Share Your Research, Maximize Your Social Impacts
Main Menu
Searching By
Main Menu
PARTNERS
PhD and postdoc positions on data analytics and visualisation for cyber-security at Inria Nancy Grand Est
Country/Region : France
Website : http://madynes.loria.fr
Description
The huge growth of Internet exposes many users to various threats. This has been intensified by the large deployment of new devices in addition to traditional computers. This includes smartphones and sensors, and will concern daily life objects in a near future with the emergence of the Internet of Things (IoT) the last years. Hence, this represents a tremendous playground for attackers. To fight them, network security is essential to identify misbehaviors and potential victims as earlier as possible.
The attackers evolve from individuals towards organized cyber-criminal organizations [1] while meantime the attacks being more distributed and complex. For example, the botnets [2] are still a major threat on Internet, where thousands of zombie machines can take part, because they have been successfully adapted from a centralized model based on IRC towards distributed approach, even P2P, taking advantage of traditional protocol (DNS for fast fluxing [3]) and new technologies (social networks for synchronization [4]). In parallel, they are responsible of various attacks including spam, denial of service, credential stealing [5]... Therefore fighting such a threat among others require to collect, analyze and correlate various sources of data to create summarized view that are exploitable by human administrator and, if possible, in real time and in an automated way. This is the current challenge of the network security monitoring [6]. Currently, most of attacks remains unrevealed, but when they are suspected, it is vital to investigate it to confirm, to trace the root causes and attackers. The forensics security teams have very few tools which let them performing analysis mainly manually, which introduces two bias: long delay (from few hours to several months) and human bias due to background and experiences.
In parallel, data-analytics methods have skyrocketed recently and are able to cope with huge volumes of unstructured data and so are good candidates for being adapted and applied to security monitoring challenges by allowing collecting and analyzing multiple sources of relevant data while current approaches focuses on few ones or on simple correlation of several ones.
- Project description:
The objective of the project is to design a methodology for being able to counteract against new threats on Internet by monitoring them through data-consolidation over multiple sources. In parallel, in order to help the security teams, new investigation methods have to be built by empowering the interactivity and the visualization of the information (raw, summarized or consolidated data). To achieve that, it will be necessary to :
define and evaluate an holistic data-analytics approach for complex threats. The objective is to be able to cope with large quantity of heterogeneous data for extracting relevant knowledge about past and ongoing threats.
define methods for interactive and visual investigation of multiple sources of security data. This will consider similar methods that those under the first item but with a hard constraint on the reactivity and the limited quantity of information which can be dealt simultaneously by a human. Hence, these methods may rely on streaming analytics approaches, learning approaches to predict the next requests of the analysts to prepare the results (pre-processing and pre-rendering), combine and select information.
validate the proposed methods on different scenarios. In a first phase, the analysis will be mainly focused on individual data source microscopic analysis (monitoring DNS request to detect botnet activities, analyzing trafic flows to identify DDoS attacks, HTTP trafic for phishing detection, syslog events, security alerts...) before correlating and augmenting them to strengthen the results (monitoring DNS and analyzing flow for botnets, using fingerprinting methods to tag hosts and flows before analysis, traffic causality graphs...).
- Bibliography:
[1] R. Howard, Cyber Fraud: Tactics, Techniques and Procedures. Auerbach Publications, 2009, ch. 5, The Russian Business Network: the Rise and Fall of a Criminal ISP.
[2] Seungwon Shin and Guofei Gu. 2010. Conficker and beyond: a large-scale empirical study. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC '10).
[3] C. Castelluccia, M. A. Kaafar, P. Manils, and D. Perito, “Geolocalization of proxied services and its application to fastflux hidden servers,” ACM SIGCOMM IMC
[4] Shishir Nagaraja, Amir Houmansadr, Pratch Piyawongwisal, Vijit Singh, Pragya Agarwal, Nikita Borisov “Stegobot: A Covert Social Network Botnet”, Information Hiding 2011
[5] Dainotti, A.; King, A.; Claffy, K.; Papale, F.; Pescape, A., "Analysis of a “/0” Stealth Scan From a Botnet," IEEE/ACM Transactions on Networking, no.99
[6] Cloud Security Alliance, “Big Data Analytics for Security Intelligence”, 2013
- Skills and profile:
Required qualification: Master degree, preferably in computer science
Knowledge and skills in the following fields will be appreciated: networking, security, machine learning, data-mining, human-computer interaction
- Additional information:
Research group: Madynes - http://madynes.loria.fr/
To apply:
-- contact Jérôme François (jerome.francois-AT-inria.fr, http://jeromefra.free.fr/)
-- send your CV, a motivation letter, detail about your MSc or PhD (title, summary, supervisors, grades) and at least two contacts that may provide reference letters.
