‌ on the latest Kubo​ release. When evaluated against​‌ the most recent known​​ mitigation, it successfully denies​​​‌ access to the target​ content in approximately 80%​‌ of lookup attempts. To​​ address this vulnerability, we​​​‌ propose a new mitigation​ called SR-DHT-Store, which enables​‌ efficient, Sybil-resistant content publication​​ without relying on attack​​​‌ detection but instead on​ a systematic and precise​‌ use of region-based queries,​​ defined by a dynamically​​​‌ computed XOR distance to​ the target ID. SR-DHT-Store​‌ can be combined with​​ other defense mechanisms, resulting​​​‌ in a defense strategy​ that completely mitigates both​‌ passive and active Sybil​​ attacks at a lower​​​‌ overhead, while allowing an​ incremental deployment 30.​‌

7.1.2 Optimizing the Transport​​ of Low-latency and High-bitrate​​​‌ Traffic

Participants: Thibault Cholez​ [contact], Olivier Festor​‌, Mohammadreza Ghafari.​​

The rapid advancement of​​​‌ immersive multimedia applications necessitates​ network technologies that can​‌ deliver both low-latency and​​ high-bitrate traffic to ensure​​​‌ a seamless Quality of​ Experience (QoE). Among those​‌ applications, Cloud Gaming (CG)​​ platforms have gained much​​​‌ popularity recently and are​ expected to become a​‌ significant part of Internet​​ traffic in the upcoming​​​‌ years. However, the characteristics​ of their traffic are​‌ challenging for networks to​​ transport and make it​​​‌ difficult to maintain a​ good quality of service​‌ (QoS) in degraded network​​ conditions when congestion occurs.​​​‌ New network architectures such​ as Low Latency, Low​‌ Loss, and Scalable Throughput​​ (L4S) or Big Packet​​​‌ Protocol (BPP) offer new​ technical means to avoid​‌ bufferbloat-induced latency thanks to​​ the network support, but​​​‌ have not yet been​ assessed on real high-bitrate​‌ and low-latency applications. In​​ 2025, we pursued our​​​‌ dissemination work on the​ first evaluation ever made​‌ of L4S transporting real​​ CG traffic. In particular,​​​‌ we received the best​ paper award of the​‌ French networking community conference​​ (CORES 2025 16)​​​‌ and we gave an​ invited talk at the​‌ Internet Congestion Control Research​​ Group (ICCRG) meeting of​​​‌ the IETF.

Then, we​ conducted a new study​‌ 14 to evaluate BPP's​​ Packet Wash mechanism in​​​‌ conjunction with Scalable Video​ Coding (SVC) for real-time​‌ applications like CG. The​​ packet wash mechanism can​​​‌ discard on-the-fly higher-quality payload​ layers in network buffers​‌ during congestion events, preventing​​ gameplay interruptions without requiring​​​‌ server-side negotiation or re-encoding.​ This instantaneous network-based reaction​‌ minimizes the effects of​​ congestion compared to traditional​​​‌ bitrate adaptation methods. Experimental​ results for 2K game​‌ streaming demonstrate that the​​ packet wash mechanism preserves​​​‌ visual quality with negligible​ degradation during sudden bandwidth​‌ drops.

In a follow​​ up study 15,​​​‌ we proposed to leverage​ Region Of Interest (ROI)​‌ based SVC combined with​​ Packet Wash to further​​ improve the Quality of​​​‌ Experience (QoE) under network‌ congestion. Comparative experiments for‌​‌ various coding strategies after​​ applying packet wash show​​​‌ that ROI SVC can‌ handle bandwidth drops more‌​‌ efficiently, up to 52%​​ bitrate reduction, while still​​​‌ maintaining uninterrupted gameplay and‌ satisfactory visual quality in‌​‌ the most critical regions​​ of the game, according​​​‌ our QoE evaluation involving‌ real users. These results‌​‌ indicate that packet wash​​ with ROI SVC provides​​​‌ an effective solution for‌ real-time interactive multimedia streaming,‌​‌ such as cloud gaming.​​

7.1.3 AI driven Monitoring​​​‌ in Cloud-Edge-IoT continuum

Participants:‌ Abdelkader Lahmadi [contact],‌​‌ Ahmad Atwi.

Monitoring​​ large-scale systems such as​​​‌ the Cloud-Edge-IoT continuum is‌ challenging due to their‌​‌ distributed, heterogeneous, and evolving​​ nature. Tracking all components-from​​​‌ cloud servers to IoT‌ devices-demands intensive probe deployment‌​‌ and frequent data collection,​​ causing network traffic, computation,​​​‌ and storage overhead. These‌ challenges are intensified by‌​‌ the lack of prior​​ knowledge about which metrics​​​‌ matter most, often leading‌ to redundant monitoring.

In‌​‌ 10, we explored​​ whether Large Language Models​​​‌ (LLMs) can uncover causal‌ relationships between monitoring metrics‌​‌ using only their textual​​ descriptions. We proposed a​​​‌ novel batch prompting strategy‌ that allows LLMs to‌​‌ reason over multiple variables​​ simultaneously, reducing query complexity​​​‌ while preserving interpretability. Our‌ evaluation across several instruction-tuned‌​‌ LLMs shows stronger inter-model​​ alignment than existing pairwise​​​‌ methods and reveals overlaps‌ with causal graphs from‌​‌ traditional numerical algorithms. These​​ results suggest that LLMs​​​‌ can support intelligent monitoring‌ by identifying influential metrics‌​‌ and minimizing redundancy.

7.2.1 Efficient Distribution​​​‌ of Security Filtering Rules‌ in SDN

Participants: Abdelkader‌​‌ Lahmadi [contact], Wafik​​ Zahwa, Michael Rusinowitch​​​‌ [PESTO team].

Software‌ Defined Networks (SDN) heavily‌​‌ rely on diverse management​​ rules (ACL, traffic control,​​​‌ etc.) to satisfy security‌ and business requirements of‌​‌ their associated services. As​​ these networks are increasing​​​‌ in size and complexity,‌ their management rules configured‌​‌ in devices are becoming​​ more complex. These rules​​​‌ are constantly growing in‌ size and it is‌​‌ challenging to distribute them​​ across network devices with​​​‌ limited capacities. Typically implemented‌ in switches using Ternary‌​‌ Content-Addressable Memory (TCAM), ACLs​​ placement faces challenges due​​​‌ to the limited capacity‌ of TCAM memory.

As‌​‌ communication networks and hosted​​ services expand, the growing​​​‌ complexity and volume of‌ policies require scalable algorithms‌​‌ for effective rule placement.​​ In 24, we​​​‌ developed a novel approach‌ that combines graph embedding‌​‌ neural networks (GNN) with​​ deep Q-learning (DQN) to​​​‌ automate optimized ACL distribution‌ across network switches. Our‌​‌ method efficiently manages TCAM​​ utilization while integrating operational​​​‌ constraints (bandwidth, ordering) and‌ it was extensively evaluated‌​‌ on both synthetic and​​ real-world topologies. Results show​​​‌ that it outperforms heuristic‌ and Integer Linear Programming‌​‌ (ILP) based techniques, offering​​ superior scalability, adaptability, and​​​‌ robustness for ACL rule‌ placement. This work was‌​‌ done in collaboration with​​ Inria PESTO team and​​​‌ NUMERYX Company.

7.2.2 Characterization‌ and Troubleshooting of Cloud‌​‌ Gaming Applications on Mobile​​ Networks

Participants: Abdelkader Lahmadi​​​‌ [contact], Joël Ky‌.

