Sites Inria

Version française


Jean-Michel Prima - 27/11/2015

Viewing for a better diagnosis

Christopher Humphries et Nicolas Prigent from Inria project-team Cidre Christopher Humphries et Nicolas Prigent sont membres de Cidre, une équipe de recherche rennaise spécialiste de la détection d'intrusion.

When analysing an attack on a system, human intervention is still a key factor. But the event logs on the operator's screen display a flood of data. How do you identify the right information? Elvis is a research prototype developed at Rennes. It offers an innovative display technique to highlight the relevant phenomena.

Look at this chart. Users of a website log in by entering their password. We can see the IP addresses of the computers and the connection time. You will immediately notice something strange: a repetition of connections that occurs regularly here, drawing a very specific pattern. People do not behave in such a mechanical way in real life. So, what you are seeing here is a botnet: a group of machines trying to penetrate the system. To try to keep a low profile, it regularly changes its IP address. It only tests a few passwords each time. Few enough to avoid triggering the intrusion alert. This simple example shows us the utility of developing display tools. ” Christopher Humphries is preparing a doctoral thesis in the Cidre team at Centrale Supelec Rennes, with funding from DGA-MI. He is working on Elvis, a research prototype that helps security controllers view attacks.

“Cryptography, firewalls, access control, etc. Several barriers in succession will provide a priori security to a system,explains Nicolas Prigent, a researcher in the same team.But if an attacker breaks through these defences in spite of everything, you must be able to detect them and take action.
There are people who do this professionally. When you do this type of monitoring, for example on a company network, you are actually exploring logs. In other words: activity journal files generated by the applications.

And that is where things get complicated.

 “For a long time, analysts had to go through these logs manually. This means that they had to sift through lines of text looking for the right information. A tedious task; perhaps even a crazy one. "Nowadays, these logs are measured in terabytes. Talk about 'big data': the term is no exaggeration in this case. ”  Naturally, automated systems have taken over this task. The Cidre team is developing intrusion detection mechanisms of this kind. “They look at what is happening. They compare the observed events to their knowledge base. They have learnt that this type of phenomenon is the sign of an attack. ”

 But these automated systems have their limitations. “The problem is to define what constitutes normal behaviour. For example: I know that this person always inputs his password very quickly on the keyboard. And now, suddenly, it's not happening that way. Is this an intrusion? Maybe not. In real life, circumstances can sometimes change. ” Injured arm in a plaster cast, for example. “A break from the routine is not necessarily a sign of an attack. ” On the contrary: attackers do their best to recreate ordinary behaviour to avoid attracting attention. Conclusion: “despite all this technology, there is still a risk.

Exploiting contextual knowledge

And that is where a human being can make the difference. “Unlike a machine, he/she knows how to use a whole additional set of contextual knowledge. I notice that so-and-so is logging onto the server by entering the correct password. But I doubt it's really him, because he has just gone away on holiday. ”  Moreover, “our brain is very good at analysing data presented in visual form. It extracts information from it. It identifies trends. It detects anomalies. That is why in many fields we take digital data and convert it into charts, graphs, maps, etc. It is very eloquent. ”

 So, with Elvis, the researchers want to provide an image to make the information more relevant to the human eye, making a diagnosis easier, especially after a security incident. The first difficulty: not all applications produce identical log files. Each one places the emphasis on certain data more than others. In addition, each one stores the elements in the order that suits it best: IP address of the machine, port number, user ID, etc. The structure of the data we want to display will need to be identified at a previous stage. “However, for the most common applications such as Apache web servers, we already know the syntax.

Data typing

Next stage: data typing. “This involves distinguishing ordinal data, which can be categorised by size, from categorical data, for which there is no order relationship. So, messages can be sorted according to size, but IP addresses cannot. Each one is a category of its own. "This typing task will then make it possible to automatically choose the most relevant graphical representation according to the data. “Based on IP addresses, for example, the user will be able to access a map displaying the location of the machines that connect to the server. ”

 For the time being, Elvis is still a research prototype. Industrialisation and industrial transfer conditions. But the tool is giving promising results. “We are testing it on data used in scientific competitions. It has allowed us to flag up intrusions that the winners of those competitions had not detected. ”

Keywords: Cybersecurity INRIA Rennes - Bretagne Atlantique Nicolas Prigent Elvis Cidre