Modélisation formelle des systèmes de détection d'intrusions

L’écosystème de la cybersécurité évolue en permanence en termes du nombre, de la diversité, et de la complexité des attaques. De ce fait, les outils de détection deviennent inefficaces face à certaines attaques. On distingue généralement trois types de systèmes de détection d’intrusions : détection par anomalies, détection par signatures et détection hybride. La détection par anomalies est fondée sur la caractérisation du comportement habituel du système, typiquement de manière statistique. Elle permet de détecter des attaques connues ou inconnues, mais génère aussi un très grand nombre de faux positifs. La détection par signatures permet de détecter des attaques connues en définissant des règles qui décrivent le comportement connu d’un attaquant. Cela demande une bonne connaissance du comportement de l’attaquant. La détection hybride repose sur plusieurs méthodes de détection incluant celles sus-citées. Elle présente l’avantage d’être plus précise pendant la détection. Des outils tels que Snort et Zeek offrent des langages de bas niveau pour l’expression de règles de reconnaissance d’attaques. Le nombre d’attaques potentielles étant très grand, ces bases de règles deviennent rapidement difficiles à gérer et à maintenir. De plus, l’expression de règles avec état dit stateful est particulièrement ardue pour reconnaître une séquence d’événements. Dans cette thèse, nous proposons une approche stateful basée sur les diagrammes d’état-transition algébriques (ASTDs) afin d’identifier des attaques complexes. Les ASTDs permettent de représenter de façon graphique et modulaire une spécification, ce qui facilite la maintenance et la compréhension des règles. Nous étendons la notation ASTD avec de nouvelles fonctionnalités pour représenter des attaques complexes. Ensuite, nous spécifions plusieurs attaques avec la notation étendue et exécutons les spécifications obtenues sur des flots d’événements à l’aide d’un interpréteur pour identifier des attaques. Nous évaluons aussi les performances de l’interpréteur avec des outils industriels tels que Snort et Zeek. Puis, nous réalisons un compilateur afin de générer du code exécutable à partir d’une spécification ASTD, capable d’identifier de façon efficiente les séquences d’événements.Abstract : The cybersecurity ecosystem continuously evolves with the number, the diversity, and the complexity of cyber attacks. Generally, we have three types of Intrusion Detection System (IDS) : anomaly-based detection, signature-based detection, and hybrid detection. Anomaly detection is based on the usual behavior description of the system, typically in a static manner. It enables detecting known or unknown attacks but also generating a large number of false positives. Signature based detection enables detecting known attacks by defining rules that describe known attacker’s behavior. It needs a good knowledge of attacker behavior. Hybrid detection relies on several detection methods including the previous ones. It has the advantage of being more precise during detection. Tools like Snort and Zeek offer low level languages to represent rules for detecting attacks. The number of potential attacks being large, these rule bases become quickly hard to manage and maintain. Moreover, the representation of stateful rules to recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular representation of a specification, that facilitates maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks. Next, we specify several attacks with the extended notation and run the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter with industrial tools such as Snort and Zeek. Then, we build a compiler in order to generate executable code from an ASTD specification, able to efficiently identify sequences of events

Novel approaches to applied cybersecurity in privacy, encryption, security systems, web credentials, and education

Applied Cybersecurity is a domain that interconnects people, processes, technologies, usage environment and vulnerabilities in a complex manner. As a cybersecurity expert at CTI Renato Archer- a research institute from Brazilian Ministry of Science, Technology and Innovations, author developed novel approaches to help solve practical and practice-based problems in applied cybersecurity over the last ten years. The needs of the government, industry, customers, and real-life problems in five categories: Privacy, Encryption, Web Credentials, Security Systems and Education, were the research stimuli. Based on prior outputs, this thesis presents a cohesive narrative of the novel approaches in the mentioned categories consolidating fifteen research publications. The customers and society, in general, expect that companies, universities, and the government will protect them from any cyber threats. Fifteen research papers that compose this thesis elucidate a broader context of cyber threats, errors in security software and gaps in cybersecurity education. This thesis's research points out that a large number of organisations are vulnerable to cyber threats and procedures and practices around cybersecurity are questionable. Therefore, society expects a periodic reassessment of cybersecurity systems, practices and policies. Privacy has been extensively debated in many countries due to personal implications and civil liberties with citizenship at stake. Since 2018, GDPR has been in force in the EU and has been a milestone for people and institutions' privacy. The novel work in privacy, supported by four research papers, discusses the private mode navigation in several browsers and shows how privacy is a fragile feeling. The secrets of different companies, countries and armed forces are entrusted to encryption technologies. Three research papers support the encryption element discussed in this thesis. It explores vulnerabilities in the most used encryption software. It provides data exposure scenarios showing how companies, government and universities are vulnerable and proposes best practices. Credentials are data that give someone the right to access a location or a system. They usually involve a login, a username, email, access code and a password. It is customary to have a rigorous demand for security credentials a sensitive system of information. The work on web credentials in this thesis, supported by one research paper, examines a novel experiment that permits the intruder to extract user credentials in home banking and e-commerce websites, revealing common cyber flaws and vulnerabilities. Antimalware systems are complex software engineering systems purposely designed to be safe and reliable despite numerous operational idiosyncrasies. Antimalware systems have been deployed for protecting information systems for decades. The novel work on security systems presented in the thesis, supported by five research papers, explores antimalware attacks and software engineering structure problems. Cybersecurity's primary awareness is expected through school and University education, but the academic discourse is often dissociated from practice. The discussion-based on two research papers presents a new insight into cybersecurity education and proposes an IRCS Index of Relevance in Cybersecurity (IRCS) to classify the computer science courses offered in UK Universities relevance of cybersecurity in their curricula. In a nutshell, the thesis presents a coherent and novel narrative to applied cybersecurity in five categories spanning software, systems, and education

