{"id":1123,"date":"2018-12-11T14:35:00","date_gmt":"2018-12-11T13:35:00","guid":{"rendered":"https:\/\/samovar2022.int-evry.fr\/index.php\/2018\/12\/11\/securite-dans-le-cloud-framework-de-detection-de-menaces-internes-base-sur-lanalyse-danomalies\/"},"modified":"2020-09-04T18:45:45","modified_gmt":"2020-09-04T16:45:45","slug":"securite-dans-le-cloud-framework-de-detection-de-menaces-internes-base-sur-lanalyse-danomalies","status":"publish","type":"post","link":"https:\/\/samovar.telecom-sudparis.eu\/index.php\/2018\/12\/11\/securite-dans-le-cloud-framework-de-detection-de-menaces-internes-base-sur-lanalyse-danomalies\/","title":{"rendered":"\u00ab Cloud security: an insider threat detection framework based on anomaly analysis \u00bb"},"content":{"rendered":"<p>The Doctoral School of Information and Communication Sciences and Technologies and the SAMOVAR research laboratory (Services r\u00e9partis, Architectures, MOd\u00e9lisation, Validation, Administration des R\u00e9seaux)<\/p>\n<p>present<br \/>\nthe NOTICE OF THESIS DEFENSE of <strong>Ms Pamela CARVALLO<\/strong><br \/>\nwho is authorised to present her work for the degree of Doctor of Universit\u00e9 Paris-Saclay in Computer Science, prepared at T\u00e9l\u00e9com SudParis<\/p>\n<p>\u00ab Cloud security: an insider threat detection framework based on anomaly analysis \u00bb<br \/>\n<strong>MONDAY 17 December 2018 at 10:30<\/strong><\/p>\n<p>at T\u00e9l\u00e9com SudParis, room C004<br \/>\n9 Rue Charles Fourier, 91000 \u00c9vry<\/p>\n<p><strong>Members of the jury:<\/strong><\/p>\n<table>\n<tbody>\n<tr class='row_even'>\n<td>
Mr St\u00e9phane MAAG, Professor, T\u00e9l\u00e9com SudParis, FRANCE<\/td>\n<td> Thesis supervisor<\/td>\n<\/tr>\n<tr class='row_odd'>\n<td>Ms Natalia KUSHIK, Associate Professor, T\u00e9l\u00e9com SudParis, FRANCE<\/td>\n<td> Examiner<\/td>\n<\/tr>\n<tr class='row_even'>\n<td>Ms Ana CAVALLI, Professor Emerita, T\u00e9l\u00e9com SudParis, FRANCE<\/td>\n<td> Examiner<\/td>\n<\/tr>\n<tr class='row_odd'>\n<td>Mr Wissam MALLOULI, Research Engineer, Montimage, FRANCE<\/td>\n<td> Examiner<\/td>\n<\/tr>\n<tr class='row_even'>\n<td>Mr Pascal POIZAT, Professor, LIP6, FRANCE<\/td>\n<td> Examiner<\/td>\n<\/tr>\n<tr class='row_odd'>\n<td>Mr Abdelhamid MELLOUK, Professor, Universit\u00e9 de Cr\u00e9teil, FRANCE<\/td>\n<td> Examiner<\/td>\n<\/tr>\n<tr class='row_even'>\n<td>Ms H\u00e9l\u00e8ne WAESELYNCK, Research Director, LAAS, FRANCE<\/td>\n<td> Reviewer<\/td>\n<\/tr>\n<tr class='row_odd'>\n<td>Ms Norah CUPPENS, Research Director, IMT Atlantique, FRANCE<\/td>\n<td> Reviewer<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Summary:<\/strong><\/p>\n<p>Cloud Computing (CC) opens new possibilities for more flexible and efficient services for Cloud Service Clients (CSCs). However, migrating to the cloud also raises a series of problems, notably that what was once a private domain for CSCs is now managed by a third party, and is therefore subject to its security policies. Consequently, the availability, confidentiality and integrity of CSCs must be ensured. Despite the existence of protection mechanisms such as encryption, monitoring these properties becomes necessary. Moreover, new threats appear every day, which calls for new, more efficient detection techniques. 
