ghoul sa7bi


  • MADYNES team

    The example team is a LORIA team and an Inria Grand Est project.

    Web page: http://madynes.loria.fr

    Objectives: MADYNES (MAnaging DYnamic NEtworks and Services) is a research team devoted to investigating the management and security issues of new networks and services. Its main objective is to develop novel approaches and algorithms that can cope with the increasing dynamics and scale, both major attributes of emerging networks.

    Scientific themes & research topics: The team investigates: self-* techniques for network management combining distributed monitoring, self-configuration and healing approaches for highly dynamic networks; security management and assessment models, architectures and algorithms for sensitive networked services involving a large number of devices; scalability, uncertainty and robustness issues in both the management and the functional planes of tomorrow's Internet.

    Applications: We apply and validate our approaches on various application domains including P2P overlays, Internet of Things, Information/Content Centric Networks, and industrial systems.

    Industrial and academic collaborations: To perform the evaluation and assessment of our models, we have access and contribute to large experimental facilities like the High Security Laboratory at LORIA, PlanetLab and IoT-LAB. We also develop strong cooperation with both industry and academia through national and European-level projects like the FLAMINGO Network of Excellence Project focusing on Network and Service Management.


  • Subject 1: Experimentation tools for Software Defined Networking and Named Data Networking

    Proposed by: Lucas Nussbaum

    Executive summary: Extend the Grid5000 testbed and the Distem emulator to enable experimentation on SDN and NDN.

    Key technical skills required: interest in (and willingness to learn about) deep & dirty technical stuff in Linux environments; system/network programming and administration.

    Research team name: Madynes
    Research Unit: LORIA / Inria Nancy Grand Est
    Intern tutors: Lucas Nussbaum

    Internship duration: 4 to 6 months
    Followed by a PhD: possible (but not mandatory)

    Context

    Software Defined Networking (SDN) and Named-Data Networking (NDN) are two new paradigms that aim at changing the way we design and architect networks. In a nutshell, SDN is to managing networks what Cloud infrastructures are to managing servers: by moving the control to software, it brings better scalability, elasticity, resilience, etc. Named-Data Networking explores the idea of moving from the current host-centric (IP-address-centric) architecture to one where data and content are at the center of the design.

    To evaluate algorithms and software targeting those architectures, experimentation tools are required: simulators, emulators, testbeds.

    We are already involved in the design of two experimentation tools: first, the Grid5000 testbed, which is a major testbed for research on HPC, Clouds and Big Data; second, the Distem emulator, which relies on Linux technologies to emulate varying performance and arbitrary network topologies on top of clusters of homogeneous nodes (typically from Grid5000).

    Description

    The goal of this project is to design extensions to Grid5000 and Distem to support experimentation on SDN and NDN. Typically, the intern will:

    1. Evaluate requirements for experiments on SDN and/or NDN, by doing a survey of existing experimentation tools and recent experimental studies.
    2. Design extensions to Grid5000 and/or Distem to enable/enhance experimental capabilities in the contexts of SDN and NDN.
    3. Evaluate those extensions by performing experiments on SDN and NDN.

    Depending on opportunities for convergence (and on the interest of the intern), the internship will focus first on Grid5000 and SDN, or on Distem and NDN.

    Links
    Distem: http://distem.gforge.inria.fr/
    Grid5000: http://www.grid5000.fr/


  • Subject 2: Sizing a gateway network for the IoT

    Proposed by: Emmanuel Nataf

    General information
    Supervisors: Emmanuel Nataf
    Address: LORIA, Campus Scientifique - BP 239, 54506 Vandœuvre-lès-Nancy
    Telephone: 03 59 20 49
    Email: [email protected] B 128

    Motivations

    The Internet of Things (IoT) is a domain in which a number of objects (notably sensors) form one or more networks in order to carry information to a gateway to the Internet. These networks are wireless, and their topology adapts to the conditions of the environment and to the state (notably the battery state) of the objects.

    These networks will multiply within the same geographical area (building, city [2]), which raises the problem of sizing the gateways so that a large sensor network can use several gateways and a single gateway can connect several networks to the Internet [1] [3].

    Subject

    The subject consists of proposing a solution that allows the resources of the gateways to be shared in order to best serve different sensor networks. On the one hand, the networks have an interest in using as many gateways as possible, because this limits communication between sensors, which is costly in energy. On the other hand, the gateways must be available to accept as many networks as possible, and must therefore choose not to relay certain networks that are already sufficiently relayed by other gateways, so as to be able to accept new sensor networks.

