Previous | 
Home
Section: New Results
Intrusion Detection
Metamorphic codes :
In [12] , we have proposed a advance code obfuscation technique for metamorphic codes (i.e., codes that automatically recode themselves each time they propagates or are distributed). We have shown that the detection of such codes was a problem for classical nowadays static detection tools. In [25] , we focus on a new dynamic detection approach which allows to detect variants produced by our metamorphic engine. In addition, our approach can detect unknown malware as long as their behavior approaches that of a known malware. For this, we propose to use a measure of similarity between program behaviors. This measure is obtained by lossless compression of execution traces in terms of system calls.
Intrusion Detection based on an Analysis of the Flow Control :
In [13] , intrusion detection mechanisms based on the construct a model of normal behavior of the supervised entity are studied. Such a model is used during the detection phase to raise an alarm when a deviation is observed. This approach allows to detect unknown attacks.
The most common anomaly detection mechanisms at application level consist in detecting a deviation of the control-flow of a program. A popular method to detect such anomaly is the use of application sequences of system calls. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhance such detection mechanisms, we propose in [27] an approach to detect in the application the corruption of data items that have an influence on the system calls. This approach consists in building automatically a data-oriented behavior model of an application by static analysis of its source code. The proposed approach is illustrated on various examples, and an injection method is experimented to obtain an approximation of the detection coverage of the generated mechanisms.
Most of today's MAC implementations can be turned into permissive mode, where no enforcement is performed but alerts are raised instead. This behavior is very close to an anomaly IDS except that the system is configured through a MAC policy. MAC implementations such as SELinux and AppArmor come with a default policy including real life and practical rules ready to be used as is or as a basis for a custom policy. In [30] , we first propose an extension of an IDS based on information flow control. We address issues concerning programs execution and improve its expressiveness in terms of security policy. This extended model can be configured to reach a wide variety of different security goals. Particularly, it allows for information flow checking based on users and/or programs dependent policy rules. Furthermore, suspicious modification of binary programs can be detected to avoid malware execution. We also propose an algorithm for deriving an AppArmor MAC policy into an information flow policy, and thus get the advantage of having a ready to use policy offering good security. An integration within Android is described in [37] .
Flow based Interpretation of Access Control Policies :
In [32] , we introduce a formal property characterizing access control policies for which the interpretations of access control as mechanism over objects and as mechanism over information contained into objects are similar. This leads us to define both a flow based interpretation of access control policies and the information flows generated during the executions of a system implementing an access control mechanism. When these two interpretations are not equivalent, we propose to add a mechanism dedicated to illegal information flow detection to the mechanism of access control over objects. Such a mechanism is parameterized by the access control policy and is proved sound and complete. We also briefly describe two real implementations, at two levels of granularity, of our illegal flow detection mechanism: one for the Linux operating system and one for the Java Virtual Machine.
Intrusion Detection based on Invariants :
RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) [40] is an application level intrusion detection system for applications implemented with the Ruby on Rails framework. The goal of this intrusion detection system is to detect attacks against data in the context of web applications. This anomaly based IDS focuses on the modeling of the normal application profile using invariants. These invariants are discovered during a learning phase. Then, they are used to instrument the web application at source code level, so that a deviation from the normal profile can be detected at run-time. On simple examples we show how the approach detects well known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.
Alert Correlation :
Alert correlation is a crucial problem for monitoring and securing computer networks. It consists in analyzing the alerts triggered by intrusion detection systems (IDSs) and other security related tools in order to detect complex attack plans, discover false alerts, etc. The huge amounts of alerts raised continuously by IDSs and the impossibility for security operators to efficiently analyze them requires tools for eliminating false and redundant alerts on the one hand and prioritize them according the detected activities? dangerousness and preferences of the analysts on the other hand. In [35] , we describe an architecture that combines AI-based approaches for representing and reasoning with security operators? knowledge and preferences. Moreover, this architecture allows to combines experts' knowledge with machine learning and classifier based tools. This prototype collects the alerts raised by security related tools and analyzes them automatically.
Trust-Based IDS for the AODV Protocol :
Routing in ad hoc networks is based on mutual trust between collaborating nodes. Security problems arise when supposedly honest nodes lie deliberately to maximize their profit. In [11] , we are interested in detecting misbehaving nodes within the ad hoc routing protocol AODV. We propose and implement a real-time intrusion detection system based on implicit trust relations: a node implementing this system collects its neighbors' routing messages and reasons on them to decide on their honesty. We also evaluate our implementation, and, based on simulations, show that the system we have developed to detect dishonest behavior is efficient.
Modelization and Simulation of Zombies Behaviours :
In [26] , we study the modelization and simulation of zombie machines for the evaluation of Network Intrusion Detection Systems (NIDS), used to detect botnets. We propose an automatic method to infer zombies behaviours through the analysis of messages exchanged with their masters. Once computed, a model provides a way to generate realistic and manageable traffic, which is mandatory for an NIDS evaluation. We propose to use a Stochastic Mealy Machine to model zombies behaviours, and an active inference algorithm to learn it. With our approach, it is possible to generate a realistic traffic corresponding to the communications of botnets while ensuring its controllability in the context of an NIDS evaluation.