The attackers evolve from individuals towards organized cyber-criminal organizations [1] while meantime the attacks being more distributed and complex. For example, the botnets [2] are still a major threat on Internet, where thousands of zombie machines can take part, because they have been successfully adapted from a centralized model based on IRC towards distributed approach, even P2P, taking advantage of traditional protocol (DNS for fast fluxing [3]) and new technologies (social networks for synchronization [4]). In parallel, they are responsible of various attacks including spam, denial of service, credential stealing [5]... Therefore fighting such a threat among others require to collect, analyze and correlate various sources of data to create summarized view that are exploitable by human administrator and, if possible, in real time and in an automated way. This is the current challenge of the network security monitoring [6]. Currently, most of attacks remains unrevealed, but when they are suspected, it is vital to investigate it to confirm, to trace the root causes and attackers. The forensics security teams have very few tools which let them performing analysis mainly manually, which introduces two bias: long delay (from few hours to several months) and human bias due to background and experiences.
In parallel, data-analytics methods have skyrocketed recently and are able to cope with huge volumes of unstructured data and so are good candidates for being adapted and applied to security monitoring challenges by allowing collecting and analyzing multiple sources of relevant data while current approaches focuses on few ones or on simple correlation of several ones.
- Project description:
The objective of the project is to design a methodology for being able to counteract against new threats on Internet by monitoring them through data-consolidation over multiple sources. In parallel, in order to help the security teams, new investigation methods have to be built by empowering the interactivity and the visualization of the information (raw, summarized or consolidated data). To achieve that, it will be necessary to :
define and evaluate an holistic data-analytics approach for complex threats. The objective is to be able to cope with large quantity of heterogeneous data for extracting relevant knowledge about past and ongoing threats.
define methods for interactive and visual investigation of multiple sources of security data. This will consider similar methods that those under the first item but with a hard constraint on the reactivity and the limited quantity of information which can be dealt simultaneously by a human. Hence, these methods may rely on streaming analytics approaches, learning approaches to predict the next requests of the analysts to prepare the results (pre-processing and pre-rendering), combine and select information.
validate the proposed methods on different scenarios. In a first phase, the analysis will be mainly focused on individual data source microscopic analysis (monitoring DNS request to detect botnet activities, analyzing trafic flows to identify DDoS attacks, HTTP trafic for phishing detection, syslog events, security alerts...) before correlating and augmenting them to strengthen the results (monitoring DNS and analyzing flow for botnets, using fingerprinting methods to tag hosts and flows before analysis, traffic causality graphs...).
- Bibliography:
[1] R. Howard, Cyber Fraud: Tactics, Techniques and Procedures. Auerbach Publications, 2009, ch. 5, The Russian Business Network: the Rise and Fall of a Criminal ISP.
[2] Seungwon Shin and Guofei Gu. 2010. Conficker and beyond: a large-scale empirical study. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC '10).
[3] C. Castelluccia, M. A. Kaafar, P. Manils, and D. Perito, “Geolocalization of proxied services and its application to fastflux hidden servers,” ACM SIGCOMM IMC
[4] Shishir Nagaraja, Amir Houmansadr, Pratch Piyawongwisal, Vijit Singh, Pragya Agarwal, Nikita Borisov “Stegobot: A Covert Social Network Botnet”, Information Hiding 2011
[5] Dainotti, A.; King, A.; Claffy, K.; Papale, F.; Pescape, A., "Analysis of a “/0” Stealth Scan From a Botnet," IEEE/ACM Transactions on Networking, no.99
[6] Cloud Security Alliance, “Big Data Analytics for Security Intelligence”, 2013
- Skills and profile:
Required qualification: Master degree, preferably in computer science
Knowledge and skills in the following fields will be appreciated: networking, security, machine learning, data-mining, human-computer interaction
- Additional information:
Research group: Madynes - http://madynes.loria.fr/
To apply:
-- contact Jérôme François (jerome.francois-AT-inria.fr, http://jeromefra.free.fr/)
-- send your CV, a motivation letter, detail about your MSc or PhD (title, summary, supervisors, grades) and at least two contacts that may provide reference letters.
Last modified: 2017-01-05 23:48:43