444 research outputs found

    Resilient Capacity-Aware Routing


    Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

    Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties such as the absence of black holes or loops, and shadowing freedom, and that they are coherent with the underlying security policy.

    The Hazard Value: A Quantitative Network Connectivity Measure Accounting for Failures

    To meet their stringent requirements in terms of performance and dependability, communication networks should be "well connected". While classic connectivity measures typically revolve around topological properties, e.g., related to cuts, these measures may not reflect well the degree to which a network is actually dependable. We introduce a more refined measure for network connectivity, the hazard value, which is developed to meet the needs of a real network operator. It accounts for crucial aspects affecting the dependability experienced in practice, including actual traffic patterns, distribution of failure probabilities, routing constraints, and alternatives for services with preferences therein. We analytically show that the hazard value fulfills several fundamental desirable properties that make it suitable for comparing different network topologies with one another, and for reasoning about how to efficiently enhance the robustness of a given network. We also present an optimised algorithm to compute the hazard value and an experimental evaluation against networks from the Internet Topology Zoo and classical datacenter topologies, such as fat trees and BCubes. This evaluation shows that the algorithm computes the hazard value within minutes for realistic networks, making it practically usable for network designers.

    Generation of SDN policies for protecting Android environments based on automata learning

    Software-defined networking offers new opportunities for protecting end users and their applications. In that context, dedicated chains can be built to combine different security functions, such as firewalls, intrusion detection systems and services for preventing data leakage. To configure these security chains, it is important to have an adequate model of the patterns that end user applications exhibit when accessing the network. We propose an automated strategy for learning the networking behavior of end applications using algorithms for generating finite state models. These models can be exploited for inferring SDN policies ensuring that applications respect the observed behavior: such policies can be formally verified and deployed on SDN infrastructures in a dynamic and flexible manner. Our solution is prototypically implemented as a collection of Python scripts that extend our Synaptic verification package. The performance of our strategy is evaluated through extensive experimentations and is compared to the Synoptic and Invarimint automata learning algorithms.

    A Tool Suite for the Automated Synthesis of Security Function Chains

    Software-defined networking may serve as a support for the elaboration of security chains capable of protecting end-user devices. These chains may be composed of different security functions, such as firewalls and intrusion detection systems. This demonstration showcases a tool suite for automating such a generation, from the learning of the behavior of applications, to the factoring and instantiation of security chains.

    Synaptic: A formal checker for SDN-based security policies

    Software-defined networking offers new opportunities for protecting end users by designing dynamic security policies. In particular, security chains can be built by combining security functions, such as firewalls, intrusion detection systems and services for preventing data leakage. The configuration of these security functions and their associated policies is based on behavioural models of end-user applications when accessing the network. In this demo, we present our tool Synaptic, an SDN-based framework intended for the formal verification of security policies as well as for automatically generating such policies based on automata learning methods applied on NetFlow records of end-user applications collected at the device level.

    Automated Factorization of Security Chains in Software-Defined Networks

    Software-defined networking (SDN) offers new perspectives with respect to the programmability of networks and services. In particular in the area of security management, it may serve as a support for building and deploying security chains in order to protect devices that may have limited resources. These security chains are typically composed of different security functions, such as firewalls, intrusion detection systems, or data leakage prevention mechanisms. In previous work, we suggested the use of techniques for learning automata as a basis for generating security chains. However, the complexity and the high number of these chains induce significant deployment and orchestration costs. In this paper, we propose and evaluate algorithms for merging and simplifying these security chains in software-defined networks, while keeping acceptable accuracy. We first describe the overall system supporting the generation and factorization of the security chains. We then present the different algorithms supporting their merging, and finally we evaluate the solution through an extensive set of experiments.

    Quantification of toxins in a Cry1Ac + CpTI cotton cultivar and its potential effects on the honey bee Apis mellifera L.

    Transgenic Cry1Ac + CpTI cotton (CCRI41) is increasingly planted throughout China. However, negative effects of this cultivar on the honey bee Apis mellifera L., the most important pollinator for cultivated ecosystems, remained poorly investigated. The objective of our study was to evaluate the potential side effects of transgenic Cry1Ac + CpTI pollen from cotton on young adult honey bees A. mellifera L. Two points emphasized the significance of our study: (1) A higher expression level of insecticidal protein Cry1Ac in pollen tissues was detected (when compared with previous reports). In particular, Cry1Ac protein was detected at 300 ± 4.52 ng g−1 [parts per billion (ppb)] in pollen collected in July; (2) Effects on chronic mortality and feeding behaviour in honey bees were evaluated using a no-choice dietary feeding protocol with treated pollen, which guarantees the highest exposure level to bees potentially occurring in natural conditions (worst case scenario). Tests were also conducted using imidacloprid-treated pollen at a concentration of 48 ppb as a positive control for sublethal effects on feeding behaviour. Our results suggested that Cry1Ac + CpTI pollen carried no lethal risk for honey bees. However, during a 7-day oral exposure to the various treatments (transgenic, imidacloprid-treated and control), honey bee feeding behaviour was disturbed and bees consumed significantly less CCRI41 cotton pollen than in the control group in which bees were exposed to conventional cotton pollen. This may indicate an antifeedant effect of CCRI41 pollen on honey bees, and thus bees may be at risk because large areas are planted with transgenic Bt cotton in China. This is the first report suggesting a potential sublethal effect of CCRI41 cotton pollen on honey bees. The implications of the results are discussed in terms of risk assessment for bees as well as for directions of future work involving risk assessment of CCRI41 cotton.

    Search for new particles in events with energetic jets and large missing transverse momentum in proton-proton collisions at √s = 13 TeV

    A search is presented for new particles produced at the LHC in proton-proton collisions at √s = 13 TeV, using events with energetic jets and large missing transverse momentum. The analysis is based on a data sample corresponding to an integrated luminosity of 101 fb⁻¹, collected in 2017-2018 with the CMS detector. Machine learning techniques are used to define separate categories for events with narrow jets from initial-state radiation and events with large-radius jets consistent with a hadronic decay of a W or Z boson. A statistical combination is made with an earlier search based on a data sample of 36 fb⁻¹, collected in 2016. No significant excess of events is observed with respect to the standard model background expectation determined from control samples in data. The results are interpreted in terms of limits on the branching fraction of an invisible decay of the Higgs boson, as well as constraints on simplified models of dark matter, on first-generation scalar leptoquarks decaying to quarks and neutrinos, and on models with large extra dimensions. Several of the new limits, specifically for spin-1 dark matter mediators, pseudoscalar mediators, colored mediators, and leptoquarks, are the most restrictive to date.
    Peer reviewed.