Detecting abnormal network‌​‌ events is an important​​​‌ activity of Internet Service​ Providers particularly when running​‌ critical applications (e.g., ultra​​ low-latency applications in mobile​​​‌ wireless networks). Abnormal events​ can stress the infrastructure​‌ and lead to severe​​ degradation of user experience.​​​‌ Machine Learning (ML) models​ have demonstrated their relevance​‌ in many tasks including​​ Anomaly Detection (AD) and​​​‌ Root Cause Diagnosis (RCD).​

However they still rely​‌ on expert defined rules​​ or supervised ML models​​​‌ that require extensive labeled​ datasets. This dependence on​‌ manual labeling makes them​​ costly, time-consuming, and impractical​​​‌ for real-world wireless networks​ diagnostics. To overcome these​‌ limitations, we developed RAID​​ (Root cause Anomaly Identification​​​‌ and Diagnosis) 19,​ a two-stage ML framework​‌ that diagnoses Wi-Fi performance​​ issues using time series​​​‌ KPIs collected directly from​ the Wi-Fi access point,​‌ with Cloud VR serving​​ as a use case.​​​‌ RAID combines contrastive learning-based​ anomaly detection with a​‌ lightweight classifier to categorize​​ network impairments. We evaluate​​​‌ RAID, with a real-world​ Cloud VR use case,​‌ in a testbed using​​ NVIDIA CloudXR and a​​​‌ Meta Quest 2, collecting​ Wi-Fi performance metrics on​‌ the access point, under​​ controlled conditions. Results demonstrate​​​‌ that RAID outperforms existing​ RCD methods, achieving high​‌ accuracy even with minimal​​ labeled data. Compared to​​​‌ conventional supervised and self​ supervised time series models,​‌ RAID offers a scalable,​​ real-time solution with a​​​‌ good trade-off between training​ efficiency and inference speed,​‌ making it well-suited for​​ practical deployment in dynamic​​​‌ Wi-Fi network environments. This​ work was done in​‌ collaboration with the University​​ of Waterloo and Orange​​​‌ Innovation. The major results​ of this research activity​‌ are developed in the​​ PhD of Joel KY​​​‌ defended in 2025 25​.

7.2.3 Mitigating Synchronization​‌ Attacks on Distributed and​​ Cooperative Microgrid Control Systems​​​‌

Participants: Abdelkader Lahmadi [contact]​, Satou Aurélie Kpoze​‌, Isabelle Chrisment.​​

Industrial Control Systems (ICSs)​​​‌ are widely used in​ various industries, enabling the​‌ control and monitoring of​​ critical infrastructures such as​​​‌ microgrids. In these infrastructures,​ distributed and cooperative control​‌ systems are commonly employed​​ to synchronize set points​​​‌ through information exchange over​ communication networks. However, these​‌ systems are increasingly vulnerable​​ to various security threats,​​​‌ particularly those targeting synchronization​ data.

A critical challenge​‌ in these systems is​​ the control network reconfiguration​​​‌ in response to synchronization​ attacks targeting communication links.​‌ In 17, we​​ developed a Deep Reinforcement​​​‌ Learning (DRL)-based reconfiguration approach​ that autonomously adjusts the​‌ control network among DGs,​​ considering the microgrid's stability​​​‌ constraints. The main idea​ is to enhance synchronization​‌ in our microgrid by​​ connecting synchronized nodes to​​​‌ unsynchronized ones. Our objective​ is to construct a​‌ minimum spanning tree (MST)​​ that enables the distributed​​​‌ control system to exchange​ synchronization information efficiently and​‌ in a timely manner,​​ while avoiding compromised links​​​‌ and minimizing disruption to​ microgrid stability after reconfiguration.​‌ Our experimental results demonstrate​​ that the DRL-based strategy​​​‌ outperforms a traditional greedy​ algorithm by achieving a​‌ more optimal reconfiguration of​​ the control network.

7.2.4​​​‌ Cyber-Attack Paths Prediction

Participants:​ Abdelkader Lahmadi [contact],​‌ Franco Terranova, Isabelle​​ Chrisment.

Attack paths​​ represent the sequences of​​​‌ network nodes compromised by‌ attackers while exploiting their‌​‌ respective vulnerabilities. Current methods​​ for predicting such attack​​​‌ paths largely depend on‌ existing human expertise or‌​‌ established heuristics. These traditional​​ methods are time-consuming and​​​‌ require highly skilled threat-hunting‌ analysts to identify these‌​‌ attack paths and proactively​​ apply security measures. However,​​​‌ the task becomes challenging‌ when facing large-scale and‌​‌ highly vulnerable networks. Recently,​​ Reinforcement Learning (RL) has​​​‌ gained traction for training‌ agents in identifying these‌​‌ critical paths. However, current​​ solutions typically train RL​​​‌ agents tailored to a‌ specific environment —defined by‌​‌ a fixed network structure​​ and vulnerability set—requiring costly​​​‌ retraining whenever either changes.‌ This limitation arises from‌​‌ optimizing the agent to​​ map between discrete input​​​‌ and output spaces, treating‌ network nodes and vulnerabilities‌​‌ as atomic discrete elements.​​

In 23, we​​​‌ developed a novel method‌ for constructing continuous and‌​‌ invariant input and output​​ spaces for RL agents,​​​‌ enabling them to learn‌ transferable policies that generalize‌​‌ across diverse network configurations​​ and vulnerability sets. We​​​‌ also released Continuous CyberBattleSim‌ (C-CyberBattleSim) 32, an‌​‌ enhanced version of Microsoft​​ CyberBattleSim designed to train​​​‌ agents with the novel‌ continuous spaces. The tool‌​‌ is further extended to​​ integrate real-world vulnerability data​​​‌ and a new scenario‌ generation pipeline to improve‌​‌ the realism of training​​ and testing environments. Agents​​​‌ trained in continuous spaces‌ are assessed in 800‌​‌ scenarios with varying sizes​​ and various allocations of​​​‌ 829 real-world vulnerabilities, demonstrating‌ an average improvement of‌​‌ 9.3x in scalability against​​ agents trained in discrete​​​‌ spaces, as well as‌ an average generalization score‌​‌ of 89% to more​​ complex scenarios when trained​​​‌ in simpler scenarios. A‌ final study evaluates whether‌​‌ continuous agents trained in​​ simulation can adapt to​​​‌ real-world and emulated scans.‌ On average, agents achieve‌​‌ 75% of the score​​ they would have if​​​‌ trained directly on the‌ scans, demonstrating effective knowledge‌​‌ transfer.

7.2.5 Offensive and​​ Defensive Cyber Security Capabilities​​​‌ of Large Language Models‌

Participants: Abdelkader Lahmadi [contact]‌​‌, Mohamed Amine El​​ Yagouby, Olivier Festor​​​‌.

The increasing capabilities‌ of Large Language Models‌​‌ (LLMs) in code generation​​ and reasoning have raised​​​‌ concerns about their potential‌ misuse, particularly for automating‌​‌ or assisting with vulnerability​​ exploitation tasks. This concern​​​‌ highlights the need for‌ a systematic evaluation of‌​‌ the offensive potential of​​ LLMs. Existing methodologies in​​​‌ this context use synthetic‌ vulnerabilities, rely on fixed‌​‌ prompting strategies and exploit​​ tools in their evaluation,​​​‌ and do not consider‌ efficiency.

