Sites Inria

Version française


Jean-Michel Prima - 6/06/2017

A kit for tracking down intrusions

Nicolas Prigent & Christopher Humphries Nicolas Prigent & Christopher Humphries

Security analysts continue to play an irreplaceable role in understanding attacks on information systems. These are the people the events records visualisation solution developed by SplitSec, a start-up being created at the Inria Rennes - Bretagne Atlantique centre, is aimed at.

June 2010: the Stuxnet virus damages 1,000 centrifuges in a uranium factory. 
December 2013: the Target supermarket chain leaks 100 million bank details. 

December 2015: the BlackEnergy malware deprives 700,000 Ukrainians of electricity. 
July 2016: 19,252 Democratic Party emails are leaked to the public in the run-up to the US elections. 

December 2016: Yahoo reveals the leak of a billion passwords.

In the space of a few years, digital crime, espionage and terrorism have stepped up a gear. Consequently, the protection of servers, networks and data is becoming even more crucial, and governments and businesses are working on this. Systems are teeming with firewalls, antiviruses and encryption tools, however these defences are not immune from the use of an as yet unknown vulnerability, called a "zero day". Human judgement therefore remains as relevant as ever.

A thesis funded by the DGA-MI

This role of final protector falls to security analysts, and the intrusion visualisation solution developed by SplitSec - a start-up being created at the Inria Rennes centre - is specifically aimed at them. This innovative tool, called Elvis, is the result of the thesis work carried out by Christopher Humphries , funded by the DGA-MI (French Ministry of Defence Procurement Agency - Information Literacy) and supervised by former researcher Nicolas Prigent when they were both part of Cidre, a scientific team specialising in security.
It all began with an observation: “The machines generate files of all of the events that take place. These are called logs. In order to spot a potential intrusion, these files need to be gone over with a fine-tooth comb. This is difficult to do in practice: they contain hundreds of thousands of rows. In addition, the formats prove to be disparate depending on whether the logs concern web servers or industrial machines, for example. In short, it's like looking for a needle in a haystack, ” Nicolas Prigent summarises.
Of course, software knows how to mine these big data in order to automatically detect - in real time - any intrusions. There is, however, a limit: “like antiviruses, they work using indicators of compromise that they download on a regular basis. They look to identify a trace that, a priori, they know about. However, in the event of a new kind of attack, they will find nothing. ” That is when the expert's insight will make a difference.

Security incident response

"Our solution serves analysts; it provides them with more means to do their job by helping them to better understand what is happening, in particular in the security incident response phase. An example: a phone call from an employee who can no longer log in. Is it an insignificant malfunction or the sign of a more serious problem? When in doubt, the analyst decides to investigate. "
In order to facilitate this work, Elvis first of all standardises the disparate logs. “The experts need to be able to study all of these registers in the same way. If they had a specific tool for each format, it would be difficult on an intellectual level. "


Second contribution: visualisation in the form of maps and graphs. “It is much clearer. We start by presenting a summarised version of the logs. This addresses the problem of "writers' block " - in other words, when I have logs in front of me, what am I going to look for? A priori, I don't know. However, by observing the summarised view, the analyst will notice things. Let's take the case of a web server. If it is operating normally, it only generally returns two types of events: code 200 when the Internet user has correctly received the requested page, and error code 404 when the page is not found. If others appear, then something is happening. For example, 500 codes indicate an internal server error.” An attack? “Not necessarily. But maybe. Analysts will notice these slightly abnormal events in the summarised view.” From there, it's like the beginning of a police investigation...
“Depending on the attack, it may be relevant to analyse a particular type of data on the logs row ”, Christophe Bidan , head of the Cidre team, explains. “Our summaries present the data side-by-side. Analysts can choose to look at a particular piece of data independently or in relation to all the other data. They can correlate the elements in order to slowly unravel, and then get to the root of, the problem For example, they can ask themselves which IP address generated a certain error message. They select two types of data then the tool automatically builds the most suitable visualisation. Once the IP has been identified, the analyst can focus on this address and find all of the other related events. This way, they gradually pick up clues in order to progress with their investigation. "

Intervention kit

2017 will be devoted to the industrialisation of the tool. “The prototype will enable small-scale experimentations to take place. It must be able, from now on, to assimilate logs of several hundred gigabytes ”, Christopher Humphries points out. The marketed solution will first of all be in the form of an intervention kit. “Analysts are often sent off to industrial sites or subsidiaries at the other side of the world. This secure kit is a tool that is adapted to their needs. They open it. They connect it. They start to investigate. ”
Apart from major manufacturers, administrations and the defence sector, this solution will also be aimed at specialised service providers. “That said, in medium-sized companies we are also seeing an increase in the level of in-house expertise. More and more systems administrators have some knowledge of security. And we are convinced that our solution will enable them to take a greater interest in what is happening on their network.

Keywords: Christopher Humphries Sylvain Prigent Splitsec INRIA Rennes - Bretagne Atlantique Cidre Sécurité