    Science Hackathons for Cyberphysical System Security Research: Putting CPS testbed platforms to good use

    A challenge is to develop cyber-physical system scenarios that reflect the diversity and complexity of real-life cyber-physical systems in the research questions that they address. Time-bounded collaborative events, such as hackathons, jams and sprints, are increasingly used as a means of bringing groups of individuals together in order to explore challenges and develop solutions. This paper describes our experiences using a science hackathon to bring individual researchers together in order to develop a common use case, implemented on a shared CPS testbed platform, that embodies the diversity of their own security research questions. A qualitative study of the event was conducted in order to evaluate the success of the process, with a view to improving future similar events.

    Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts

    An important problem in the field of intrusion detection is the management of alerts. Intrusion Detection Systems tend to produce a high number of alerts, most of them being false positives. But producing a high number of alerts does not mean that the attack detection rate is high. In order to increase the detection rate, the use of multiple IDSs based on heterogeneous detection techniques is a solution, but in return it increases the number of alerts to process. Aggregating the alerts coming from multiple heterogeneous IDSs and fusing them is a necessary step before processing the content and the meaning of the alerts. We propose in this paper to define a similarity operator that takes two IDMEF alerts and outputs a similarity value between 0 and 1. We then propose some algorithms to process the alerts in an on-line or off-line approach using this operator. The article ends with experiments made with the Nmap tool and th

    Systematic Analysis of Label-flipping Attacks against Federated Learning in Collaborative Intrusion Detection Systems

    With the emergence of federated learning (FL) and its promise of privacy-preserving knowledge sharing, the field of intrusion detection systems (IDSs) has seen a renewed interest in the development of collaborative models. However, the distributed nature of FL makes it vulnerable to malicious contributions from its participants, including data poisoning attacks. The specific case of label-flipping attacks, where the labels of a subset of the training data are flipped, has been overlooked in the context of IDSs that leverage FL primitives. This study aims to close this gap by providing a systematic and comprehensive analysis of the impact of label-flipping attacks on FL for IDSs. We show that such attacks can still have a significant impact on the performance of FL models, especially targeted ones, depending on parameters and dataset characteristics. Additionally, the provided tools and methodology can be used to extend our findings to other models and datasets, and to benchmark the efficiency of existing countermeasures.

    Fusion, weighted correlation and reaction in a cooperative intrusion detection environment

    Computer systems must respect certain properties such as confidentiality, integrity and availability. However, vulnerabilities exist that make it possible to violate the security policy. Intrusion detection aims to detect the exploitation of these vulnerabilities. The approach of making several intrusion detection probes cooperate improves the diagnosis provided. This thesis develops the notions of fusion, weighted correlation and reaction. Alert fusion groups redundant alerts in order to merge them. Weighted correlation identifies intrusion scenarios and selects the most plausible one. Reaction blocks an intrusion scenario in progress, or modifies the state of the system to eliminate a vulnerability or to compensate for the effects of an attack. Experimental results obtained on several intrusion scenarios, using a prototype that implements the developed notions, are presented.

    Reaction Policy Model Based on Dynamic Organizations and Threat Context

    The tasks a system administrator must fulfill become more and more complex as information systems increase in complexity and connectivity. More specifically, the problem of the expression and update of security requirements is central. Formal models designed to express security policies have proved to be necessary, since they provide non-ambiguous semantics with which to analyze them. However, models such as RBAC or OrBAC are not used to express reaction requirements, which specify the reaction policy to enforce when intrusions are detected. We present in this article an extension of the OrBAC model that defines dynamic organizations and threat contexts to enable the expression and enforcement of reaction requirements.