Projet de recherche doctoral numero :3395


Date depot: 1 janvier 1900
Titre: Study of attack mitigation techniques in cross-domain environments using privacy-aware monitoring
Directeur de thèse: Hervé DEBAR (LTCI (EDMH))
Domaine scientifique: Sciences et technologies de l'information et de la communication
Thématique CNRS : Non defini

Resumé: {{SUJET ATTRIBUE NE PAS CANDIDATER}} --- This PhD proposal addresses the domain of information systems and networks security, and more specifically operational network security. The objective of operational network and system security is to monitor information systems and networks, looking for evidence of attacks. The PhD will address three activities related to privacy-aware monitoring and threat mitigation : -* The work will investigate novel cooperative distributed detection algorithms aimed at recognizing global events - most prominently DDoS and botnet operations, but also ongoing malware infections and spam campaigns originated by botnets over email, Internet Telephony and Instant Messaging - based on a the exchange of partial information as available after aggregation and privacy protection. In other words, the detection algorithms traditionally designed to work with complete information from a local observation point will be evolved and complemented with global but incomplete information from other domains, in a combination of local and global processing. Moreover, the interplay between local and global processing must be dynamic and closed-loop: the output of global cooperative processing can provide input for and steer the local processing, e.g. by requiring a tighter analysis of certain traffic components recognized as suspicious, or instructing the local probes to adapt the local processing parameters to the global traffic status. -* The work will move beyond the IP-centric approach (where only IP-headers and IP-flows are analyzed) and explore novel cross-layer detection methods, where also application-layer data are extracted and analyzed in combination to network-level data. In this way the task of botnet and spam detection can benefit from the availability of application-level semantic and more complete end-to-end information between the remote users. In this regard the project will provide proof-of-concept detection modules focused on a selected set of applications, to be identified in the first phase of the project. -* The work will finally design and implement novel strategies for cross-operator cooperative mitigation and reaction that take advantage from the global view provided by the project’s platform. The challenge here is to develop strategies that can co-exist with individual operators’ policies and deployed legacy systems, allowing each operator to maintain full control over the information (e.g. alerts) received by and exported to other domains.

Doctorant.e: Hachem Nabil