49 research outputs found

    SLA-Based Continuous Security Assurance in Multi-Cloud DevOps

    Multi-cloud applications, i.e. those that are deployed over multiple independent Cloud providers, pose a number of challenges to security-aware development and operation. Security assurance in such applications is hard due to the lack of insight into the security controls applied by Cloud providers and the need to control the security levels of all the components and layers at the same time. This paper presents the MUSA approach to Service Level Agreement (SLA)-based continuous security assurance in multi-cloud applications. The paper details the proposed model for capturing the security controls in the offered application Security SLA and the approach to continuously monitor and assess the controls at the operation phase. This new approach makes it easy to align development security requirements with the controls monitored at operation, and to react early at operation to any possible security incident or SLA violation. The MUSA project leading to this paper has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644429.

    Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

    Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies the definition, enforcement and control of both privacy and security mechanisms, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and on their continuous monitoring and enforcement at runtime. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help.

    Dynamic Deployment and Monitoring of Security Policies

    INTER-TRUST is a framework for the specification, negotiation, deployment and dynamic adaptation of interoperable security policies, in the context of pervasive systems where devices are constantly exchanging critical information through the network. The dynamic adaptation of the security policies at runtime is addressed using Aspect-Oriented Programming (AOP), which allows enforcing security requirements by dynamically weaving security aspects into the applications. However, a mechanism to guarantee the correct adaptation of the functionality that enforces the changing security policies is needed. In this paper, we present an approach with monitoring and detection techniques in order to maintain the correlation between the security policies and the associated functionality deployed using AOP, allowing the INTER-TRUST framework to react automatically when needed. Funding: European Union INTER-TRUST FP7-317731; Ministerio de Economía y Competitividad TIN2012-34840; Junta de Andalucía FamiWare P09-TIC-5231; Junta de Andalucía MAGIC P12-TIC181

    A SDN and NFV use-case: NDN implementation and security monitoring

    Combining NFV fast service deployment and SDN fine-grained control of data flows allows comprehensive network security monitoring. The DOCTOR architecture allows detecting, assessing and remediating attacks. DOCTOR is an ANR-funded project designing an NFV platform that makes it possible to securely deploy virtual network functions. The project relies on open-source technologies providing a platform on top of which a Named Data Networking architecture (NDN [2]) is implemented. NDN is an example of an application made possible by the coexistence of SDN and NFV, since a hardware implementation would be too expensive. We show how NDN routers can be implemented and managed as VNFs. Security monitoring of the DOCTOR architecture is performed at two levels. First, host-level monitoring, provided by CyberCAPTOR, uses an attack graph approach based on network topology knowledge. It then suggests remediations to cut attack paths. We show how our monitoring tool integrates SDN and NFV specificities and how SDN and NFV make security monitoring more efficient. Then, application-level monitoring relies on the MMT probe. It monitors NDN-specific metrics from inside the VNFs, and a central component can detect attack patterns corresponding to known flaws of the NDN protocol. These attacks are fed to the CyberCAPTOR module to integrate NDN attacks in attack graphs.

    Leveraging NFV for the deployment of NDN: Application to HTTP traffic transport

    For a few years now, Network-Function Virtualization (NFV) has been the most promising solution for the flexible implementation and management of future network services. While most current efforts in this area focus on IP-based Virtual Network Functions (VNF), the case of Information-Centric Networking (ICN) is interesting since it can demonstrate that NFV is a promising technology for ISPs to deploy such new innovative network stacks. In this context, we propose to design and implement an NFV-compliant architecture to easily deploy ICN islands. In particular, at the core of this architecture, we present an HTTP/NDN gateway, which enables our network to carry real HTTP traffic. Finally, we show early functional experimental results of an initial testbed deployment exhibiting the capability of our global infrastructure to retrieve the top-1000 of the most popular web sites.

    Joint Security-vs-QoS Framework: Optimizing the Selection of Intrusion Detection Mechanisms in 5G networks

    The advent of 5G technology introduces new - and potentially undiscovered - cybersecurity challenges, with unforeseen impacts on our economy, society, and environment. Interestingly, Intrusion Detection Mechanisms (IDMs) can provide the necessary network monitoring to ensure - to a big extent - the detection of 5G-related cyberattacks. Yet, how to realize the attack surface of 5G networks with respect to the detected risks, and, consequently, how to optimize the cybersecurity levels of the network, remains an open critical challenge. In this respect, this work focuses on deploying multiple distributed Security Agents (SAs) that can run different IDMs over various network components and proposes a cybersecurity mechanism for optimizing the network’s attack surface with respect to the Quality of Service (QoS). The proposed approach relies on a new closed-form utility function to describe the trade-off between cybersecurity and QoS and uses multi-objective optimization to improve the selection of each SA detection level. We demonstrate via simulations that before optimization, an increase in the detection level of SAs brings a direct decrease in QoS as more computational, bandwidth and monetary resources are utilized for IDM processing. After optimization, we demonstrate that our mechanism can strike a balance between cybersecurity and QoS while showcasing the impact of the importance of different objectives of the joint optimization.

