Juliette Dromard - Academia.edu
Papers by Juliette Dromard
Wireless mesh networks (WMNs) are easily deployable, low-cost networks that can extend the Internet into areas that other networks can hardly reach. However, several quality of service (QoS) and security problems hold back the large-scale deployment of WMNs. In this thesis, we propose an admission control (AC) model and a reputation system in order to improve the performance of the mesh network and protect it from malicious nodes. Our AC system aims to guarantee the QoS of the flows admitted into the network in terms of bandwidth and delay while maximizing the use of the channel capacity. The idea of our solution is to combine admission control with link scheduling in order to increase the available bandwidth. We also propose a reputation system whose purpose is to detect malicious nodes and limit the false alarms induced by the loss of pa...
Advances in Intelligent Systems and Computing, 2019
Network anomalies are unusual traffic mainly induced by network attacks or network failures. Therefore it is important for network operators as end users to detect and diagnose them to protect their network. However, these anomalies keep changing in time; it is therefore important to propose detectors which can learn from the traffic and spot anomalies without relying on any previous knowledge. Unsupervised network anomaly detectors reach this goal by taking advantage of machine learning and statistical techniques to spot the anomalies. There exist many unsupervised network anomaly detectors in the literature. Each algorithm puts forward its good detection performance, therefore it is difficult to select one detector among the large set of available detectors. Therefore, this paper presents an extensive study and assessment of a set of well-known unsupervised network anomaly detectors, and underlines their strengths and weaknesses. This study overwhelms previous similar evaluation by considering for the comparison some new, original and of premier importance parameters as detection similarity, detectors sensitivity and curse of dimensionality, together with the classical detection performance, and execution time parameters.
Deliverable D4.3 aims at presenting the experimental evaluation of algorithms for online network characterization. These algorithms aim at characterizing the network by detecting anomalies in real time and in an unsupervised way. The first part of this document presents the experimental design exploited to test the platform and the algorithms, and provides detailed information about their configuration and parameterization. This deliverable is used as a base for the implementation of the use case 1 prototype in the context of WP5. Sections 4, 5 and 7 present the works performed on unsupervised network anomaly detection. Section 4 describes the generation of a ground truth called SynthONTS for Synthetic Network Traffic Characterization of the ONTS Dataset. This ground truth is used to validate the unsupervised network anomaly detector presented in section 4. We claim that this ground truth is realistic, contains many different anomalies and is exhaustive in the anomaly labelling. Se...
The purpose of Deliverable D5.3 is to provide information about how the algorithms developed in scientific work packages have been applied in use cases. Although it is possible to assume that integration should have been straightforward, in general, adaptations, configurations, and transformations are needed. For instance, the following adaptation could have been needed: Interface adaptation: it means not only protocol (many times a specific protocol wrapper has been designed), but also data model adaptation. Sometimes it has been also interconnected using other off-the-shelf systems such as data brokers, cloud platforms... Redesign if the algorithm was designed in a language/technology different from the one used in the use case. Also, the following information would be needed in order to fully understand how the algorithms are run: The parameters used in the algorithm implementation within the use case. For instance, if considering a Spark Streaming-based algorithm, the size of the window...
2017 IEEE 2nd International Workshops on Foundations and Applications of Self* Systems (FAS*W), Sep 1, 2017
Traffic anomaly detection is of premier importance for network administrators as anomalies have a dramatic impact on network performances, and QoS perceived by users. It is, however, a very time-consuming and costly task that often requires decision from network and security experts. For making anomaly detection autonomous, many research works started investigating the use of unsupervised machine learning techniques, and in most cases traffic clustering. Identifying the clusters corresponding to anomalous traffic classes among the full set of detected clusters still remains a challenge. This is mostly due to the nature of clustering techniques that work on traffic samples of a given duration, each cluster being classified after an uncertain post processing stage. In this paper, we show how anomaly detectors can benefit from keeping a temporal track of the clustering results along time. This improvement has been added to ORUNADA (Online Real-time Unsupervised Network Anomaly detection Algorithm) that aimed at providing efficient anomaly detection on high speed networks. This new ORUNADA version, called H-ORUNADA for History-ORUNADA, is then evaluated on a new ground truth, called SynthONTS, that is currently designed to provide a modern and complete dataset with labeled anomaly. H-ORUNADA has also been implemented on Spark Streaming for being able to work on very high speed networks (targeting several hundreds of Gbits/s), and evaluated on the Google Cloud Platform.