In 12,‌​‌ we developed LLM-CVX, a​​ novel benchmarking framework designed​​​‌ to systematically evaluate LLMs‌ on real-world CVE exploitation‌​‌ tasks, with extensibility towards​​ prompting strategies and exploit​​​‌ tools, and allowing LLMs‌ to make multiple attempts‌​‌ to capture both effectiveness​​ and efficiency. We implemented​​​‌ this framework to evaluate‌ 14 state-of-the-art LLMs on‌​‌ exploiting 36 real CVEs​​ using 2 exploit tools​​​‌ (Metasploit and GitHub PoC)‌ and a correction loop‌​‌ that enables LLMs to​​ correct their previous exploitation​​​‌ attempts. In this evaluation,‌ we used a novel‌​‌ set of metrics that​​​‌ we developed in 11​, to better capture​‌ the efficiency of these​​ models, in terms of​​​‌ successive attempts, when handling​ binary outcome tasks. Experimental​‌ results reveal variation in​​ the behavior of different​​​‌ LLMs, using both exploitation​ tools, with closed-source models​‌ generally outperforming open-source ones.​​

7.2.6 Security Alerts Correlation​​​‌ and Priorisation

Participants: Abdelkader​ Lahmadi [contact], Rémi​‌ Garcia, Pierre-François Gimenez​​ [PIRAT Team, Inria Rennes]​​​‌.

In large organisations​ and complex infrastructures, the​‌ overwhelming volume of security​​ alerts often results in​​​‌ analyst fatigue, delayed responses,​ and missed attacks. Security​‌ Operations Centers (SOCs) typically​​ rely on black-box commercial​​​‌ solutions, offering limited transparency​ into their alert classification​‌ mechanisms and lacking the​​ flexibility for in-house adaptation​​​‌ or re-implementation. To address​ these limitations and improve​‌ situational awareness, in 13​​ we developed ROSCA, an​​​‌ efficient alert prioritisation method​ grounded in the MITRE​‌ ATT&CK kill chain model.​​ The proposed approach automatically​​​‌ aggregates and correlates alerts​ based on their shared​‌ attributes, enabling the construction​​ of contextualised cases. Each​​​‌ case is assigned a​ score reflecting its threat​‌ level, before being presented​​ to analysts within a​​​‌ prioritised queue. Our method​ handles multi-stage attack patterns​‌ and supports rapid processing​​ through a robust, noise-tolerant​​​‌ scoring mechanism designed for​ interpretability and operational integration.​‌ We validate the effectiveness​​ of ROSCA on real-world​​​‌ alert data and compare​ it against the MATE​‌ framework, demonstrating superior prioritisation​​ accuracy and more reliable​​​‌ identification of critical alerts.​ This work was done​‌ in collaboration with Inria​​ PIRAT team and the​​​‌ SOC of the Hospices​ Civils de Lyon.

7.2.7​‌ Assessement of Network Intrusion​​ Dataset

Participants: Jérôme François​​​‌ [contact], Omar Anser​, Isabelle Chrisment.​‌

This work defines an​​ assessement of test set​​​‌ used for evaluating machine​ learning-based network intrusion detection.​‌ It introduces three metrics​​ to capture the specificity​​​‌ of the test set​ space in regard to​‌ the train set space.​​ The objective is to​​​‌ check if the test​ points range in regions​‌ of the space that​​ will challenge the intrusion​​​‌ detector. Our approach, namely​ TATA, is model-agnostic and​‌ we also propose an​​ augmentation technique to improve​​​‌ the quality of the​ dataset. TATA employs a​‌ reinforcement learning (RL) approach​​ guided by the three​​​‌ aforementioned metrics, configuring a​ testbed that produces realistic​‌ data 9.

7.3.1 Traffic Engineering​​​‌ for enhancing Quality of​ Service in 5G networks​‌

Participants: Abdelkader Lahmadi [contact]​​, Santiago Rios-Guiral,​​​‌ Ye-Qiong Song [SIMBIOT Teamm]​.

Programmable networks have​‌ transformed network management, particularly​​ within Traffic Engineering (TE),​​​‌ which aims to optimize​ data flow across the​‌ network. By offering flexibility​​ and efficiency, programmable networks​​​‌ facilitate advanced traffic and​ resource management capabilities. Key​‌ technologies in this area,​​ such as Software-Defined Networking​​​‌ (SDN) and Programmable Data​ Planes (PDPs), enable real-time,​‌ dynamic routing and network​​ control. These frameworks further​​​‌ allow the integration of​ Artificial Intelligence (AI) mechanisms​‌ to automate and refine​​ network management processes. Specifically,​​​‌ Reinforcement Learning (RL) is​ a promising approach for​‌ TE applications due to​​ its adaptability to evolving​​ network conditions.

In 6​​​‌, we elaborated a‌ survey with an in-depth‌​‌ review of TE solutions​​ that leverage RL and​​​‌ programmable networks to improve‌ network performance, including works‌​‌ from 2018 to 2025.​​ The proposed survey includes​​​‌ a timely update on‌ the state-of-the-art and presents‌​‌ a taxonomy that categorizes​​ existing solutions based on​​​‌ RL principles and specific‌ TE objectives. Our analysis‌​‌ highlights key findings and​​ insights, contributing valuable knowledge​​​‌ for implementing TE mechanisms‌ within programmable networks. This‌​‌ work was done in​​ collaboration with the University​​​‌ of Antioquia (Colombia).

In‌ 22, we considered‌​‌ the case study of​​ an autonomous urban transportation​​​‌ system (Urbanloop system) utilizing‌ pod vehicles on dedicated‌​‌ rail circuits and requiring​​ stable, high-performance, and continuous​​​‌ communication. We mainly analyzed‌ how communication QoS impacts‌​‌ this system safety and​​ performance. Using the simulators​​​‌ Veins-Simu5G, we evaluated the‌ effects of packet loss‌​‌ and latency under various​​ communication and mobility scenarios,​​​‌ and the related impacts‌ on safety distance and‌​‌ pod deployment density. Furthermore,​​ we validated our simulation​​​‌ findings through preliminary real-world‌ testing with the OAIBOX‌​‌ platform, built upon the​​ OpenAirInterface framework, confirming the​​​‌ practical relevance of our‌ results for future deployments.‌​‌

7.3.2 Security Configuration for​​ Cloud Services

Participants: Rémi​​​‌ Badonnel [contact], Nicolas‌ Schnepf, Olivier Festor‌​‌.

Cloud infrastructures provide​​ new facilities to build​​​‌ elaborated added-value services by‌ composing and configuring a‌​‌ large variety of computing​​ resources, from virtualized hardware​​​‌ devices to software products.‌ They are however further‌​‌ exposed to security attacks​​ than traditional environments. Preventing​​​‌ vulnerabilities is an important‌ requirement to ensure the‌​‌ security of cloud infrastructures​​ and their services, where​​​‌ distributed and dynamically evolving‌ execution environments may significantly‌​‌ increase the attack surface.​​ Effective vulnerability management in​​​‌ such ecosystems is therefore‌ essential to maintain secure‌​‌ and dependable service execution.​​

We pursued our efforts​​​‌ on vulnerability management by‌ considering the issues related‌​‌ to the edge-cloud continuum,​​ through our collaboration with​​​‌ University of Milano (Italy).‌ The edge-cloud continuum reshapes‌​‌ how we conceptualize and​​ implement computing across diverse​​​‌ environments. This continuum represents‌ a seamless integration of‌​‌ edge computing, which brings​​ computational resources closer to​​​‌ data sources, with traditional‌ cloud computing frameworks, enabling‌​‌ a more distributed, responsive,​​ and efficient computing landscape.​​​‌ We proposed a novel‌ methodology that systematically evaluates‌​‌ the vulnerabilities of potential​​ deployment targets within the​​​‌ edge-cloud continuum. In this‌ manner, it aims to‌​‌ identify the most appropriate​​ deployment options for each​​​‌ service request, taking into‌ consideration the specific security‌​‌ requirements and non-functional properties​​ specified by the user.​​​‌ Furthermore, our methodology provides‌ a framework for managing‌​‌ the migration of services​​ in response to invalidated​​​‌ requirements, ensuring that security‌ and performance integrity of‌​‌ services is maintained throughout​​ their life-cycle. We evaluated​​​‌ the proposed approach through‌ realistic scenarios, demonstrating its‌​‌ effectiveness in enhancing cloud​​ service security while reducing​​​‌ migration overhead. This approach‌ therefore not only contributes‌​‌ to enhance the security​​ of the edge-cloud continuum​​​‌ with respect to vulnerabilities,‌ but also optimizes the‌​‌ alignment between service requirements​​​‌ and the capabilities of​ the deployment infrastructures 27​‌.