The work presented in this document goes beyond the state of the art by addressing the malicious insider threat, one of the least studied threats in CC. This is mainly explained by the organisational and legal obstacles in industry, and hence by the lack of suitable datasets for detecting it. We address this question through two main contributions. First, we propose the derivation of an extensible methodology for modelling the behaviour of a user within a company. This abstraction of an employee includes intra-psychological factors as well as contextual information, and draws on a role-based approach. Behaviours follow a probabilistic procedure, in which malicious motivations are expected to occur with a given probability over time. The main contribution of this work consists in designing and implementing an anomaly-based detection framework for the aforementioned threat. This implementation is enriched by comparing two different data capture points: a profile-based view of the company's local network, and a cloud-side view that analyses the data of the services with which the clients interact. This allows the anomaly learning process to benefit from two perspectives: (1) the study of real and simulated traffic with respect to the interaction with the cloud computing service, so as to characterise anomalies; and (2) the analysis of the cloud service in order to add statistics that take the overall characterisation of behaviour into account. 
The design of this framework made it possible to empirically detect a broader set of anomalies in a given company's interaction with the cloud. This is possible because of the replicable and extensible nature of the model. Furthermore, the proposed detection model takes advantage of a clustering machine learning technique, following an unsupervised adaptive algorithm capable of characterising the evolving behaviours of users towards cloud assets. The solution efficiently tackles anomaly detection by showing high levels of clustering performance while keeping a low False Positive Rate (FPR), thereby guaranteeing detection performance for threat scenarios in which the threat comes from within the company itself.<\/p>\n<p><strong>Abstract:<\/strong><\/p>\n<p>Cloud Computing (CC) opens new possibilities for more flexible and efficient services for Cloud Service Clients (CSCs). However, one of the main issues when migrating to the cloud is that what was once a private domain for CSCs is now handled by a third party, and is hence subject to its security policies. Therefore, CSCs&rsquo; confidentiality, integrity, and availability (CIA) should be ensured. In spite of the existence of protection mechanisms, such as encryption, the monitoring of the CIA properties becomes necessary. Additionally, new threats emerge every day, requiring more efficient detection techniques. The work presented in this document goes beyond the state of the art by treating the malicious insider threat, one of the least studied threats in CC. This is mainly due to the organizational and legal barriers from the industry, and therefore the lack of appropriate datasets for detecting it. We tackle this matter by addressing two challenges. 
First, the derivation of an extensible methodology for modeling the behavior of a user in a company. This abstraction of an employee includes intra-psychological factors and contextual information, and is based on a role-based approach. The behaviors follow a probabilistic procedure, in which malevolent motivations are considered to occur with a given probability over time. The main contribution is the design and implementation of an anomaly-based detection framework for the aforementioned threat. This implementation is enriched by comparing two different observation points: a profile-based view from the local network of the company, and a cloud-end view that analyses data from the services with which the clients interact. This allows the anomaly learning process to benefit from two perspectives: (1) the study of both real and simulated traffic with respect to the interaction with the cloud service, in support of the characterization of anomalies; and (2) the analysis of the cloud service in order to aggregate data statistics that support the overall behavior characterization. The framework is shown empirically to detect a broader set of anomalies in the company&rsquo;s interaction with the cloud. This is possible due to the replicable and extensible nature of the insider model mentioned above. The proposed detection model also takes advantage of the autonomic nature of a clustering machine learning technique, following an unsupervised, adaptive algorithm capable of characterizing the evolving behaviors of users towards cloud assets. 
The solution efficiently tackles the detection of anomalies by showing high levels of clustering performance while keeping a low False Positive Rate (FPR), which ensures detection performance for threat scenarios in which the threat comes from inside the enterprise.<\/p>\n","protected":false},"author":1,"featured_media":1122,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[314],"tags":[],"class_list":["post-1123","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-theses-2018-fr","entry","has-media"]}