IEEE Transactions on Network and Service Management
Nowadays, network intrusion detectors mainly rely on knowledge databases to detect suspicious traffic. These databases have to be continuously updated which requires important human resources and time. Unsupervised network anomaly detectors overcome this issue by using "intelligent" techniques to identify anomalies without any prior knowledge. However, these systems are often very complex as they need to explore the network traffic to identify flow patterns. Therefore, they are often unable to meet real-time requirements. In this paper, we present a new Online and Real-time Unsupervised Network Anomaly Detection Algorithm: ORUNADA. Our solution relies on a discrete time-sliding window to update continuously the feature space and an incremental grid clustering to detect rapidly the anomalies. The evaluations showed that ORUNADA can process online large network traffic while ensuring a low detection delay and good detection performance. The experiments performed on the traffic of a core network of a Spanish intermediate Internet service provider demonstrated that ORUNADA detects in less than half a second an anomaly after its occurrence. Furthermore, the results highlight that our solution outperforms in terms of TPR and FPR existing techniques reported in the literature.
annals of telecommunications - annales des télécommunications, 2015
Communications in Computer and Information Science, 2015
Network anomaly detection relies on intrusion detection systems based on knowledge databases. However, building this knowledge may take time as it requires manual inspection of experts. Actual detection systems are unable to deal with 0-day attack or new user's behavior and in consequence they may fail in correctly detecting intrusions. Unsupervised network anomaly detectors overcome this issue as no previous knowledge is required. In counterpart, these systems may be very slow as they need to learn traffic's pattern in order to acquire the necessary knowledge to detect anomalous flows. To improve speed, these systems are often only exposed to sampled traffic; harmful traffic may then avoid the detector examination. In this paper, we propose to take advantage of new distributed computing framework in order to speed up an Unsupervised Network Anomaly Detector Algorithm, UNADA. The evaluation shows that the execution time can be improved by a factor of 13 allowing UNADA to process large traces of traffic in real time.
2013 27th International Conference on Advanced Information Networking and Applications Workshops, 2013
Lecture Notes in Computer Science, 2014
Wireless mesh networks (WMNs) are very attractive networks as they are low cost and able to extend Internet rapidly in areas where other networks (e.g., Wi-Fi, MANETs, wired networks, 3G) cannot access due to their technical and/or economical limitations. However, these networks have to deal with security issues which prevent their deployment. In this paper, we propose a new reputation scheme which aims at preventing nodes from falsely detecting their neighbors as misbehaving due to packet loss over their links. The proposed reputation scheme is based on the fact that a link's packet loss ratio, when it is computed over a large quantity of observations, is quite stable over time. To detect misbehaving neighbors, a node, via its IDS, compares with the statistical method CUSUM (cumulative sum control chart) whether the distribution of packet loss rate observed for each of its neighbors follows the expected distribution or not. The validation of our solution shows that it allows to assign to nodes a trust value which reflects their real behavior.
Lecture Notes in Computer Science, 2012
Global Information Infrastructure Symposium - GIIS 2011, 2011
... Technologies of Troyes (UTT), STMR, UMR CNRS 6279 12, rue Marie Curie 10000 - Troyes, France Email: rida.khatoun@utt.fr, lyes.khoukhi@utt ... In this way, a hacker node cannot intercept the password by listening to the network, and this prevents problems of using passwords ...
This deliverable presents the result of the work carried out during the first three months of the GIS 3SGS Acda-P2P project, whose objective is to propose a collaborative architecture for attack detection in peer-to-peer networks. It presents a state of the art that covers the various scientific and technical aspects of the project. First, peer-to-peer networks and their architectures are detailed. Second, the monitoring methods for this type of network are presented and compared. Third, the security flaws in peer-to-peer networks are highlighted. Finally, collaborative approaches, as solutions for the security of networks and services, are presented.
Background: Wireless mesh networks (WMNs) are a very attractive new field of research. They are low cost, easily deployed, and a high-performance solution to last-mile broadband Internet access. In WMNs, admission control (AC) is one of the key traffic management mechanisms that should be deployed to provide quality of service (QoS) support for real-time traffic. Results: In this paper, we introduce a novel admission control model, based on bandwidth and delay parameters, which integrates a dynamic link scheduling scheme. The proposed model is built on two different methods to access the medium: on a contention-based channel access method for control packets and on a dynamic time division multiple access (DTDMA) for data packets. Each time a new flow is admitted in the network, the WMN's link scheduling is modified according to the flows' requirement and network conditions while respecting the signal-to-interference-plus-noise ratio (SINR); this allows establishing collision-free transmissions. Conclusions: Using extensive simulations, we demonstrate that our model achieves high resource utilization by improving throughput, establishing collision-free transmission, as well as respecting requirements of admitted flows in terms of delay and bandwidth.