Véronique Legrand - Academia.edu
Papers by Véronique Legrand
Foundations and Practice of Security, 2018
The advent of massive and highly heterogeneous information systems poses major challenges to professionals responsible for IT security. The huge amount of monitoring data currently being generated means that no human being or group of human beings can cope with their analysis. Furthermore, fully automated tools still lack the ability to track the associated events in a fine-grained and reliable way. Here, we propose the HuMa framework for detailed and reliable analysis of large amounts of data for security purposes. HuMa uses a multi-analysis approach to study complex security events in a large set of logs. It is organized around three layers: the event layer, the context and attack pattern layer, and the assessment layer. We describe the framework components and the set of complementary algorithms for security assessment. We also provide an evaluation of the contribution of the context and attack pattern layer to security investigation. This work was partially supported by the French Banque Publique d'Investissement (BPI) under program FUI-AAP-19 in the frame of the HuMa project.
Keywords: reverse engineering, trace engineering, logs, abduction, root-cause search, systemic approach. I INTRODUCTION Securing large Cloud-type architectures involves immense complexity and already calls on a multiplicity of skills. Classical teaching, which mostly favours understanding component by component (firewall, ...), should therefore be complemented by teaching the architecture of the information system as a whole. II MOTIVATIONS In order to understand the security of complex architectures, a variety of learning and training methods is an asset. Today, teaching through lectures, tutorials or lab sessions develops a good understanding of how a specific mechanism works, theme by theme (IP, VPN, VoIP, ...), but does not make it possible to understand the interactions these various mechanisms have with one another while operating. To achieve the teaching of this global vision, we believe that the learn...
EURASIP Journal on Information Security, 2018
Current attacks are complex and stealthy. The recent WannaCry malware campaign demonstrates that this is true not only for targeted operations, but also for massive attacks. Complex attacks can only be described as a set of individual actions composing a global strategy. Most of the time, different devices are involved in the same attack scenario. Information about the events recorded in these devices can be collected in the shape of logs in a central system, where an automatic search of threat traces can be implemented. Much has been written about automatic event correlation to detect multi-step attacks, but the proposed methods are rarely brought together in the same platform. In this paper, we propose OMMA (Operator-guided Monitoring of Multi-step Attacks), an open and collaborative engineering system which offers a platform to integrate the methods developed by the multi-step attack detection research community. Inspired by the HuMa (Navarro et al., HuMa: A multi-layer framework for threat analysis in a heterogeneous log environment, 2017) and Knowledge and Information Logs-based System (Legrand et al., Vers une architecture «big-data» bio-inspirée pour la détection d'anomalie des SIEM, 2014) systems, OMMA incorporates real-time feedback from human experts, so the integrated methods can improve their performance through a learning process. This feedback loop is used by Morwilog, an Ant Colony Optimization-based analysis engine that we present as one of the first methods to be integrated in OMMA.
Proceedings of the 8th international conference on New technologies in distributed systems - NOTERE '08, 2008
Many works have been carried out in event correlation and intrusion detection. Although they use different methods or correlation approaches, they all highlight the importance of time in their modeling process. In this paper, we suggest a new time consideration for our previous work on Bayesian behavior intrusion detection. Using a probabilistic approach, we introduce time consideration in the profile of
Non-digestible food additives are prepared by heating starch with an edible di- or tri-basic carboxylic acid, or anhydrides thereof, at 140 DEG to 220 DEG C. under reduced pressure and in the presence of less than 5% water for sufficient time to form a non-digestible product.
... Acknowledgements. I would first like to thank Salem Benferhat and Djamal Zeghlache for agreeing to be my reviewers, as well as Mireille Ducassé and Benjamin Morin, who did me the honour of sitting on my jury. ...
Second International Conference on Internet Monitoring and Protection (ICIMP 2007), 2007
This paper describes a diagnosis model and architecture for enterprise-level security event correlation called DIM (Diagnostic and Investigation Models). Our work is motivated by the existing limits of holistic Information System security surveillance solutions suited to monitoring information systems. We address this issue in this paper and propose an architectural foundation. Our approach is based on an ontology-driven diagnosis process coupled with an enriched information model derived from CIM (Common Information Model) and a policy model.