We also started​​ to investigate vulnerability prevention​​​‌ for moving target defense​ approaches that tend to​‌ leverage artificial intelligence to​​ protect cloud services. In​​​‌ particular, we considered the​ design of a moving​‌ target defense strategy that​​ combines artificial intelligence with​​​‌ verification techniques. The proposed​ framework relies on two​‌ main components, namely a​​ learning block using reinforcement​​​‌ learning algorithms to automate​ movement selection based on​‌ rewards, and a verifier​​ block using configuration verification​​​‌ techniques to assess these​ movements. We formalized this​‌ approach mathematically, aiming to​​ make movements unpredictable for​​​‌ attackers, while minimizing the​ risk of vulnerable configurations.​‌ We conducted extensive experiments​​ with a proof-of-concept prototype,​​​‌ comparing our approach to​ a baseline strategy and​‌ using vulnerability descriptions from​​ the official OVAL repository.​​​‌ Results show that our​ strategy significantly reduces exposure​‌ to severe attacks with​​ minimal assessment time overhead.​​​‌ Additionally, we evaluated the​ predictability of movements by​‌ attackers and the associated​​ costs in terms of​​​‌ service unavailability 20.​

7.3.3 Intelligent Configuration and​‌ Update for Future Networks​​

Participants: Nicolas Schnepf [contact]​​​‌, Katsuki Isobe,​ Rémi Badonnel.

Effective​‌ management of configuration and​​ software updates on network​​​‌ and security equipments like​ firewalls and intrusion detection​‌ systems is a significant​​ challenge in network operations​​​‌ and management, particularly when​ considering specific performance and​‌ security requirements like ensuring​​ that the traffic will​​​‌ always traverse a certain​ network function. This challenge​‌ is increased by the​​ dynamics and heterogeneity of​​​‌ future networks that are​ ever more driven by​‌ artificial intelligence methods and​​ techniques.

In the context​​​‌ of the PhD thesis​ of Katsuki Isobe, we​‌ investigated the extension of​​ the Eagle algorithmic solution​​​‌ to address the case​ of dynamic security chains​‌ in 5G/B5G networks 31​​. These efforts were​​​‌ performed in collaboration with​ TU Berlin, Aalborg University​‌ and the Inria DIANA​​ team. The objective is​​​‌ to support the dynamic​ update of service chaining​‌ and their inherent constraints.​​ We specified an automated​​​‌ solution for synthesizing update​ schedules automatically and with​‌ the smallest possible number​​ of update batches—an aspect​​​‌ important for decreasing the​ overall duration of the​‌ complete network update. It​​ supports both vulnerability and​​​‌ congestion awareness. We added​ service chaining constraints specifying​‌ that network flows must​​ traverse several services given​​​‌ as a directed graph​ deployed into the overall​‌ network. We provided two​​ algorithms relying on this​​​‌ approach, the first one​ computing the shortest possible​‌ update sequence, the second​​ one greedily computing each​​​‌ update batch as the​ largest possible set of​‌ remaining nodes to update.​​ We compared these two​​​‌ approaches, and demonstrated their​ practical applicability in the​‌ context of 5G networks,​​ as well as on​​​‌ a large benchmark of​ ISP Internet topologies combined​‌ with different service chaining.​​ An extensive empirical evaluation​​​‌ shows that our approach​ is tractable and scales​‌ to realistic service chaining​​ and network sizes 21​​​‌.

In the meantime,​ we proposed a testbed​‌ architecture for evaluating the​​ performance of LLMs to​​ generate and enrich probabilistic​​​‌ automata characterizing the network‌ behaviour of end device‌​‌ applications. These behavioural automata​​ can then serve as​​​‌ a support to build‌ and configure chains of‌​‌ security functions, that are​​ deployed in network infrastructures.​​​‌ The testbed architecture consists‌ of three main pipelines.‌​‌ The first pipeline specifies​​ a baseline method based​​​‌ on process mining to‌ generate behavioural automata. The‌​‌ second pipeline corresponds to​​ the generation of automata​​​‌ based on LLM techniques.‌ The third pipeline combines‌​‌ the two previous ones.​​ It first generates automata​​​‌ using process mining, and‌ then augments them using‌​‌ LLM techniques. Based on​​ the prototyping of this​​​‌ testbed architecture, we have‌ performed extensive series of‌​‌ experiments to evaluate the​​ performances of LLM techniques​​​‌ with respect to the‌ generation and enrichment of‌​‌ automata, and also to​​ quantify their level of​​​‌ explainability in that context.‌

This work has been‌​‌ achieved in collaboration with​​ Aristide Urli student at​​​‌ TELECOM Nancy, Université de‌ Lorraine.

Numeryx Technologies (Paris,‌ France)

Participants: Abdelkader Lahmadi‌​‌ [contact], Wafik Zahwa​​, Michael Rusinowitch [PESTO​​​‌ team].

• Wafik Zahwa,‌ CIFRE PhD Student, is‌​‌ supervised by Abdelkader Lahmadi,​​ Michael Rusinowitch (Inria PESTO​​​‌ team) and Mondher Ayadi‌ (NUMERYX) on Building Self-Driven‌​‌ Network Functions24.​​ Since October 2022.

Orange​​​‌ Innovation (Lannion, France)

Participants:‌ Abdelkader Lahmadi [contact],‌​‌ Joël Ky.

• Joël​​ Ky, CIFRE PhD Student,​​​‌ is supervised by Abdelkader‌ Lahmadi, Raouf Boutaba (University‌​‌ of Waterloo) and Bertrand​​ Mathieu (Orange Innovation) on​​​‌ Automatic Characterization, Classification and‌ Troubleshooting of Cloud Gaming‌​‌ Applications18, 19​​, 25. PhD​​​‌ defended in April 2025.‌

Hospices Civils de Lyon,‌​‌ France)

Participants: Abdelkader Lahmadi​​ [contact], Rémi Garcia​​​‌, Isabelle Chrisment,‌ Pierre-François Gimenez [PIRAT team]‌​‌.

• Rémi Garcia, Research​​ Engineer, is supervised by​​​‌ Abdelkader Lahmadi, Isabelle Chrisment‌ and Pierre-François Gimenez (Inria‌​‌ PIRAT Team, Rennes) on​​ False Positive Reduction in​​​‌ Intrusion Detection Systems for‌ Hospital Environments13.‌​‌ Since November 2024.

9.1.1 Associate‌ Teams in the framework‌​‌ of an Inria International​​ Lab or in the​​​‌ framework of an Inria‌ International Program

9.1.2 Inria associate team‌​‌ not involved in an​​ IIL or an international​​​‌ program

9.1.3​ Visits of international scientists​‌

9.1.4 Visits​​ to international teams

9.2.1​‌ ANR

9.2.2 PEPR‌​‌

9.2.3 Inria joint Labs‌

AMI CMA: CyMoVE project​‌

Participants: Abdelkader Lahmadi [contact]​​, Ye-Qiong [SIMBIOT team]​​​‌, Marine Minier [CARAMBA​ team].