    This is an optimization problem that must be parameterized by various factors, such as the quality of service requested by a network, the load that relaying represents, ...

    Work setting

    We work with a routing protocol standardized by the IETF [4], which is implemented in the Contiki operating system, programmed in C. The sensors can first be simulated in Cooja before moving on to real sensors (of type Sky). The gateways will be implemented on nano-computers (raspberry) equipped with a communication card for talking to the sensors.

    After a study of the existing work, the work must include proposals for formulating the optimization problem and a method for solving it. The dynamic aspect of sensor networks will have to be taken into account. As sensors appear or disappear, the gateways must adapt in order to respect the constraints. However, the number and position of the gateways are fixed and known.

    References

    [1] Thomas Zachariah, Noah Klugman, Bradford Campbell, Joshua Adkins, Neal Jackson and Prabal Dutta. The Internet of Things Has a Gateway Problem. In Proceedings of the 16th International Workshop on Mobile Computing Systems and Applications. ACM, 2015.

    [2] Vitor Hugo Okabayashi, Igor Cesar Gonzalez Ribeiro, Diego Menezes Passos and Célio Vinicius Neves Albuquerque. A Resilient Dynamic Gateway Selection Algorithm Based on Quality Aware Metrics for Smart Grids. In Proceedings of the 18th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems, 2015.

    [3] Preetha Thulasiraman. RPL Routing for Multigateway AMI Networks Under Interference Constraints. In IEEE International Conference on Communications (ICC), 2013.

    [4] T. Winter, P. Thubert et al. RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks. Request for Comments 6550, IETF.


  • Subject 3: Automating Security Function Chaining for Protecting Smartphones

    Proposed by: Rémi Badonnel, Abdelkader Lahmadi

    General information
    Supervisors: Rémi Badonnel, Abdelkader Lahmadi, Olivier Festor
    Address: LORIA - INRIA Nancy Grand Est, Campus Scientifique, 54500 Vandœuvre-lès-Nancy
    Telephone: 03 54 95 86 39
    Email: [email protected] B 126

    Motivations

    High-speed mobile networking has led to the large-scale deployment of smart devices, such as Android smartphones and tablets, offering multiple services and applications for end-users, but also being an attractive target for attackers. Most current security solutions for them are available in the form of applications or packages to be directly installed on the devices themselves. Such on-device approaches offer some advantages, including a consistent view of the system state during security operations, as well as the self-contained aspect they adopt. However, these approaches generally induce significant resource consumption on the devices, leading to the reduction of the battery lifetime. In the meantime, current cloud-based solutions deal with this issue by offloading most of the workload to a remote server, while only installing lightweight agents on the devices. Such solutions reduce the amount of resources used on the devices, but at least two major problems remain. The first one is the involvement of the users, who generally do not have the required knowledge to properly make security decisions, in the case of settings or alerts for instance. The second one is the flexibility of such solutions and their capacity to contextualize the device state to know how and when to use them.

    Subject

    This Master thesis will consist of proposing, evaluating and implementing an approach for automating security function chaining in order to protect smartphones. The security functions, hosted on cloud infrastructures or kept locally on the devices, will be activated and chained dynamically depending on contextual parameters. A first part of the work will be dedicated to the analysis of security function chaining methods and techniques. The targeted environment will be the Android operating system due to its large-scale deployment. A particular focus will be given to software-defined networking and network function virtualization in that context. A second part will be centred on the elaboration of an orchestrator and its algorithms, built on top of a software-defined networking controller, in order to support the protection of Android smartphones based on chained security functions.

    Work setting

    The internship will take place in the MADYNES research team at LORIA - INRIA Nancy Grand Est. First, the Master student will get familiar with security function outsourcing and chaining in the context of cloud infrastructures. He will then propose and implement an orchestrator and its algorithms for driving the dynamic chaining of security functions. The proposed strategy will be evaluated based on analytical results and experimentation. Required skills: strong skills in programming (Python/Java), networking and systems, solid mathematical background.

    References

    [1] G. Hurel, R. Badonnel, A. Lahmadi, O. Festor. Behavioral and Dynamic Security Functions Chaining For Android Devices. Proceedings of the IFIP/IEEE/In Assoc. with ACM SIGCOMM International Conference on Network and Service Management (CNSM), Nov 2015, Barcelone, France.

