Theses / dissertations on the topic "Apprentissage automatique – Réseaux d'ordinateurs – Mesures de sûreté"
Create an accurate reference in APA, MLA, Chicago, Harvard, and other styles
See the 26 best works (theses / dissertations) for studies on the subject "Apprentissage automatique – Réseaux d'ordinateurs – Mesures de sûreté".
Next to each source in the reference list there is an "Add to bibliography" button. Click it and we will automatically generate the bibliographic citation of the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.
You can also download the full text of the scientific publication in .pdf format and read the abstract of the work online if it is present in the metadata.
Browse theses / dissertations from the most diverse scientific fields and compile a correct bibliography.
Maudoux, Christophe. "Vers l’automatisation de la détection d’anomalies réseaux". Electronic Thesis or Diss., Paris, HESAM, 2024. http://www.theses.fr/2024HESAC009.
We live in a hyperconnected world. Currently, the majority of the objects surrounding us exchange data either among themselves or with a server. These exchanges consequently generate network activity. It is the study of this network activity that interests us here and forms the focus of this thesis. Indeed, all messages and thus the network traffic generated by these devices are intentional and therefore legitimate. Consequently, it is perfectly formatted and known. Alongside this traffic, which can be termed "normal," there may exist traffic that does not adhere to expected criteria. These non-conforming exchanges can be categorized as "abnormal" traffic. This illegitimate traffic can be due to several internal and external causes. Firstly, for purely commercial reasons, most of these connected devices (phones, watches, locks, cameras, etc.) are poorly, inadequately, or not protected at all. Consequently, they have become prime targets for cybercriminals. Once compromised, these communicating devices form networks capable of launching coordinated attacks: botnets. The traffic induced by these attacks or the internal synchronization communications within these botnets then generates illegitimate traffic that needs to be detected. Our first contribution aims to highlight these internal exchanges, specific to botnets. Abnormal traffic can also be generated when unforeseen or extraordinary external events occur, such as incidents or changes in user behavior. These events can impact the characteristics of the exchanged traffic flows, such as their volume, sources, destinations, or the network parameters that characterize them. Detecting these variations in network activity or the fluctuation of these characteristics is the focus of our subsequent contributions. This involves a framework and resulting methodology that automates the detection of these network anomalies and potentially raises real-time alerts.
Shbair, Wazen M. "Service-Level Monitoring of HTTPS Traffic". Electronic Thesis or Diss., Université de Lorraine, 2017. http://www.theses.fr/2017LORR0029.
In this thesis, we provide a privacy-preserving approach for monitoring HTTPS services. First, we investigate a recent technique for HTTPS services monitoring that is based on the Server Name Indication (SNI) field of the TLS handshake. We show that this method has many weaknesses, which can be used to cheat monitoring solutions. To mitigate this issue, we propose a novel DNS-based approach to validate the claimed value of SNI. The evaluation shows the ability to overcome this shortcoming. Second, we propose a robust framework to identify the accessed HTTPS services from a traffic dump, relying neither on a header field nor on the payload content. Our evaluation based on real traffic shows that we can identify encrypted HTTPS services with high accuracy. Third, we have improved our framework to monitor HTTPS services in real time. By extracting statistical features over the TLS handshake packets and a few application data packets, we can identify HTTPS services very early in the session. The obtained results and a prototype implementation show that our method offers good identification accuracy, high HTTPS flow processing throughput, and a low overhead delay.
Becker, Sheila. "Conceptual Approaches for Securing Networks and Systems". Phd thesis, Institut National Polytechnique de Lorraine - INPL, 2012. http://tel.archives-ouvertes.fr/tel-00768801.
Chaitou, Hassan. "Optimization of security risk for learning on heterogeneous quality data". Electronic Thesis or Diss., Institut polytechnique de Paris, 2023. http://www.theses.fr/2023IPPAT030.