A model for enhancing software project management using software agent technology

The present study has originated from the realisation that numerous software development projects either do not live up to expectations or fail outright. The scope, environment and implementation of traditional software projects have changed due to various reasons such as globalisation, advances in computing technologies and, last but not least, the development and deployment of software projects in distributed, collaborative and virtual environments. As a result, traditional project management methods cannot and do not address the added complexities found in this ever-changing environment. In this study the processes and procedures associated with software project management (SPM) were explored. SPM can be defined as the process of planning, organising, staffing, monitoring, controlling and leading a software project. The current study is principally aimed at making a contribution to enhancing and supporting SPM. A thorough investigation into software agent computing resulted in the realisation that software agent technology can be regarded as a new paradigm that may be used to support the SPM processes. A software agent is an autonomous system that forms part of an environment, can sense the environment and act on it over a period of time, in pursuit of its own agenda. The software agent can also perceive, reason and act by selecting and executing an appropriate action. The unique requirements of SPM and the ways in which agent technology may address these were subsequently identified. It was concluded that agent technology is specifically suited to geographically distributed systems, large network systems and mobile devices. Agents provide a natural metaphor for support in a team environment where cooperation and the coordination of actions toward a common goal, as well as the monitoring and controlling of actions are strongly supported. Although it became evident that agent technology is indeed being applied to areas and sections of the SPM environment, it is not being applied to the whole spectrum, i.e. to all core and facilitating functions of SPM. If software agents were to be used across the whole spectrum of SPM processes, this could provide a significant advantage to software project managers who are currently using other contemporary methods. The "SPMSA" model (Software Project Management supported by Software Agents) was therefore proposed. This model aims to enhance SPM by taking into account the unique nature and changing environment of software projects. The SPMSA model is unique as it supports the entire spectrum of SPM functionality, thus supporting and enhancing each key function with a team of software agents. Both the project manager and individual team members will be supported during software project management processes to simplify their tasks, eliminate the complexities, automate actions and enhance coordination and communication. Virtual teamwork, knowledge management, automated workflow management and process and task coordination will also be supported. A prototype of a section of the risk management key function of the SPMSA model was implemented as `proof of concept'. This prototype may be expanded to include the entire SPMSA model and cover all areas of SPM. Finally, the SPMSA model was verified by comparing the SPM phases of the model to the Plan-Do-Check-Act (PDCA) cycle. These phases of the SPMSA model were furthermore compared to the basic phases of software development as prescribed by the ISO 10006:2003 standard for projects. In both cases the SPMSA model compared favourably. Hence it can be concluded that the SPMSA model makes a fresh contribution to the enhancement of SPM by utilising software agent technology.School of ComputingPh. D. (Computer Science

Anales del XIII Congreso Argentino de Ciencias de la Computación (CACIC)

Contenido: Arquitecturas de computadoras Sistemas embebidos Arquitecturas orientadas a servicios (SOA) Redes de comunicaciones Redes heterogéneas Redes de Avanzada Redes inalámbricas Redes móviles Redes activas Administración y monitoreo de redes y servicios Calidad de Servicio (QoS, SLAs) Seguridad informática y autenticación, privacidad Infraestructura para firma digital y certificados digitales Análisis y detección de vulnerabilidades Sistemas operativos Sistemas P2P Middleware Infraestructura para grid Servicios de integración (Web Services o .Net)Red de Universidades con Carreras en Informática (RedUNCI

Anales del XIII Congreso Argentino de Ciencias de la Computación (CACIC)

Contenido: Arquitecturas de computadoras Sistemas embebidos Arquitecturas orientadas a servicios (SOA) Redes de comunicaciones Redes heterogéneas Redes de Avanzada Redes inalámbricas Redes móviles Redes activas Administración y monitoreo de redes y servicios Calidad de Servicio (QoS, SLAs) Seguridad informática y autenticación, privacidad Infraestructura para firma digital y certificados digitales Análisis y detección de vulnerabilidades Sistemas operativos Sistemas P2P Middleware Infraestructura para grid Servicios de integración (Web Services o .Net)Red de Universidades con Carreras en Informática (RedUNCI