    [2] G. Hurel, R. Badonnel, A. Lahmadi, O. Festor. Towards Cloud-Based Compositions of Security Functions For Mobile Devices. Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM15), May 2015, Ottawa, Canada.

    [3] J. Bergstra and M. Burgess. Handbook of Network and System Administration. Elsevier Edition, 2007. http://research.iu.hio.no/asysadm.php.


  • Subject 4: Automated Generation of Complex Attack Trees

    Proposed by: Abdelkader Lahmadi

    General information
    Supervisors: Abdelkader Lahmadi, Olivier Festor, Jérôme François
    Address: LORIA, Campus Scientifique - BP 239, 54506 Vandœuvre-lès-Nancy
    Telephone: 03 54 95 84 78
    Email: [email protected] B 266

    Motivations

    Complex and targeted attacks are among the fastest-growing information threats that companies, organizations and government agencies are facing today. This has been intensified by the large deployment of new devices in addition to traditional computers, and mainly because attackers have evolved from individuals towards organized cyber-criminal organizations able to mount more sophisticated and complex attacks. A complex attack is characterized by its low profile and slow mode, involving several attack steps, some of which are detected by traditional detection systems (IDS, IPS, firewall, antivirus, ...). However, these steps are scattered spatially and temporally and seem to be unrelated, but as a whole they constitute a single powerful attack. Fighting such a threat therefore requires modeling, analyzing and correlating various sources of data to create summarized views that are exploitable by security analysts and, if possible, in real time and in an automated way.

    Subject

    The objective of this master thesis is to design and develop a methodology to generate, in an automated way, attack trees that will be useful to model the steps an attacker requires to reach its goal. In the first part of the work, we will mainly rely on the Common Attack Pattern Enumeration and Classification (CAPEC) provided by MITRE to generate attack tree models. A second part will be dedicated to their enrichment and matching against monitoring data and attack traces.

    Work setting

    The internship will take place in the Madynes research team at LORIA - INRIA Nancy Grand Est. In this work, we will use several network data sets, including full data sets from LHS (Laboratory of High Security) and also data sets from a running national project.

    References

    [1] The MITRE Corporation. Common Attack Pattern Enumeration and Classification.

    [2] E. Godefroy, E. Totel, M. Hurfin, F. Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. In 2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. IEEE, pp. 6.

    [3] S. Paul. Towards Automating the Construction & Maintenance of Attack Trees: a Feasibility Study. In Proceedings of the 1st International Workshop on Graphical Models for Security (GraMSec 2014), co-located with The European Joint Conferences on Theory and Practice of Software (ETAPS 2014), pp. 31-46.

    [4] S.A. Camtepe, B. Yener. Modeling and detection of complex attacks. In Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on, pp. 234-243, 17-21 Sept. 2007.


  • Subject 5: Formal Verification of Security Function Chains

    Proposed by: Rémi Badonnel, Abdelkader Lahmadi

    General information
    Supervisors: Rémi Badonnel, Abdelkader Lahmadi, Olivier Festor, Stephan Merz
    Address: LORIA - INRIA Nancy Grand Est, Campus Scientifique, 54500 Vandœuvre-lès-Nancy
    Telephone: 03 54 95 86 39
    Email: [email protected] B 126

    Motivations

    High-speed mobile networking has led to the large-scale deployment of smart devices, such as Android smartphones and tablets, offering multiple services and applications for end-users, but also being an attractive target for attackers. Most current security solutions for them are available in the form of applications or packages to be directly installed on the devices themselves. Such on-device approaches offer some advantages, including a consistent view of the system state during security operations, as well as the self-contained aspect they adopt. However, these approaches generally induce significant resource consumption on the devices, leading to the reduction of the battery lifetime. In the meantime, current cloud-based solutions deal with this issue by offloading most of the workload to a remote server, while only installing lightweight agents on the devices. Such solutions reduce the amount of resources used on the devices, but at least two major problems remain. The first one is the involvement of the users, who generally do not have the required knowledge to properly make security decisions, in the case of settings or alerts for instance. The second one is the flexibility of such solutions and their capacity to contextualize the device state to know how and when to use them. In the MADYNES team, we proposed a solution based on Network Function Virtualization (NFV) and Software Defined Networks (SDN) to elaborate service function chains that offload mobile security functions to the cloud. However, inconsistent or incomplete chains could cause a breakdown of the supporting monitoring infrastructure.