Intrusion Detection Systems (IDSs) serve as critical components in network security infrastructure. In order to cope with the scalability issues of IDSs using handcrafted detection rules, machine learning is used to design IDSs trained on datasets. Yet, they are increasingly challenged by meta-attacks, called adversarial evasion attacks, that alter existing attacks to improve their evasion capabilities. These approaches, for instance, employ Generative Adversarial Networks (GANs) to automate the alteration process. Several strategies have been proposed to enhance the robustness of IDSs against such attacks, with significant success in strategies based on adversarial training. However, IDS evasion remains relevant as many contributions also show that adversarial evasion attacks are still efficient despite using adversarial training on IDSs. In this thesis, we investigate this situation and present contributions that improve the understanding of one of its root causes and guidelines to mitigate it. The first step is to better understand the possible sources of variability in IDS or evasion attack performances. Three potential sources are considered: methodological assessment issues, the inherent race to spend more computational resources in attack or defense, or issues in training and dataset acquisition when training IDSs. The first contribution consists of guidelines to conduct robust IDS assessments beyond the simple recommendation for empirical analysis. These guidelines cover both single experiment design and sensitivity analysis campaigns. The consequence of applying such guidelines is to obtain more stable results when changing training resource related parameters. Removing artifacts due to inadequate assessment procedures leads us to investigate why some selected parts of the considered dataset tend to be almost not affected by adversarial attacks. The second contribution is the formalization of adversarial neighborhoods: an alternative way to characterize adversarial samples. This formalization allows us to adapt and evaluate data quality criteria used for non-adversarial samples, such as the absence of contradictory samples, and apply similar criteria to adversarial sample datasets. From this concept, four threat situations have been identified with clear qualitative impacts either on the training of a robust IDS or on the attacker's ability to find more successful evasion attacks. Finally, we propose countermeasures to the identified threats and then perform an empirical quantitative assessment of both threats and countermeasures. The findings of these experiments highlight the need to identify and mitigate threats associated with a non-empty extended contradictory set. Indeed, this crucial vulnerability should be identified and addressed prior to IDS training.
Angoustures, Mark. "Extraction automatique de caractéristiques malveillantes et méthode de détection de malware dans un environnement réel". Electronic Thesis or Diss., Paris, CNAM, 2018. http://www.theses.fr/2018CNAM1221.
To cope with the large volume of malware, researchers have developed automatic dynamic tools for the analysis of malware like the Cuckoo sandbox. This analysis is partially automatic because it requires the intervention of a human expert in security to detect and extract suspicious behaviour. In order to avoid this tedious work, we propose a methodology to automatically extract dangerous behaviors. First of all, we generate activity reports from malware with the Cuckoo sandbox. Then, we group malware that are part of the same family using the Avclass algorithm. We then weight the most singular behaviors of each malware family obtained previously. Finally, we aggregate malware families with similar behaviors by the LSA method. In addition, we detail a method to detect malware from the same type of behaviors found previously. Since this detection is performed in a real environment, we have developed probes capable of generating traces of program behaviours in continuous execution. From these traces, we build a graph that represents the tree of programs in execution with their behaviors. This graph is updated incrementally because of the generation of new traces. To measure the dangerousness of programs, we execute the personalized PageRank algorithm on this graph as soon as it is updated. The algorithm gives a dangerousness ranking of processes according to their suspicious behaviour. These scores are then reported on a time series to visualize the evolution of this dangerousness score for each program. Finally, we have developed several alert indicators of dangerous programs in execution on the system.
Zaidi, Abdelhalim. "Recherche et détection des patterns d'attaques dans les réseaux IP à hauts débits". Phd thesis, Université d'Evry-Val d'Essonne, 2011. http://tel.archives-ouvertes.fr/tel-00878783.
Andreoni, Lopez Martin Esteban. "Un système de surveillance et détection de menaces utilisant le traitement de flux comme une fonction virtuelle pour le Big Data". Electronic Thesis or Diss., Sorbonne université, 2018. http://www.theses.fr/2018SORUS035.
The late detection of security threats causes a significant increase in the risk of irreparable damages, disabling any defense attempt. As a consequence, fast real-time threat detection is mandatory for security administration. In addition, Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost security solutions. We propose a fast and efficient threat detection system based on stream processing and machine learning algorithms. The main contributions of this work are i) a novel monitoring threat detection system based on streaming processing, ii) two datasets, first a dataset of synthetic security data containing both legitimate and malicious traffic, and the second, a week of real traffic of a telecommunications operator in Rio de Janeiro, Brazil, iii) a data pre-processing algorithm, a normalizing algorithm and an algorithm for fast feature selection based on the correlation between variables, iv) a virtualized network function in an Open source Platform for providing a real-time threat detection service, v) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, with a minimum number of sensors, and finally vi) a greedy algorithm that allocates on demand a sequence of virtual network functions.
