EDITE - Guillaume BROGI
Identity
Guillaume BROGI
Academic status
Thesis in progress...
Subject: Unsupervised adverse learning in the detection and countermeasure of advanced persistent threat campaigns
Thesis supervision:
Laboratory:
Neighbourhood
(Relationship graph not reproduced.) Legend: blue ellipse: PhD student, yellow ellipse: doctor, green rectangle: permanent staff, yellow rectangle: HDR. Green line: thesis co-supervisor, blue line: thesis director, dotted line: mid-term evaluation committee or thesis jury.
Scientific output
oai:hal.archives-ouvertes.fr:hal-01417612
TerminAPTor: Highlighting Advanced Persistent Threats through Information Flow Tracking
International audience
Long-lived attack campaigns known as Advanced Persistent Threats (APTs) have emerged as a serious security risk. These attack campaigns are customised for their target and performed step by step over months on end. The major difficulty in detecting an APT is keeping track of the different steps logged over months of monitoring and linking them. In this article, we describe TerminAPTor, an APT detector which highlights links between the traces left by attackers in the monitored system during the different stages of an attack campaign. TerminAPTor tackles this challenge by resorting to Information Flow Tracking (IFT). Our main contribution is showing that IFT can be used to highlight APTs. Additionally, we describe a generic representation of APTs and validate our IFT-based APT detector.
8th IFIP International Conference on New Technologies, Mobility and Security (NTMS 2016), Nov 2016, Larnaca, Cyprus. https://hal.inria.fr/hal-01417612 ; conference site: http://www.ntms-conf.org/ntms2016/ ; 2016-11-21
oai:hal.archives-ouvertes.fr:hal-01533275
Sharing and replaying attack scenarios with Moirai
National audience
Datasets are necessary for evaluating and comparing security solutions. Today, the most well-known public dataset is still the oft-decried IDEVAL dataset. Even if we don't take into account all the inherent shortcomings of this dataset, the fact that it dates back to 1999 means its relevance is all but lost. Without a public dataset, new security solutions cannot be compared to existing ones. In this article, we argue for the need for a public and modern dataset for the evaluation of security solutions. Moreover, we argue that traditional datasets are too restrictive in the approaches they allow. Thus, we present Moirai. Instead of sharing datasets, Moirai shares the scenarios used to create datasets. This allows for the creation of complex scenarios which could, for example, represent an Advanced Persistent Threat (APT). By sharing the scenarios, Moirai allows solutions based on disparate ideas to be compared.
RESSI 2017: Rendez-vous de la Recherche et de l'Enseignement de la Sécurité des Systèmes d'Information, May 2017, Autrans, France. https://hal.archives-ouvertes.fr/hal-01533275 ; 2017-05-17