Frédéric Majorczyk

École Supérieure d'Electricité | SUPELEC

About

34
Publications
3,636
Reads
213
Citations

Publications (34)
Chapter
Among the difficulties encountered in building datasets to evaluate intrusion detection tools, a tricky part is the process of labelling the events into malicious and benign classes. The labelling correctness is paramount for the quality of the evaluation of intrusion detection systems but is often considered the ground truth by practitioners an...
Article
In this paper we develop an alert correlation framework specifically tailored for Industrial Control Systems (ICSs). Alert correlation is a set of techniques used to process alerts raised by various intrusion detection systems in order to eliminate redundant alerts, reduce the number of false alerts, and reconstruct attack scenarios. In ICSs the...
Article
Sophisticated process-aware attacks targeting industrial control systems require adequate detection measures taking into account the physical process. This paper proposes an approach relying on automatically mined process specifications to detect attacks on sequential control systems. The specifications are synthesized as monitors that read the exe...
Conference Paper
Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical, nor sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization...
Conference Paper
Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDOS to a complex attack scenario involving a step by step stealthy compromise of key nodes in the target system. In order to detect those multi-steps attack scenarios, alert correlation systems are required. Those systems rely on explicit or implicit...
Article
Full-text available
Traditional intrusion detection systems are not adaptive enough to cope with the dynamic characteristics of cloud-hosted virtual infrastructures. This makes them unable to address new cloud-oriented security issues. In this paper we introduce SAIDS, a self-adaptable intrusion detection system tailored for cloud environments. SAIDS is designed to re...
Article
In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multi-step attacks within the flow of low level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automat...
Conference Paper
In this article, we present CORGI, a security-oriented log visualization tool that allows security experts to visually explore and link numerous types of log files through relevant representations and global filtering. The analyst can mark values as values of interest and then use these values to pursue the exploration in other log files, allowing...
Conference Paper
Full-text available
In this article, we propose ELVIS, a security-oriented log visualization tool that allows security experts to visually explore numerous types of log files through relevant representations. When a log file is loaded into ELVIS, a summary view is displayed. This view is the starting point for exploring the log. The analyst can then choose to explore...
Article
Abstract: No collision occurs during a consensus instance if all the values proposed during that consensus are identical. To reduce the time needed to reach a decision, some consensus protocols anticipate that no collision will occur during the next consensus executed. This principle of co...
Article
The Paxos-MIC protocol makes it possible to solve a sequence of consensus instances in an unreliable asynchronous system. It follows the basic principles of Paxos and uses two optimizations of this protocol: a safe one, So, that is always activated, and a risky one, Ro. The paper focuses on the interest of Ro, which was introduced by Lamport in the Fast Paxo...
Conference Paper
Full-text available
The most common anomaly detection mechanisms at application level consist in detecting a deviation of the control flow of a program. A popular method to detect such anomalies is the use of application sequences of system calls. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhan...
Conference Paper
Full-text available
The expansion of the Internet routing system results in a number of research challenges; in particular, the Border Gateway Protocol (BGP) starts to show its limits, among others in terms of the number of routing table entries it can dynamically process and control. Dynamic routing protocols showing better scaling properties are thus under investigation. How...
Conference Paper
The use of diversity and redundancy in the security domain is an interesting approach to prevent or detect intrusions. Many researchers have proposed architectures based on those concepts where diversity is either natural or artificial. These architectures are based on the architecture of N-version programming and were often instantiated for web se...
Article
Computing, and the Internet in particular, play a growing role in our society. A large number of applications that are critical from a security standpoint are deployed in various domains such as the military, healthcare, e-commerce, etc. The security of computer systems thus becomes an essential...
Conference Paper
Full-text available
Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black bo...
Article
Full-text available
Intrusion detection systems (IDS) are indispensable complements to the preventive security mechanisms present in computer systems and networks. One way of detecting intrusions is to identify variations in the behaviour of the monitored entities (the so-called "behavioural" approach). IDSs using...
Conference Paper
Full-text available
In this paper, we show that the use of diversified COTS servers makes it possible to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid...
Conference Paper
Full-text available
It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms that are available on computer systems and networks. However, the anomaly-based IDSes that have been proposed in the recent years present some drawbacks, e.g., the necessity to explicitly define a behaviour reference mo...