Becker, Sheila. "Conceptual Approaches for Securing Networks and Systems". Electronic Thesis or Diss., Université de Lorraine, 2012. http://www.theses.fr/2012LORR0228.
Peer-to-peer real-time communication and media streaming applications optimize their performance by using application-level topology estimation services such as virtual coordinate systems. Virtual coordinate systems allow nodes in a peer-to-peer network to accurately predict latency between arbitrary nodes without the need to perform extensive measurements. However, systems that leverage virtual coordinates as supporting building blocks are prone to attacks conducted by compromised nodes that aim at disrupting, eavesdropping, or mangling the underlying communications. Recent research proposed techniques to mitigate basic attacks (inflation, deflation, oscillation) considering a single attack strategy model where attackers perform only one type of attack. In this work, we define and use a game theory framework in order to identify the best attack and defense strategies assuming that the attacker is aware of the defense mechanisms. Our approach leverages concepts derived from the Nash equilibrium to model more powerful adversaries. We apply the game theory framework to demonstrate the impact and efficiency of these attack and defense strategies using a well-known virtual coordinate system and real-life Internet data sets. Thereafter, we explore supervised machine learning techniques to mitigate more subtle yet highly effective attacks (frog-boiling, network-partition) that are able to bypass existing defenses. We evaluate our techniques on the Vivaldi system against a more complex attack strategy model, where attackers perform sequences of all known attacks against virtual coordinate systems, using both simulations and Internet deployments.
Bouzida, Yacine. "Application de l'analyse en composante principale pour la détection d'intrusion et détection de nouvelles attaques par apprentissage supervisé". Télécom Bretagne, 2006. http://www.theses.fr/2006TELB0009.
Kenaza, Tayeb. "Modèles graphiques probabilistes pour la corrélation d'alertes en détection d'intrusions". Electronic Thesis or Diss., Artois, 2011. http://www.theses.fr/2011ARTO0401.
In this thesis, we focus on modeling the problem of alert correlation based on probabilistic graphical models. Existing approaches either require a large amount of expert knowledge or use simple similarity measures which are not enough to detect coordinated attacks. We first proposed a new modeling for the alert correlation problem, based on naive Bayesian classifiers, which can learn the coordination between elementary attacks that contribute to the achievement of an attack scenario. Our model requires only a slight contribution of expert knowledge. It takes advantage of available data and provides efficient algorithms for detecting and predicting attack scenarios. Then we show how our alert correlation approach can be improved by taking into account contextual information encoded in description logics, particularly in the context of cooperative intrusion detection. Finally, we proposed several evaluation measures for naive Bayesian multi-classifiers. This is very important for evaluating our alert correlation approach because it uses a set of naive Bayesian classifiers to monitor multiple intrusion objectives simultaneously.
Faour, Ahmad. "Une architecture semi-supervisée et adaptative pour le filtrage d'alarmes dans les systèmes de détection d'intrusions sur les réseaux". Phd thesis, INSA de Rouen, 2007. http://tel.archives-ouvertes.fr/tel-00917605.
Yamak, Zaher Rabah. "Multiple identities detection in online social media". Thesis, Normandie, 2018. http://www.theses.fr/2018NORMIR01/document.
Since 2004, online social media have grown hugely. This fast development had interesting effects in increasing the connection and information exchange between users, but some negative effects also appeared, including the number of fake accounts growing day after day. Sockpuppets are multiple fake accounts created by the same user. They are the source of several types of manipulation such as those created to praise, defend or support a person or an organization, or to manipulate public opinion. In this thesis, we present SocksCatch, a complete process to detect and group sockpuppets, which is composed of three main phases: the first phase objective is the process preparation and data pre-processing; the second phase objective is the detection of the sockpuppet accounts using machine learning algorithms; the third phase objective is the grouping of sockpuppet accounts created by the same user using community detection algorithms. These phases are declined in three stages: a model stage to represent online social media, where we propose a general model of social media dedicated to the detection and grouping of sockpuppets; an adaptation stage to adjust the process to a particular social media, where we instantiate and evaluate the SocksCatch model on a selected social media; and a real-time stage to detect and group the sockpuppets online, where SocksCatch is deployed online on a selected social media. Experiments have been performed on the adaptation stage using real data crawled from English Wikipedia. In order to find the best machine learning algorithm for the sockpuppet detection phase, the results of six machine learning algorithms are compared. In addition, they are compared with the literature, and the results show that our proposition improves the accuracy of the detection of sockpuppets. Furthermore, the results of five community detection algorithms are compared for the sockpuppet grouping phase, in order to find the best community detection algorithm that will be used in the real-time stage.
