Sites Inria

Version française


Jean-Michel Prima - 25/06/2019

Visualising and tracking intrusion

When it comes to understanding attacks on information systems, security analysts continue to play a vital role. It was with them in mind that Malizen, a start-up that began life within the Inria Rennes - Bretagne Atlantique centre, developed their incident history visualisation solution.

June 2010 :  the Stuxnet virus throws 1,000 centrifuges in a uranium plant out of gear.
December 2013 : Target supermarkets allow 100 million sets of bank details to escape.
December 2015 : the malware BlackEnergy deprives 700,000 people in Ukraine of electricity.
July 2016 : 19,252 emails from the Democratic Party are released into the public domain in the run-up to the US presidential election.
December  2016 : Yahoo ! confesses to a leak involving one billion passwords.
December  2018 : The New York Times reveals that hackers were able to infiltrate the EU’s diplomatic communication network, stealing thousands of confidential reports going back several years.

In the space of a few years, digital terrorism, criminality and espionage have stepped up a gear. Protecting servers, networks and data has never been so important, with governments and businesses getting down to the task. Systems bristle with firewalls, antivirus programs and encryption tools. However, these defence mechanisms are not immune from previously unforeseen flaws, which are known as zero-day vulnerabilities. For this very reason, human judgement is just as relevant as ever.

Research funded by the DGA-MI

Cybersecurity analysts are the last line of defence. It was with them in mind that Malizen , a start-up that began life within the Inria centre in Rennes, developed their intrusion visualisation solution. The company is run by Christopher Humphries , continuing on with the development of ZeroKit , an innovative tool with its origins in his PhD research funded by DGA-MI and developed within Cidre, a scientific team specialising in cybersecurity.

They began by assessing the situation: “Machines generate files on all incidents that take place inside them, known as logs. In order to locate any instances of intrusion, you need to go through all of these files. From a practical point of view, this is difficult, with these files containing hundreds of thousands of lines. What’s more, the formats differ quite markedly depending on whether the logs relate to web servers or industrial machinery, for example. In short, it’s a bit like looking for a needle in a haystack. ” There are of course software programs capable of automatically searching through these vast quantities of data for intrusions in real-time, but they are not without their limitations: “As is the case with antivirus programs, they operate using databases that they regularly update. They seek to identify a trace that they are already familiar with. The problem is that with new types of attacks, they won’t find anything. ” In such cases, expert judgement can make all the difference.

Responding to security incidents

Our solution is designed to make life easier for analysts, giving them more resources with which to carry out their job and helping them to develop a better understanding of what is actually happening. This is particularly true when it comes to responding to security incidents. Example: an employee calls to say that they are unable to log in. Is this just a run-of-the-mill error or an indication that something more serious is taking place? Unsure, the analyst decides to investigate. ” In order to make this task easier, ZeroKit begins by standardising the different types of logs. “The expert needs to be able to assess all of these registers in exactly the same way. If they were forced to use a specific tool for each format, this would render the exercise intellectually complex. ”
 The second benefit is visualisation in the form of maps and graphs. “This is more demonstrative. We begin by presenting a summary of the logs, which can be used to combat ‘blank page syndrome ’. In other words, when I have several logs in front of me, what is it that I’m supposed to look for? At first glance, I don’t know. When they take a look at this summary, however, the analyst will notice certain things. Consider the example of a web server. If a server is functioning normally, it will generally only produce two different types of incidents: code 200 when the internet user has received the requested page, or error code 404 when the page is not found. In the event of others appearing, they will move onto something else. Code 500, for example, indicates an internal server error.” An attack? “Not necessarily. But maybe. The analyst will notice these unusual incidents in the summary. ” From that point onwards, it’s like the start of a police investigation...

Depending on the attack, it can be useful to analyse a specific type of data ”, explains the researcher Christophe Bidan , former head of the Cidre team and scientific advisor for Malizen. “These summaries show the different data next to each other. The analyst will have the option of consulting a piece of data in isolation or in correlation with others in order to tug at the string and to get closer to the source of the problem. They may ask which IP address was responsible for generating a particular error code, for example. They will select two types of data, after which the tool will automatically construct the most suitable visualisation. Once the IP address has been identified, the analyst may choose to focus on this address in an attempt to find all of the other incidents linked to it. They will then be able to pick up clues, helping them to progress with their investigation.”
In order to do so, every corner of the information system must be searched. “It can be difficult to get a comprehensive overview for large entities” , explains Christopher. “There are a lot of different types of data, different departments and different machines. Our tool makes it easier to access this wide range of sources, whether that’s the website, the telephone network or the security badges used to access the premises. Intrusions can happen anywhere, meaning it’s important to take all of these incidents into account.


Security doesn’t begin with crisis management, however. “Our solution can also be used for the purposes of verification. Analysts will be able to use ZeroKit to carry out occasional assessments of their systems as part of their prevention processes. In cybersecurity, speed is very much of the essence. In major systems, it takes an average of 191 days to identify a data leak!” 

Set for release in 2019, the software will be available in the form of an annual license, and is targeted at the defence sector, as well as major industrial groups. “We’re in discussions with DGA-MI and the French Ministry of Defence’s IT defence analysis centre (CALID). We have been meeting with telephone providers, insurance companies, major energy producers, etc. But we’re also looking to devise a package that’s affordable for SMEs. In these companies, it is increasingly common for system administrators to focus on data security. Our solution will enable them to get on top of the situation.”

Keywords: Malizen INRIA Rennes - Bretagne Atlantique Startup Innovation