• Title:
  CYMOVE:​‌ Develop training modules, innovative​​ approaches, and promote careers​​​‌ for the mobility of​ tomorrow
• Coordinator:
  Université de​‌ Haute Alsace (UHA)
• Duration:​​
  2025 to 2029
• Partners:​​​‌
  UHA, Communauté de communes​ de Mulhouse (M2A), Pôle​‌ Véhicule du Futur (PVF),​​ Chambre des Métiers d'Alsace​​​‌ (CMA), Numéum, Lycée Loritz​ de Nancy, Lycée Gustave​‌ Eiffel de Talange, Holo3,​​ Université de Lorraine, Université​​​‌ de Reims Champagne Ardenne​ (URCA)
• Local contact:
  Abdelkader​‌ Lahmadi
• Summary:

  The automotive​​ industry is facing major​​​‌ challenges due to societal,​ regulatory, and technological changes.​‌ The 2021 Climate and​​ Resilience law mandates a​​​‌ transition to electric vehicles​ by 2035. The increasing​‌ connectivity of vehicles heightens​​ cybersecurity challenges, with risks​​​‌ of cyberattacks targeting embedded​ systems and networks. Companies​‌ must also contend with​​ a shortage of skilled​​​‌ labor and the need​ to modernize production. Recent​‌ studies and reports recommend​​ tailored training programs at​​​‌ various levels to address​ these challenges. CyMoVe offers​‌ progressive, modular, and complementary​​ training programs covering all​​​‌ levels and learning modalities,​ ranging from awareness to​‌ technical expertise, from Bac​​ -3 to Bac +5.​​​‌ These programs include cybersecurity,​ energy management, and electric​‌ vehicle maintenance, providing a​​ holistic approach to addressing​​​‌ vulnerabilities. In the Grand​ Est region, the project​‌ aims to train learners​​ at the relevant levels​​​‌ using the modules developed​ within the CyMoVe project.​‌

  RESIST team is involved​​ in developing lightweight security​​​‌ approaches for embedded networking​ protocols in connected cars​‌ including intrusion detection techniques​​ and the benchmarking of​​​‌ lightweight cryptography in collaboration​ with Inria CARAMBA team.​‌

10.1.1 Scientific events: organisation​‌

10.1.2​ Scientific events: selection

10.1.3 Journal‌​‌

10.1.4‌​‌ Invited talks

• Thibault Cholez​​
  • Talk on "Improving Cloud​​​‌ Gaming traffic QoS: a‌ comparison between class-based queuing‌​‌ policy and L4S" in​​ The Internet Congestion Control​​​‌ Research Group (ICCRG), Internet‌ Engineering Task Force (IETF)‌​‌ 122, March 2025
• Abdelkader​​ Lahmadi
  • Talk on "Security​​​‌ Monitoring and Policy Enforcement‌ in Networked Systems" in‌​‌ RESSI (Rendez-Vous de la​​ Recherche et de l’Enseignement​​​‌ de la Sécurité des‌ Systèmes d’Information), May 2025‌​‌
  • Talk on "Artificial Intelligence​​ for Cyber Security: from​​​‌ LLM-Powered Offensive Capabilities to‌ AI-Driven Attack Path Prediction‌​‌ " in the conference​​ CESAR 2025 by DGA,​​​‌ Rennes in November 2025‌
  • Talk on "Cybersecurity Research‌​‌ and Innovation" during the​​ inauguration event of the​​​‌ regional Cyber Security Hub,‌ Metz in October 2025‌​‌
• Remi Badonnel
  • Talk on​​ "Cybersecurity for the Future​​​‌ World" in the Association‌ for the Advancement of‌​‌ Management Event, March 2025​​​‌
  • Talk on "Cybersecurity and​ Networking" in the Rendez-Vous​‌ Informatique of the Programme​​ National de Formation (PNF),​​​‌ April 2025
  • Talk on​ "Cybersecurity Skills and Training​‌ Programs" in the Thales​​ Cyber Luxembourg Event, June​​​‌ 2025
• Omar Anser and​ Franco Terranova delivered a​‌ hands-on tutorial on "Meta-Learning​​ for Reinforcement Learning: Enabling​​​‌ Agents to Generalize to​ Unseen Scenarios" at the:​‌ 25th European Agent Systems​​ Summer School (EASSS 2025)​​​‌

10.1.5 Leadership within the​ scientific community

• Rémi Badonnel​‌ is chair of the​​ IFIP (International Federation for​​​‌ Information Processing) WG6.6 (Working​ Group 6.6) dedicated to​‌ the management of networks​​ and distributed systems, and​​​‌ is member of the​ SSLR Working Group (Security​‌ of Systems, Software and​​ Networks) of the CNRS​​​‌ GDR on Cybersecurity.
• Olivier​ Festor is member of​‌ the NISC Board. NISC​​ stands for NOMS IM​​​‌ steering committee. The board​ coordinates the organization, management​‌ and evolution of the​​ major conferences in the​​​‌ Network and Service Management​ scientific community and interacts​‌ with the associated Scientific​​ and Professionnal organizations.

10.1.6​​​‌ Scientific expertise

• Isabelle Chrisment​ is the regional scientific​‌ coordinator for the Alliage​​ project in the context​​​‌ of the CPER Grand-Est​ (2021-2027). She served as​‌ a member of the​​ evaluation committee for the​​​‌ ASTRID 2025 call for​ proposals launched by the​‌ French National Research Agency​​ (ANR) and the Defense​​​‌ Innovation Agency (AID).
• Abdelkader​ Lahmadi served as a​‌ member of the ANR​​ committee CE39 (sécurité globale,​​​‌ résilience et gestion de​ crise, cybersécurité) in 2025.​‌ He served as an​​ expert for the European​​​‌ Research Executive Agency (REA)​ in the call HORIZON-JU-SNS-2025-01.​‌
• Rémi Badonnel is, together​​ with Marine Minier, in​​​‌ charge of the coordination​ of research, teaching and​‌ innovation activities on cybersecurity​​ at the University of​​​‌ Lorraine.

10.1.7 Research administration​

• Isabelle Chrisment was Deputy​‌ Scientific Director at Inria​​ in charge of the​​​‌ national scientific domain “Networks,​ Systems ans Services, Distributed​‌ Computing” until June 2025.​​ Since July 1, 2025,​​​‌ she is the Director​ of the Inria Center​‌ at Univesité de Lorraine​​ and the Inria Branch​​​‌ in Strasbourg.
• Abdelkader Lahmadi​ is the responsible of​‌ the research department "Networks,​​ Systems and Services" at​​​‌ LORIA since October 2025.​
• Rémi Badonnel is a​‌ member of the COMIPERS​​ at Inria Nancy Grand​​​‌ Est, and of the​ Commission de la Mention​‌ Informatique (CMI) at University​​ of Lorraine.