Smache, Meriem. "La sécurité des réseaux déterministes de l’Internet des objets industriels (IIoT)". Thesis, Lyon, 2019. http://www.theses.fr/2019LYSEM033.
Time synchronization is a crucial requirement for the IEEE802.15.4e-based Industrial Internet of Things (IIoT). It is provided by the application of the Time-Slotted Channel-Hopping (TSCH) mode of IEEE802.15.4e. TSCH synchronization allows reaching low-power and high-reliability wireless networking. However, TSCH synchronization resources are an evident target for cyber-attacks. They can be manipulated by attackers to paralyze the whole network communications. In this thesis, we aim to provide a vulnerability analysis of the TSCH asset synchronization. We propose novel detection metrics based on the internal process of the TSCH state machine of every node without requiring any additional communications or capture or analysis of the packet traces. Then, we design and implement novel self-detection and self-defence techniques embedded in every node to take into account the intelligence and learning ability of the attacker, the legitimate node and the real-time industrial network interactions. The experiment results show that the proposed mechanisms can protect against synchronization attacks.
Ma, Mingxiao. "Attack Modelling and Detection in Distributed and Cooperative Controlled Microgrid Systems". Electronic Thesis or Diss., Université de Lorraine, 2021. http://www.theses.fr/2021LORR0111.
Modern low-voltage microgrid systems rely on distributed and cooperative control approaches to guarantee safe and reliable operational decisions of their inverter-based distributed generators (DGs). However, many sophisticated cyber-attacks can target these systems, deceive their traditional detection methods and cause a severe impact on the power infrastructure. In this thesis, we systematically study the vulnerabilities and threats of distributed controlled microgrid systems. We design a novel attack named "measurement-as-reference" (MaR) attack and take it as a typical stealthy attack example to theoretically analyze the attack impact on the microgrid system and use numerical simulation results to verify the analysis. We provide mathematical models of possible false data injection (FDI) and denial of service (DoS) attacks in a representative distributed and cooperative controlled microgrid system. We propose a secure control framework with an attack detection module based on machine learning techniques. To validate the effectiveness of this framework, we implement two typical attacks, MaR attack and delay injection attack, on a hardware platform modeled after a microgrid system. We collect datasets from the platform and validate the performance of multiple categories of machine learning algorithms to detect such attacks. Our results show that tree-based classifiers (Decision Tree, Random Forest and AdaBoost) outperform other algorithms and achieve excellent performance in detecting normal behavior, delay injection and false data attacks.
Zakroum, Mehdi. "Machine Learning for the Automation of Cyber-threat Monitoring and Inference". Electronic Thesis or Diss., Université de Lorraine, 2023. http://www.theses.fr/2023LORR0108.
Over the past few decades, cyber-threats have known a significant increase and continue to grow exponentially. Network operators and security practitioners are constantly striving to automate their defense strategies against large-scale cyber incidents and smaller-scale peculiar events targeting their networks. Improving the monitoring of security events and detecting attacks at an early stage are key features to prevent eventual damages or at least alleviate their impact. The traffic captured by network sensors such as network telescopes, also known as darknets, constitutes a rich source of cybersecurity intelligence. The data recorded by such sensors include different types of traffic ranging from benign traffic like regular scans performed by organizations for statistical purposes, to malicious cyber incidents like worm spread, vulnerability scans, and backscatter packets that come as a side effect of spoofed-source Denial of Service attacks. These data could be leveraged to automate and improve cyber-threat monitoring solutions and attack modeling and prediction. To this end, this thesis combines research works on the salient topics of cyber-threat monitoring and cyber-attack classification and forecasting.
Khatib, Natasha al. "Intrusion detection with deep learning for in-vehicle networks". Electronic Thesis or Diss., Institut polytechnique de Paris, 2023. http://www.theses.fr/2023IPPAT009.