    Implementation of Content Poisoning Attack Detection and Reaction in Virtualized NDN Networks

    The orchestration of countermeasures in the context of security incidents remains a challenging task for network operators. The main objective of this demonstration is to present how this orchestration is possible in the context of a virtualized NDN network. Based on an adaptation of the TOSCA topology and orchestration model, it is possible to trigger these countermeasures after the detection of NDN-specific attacks. We show how the Montimage Monitoring Tool (MMT) has been adapted to detect typical Content Poisoning Attacks (CPA), and how the orchestrator can trigger reactions to mitigate their impact on the network.

    A formal approach for testing security policies

    Security is a critical issue, especially in dynamic and open distributed environments such as the World Wide Web or wireless networks. To ensure that a certain level of security is always maintained, the system behavior must be restrained by a security policy. In this thesis, we propose a framework to specify security policies and test their implementation on networking and information systems. Security policies, nowadays, are a key point for the success of every modern infrastructure. The specification and the testing of security policies are the fundamental steps in the development of a secure system, since any error in a set of rules is likely to harm the global security. We rely on two different test approaches to build our framework: the active and the passive approaches. Active testing consists in generating a set of test cases that can be applied to a specific implementation to study its conformance to its security requirements, whereas passive testing consists in passively observing the traffic of the system under test, without interrupting its normal operations. In the active approach, we propose a framework to automatically generate test sequences to validate the conformance of a system to its security policy. The functional behavior of the system is specified using a formal description technique based on Extended Finite State Machines (EFSM), while the security requirements are specified using two formal languages (Or-BAC and Nomad). We developed specific algorithms to integrate the security rules within the functional system specification. In this way, we obtain a complete specification of the secured system. Then, the automatic test generation is performed using dedicated tools developed in our laboratory to produce test suites in a standard language (TTCN or MSC), facilitating their portability. In the passive testing approach, we specify, using the Nomad formal language, the security policy the system under test has to respect. We then analyze the collected traces of the system execution in order to deduce verdicts on their conformity with respect to the system security requirements. Several algorithms are developed to check whether or not the collected traces conform to the security policy. We applied our framework to diverse systems ranging from wireless networking (OLSR ad hoc routing protocol) to computer systems including audit systems (SAP R/3), web services (France Télécom Travel) and web applications (Weblog Application). This wide range of applications demonstrates the efficiency and the reliability of the proposed approaches.

    Monitoring techniques in practice: experiences and lessons learned

    Testing techniques are used to check if a given system implementation satisfies its specification or some predefined properties. These testing techniques can be active, based on the execution of specific test sequences against the implementation under test, or passive, based on the observation of the exchange of messages (input and output events) of the implementation under test during run-time. In recent years, significant research activity has taken place on the definition of monitoring techniques based on passive testing and verification techniques. In this talk, we will present the main characteristics of monitoring techniques, their advantages and limitations. We will also present monitoring in practice; in particular, we will present the Montimage Monitoring Tool, an industrial prototype developed by the SME Montimage.

    Automated Generation of 5G Fine-Grained Threat Models: A Systematic Approach

    The fifth-generation technology standard for broadband cellular networks, 5G, delivers a significant increase in data speeds and capacity, as well as new capabilities such as higher energy efficiency, lower latency, and the ability to connect a large number of devices. These advances come with a new set of security challenges, as 5G networks will be more complex and more integrated with critical infrastructure than previous generations. In order to correctly address such challenges, there is a need for fine-grained threat models that collect a set of well-detailed threats, each of them clearly addressing a system component and taking into account how components are connected and interact with each other, and the specific technology and/or protocols involved. A fine-grained threat model can be used to support the definition of a penetration testing plan or to identify and verify the effectiveness of technical countermeasures. This paper extends an existing automated threat modelling methodology focusing on 5G architecture and defines a process to build in a systematic way the catalogue of threats on which the technique relies. In order to obtain such results, we extended our modelling technique in order to model 5G architectures, defined a process to extend our methodology to address additional domains, and applied the approach to a concrete case study, applying our technique to a common 5G open-source architecture proposed by our industrial partner. The main contributions of this paper can be summarized as follows: 1) a technique to systematically produce an extension of our modelling technique and a threat catalogue for a specific domain; 2) a 5G systems threat catalogue; 3) a 5G systems graph-based modelling technique. As an additional result, we validated our approach, applying our technique in a real context and involving industrial experts for the evaluation of the generated fine-grained threat model.