10.2.1 Teaching

10.2.2 Supervision

PhD in​​ progress

• Omar Anser, Automation​​​‌ of Attack Mitigations in‌ 5G Environments, since‌​‌ December 2021, supervised by​​ Isabelle Chrisment and Jérôme​​​‌ François.
• Franco Terranova, Reinforcement‌ Learning-Based Approaches for Automated‌​‌ Security Analysis of Networked​​ Systems, since October​​​‌ 2023, supervised by Isabelle‌ Chrisment and Abdelkader Lahmadi.‌​‌
• Mohamed Amine El Yagouby,​​ Modeling and Detection of​​​‌ AI-Assisted Cyberattacks, since‌ November 2024, supervised by‌​‌ Olivier Festor and Abdelkader​​ Lahmadi, in joint supervision​​​‌ with the University International‌ of Rabat (Morocco).
• Ahmad‌​‌ Atwi, Adaptive and Optimal​​ Placement of Monitoring Probes​​​‌ Based on Reinforcement Learning‌, since December 2025,‌​‌ supervized by Abdelkader Lahmadi.​​
• Santiago Rios, Models and​​​‌ Algorithms for the Orchestration‌ System of an On-Demand‌​‌ Rail Transport Network,​​​‌ since March 2025, supervized​ by Abdelkader Lahmadi and​‌ Ye-Qiong Song (SIMBIOT)
• Jhon​​ Sebastian Rojas Rodriguez, Reinforcement​​​‌ Learning for Anomaly Detection​ and Root Cause Analysis​‌ in the Computing Continuum​​, since November 2024,​​​‌ supervized by Abdelkader Lahmadi.​
• Wafik Zahwa, Construction of​‌ network functions based on​​ machine learning, since​​​‌ Octobre 2022, supervized by​ Michael Rusinowitch and Abdelkader​‌ Lahmadi.
• Katsuki Isobe, Security​​ Orchestration at the Edge​​​‌ for Future Networks,​ since October 2024 (pre-thesis​‌ from June to September​​ 2024), supervised by Rémi​​​‌ Badonnel and Nicolas Schnepf.​
• Gaelle Yonga, Moving-target Defense​‌ Driven by Artificial Intelligence​​ for Cloud Composite Services​​​‌, since December 2025,​ supervised by Rémi Badonnel​‌ and Thierry Arrabal.
• Victor​​ Henrique De Moura Netto,​​​‌ Improving security and performance​ of IPFS’s DHT,​‌ supervized by Thibault Cholez​​ and Claudiat Ignat (LORELEY).​​​‌
• Mohammadreza Ghafari, Improving network​ support for low-latency high-bitrate​‌ applications, supervized by​​ Thibault Cholez and Olivier​​​‌ Festor.

Defended PhD

• Enzo​ d'Andréa, Reusable and Adaptable​‌ Machine Learning for Network​​ Security, defended on​​​‌ 1st December 2025, supervized​ by Olivier festor and​‌ Jérôme François.
• Joël Roman​​ Ky, Anomaly Detection and​​​‌ Root Cause Diagnosis for​ Low-Latency Applications in Time-Varying​‌ Capacity Networks, defended​​ on 29th April 2025,​​​‌ supervised by Isabelle Chrisment,​ Raouf Boutaba (University of​‌ Waterloo, Canada), Abdelkader Lahmadi,​​ Bertrand Mathieu (Orange Inovation,​​​‌ France).

10.2.3 Juries

Team​ members participated in the​‌ following PhD defense committees:​​

• Marius Letourneau, PhD in​​​‌ Computer Science from Université​ de Technologie de Troyes​‌ en Sciences pour l'Ingénieur.​​ Title: Impacts et détectabilité​​​‌ des menaces ciblant les​ services réseaux basse latence:​‌ le cas de l'architecture​​ L4S, July 2025​​​‌ - (Abdelkader Lahmadi as​ reviewer and Isabelle Chrisment​‌ as examiner).
• Nischal Aryal,​​ PhD in Computer Science​​​‌ from Institut Polytechnique de​ Paris (Telecom SudParis). Title:​‌ Blockchain-based Collaboration framework for​​ B5G and 6G Cellular​​​‌ Networks, September 2025​ - (Abdelkader Lahmadi as​‌ reviewer).
• Sara Chennoufi, PhD​​ in Computer Science from​​​‌ Institut Polytechnique de Paris​ (Telecom SudParis). Title: Privacy-Preserving​‌ and Robust Attack-Knowledge Sharing​​ in Heterogeneous 5G Networks​​​‌ via Federated Prototype-Based Intrusion​ Detection, December 2025​‌ - (Abdelkader Lahmadi as​​ reviewer).
• Hélène Orsini, PhD​​​‌ in Computer Science from​ CentraleSupélec (France). Title: Weakly-Supervised​‌ Learning for Botnet Traffic​​ Analysis and Adversarial Robustness​​​‌ Assessment, March 2025​ - (Isabelle Chrisment as​‌ reviewer).
• Fatemeh Stodt, PhD​​ in Computer Science from​​​‌ Université de Strasbourg (France).​ Title: Buiding a Secure​‌ and Scalable Distributed Network​​ using Blockchain and Zero​​​‌ Trust for IIoT,​ July 2025 - (Isabelle​‌ Chrisment as president).
• Ildi​​ Alla, PhD in Computer​​​‌ Science from Université de​ Lille (France). Title: Monitoring​‌ for Detection and Localization​​ of Cyber Attacks in​​​‌ Wireless Networks, September​ 2025 - (Isabelle Chrisment​‌ as examiner).
• Ruslan Bondaruc,​​ PhD in Computer Science​​​‌ from University of Milan​ (Italy). Title: An Assurance-Driven​‌ Service Composition for Data-Intensive​​ Pipelines in Cloud-Edge Continuum​​​‌, November 2025 -​ (Thibault Cholez as reviewer).​‌
• Walid Megherbi, PhD in​​ Computer Science from Lyon​​​‌ University (France). Title: Anomaly​ Detection in Graph Streams​‌, April 2025 -​​ (Rémi Badonnel as reviewer).​​
• Yangjie Xu, PhD in​​​‌ Computer Science from Luxembourg‌ University (Luxembourg). Title: Quantum‌​‌ Machine Learning: Diverse perspectives​​ on Application Scenarios,​​​‌ April 2025 - (Rémi‌ Badonnel as reviewer).
• Tan‌​‌ Nhat Linh Le, PhD​​ in Computer Science from​​​‌ Paris Saclay University (France).‌ Title: A Novel AI-based‌​‌ Intrusion Detection System for​​ 3GPP 5G-IoT traffic,​​​‌ December 2025 - (Rémi‌ Badonnel as examiner).
• Grace‌​‌ Tessa Masse, PhD in​​ Computer Science from Avignon​​​‌ University (France). Title: Cyberdeption‌ and Resilience in Federated‌​‌ Learning Systems, December​​ 2025 - (Rémi Badonnel​​​‌ as reviewer).
• Rachid Guedjali,‌ PhD in Computer Science‌​‌ from University of Lorraine​​ (France). Title: Dynamics of​​​‌ validator selection and behavior‌ in byzantine fault tolerant‌​‌ blockchain sytems, December​​ 2025 - (Rémi Badonnel​​​‌ as president).

Team members‌ participated in the following‌​‌ Habilitation Degree committees:

• Daphné​​ Tuncer, HDR in Computer​​​‌ Science from Conservatoire National‌ des Arts et Métiers‌​‌ (France). Title: On the​​ Complexity of Managing Communication​​​‌ and Information System Infrastructures‌, May 2025 -‌​‌ (Isabelle Chrisment as reviewer​​ and Olivier Festor as​​​‌ examiner).
• Mališa Vučinić, HDR‌ in Compuer Science from‌​‌ Université PSL (France). Title:​​ Lightweight Solutions for a​​​‌ Secure Internet of Things‌, October 2025 -‌​‌ (Isabelle Chrisment as reviewer).​​

10.2.4 Specific official responsibilities​​​‌ in science outreach structures‌

• Rémi Badonnel coordinated in‌​‌ 2025 the organization of​​ two Capture The Flag​​​‌ events on cybersecurity which‌ took place at TELECOM‌​‌ Nancy, the Engineering school​​ of Computer Science of​​​‌ University of Lorraine, which‌ targets Bachelor-level and Master-level‌​‌ students in Cybersecurity, with​​ the objective of finding​​​‌ the maximum number of‌ vulnerabilities on a specific‌​‌ system hosted over a​​ cyber-range platform.
• Rémi Badonnel​​​‌ coordinated in 2025 the‌ local organization of REMPAR‌​‌ 2025 at TELECOM Nancy.​​ REMPAR is the largest​​​‌ national cyber crisis management‌ exercise managed by ANSSI‌​‌ (the French National Cybersecurity​​ Agency). This exercise mobilized​​​‌ a total of 5000‌ professionals from nearly 1000‌​‌ organizations at the national​​ level, including private companies,​​​‌ local authorities, prefectures, and‌ regional Computer Security Incident‌​‌ Response Teams (CSIRTs).
• Rémi​​ Badonnel participated to the​​​‌ organization of the Cyber‌ Humanum Est event, which‌​‌ corresponds to a 5-days​​ cyber wargame exercise dedicated​​​‌ to cyber crisis management,‌ bringing together more than‌​‌ 100 participants, and organized​​ under the aegis of​​​‌ the Cyber Defense Command‌ (COMCYBER) of the Ministry‌​‌ of Armed Forces, and​​ of Lorraine INP, the​​​‌ Collegium of Engineering Schools‌ of the University of‌​‌ Lorraine.