In-vehicle communication, which refers to the communication and exchange of data between embedded automotive devices, plays a crucial role in the development of intelligent transportation systems (ITS), which aim to improve the efficiency, safety, and sustainability of transportation systems. The proliferation of embedded sensor-centric communication and computing devices connected to the in-vehicle network (IVN) has enabled the development of safety and convenience features including vehicle monitoring, physical wiring reduction, and improved driving experience. However, with the increasing complexity and connectivity of modern vehicles, the expanding threat landscape of the IVN is raising concerns. A range of potential security risks can compromise the safety and functionality of a vehicle, putting the life of drivers and passengers in danger. Numerous approaches have thus been proposed and implemented to alleviate this issue including firewalls, encryption, and secure authentication and access controls. As traditional mechanisms fail to fully counterattack intrusion attempts, the need for a complementary defensive countermeasure is necessary. Intrusion Detection Systems (IDS) have thus been considered a fundamental component of every network security infrastructure, including IVN. Intrusion detection can be particularly useful in detecting threats that may not be caught by other security measures, such as zero-day vulnerabilities or insider attacks. It can also provide an early warning of a potential attack, allowing car manufacturers to take preventive measures before significant damage occurs. The main objective of this thesis is to investigate the capability of deep learning techniques in detecting in-vehicle intrusions. Deep learning algorithms have the ability to process large amounts of data and recognize complex patterns that may be difficult for humans to discern, making them well-suited for detecting intrusions in IVN. However, since the E/E architecture of a vehicle is constantly evolving as new technologies and requirements emerge, we propose different deep learning-based solutions for different E/E architectures and for various tasks including anomaly detection and classification.
Masure, Loïc. "Towards a better comprehension of deep learning for side-channel analysis". Electronic Thesis or Diss., Sorbonne université, 2020. http://www.theses.fr/2020SORUS443.
The recent improvements in deep learning (DL) have reshaped the state of the art of side-channel attacks (SCA) in the field of embedded security. Yet, their "black-box" aspect nowadays prevents the identification of the vulnerabilities exploited by such adversaries. Likewise, it is hard to conclude from the outcomes of these attacks about the security level of the target device. All those reasons have made the SCA community skeptical about the interest of such attack techniques in terms of security evaluation. This thesis proposes to draw a better understanding of deep learning for SCA. We show how the training of such estimators can be analyzed through the security evaluation prism, in order to estimate a priori the complexity of an SCA, without necessarily mounting the attack. We also remark on simulated experiments that those models, trained without prior knowledge about the counter-measures added to protect the target device, can reach the theoretical security bounds expected by the literature. This validates the relevance or not of some counter-measures such as secret-sharing or hiding, against DL-based SCA. Furthermore, we explain how to exploit a trained neural network to efficiently characterize the information leakage in the observed traces, even in presence of counter-measures making other classical characterization techniques totally inefficient. This enables a better understanding of the leakage implicitly exploited by the neural network, and allows refining the evaluator's diagnosis, in order to propose corrections to the developer.
Azorin, Raphael. "Traffic representations for network measurements". Electronic Thesis or Diss., Sorbonne université, 2024. http://www.theses.fr/2024SORUS141.
Measurements are essential to operate and manage computer networks, as they are critical to analyze performance and establish diagnosis. In particular, per-flow monitoring consists in computing metrics that characterize the individual data streams traversing the network. To develop relevant traffic representations, operators need to select suitable flow characteristics and carefully relate their cost of extraction with their expressiveness for the downstream tasks considered. In this thesis, we propose novel methodologies to extract appropriate traffic representations. In particular, we posit that Machine Learning can enhance measurement systems, thanks to its ability to learn patterns from data, in order to provide predictions of pertinent traffic characteristics. The first contribution of this thesis is a framework for sketch-based measurement systems to exploit the skewed nature of network traffic. Specifically, we propose a novel data structure representation that leverages sketches' under-utilization, reducing per-flow measurements memory footprint by storing only relevant counters. The second contribution is a Machine Learning-assisted monitoring system that integrates a lightweight traffic classifier. In particular, we segregate large and small flows in the data plane, before processing them separately with dedicated data structures for various use cases. The last contributions address the design of a unified Deep Learning measurement pipeline that extracts rich representations from traffic data for network analysis. We first draw from recent advances in sequence modeling to learn representations from both numerical and categorical traffic data. These representations serve as input to solve complex networking tasks such as clickstream identification and mobile terminal movement prediction in WLAN. Finally, we present an empirical study of task affinity to assess when two tasks would benefit from being learned together
Labonne, Maxime. "Anomaly-based network intrusion detection using machine learning". Electronic Thesis or Diss., Institut polytechnique de Paris, 2020. http://www.theses.fr/2020IPPAS011.
