index - SSIR - Equipe Sécurité des Systèmes d'Information et Réseaux - EA 4039 Access content directly


Computer and network security is nowadays a major concern, as human organizations of any kind and any size depend on its information system.

The answer to this concern essentially lies in the capacity to define and enforce security policies for various computing environments. We are interested in so called « self-organized networks », i.e., networks that have no global authority in charge of defining and managing a security policy. The absence of such an authority leads to the necessity to integrate, on each node of the network, the mechanisms and services that are mandatory to build and manage the network. The notion of self-organized networks is present in the ubiquitous computing with the ad hoc network or MANET (Mobile Ad Hoc
NETwork) and in the distributed systems with the P2P networks.

This first preventive answer must be complemented by a corrective approach. It is indeed important to consider that flaws are always possible and to monitor systems in order to detect possible exploitation of these flaws. This is intrusion detection. Intrusion detection systems currently used can only detect already known attacks (misuse detection). Thus, they face the problem of daily appearing new form of attacks.


In the case of ad hoc networks, the main problem is to establish the routing infrastructure that allows interconnecting the nodes. In the context of the P2P networks, the challenge is to propose a distributed mechanism to share and manage the information of the nodes. From the security point of view, the self-organized networks do not really introduce new problems. However, the absence of a central authority in charge of managing the infrastructures and the services has serious consequences. In particular, each node have to consider that it evolves in an insecure environment, and so has to implement its own mechanisms to enforce its security against malicious nodes, eventually by collaborating with some trusted nodes. For ad hoc networks, we have proposed an approach that allows each node to control the behavior of the other nodes with respect to the routing protocol specification.
Our solution is based on the formal specification of the implicit trust relations between the entities that take part in the ad hoc routing protocol. These relations define rules that allow each node to reason with and about trust, and to take decisions regarding other nodes. In particular, using these rules, each node is able to detect the inconsistency between the received information and the local information, and thus to mistrust the nodes that give wrong information (see the example here after). In P2P networks, we have proposed a distributed access control allowing restricting the network access to a subset of nodes showing an honest behavior. This control is based on a novel adaptive threshold cryptography scheme. To access the network, a node needs to obtain a certificate co-signed by a subset of nodes, each node using SybilGuard (social-based partial sybil protection) to decide whether or not to accept the new node.
Then, misbehaving nodes are detected and their certificates are revoked through the same distributed signature scheme. This network access control is thus both proactive and reactive.

To overcome the incapacity of misuse detection to detect new forms of attacks, “anomaly detection” aims at comparing a current observed behaviour of the monitored entity, to a reference model previously built. Generally the reference model is built through a learning process. For example, an applicative process is, in an initial learning phase, observed during the period of time needed to identify all the possible system call sequences of a given length. Then, in a detection phase, sequences occurring but not present in the identified possible sequences lead to the emission of an alert. Indeed, such a situation may be the result of a code injection attack.

Our contributions to the intrusion detection field are mainly related to anomaly detection. Nevertheless, we avoid, as far as possible, relying on a learning mechanism. Indeed, learning may lead to incorrect (attacks may occurs during the learning phase) or incomplete (it is difficult if not impossible to know if all the possible behaviours have been seen during the learning phase) models. To avoid learning, we have explored several research tracks. For example, the work presented here after proposes to consider an implicit reference model.
Here, the user requests are forwarded to different modules that implements the same functionality but through diverse designs. Any difference between responses that are returned by these modules can be interpreted as a possible corruption of one or several modules. This provides a way to detect intrusions in the diversified system. Another appealing approach lies for us in policy-based intrusion detection.
Here, the detection system is aware of the security policy that constitutes actually the reference model. We have proposed an approach to monitor information flows allowing detecting violation of a security policy even if the information is no more in its original container. Such an approach can be implemented at various levels. We have an implementation for a Linux operating system and another one for the Java Virtual Machine.


  • Self-organized Networks Security

  • Intrusion Detection