10.2.5 Participation in​​ Live events

This year​​​‌ Franco Terranova, Mohamed Amine‌ El Yagouby and Jhon‌​‌ Sebastian Rojas Rodriguez, three​​ RESISTteam PhD students participed​​​‌ to the national day‌ "Fête de la‌​‌ Science" (Science in​​ Fest): Quand l'IA anticipe​​​‌ les hackers (When IA‌ anticipates hackers)

International​​​‌ journals

• 6 articleS.​Santiago Ríos-Guiral, A.​‌Abdelkader Lahmadi, J.​​Juan F.Botero and S.​​​‌ A.Sergio A Gutiérrez​. Leveraging Reinforcement Learning​‌ for Traffic Engineering in​​ Programmable Networks: A Survey​​​‌.Communications Surveys and​ Tutorials, IEEE Communications Society​‌2025, 1 -​​ 1HALDOIback​​​‌ to textback to​ text

Invited conferences

• 7​‌ inproceedingsF.Franco Terranova​​, S.Sana Rekbi​​​‌, A.Abdelkader Lahmadi​ and I.Isabelle Chrisment​‌. Multi-Taxonomy Vulnerability Classification​​ with Hierarchically Finetuned Language​​​‌ Models.DIMVA 2026​ - Conference on Detection​‌ of Intrusions and Malware​​ and Vulnerability AssessmentChania,​​​‌ Crete, GreeceJuly 2026​HAL

International peer-reviewed conferences​‌

• 8 inproceedingsT.Tillmann​​ Angeli, F.Frédéric​​​‌ Beck, D.Daishi​ Kondo, I.Isabelle​‌ Chrisment, H.Hideki​​ Tode and H.Hans​​​‌ Schotten. Demo: SweetsPot:​ A Distributed Honeypot Federation​‌ Platform.Local Computer​​ Networks (LCN)Sydney, Australia​​​‌October 2025HALback​ to text
• 9 inproceedings​‌O.Omar Anser,​​ J.Jérôme François,​​​‌ I.Isabelle Chrisment and​ D.Daishi Kondo.​‌ TATA: Benchmark NIDS Test​​ Sets Assessment and Targeted​​​‌ Augmentation.ESORICS 2025​ - 30th European Symposium​‌ on Research in Computer​​ SecurityToulouse, FranceSeptember​​​‌ 2025HALback to​ textback to text​‌
• 10 inproceedingsA.Ahmad​​ Atwi and A.Abdelkader​​​‌ Lahmadi. LLM-Driven Causal​ Discovery for Monitoring Metrics​‌ in Computing Continuum Systems:​​ A Comparative Study.​​​‌LCN 2025 - IEEE​ 50th Conference on Local​‌ Computer NetworksSydney, Australia​​IEEEOctober 2025,​​​‌ 1-8HALDOIback​ to textback to​‌ text
• 11 inproceedingsM.​​ A.Mohamed Amine El​​​‌ Yagouby, A.Abdelkader​ Lahmadi, M.Mehdi​‌ Zakroum, O.Olivier​​ Festor and M.Mounir​​ Ghogho. Evaluating LLMs​​​‌ Efficiency Using Successive Attempts‌ on Binary-Outcome Tasks.‌​‌Actes de CORIA-TALN-RJCRI-RECITAL 2025.​​ Actes de l’atelier Évaluation​​​‌ des modèles génératifs (LLM)‌ et challenge 2025 (EvalLLM)‌​‌CORIA-TALN-RJCRI-RECITAL 2025Marseille, France​​June 2025, 120-126​​​‌HALback to text‌
• 12 inproceedingsM. A.‌​‌Mohamed Amine El Yagouby​​, A.Abdelkader Lahmadi​​​‌, M.Mehdi Zakroum‌, O.Olivier Festor‌​‌ and M.Mounir Ghogho​​. LLM-CVX: A Benchmarking​​​‌ Framework for Assessing the‌ Offensive Potential of LLMs‌​‌ in Exploiting CVEs.​​AISec 2025 - 18​​​‌ th ACM Workshop on‌ Artificial Intelligence and Security‌​‌Taipei, TaiwanOctober 2025​​HALDOIback to​​​‌ text
• 13 inproceedingsR.‌Rémi Garcia, A.‌​‌Abdelkader Lahmadi, P.-F.​​Pierre-François Gimenez and C.​​​‌Charles Sala. ROSCA:‌ Robust and Scalable Security‌​‌ Alert Correlation and Prioritisation​​ using the MITRE ATT&CK​​​‌ Framework.WATCH 2025‌ - First International Workshop‌​‌ on Analytics, Telemetry, and​​ Cybersecurity for HPCC (High​​​‌ Performance Computing and Communications)‌Taipei, Taiwan2025HAL‌​‌DOIback to text​​back to text
• 14​​​‌ inproceedingsM.Mohammadreza Ghafari‌, T.Thibault Cholez‌​‌ and O.Olivier Festor​​. Evaluation of Packet​​​‌ Wash for Low-Latency High-Bitrate‌ Game Streaming.EMS‌​‌ 2025 - 3rd Workshop​​ on Emerging Multimedia Systems​​​‌Coimbra, PortugalACMSeptember‌ 2025, 7-12HAL‌​‌DOIback to text​​back to text
• 15​​​‌ inproceedingsM.Mohammadreza Ghafari‌, T.Thibault Cholez‌​‌ and O.Olivier Festor​​. QoE Evaluation of​​​‌ BPP Packet Wash Using‌ ROI-based Scalable Video Coding‌​‌.ISM 2025 -​​ 27th IEEE International Symposium​​​‌ on MultimediaNaples, Italy‌IEEEDecember 2025,‌​‌ 1-8HALback to​​ textback to text​​​‌
• 16 inproceedingsP.Philippe‌ Graff, X.Xavier‌​‌ Marchal, T.Thibault​​ Cholez, S.Stéphane​​​‌ Tuffin, B.Bertrand‌ Mathieu and O.Olivier‌​‌ Festor. Amélioration de​​ la QoS du trafic​​​‌ de Cloud-Gaming : une‌ comparaison entre HTB et‌​‌ L4S.CORES 2025​​ - 10èmes Rencontres Francophones​​​‌ sur la Conception de‌ Protocoles, l'Evaluation de Performances‌​‌ et l'Expérimentation des Réseaux​​ de CommunicationCORES 2025​​​‌ - 10èmes Rencontres Francophones‌ sur la Conception de‌​‌ Protocoles, l'Evaluation de Performances​​ et l'Expérimentation des Réseaux​​​‌ de CommunicationSaint Valery-sur-Somme,‌ FranceJune 2025HAL‌​‌back to textback​​ to text
• 17 inproceedings​​​‌A.Aurélie Kpoze,‌ A.Abdelkader Lahmadi,‌​‌ M.Mingxiao Ma,​​ I.Isabelle Chrisment,​​​‌ J.Jules Degila and‌ A.Arnaud Ahouandjinou.‌​‌ Reconfiguration of Distributed Cooperative​​ Microgrid Control Systems via​​​‌ Deep Reinforcement Learning to‌ Mitigate Synchronization Attacks.‌​‌SmartGridComm 2025 - IEEE​​ International Conference on Communications,​​​‌ Control, and Computing Technologies‌ for Smart Grids2025‌​‌ IEEE International Conference on​​ Communications, Control, and Computing​​​‌ Technologies for Smart Grids‌ (SmartGridComm)North York, Canada‌​‌IEEEOctober 2025,​​ 1-7HALDOIback​​​‌ to textback to‌ textback to text‌​‌
• 18 inproceedingsJ. R.​​Joël Roman Ky,​​​‌ B.Bertrand Mathieu,‌ A.Abdelkader Lahmadi and‌​‌ R.Raouf Boutaba.​​ CATS: Contrastive learning for​​​‌ Anomaly detection in Time‌ Series.2024 IEEE‌​‌ International Conference on Big​​​‌ Data (Big Data)Washinghton​ DC, United StatesIEEE​‌January 2025HALDOI​​back to textback​​​‌ to text
• 19 inproceedings​J. R.Joël Roman​‌ Ky, B.Bertrand​​ Mathieu, A.Abdelkader​​​‌ Lahmadi, M.Minqi​ Wang, N.Nicolas​‌ Marrot and R.Raouf​​ Boutaba. RAID: Root​​​‌ cause Anomaly Identification and​ Diagnosis.ECML PKDD​‌ 2025 - European Conference​​ on Machine Learning and​​​‌ Principles and Practice of​ Knowledge Discovery in Databases​‌16020Lecture Notes in​​ Computer SciencePorto (Portugal),​​​‌ PortugalSpringer Berlin Heidelberg​October 2026, 438-455​‌HALDOIback to​​ textback to text​​​‌back to text
• 20​ inproceedingsM.Mohamed Oulaaffart​‌, R.Rémi Badonnel​​, N.Nicolas Schnepf​​​‌ and C.Christophe Bianco​. Enhancing Artificial Intelligence​‌ with Verification Techniques to​​ Support Automated Moving Target​​​‌ Defense in Cloud Composite​ Services.2025 IEEE​‌ 11th International Conference on​​ Network Softwarization (NetSoft)Budapest,​​​‌ FranceIEEEJune 2025​HALDOIback to​‌ textback to text​​
• 21 inproceedingsN.Nicolas​​​‌ Schnepf, R.Remi​ Badonnel, D.Damien​‌ Saucez, S.Stefan​​ Schmid and J.Jiří​​​‌ Srba. Eagle: Vulnerability​ and Congestion Aware Software​‌ Update Synthesis in Softwarized​​ Networks with a 5G​​​‌ Network Case Study.​IEEE XploreNOMS 2025​‌ - IEEE Network Operations​​ and Management SymposiumNOMS​​​‌ 2025-2025 IEEE Network Operations​ and Management SymposiumHawaii,​‌ United StatesIEEEMay​​ 2025, 1-9HAL​​​‌DOIback to text​back to text
• 22​‌ inproceedingsR.Runbo Su​​, A.Abdelkader Lahmadi​​​‌, Y.-Q.Ye-Qiong Song​ and J.-P.Jean-Philippe Mangeot​‌. Assessing 5G Connectivity​​ for Urbanloop: a Pod-based​​​‌ Autonomous Railway Transport System​.2025 IEEE 102nd​‌ Vehicular Technology ConferenceChengdu,​​ China2025HALback​​​‌ to textback to​ text
• 23 inproceedingsF.​‌Franco Terranova, A.​​Abdelkader Lahmadi and I.​​​‌Isabelle Chrisment. Scalable​ and Generalizable RL Agents​‌ for Attack Path Discovery​​ via Continuous Invariant Spaces​​​‌.2025 28th International​ Symposium on Research in​‌ Attacks, Intrusions and Defenses​​ (RAID)Gold Coast, Australia​​​‌October 2025, 440-457​HALDOIback to​‌ textback to text​​back to textback​​​‌ to text
• 24 inproceedings​W.Wafik Zahwa,​‌ A.Abdelkader Lahmadi,​​ M.Michaël Rusinowitch and​​​‌ M.Mondher Ayadi.​ Deep Reinforcement Learning for​‌ In-Network Placement of ACL​​ Rules Under Constraints.​​​‌IEEE ExploreCNSM 2025​ - 21st International Conference​‌ on Network and Service​​ ManagementBologne, ItalyOctober​​​‌ 2025HALback to​ textback to text​‌