In recent years, hacking has become an industry unto itself, increasing the number and diversity of cyber attacks. Threats on computer networks range from malware to denial of service attacks, phishing and social engineering. An effective cyber security plan can no longer rely solely on antiviruses and firewalls to counter these threats: it must include several layers of defence. Network-based Intrusion Detection Systems (IDSs) are a complementary means of enhancing security, with the ability to monitor packets from OSI layer 2 (Data link) to layer 7 (Application). Intrusion detection techniques are traditionally divided into two categories: signature-based (or misuse) detection and anomaly detection. Most IDSs in use today rely on signature-based detection; however, they can only detect known attacks. IDSs using anomaly detection are able to detect unknown attacks, but are unfortunately less accurate, which generates a large number of false alarms. In this context, the creation of precise anomaly-based IDSs is of great value in order to be able to identify attacks that are still unknown. In this thesis, machine learning models are studied to create IDSs that can be deployed in real computer networks. Firstly, a three-step optimization method is proposed to improve the quality of detection: 1/ data augmentation to rebalance the dataset, 2/ parameters optimization to improve the model performance and 3/ ensemble learning to combine the results of the best models. Flows detected as attacks can be analyzed to generate signatures to feed signature-based IDS databases. However, this method has the disadvantage of requiring labelled datasets, which are rarely available in real-life situations. Transfer learning is therefore studied in order to train machine learning models on large labeled datasets, then fine-tune them on benign traffic of the network to be monitored. This method also has flaws since the models learn from already known attacks, and therefore do not actually perform anomaly detection. Thus, a new solution based on unsupervised learning is proposed. It uses network protocol header analysis to model normal traffic behavior. Anomalies detected are then aggregated into attacks or ignored when isolated. Finally, the detection of network congestion is studied. The bandwidth utilization between different links is predicted in order to correct issues before they occur
Brogi, Guillaume. "Real-time detection of Advanced Persistent Threats using Information Flow Tracking and Hidden Markov Models". Electronic Thesis or Diss., Paris, CNAM, 2018. http://www.theses.fr/2018CNAM1167.
In this thesis, we present the risks posed by Advanced Persistent Threats (APTs) and propose a two-step approach for recognising when detected attacks are part of one. This is part of the Akheros solution, a fully autonomous Intrusion Detection System (IDS) being developed in collaboration by three PhD students. The idea is to use machine learning to detect unexpected events and check if they present a security risk. The last part, and the subject of this thesis, is the highlighting of APTs. APT campaigns are particularly dangerous because they are performed by skilled attackers with a precise goal and time and money on their side. We start with the results from the previous part of the Akheros IDS: a list of events, which can be translated to flows of information, with an indication for events found to be attacks. We find links between attacks using Information Flow Tracking. To do so, we create a new taint for each detected attack and propagate it. Whenever a taint is on the input of an event that is part of another attack, then the two attacks are linked. However, the links are only potential because the events used are not precise enough, which leads to erroneously propagated taints. In the case of an undetected attack, no taint is created for that attack, but the other taints are still propagated as normal, so that the previous attack is still linked to the next attack, only skipping the undetected one. The second step of the approach is to filter out the erroneous links. To do so, we use a Hidden Markov Model to represent APTs and remove potential attack campaigns that do not fit the model. This is possible because, while each APT is different, they all go through the same phases, which form the hidden states of our model. The visible observations are the kind of attacks performed during these phases. In addition, the results in one phase dictate what the attackers do next, which fits the Markov hypothesis. The score used to rank potential attack campaigns from most to least likely to be an APT is based on a customised Viterbi algorithm in order to take into account potentially undetected attacks
Brogi, Guillaume. "Real-time detection of Advanced Persistent Threats using Information Flow Tracking and Hidden Markov Models". Thesis, Paris, CNAM, 2018. http://www.theses.fr/2018CNAM1167/document.
Bernichi, Mâamoun. "Surveillance logicielle à base d'une communauté d'agents mobiles". Phd thesis, Université Paris-Est, 2009. http://tel.archives-ouvertes.fr/tel-00480718.