Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications.These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy

A Process Mining Approach for Supporting IoT Predictive Security

International audienceThe growing interest for the Internet-of-Things (IoT) is supported by the large-scale deployment of sensors and connected objects. These ones are integrated with other Internet resources in order to elaborate more complex and value-added systems and applications. While important efforts have been done for their protection, security management is a major challenge for these systems, due to their complexity, their heterogeneity and the limited resources of their devices. In this paper we introduce a process mining approach for detecting misbehaviors in such systems. It permits to characterize the behavioral models of IoT-based systems and to detect potential attacks, even in the case of heterogenous protocols and platforms. We then describe and formalize its underlying architecture and components, and detail a proof-of-concept prototype. Finally, we evaluate the performance of this solution through extensive experiments based on real industrial datasets

Towards Automating Security Enhancement for Cloud Services

International audienceCloud infrastructures provide new facilities (elasticity, load balancing, easy integration) to build and maintain elaborated services built from multiple resources in a flexible manner. The changes that continuously affect these services, in particular the migration of resources amongst such cloud infrastructures, induce configuration changes. These latter may generate new vulnerabilities that can compromise the confidentiality, integrity and availability of services. Our approach aims at automating the security enhancement of cloud composite services during the migration of their elementary resources. In that context, it first relies on investigating to what extent orchestration languages can be extended to support such automation. It then requires the design of a framework enabling security automation, in order to adapt and complement the configuration of these elementary resources. This includes specifying dedicated algorithms for selecting adequate security mechanisms before, during and after the migration of one or several resources composing an elaborated service. Finally, it should exploit the complementary of endogenous and exogenous mechanisms for supporting such security enhancement

Managing Risks at Runtime in VoIP Networks and Services

International audienceIP telephony is less confined than traditional PSTN telephony. As a consequence, it is more exposed to security attacks. These attacks are specific to VoIP protocols such as SPIT, or are inherited from the IP layer such as ARP poisoning. Protection mechanisms are often available, but they may seriously impact on the quality of service of such critical environments. We propose to exploit and automate risk management methods and techniques for VoIP infrastructures. Our objective is to dynamically adapt the exposure of a VoIP network with regard to the attack potentiality while minimizing the impact for the service. This paper describes the challenges of risk management for VoIP, our runtime strategy for assessing and treating risks, preliminary results based on Monte-Carlo simulations and future work

An Automated SMT-based Security Framework for Supporting Migrations in Cloud Composite Services

International audienceThe growing maturity of orchestration languages is contributing to the elaboration of cloud composite services, whose resources may be deployed over different distributed infrastructures. These composite services are subject to changes over time, that are typically required to support cloud properties, such as scalability and rapid elasticity. In particular, the migration of their elementary resources may be triggered by performance constraints. However, changes induced by this migration may introduce vulnerabilities that may compromise the resources, or even the whole cloud service. In that context, we propose an automated SMT 1-based security framework for supporting the migration of resources in cloud composite services, and preventing the occurrence of new configuration vulnerabilities. We formalize the underlying security automation based on SMT solving, in order to assess the migrated resources and select adequate countermeasures , considering both endogenous and exogenous security mechanisms. We then evaluate its benefits and limits through large series of experiments based on a proof-ofconcept prototype implemented over the CVC4 commonly-used open-source solver. These experiments show a minimal overhead with regular operating systems deployed in cloud environments

An Ensemble Learning-Based Architecture for Security Detection in IoT Infrastructures

International audienceThe Internet of Things has known an important development. However, security management is still a key challenge in particular for deploying complex IoT systems that provide sophisticated services. In this paper, we design an ensemble learning-based architecture to support early security detection in the context of multi-step attacks, by leveraging the performance of different detection techniques. The architecture relies on a total of five major methods, including process mining, elliptic envelope, one class support vector machine, local outlier factor and isolation forest. We describe the main components of this architecture and their interactions, from the data preprocessing to the generation of alerts, through the calculation of scores. The different detection methods are executed in parallel, and their results are combined by an ensemble learning strategy in order to improve the overall detection performance. We develop a proof-of-concept prototype and perform a large set of experiments to quantify the benefits and limits of this approach based on industrial datasets

A Process Mining Tool for Supporting IoT Security

International audienceThe development of the Internet has been characterized by a growing interest for the Internet-of-Things (IoT). In particular, connected devices are integrated to other Internet resources (such as cloud resources) to elaborate value-added services. However, they pose important challenges with respect to security management due to their heterogeneity, their distribution , and their limited resources. In this demonstration, we present a process mining toool for supporting IoT security. This tool is capable to automate the detection of misbehaviours and attacks in large and heterogeneous IoT infrastructures, based on process mining techniques combined with normalization and clustering data pre-processing. We detail the different building blocks of this tool provided into a docker container, and illustrate its operations with different scenarios

Softwarization of networks, clouds, and internet of things

11Ysciescopu

Automating the Provisioning of Application Services with the BPEL4WS Workflow Language

We describe the architecture and implementation of a novel workflow-driven provisioning system for application services, such as multi-tiered e-Commerce systems. These services need to be dynamically provisioned to accomodate rapid changes in the workload patterns. This, in turn, requires a highly automated service provisioning process, for which we were able to leverage a general-purpose workflow language and its execution engine. We have successfully integrated a workflowbased change management system with a commercial service provisioning system that allows the execution of automatically generated change plans as well as the monitoring of their execution

Proceedings of the 15th International Conference on Network and Service Management (CNSM 2019)

International audienc