Doctoral dissertations and habilitation​​ theses

• 25 thesisJ.​​​‌ R.Joël Roman Ky​. Anomaly Detection and​‌ Root Cause Diagnosis for​​ Low-Latency Applications in Time-Varying​​​‌ Capacity Networks.Université​ de LorraineApril 2025​‌HALback to text​​back to textback​​​‌ to text
• 26 thesis​A.Abdelkader Lahmadi.​‌ Contributions to the Monitoring​​ and Security of Networked​​​‌ Systems.Université de​ Lorraine (UL)March 2025​‌HAL

Reports & preprints​​

• 27 miscR.Ruslan​​​‌ Bondaruc, N.Nicolas​ Schnepf, R.Rémi​‌ Badonnel, C. A.​​Claudio A. Ardagna and​​ M.Marco Anisetti.​​​‌ Towards Secure Service Deployment‌ in Cloud-Edge Continuum.‌​‌January 2025HALback​​ to textback to​​​‌ text
• 28 reportH.‌Hervé Debar, L.‌​‌Ludovic Mé, J.​​Jean Leneutre, V.​​​‌Vincent Nicomette, J.‌Jérôme François, C.‌​‌Cédric Gouy-Pailler, G.​​Gregory Blanc and S.​​​‌Stéphane Mocanu. SuperviZ‌ supervision et orchestration de‌​‌ la sécurité Rapport d’avancement​​ à mi-projet.Télécom​​​‌ SudParis (Institut Mines-Télécom); Inria‌October 2025, 1-56‌​‌HAL
• 29 reportH.​​Hervé Debar, L.​​​‌Ludovic Mé, J.‌Jean Leneutre, V.‌​‌Vincent Nicomette, J.​​Jérôme François, C.​​​‌Cédric Gouy-Pailler, G.‌Gregory Blanc and S.‌​‌Stéphane Mocanu. Superviz​​ project mid-term progress report​​​‌.Télécom SudParis (Institut‌ Mines-Télécom); InriaOctober 2025‌​‌HALback to text​​
• 30 miscV. H.​​​‌Victor Henrique de Moura‌ Netto, T.Thibault‌​‌ Cholez and C.-L.Claudia-Lavinia​​ Ignat. Active Sybil​​​‌ Attack and Efficient Defense‌ Strategy in IPFS DHT‌​‌.May 2025HAL​​back to text
• 31​​​‌ miscN.Nicolas Schnepf‌, R.Rémi Badonnel‌​‌, D.Damien Saucez​​, J.Jiri Sbara​​​‌ and S.Stephan Schmid‌. Towards Vulnerability and‌​‌ Congestion Aware Software Update​​ Synthesis for Softwarized Networks​​​‌.January 2025HAL‌back to textback‌​‌ to text

Software

• 32​​ softwareF.Franco Terranova​​​‌, A.Abdelkader Lahmadi‌ and I.Isabelle Chrisment‌​‌. Continuous CyberBattleSim.​​1.0.0July 2025 lic:​​​‌ https://spdx.org/licenses/MIT.HALSoftware‌ HeritageVCSback to‌​‌ text