Digital Security

Cybersecurity: analysing intrusions with the LHS

Changed on 26/05/2021
How can cyberattacks be anticipated in order to boost IT security? The LHS (Laboratoire de Haute Sécurité - High Security Laboratory), a joint platform developed by engineers from the Inria Nancy - Grand Est research center and Loria, hosts an ultra-secure environment for collecting, experimenting and analysing numerous data sets on attempted intrusions and security attacks. It is used by researchers to monitor trends and to identify potential threats as far in advance as possible.
Server room of the Laboratoire Haute Sécurité (LHS)
© Inria / Photo Kaksonen

Targeted, shape-shifting cyberattacks

Cyberattacks are increasingly widespread and are a growing concern for international institutions. “They are often linked to what is going on in the real world, and so it is no surprise that a health crisis like what we have seen with Covid-19 has led to a rise in cyberattacks,” observes Abdelkader Lahmadi, a lecturer at the University of Lorraine and a researcher in the RESIST project team, a joint undertaking involving Inria and Loria. Such an attack took place at Dax hospital in Landes, which had its IT system brought to a standstill by ransomware in early 2021. Cyberattacks have also targeted television stations (TV5 Monde and France Télévisions) and local authorities, such as those in Angers and Douai.

Continuously expanding our knowledge of malware

In France, the High Security Laboratory (LHS - Laboratoire de Haute Sécurité), which was set up in 2008 by the Inria Nancy - Grand Est research centre with support from the ERDF (the European Regional Development Fund), the Grand Est region, the Grand Nancy metropolitan area and the French Ministry for Higher Education and Research, is at the forefront of research on the subject. “To date we have collected and saved somewhere in the region of 35 million types of malware,” explains Frédéric Beck, a research engineer. “This ranges from worms, which are quite well-known and which have been around for the past fifteen years or so, to ransomware such as WannaCry or Petya, or programmes that are even more critical and dangerous, which are considered to be ‘cyber-weapons’. These are often assigned to us by major partners.” The LHS’s aim is to constantly expand its knowledge of malware and how it evolves over time.

For collection purposes, a network telescope constantly gathers information on malicious code and signs of upcoming attacks. “The system observes connected objects and machines connected to the internet (computers, smartphones, cameras, scanners, thermostats, etc.) in order to gather information on programmes which are scanning the web seeking out weaknesses to exploit,” explains Frédéric Beck. “This is typically the case right now for ports using the Telnet protocol, through which a connected object can be linked up to a server, and which are an increasingly common target for attackers. The telescope also helps us to identify trends in terms of what attackers are looking for.”

The 20 most attacked apps

Screenshot of the Visu LHS home page
© Frédéric Beck

In 2014 Inria teamed up with the NICT, Japan’s National Institute of Information and Communications, to develop a shared platform for viewing attacks identified using their respective telescopes. The VISU LHS presents a user-friendly top 20 of the most attacked apps in near real-time, with a 3D data map, helping to boost the visibility of the work carried out by the LHS in Nancy, particularly among manufacturers and decision-makers.

Probes and bait

The engineers from Inria Nancy - Grand Est’s testing and development department are responsible for maintaining and developing the laboratory’s platform, which employs two main methods. The first is the so-called “honeypot” method, which involves putting a machine on the network that is artificially made to look vulnerable, the aim being to get an attacker to believe they are attacking a real machine. The second involves analysing the background noise of the internet in order to observe large-scale threats such as scans and distributed denial-of-service attacks by collecting messages sent to unused addresses. In order to prevent any leaks, the programmes and data collected in this way are stored in a secure environment that is not connected to any network and which is protected both digitally and physically.
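The telescope-side analysis described above and in the earlier passages (probes against unused addresses, a ranking of the most attacked services, and background noise that reveals scans and denial-of-service floods) can be sketched as follows. This is an added example with constructed packet records, not the LHS’s own tooling; the flag encoding (“S”, “SA”, “R”) and the port-to-service table are assumptions. It goes one step beyond the text in showing how a flood surfaces in a telescope: as unsolicited SYN-ACK/RST replies (backscatter) from a victim whose attackers spoofed our unused addresses as the source.

```python
from collections import Counter, defaultdict

# Constructed sample of packets arriving at unused ("dark") addresses. No real
# host lives there, so each packet is a probe, backscatter from a flooded
# victim, or a misconfiguration. Fields: src, dst, dport, tcp_flags.
TELESCOPE_PACKETS = [
    ("198.51.100.7", "203.0.113.1", 23, "S"),
    ("198.51.100.7", "203.0.113.2", 23, "S"),
    ("198.51.100.7", "203.0.113.3", 23, "S"),
    ("198.51.100.7", "203.0.113.4", 2323, "S"),
    ("198.51.100.9", "203.0.113.5", 445, "S"),
    ("198.51.100.9", "203.0.113.5", 22, "S"),
    ("192.0.2.10", "203.0.113.6", 40001, "SA"),  # reply to a SYN we never sent
    ("192.0.2.10", "203.0.113.7", 40002, "SA"),
    ("192.0.2.10", "203.0.113.8", 40003, "R"),
]

# Assumed mapping from well-known ports to the "app" they expose.
SERVICE_NAMES = {22: "ssh", 23: "telnet", 80: "http", 445: "smb", 2323: "telnet-alt"}

def is_probe(flags):
    """Inbound SYN without ACK: someone initiating a connection to a dark address."""
    return "S" in flags and "A" not in flags

def top_targeted_ports(packets, n=20):
    """Rank destination ports of probe packets, like a 'most attacked apps' view."""
    counts = Counter(dport for _, _, dport, flags in packets if is_probe(flags))
    return [(SERVICE_NAMES.get(p, str(p)), c) for p, c in counts.most_common(n)]

def detect_scanners(packets, min_targets=3):
    """Sources whose probes reach at least min_targets distinct dark addresses."""
    targets = defaultdict(set)
    for src, dst, _, flags in packets:
        if is_probe(flags):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def detect_backscatter(packets, min_targets=2):
    """SYN-ACK or RST sent to dark addresses that never initiated anything: the
    sender is most likely the victim of a flood using spoofed source addresses."""
    targets = defaultdict(set)
    for src, dst, _, flags in packets:
        if not is_probe(flags) and ("A" in flags or "R" in flags):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    print(top_targeted_ports(TELESCOPE_PACKETS, 3))
    print(detect_scanners(TELESCOPE_PACKETS))
    print(detect_backscatter(TELESCOPE_PACKETS))
```

On real telescope data the same three passes run over flow records exported by the collector; the thresholds here are deliberately low for the small sample.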

This information can be viewed confidentially by industrial partners and researchers, including as part of the EU cybersecurity projects SPARTA and CONCORDIA. This is also the case for RESIST, a project team which “designs, develops and validates new models, algorithms and tools for resilient network systems”, explains Abdelkader Lahmadi, and which has developed expertise in intrusion detection and in analysing attacks targeting network systems. The researchers from the Loria CARBONE team also use LHS resources to carry out morphological analysis of malware and to graphically represent components that are sometimes inherited from other programmes on which a given piece of malware is based.

Anticipating cyberattacks

Between 2018 and the end of 2020, as part of the NATO-funded ThreatPredict project, researchers from RESIST, Carnegie Mellon University in the USA and the International University of Rabat also developed machine learning algorithms which capture the spatio-temporal dynamics of cyberattacks and social, geopolitical and technological incidents worldwide. 

Ghita Mezzour, who collaborated on this project and who has just founded Dasec (an abbreviation of ‘Data In Seconds’), a Morocco-based start-up specialising in artificial intelligence and big data analysis, explains more: “Our aim was to combine data from the dark web (the underground part of the internet that is not indexed by search engines) and social media in order to predict the types of breaches that might interest attackers in the near future. The international nature of the project really helped us: we had access to vast deposits of analysable data, chiefly from the LHS and from the USA.” This sort of data is the key ingredient for any recipe aimed at improving IT security.