    Subject

    This Master thesis will consist of using formal methods for the verification and generation of service function chains applied to security monitoring. The security functions, hosted on cloud infrastructures or kept locally on the devices, will be activated and chained dynamically depending on contextual parameters. A first part of the work will be dedicated to the elaboration of a methodology to efficiently cut security configurations between a device and the cloud. The cutting problem will be formulated as a constraint satisfaction problem and solved using SAT or SMT solvers. The second part will be dedicated to the extension of the proposed methodology to the verification of the obtained network function chains regarding their consistency with the security requirements. The targeted environment will be the Android operating system due to its large-scale deployment.

    Work setting

    The internship will take place in the MADYNES research team at LORIA - INRIA Nancy Grand Est. First, the Master student will get familiar with security function outsourcing and chaining in the context of cloud infrastructures. He will then propose and elaborate the methodology using formal tools and techniques for verification in virtualized environments. Required skills: strong skills in programming (Python/Java), solid formal methods background.

    References

    [1] G. Hurel, R. Badonnel, A. Lahmadi, O. Festor. Behavioral and Dynamic Security Functions Chaining For Android Devices. Proceedings of the IFIP/IEEE/In Assoc. with ACM SIGCOMM International Conference on Network and Service Management (CNSM), Nov 2015, Barcelone, France.


    [2] G. Hurel, R. Badonnel, A. Lahmadi, O. Festor. Towards Cloud-Based Compositions of Security Functions For Mobile Devices. Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM15), May 2015, Ottawa, Canada.

    [3] M-K. Shin, K. Nam, S. Pack, S. Lee, R. Krshnan, T. Kim. Verification of NFV Services: Problem Statement and Challenges. https://tools.ietf.org/html/draft-shin-nfvrg-service-verification-04.


  • Subject 6: Security Monitoring Using Virtual Reality Platforms

    Proposed by: Abdelkader Lahmadi

    General information
    Supervisors: Abdelkader Lahmadi, Jérôme François
    Address: LORIA, Campus Scientifique - BP 239, 54506 Vandœuvre-lès-Nancy
    Telephone: 03 54 95 84 78
    Email: [email protected] and [email protected] B 138

    Motivations

    The huge growth of the Internet exposes many users to various threats. This has been intensified by the large deployment of new devices in addition to traditional computers. This includes smartphones and sensors, and will concern everyday objects in the near future with the emergence of the Internet of Things (IoT) in recent years. Hence, this represents a tremendous playground for attackers. To fight them, security monitoring is an essential activity to identify misbehaviors and potential victims as early as possible. Usually, this activity relies on security analysts, who use several visualization tools to analyze data, helping them to identify attack patterns and malicious activities. However, this discovery process using data visualization is currently becoming challenging, since the volume, the rate and the complexity of log data are growing; the data are multi-dimensional (events, logs, IP addresses, ports, text, etc.) and also multi-source (network flows, DNS records, network traffic, blacklist records, server logs, firewall logs, etc.). Massive data vectors collected when monitoring systems, networks and services encapsulate key features for discovering and finding attack activities, security breaches and anomalies, and at the same time they require new tools and techniques to support their analysis and investigation.

    Subject

    In this master thesis, the goal is to develop a novel visual exploration technique based on a virtual reality platform for the analysis and discovery of patterns inside monitoring data. Visualization is a well-established technique to link the content of data and human intuition to discover knowledge and extract patterns. However, humans are used to seeing the world in 3 dimensions. A first part of the work will be dedicated to the transformation of multi-dimensional data vectors generated by security monitoring tools into 3D objects, and the second part will be dedicated to the development of techniques using immersive virtual reality devices to build an interactive and visual exploration platform.

    Work setting

    The internship will take place in the Madynes research team at LORIA - INRIA Nancy Grand Est. In this work, the student will use several network data sets, including full data sets collected from LHS (Laboratory of High Security). The student will also get familiar with Oculus Rift device programming and environments. In this work, the student will also use big data techniques for data processing and web-based virtual reality technologies for visualization.

    References

    [1] C. Donalek, et al. Immersive and Collaborative Data Visualization Using Virtual Reality Platforms. In Proceedings of IEEE International Conference on Big Data, page 609, 2014.

    [2] Cloud Security Alliance. Big Data Analytics for Security Intelligence.

    [3] W. Lidong, W. Guanghui and A. Cheryl Ann. Big Data and Visualization: Methods, Challenges and Technology Progress. In Digital Technologies, Volume 1, Number 1, Pages 33-38, 2015.