This axis of the Sotern team focuses on the design of self-protection solutions leveraging the MAPE-k control loop in dynamic and large-scale distributed systems. As part of the four components (Monitor, Analyze, Plan and Execute) the framework encompasses, the team especially emphasizes the Analyse and Plan ones, assuming that the other two are already provided by existing technologies. To argue this positioning, we consider the standardization efforts that are currently either acknowledged or under discussion at the IETF for instance. Regarding the Monitoring block, the team assumes the existence of components instrumentation, data models, and low-level monitoring protocols (e.g., in-band telemetry or flow monitoring) as a substrate, while the Execute block can be implemented through existing orchestration technologies (e.g., Kubernetes) and configuration management protocols (e.g.,Netconf, Openflow). Consequently, the axis focuses on scientific locks related to the analysis of monitoring data to detect deviant behaviors acting as an attack on an operated system and eventually make an enlightened decision to mitigate them, all of this considering the large-scale, dynamic and highly distributed features of the monitored system.
As such, the scientific challenges the Sotern team aims to address in this second axis of the team, whose identifiers can be retrieved in the overall picture of the Sotern team activities, are as follows:
C2-1: Addressing the uncertainty of monitored domains
In this challenge, we wish to empower the security monitoring of large systems, by using Artificial Intelligence to improve the quality of experience of security analysts in their daily work. For example, we seek to extract correlations between alerts raised by SIEMs and infer potential missing observations. These methods would make it possible to identify complex APT or multi-party attacks. The applications of these methods are numerous, from network cores to 5G architectures, including critical infrastructures and industry 4.0.
This challenge is currently addressed in the context of the national program AI@IMT and especially within the PhD thesis of Antoine Rebstock.
C2-2: Designing efficient and scalable distributed detection solutions
In very large-scale systems, typically located at the edge of the Internet such as connected objects or virtualized environments, in which there can be several hundred thousands or even several million of elements to monitor within the same domain, scalable and lightweight detection solutions are essential. In this challenge, the Sotern team proposes to go beyond the limits of state-of-the-art approaches by developing methods which make it possible both to deal with such scales of systems while controlling the costs of computation and communication. It especially considers dedicated communication substrates and machine learning paradigms such as:
- Content-oriented approaches which make it possible to consider monitoring data or detection function results as data exchangeable between probes and cacheable in the network constituted by the components to be monitored;
- Federated Learning (FL), which enables local detection and mitigation with low latency, while collaboratively learning from others and preserving privacy. FL also promises to solve other drawbacks of state-of-the-art Machine Learning based IDS, e.g., local bias due to a lack of heterogeneity in the training dataset.
This challenge is currently addressed within the PhD thesis of Léo Lavaur, funded by the Cyber CNI chaire.
C2-3: Ensuring the trust of managed elements
In current networking infrastructures, managed elements taking part in a network service delivery (e.g., routers, IDS, firewalls, NAT, transcoders, etc.) are of an heterogeneous nature. In such a context, that is highly distributed by nature, and with no real trust: each entity might have its own interest function and want to maximize it. As a consequence, one can legitimately wonder if and how, one can deploy such a service composition while respecting the constraints imposed by it. We focuses especially on the elements necessary to implement a secure composition of network functions in a service, without recourse to a trusted third party.
This challenge is currently addressed in the context of the national BPI 5G and Beyond and especially within the PhD thesis of Pierre-Marie Lechevalier.