Institut Polytechnique de Paris

Network security: new ways to detect intruders

29 Sep. 2025
At the SAMOVAR laboratory at Télécom SudParis, Gregory Blanc focuses his research on detecting intrusions in communication networks. Together with his team, the senior lecturer is developing reliable and reproducible techniques for characterizing network data and detecting anomalies in these networks. This research has applications in industrial and economic settings.
See you on October 21, 2025, for the Cybersecurity and Defense Meetings at the Institut Polytechnique de Paris

Play your favorite playlist, turn your lights on or off, close the shutters... your connected speaker is your everyday companion in your smart home. However, like all Internet of Things (IoT) devices, it is vulnerable to cyberattacks. Gregory Blanc's job is to detect these attacks, as well as intrusions into communication networks, particularly in businesses and industrial environments.

“There are two ways to detect an intrusion or attack on a network,” says the senior lecturer in network security at the Distributed Services, Architecture Modeling, Validation, and Network Administration (SAMOVAR*) laboratory at Télécom SudParis. “Either by detecting the signatures characteristic of each attack, or by detecting anomalies on the network.” As attacks evolve and their perpetrators seek to circumvent signature detection, Gregory Blanc and his team are focusing their research on identifying anomalies. 

Knowing the characteristics of your network

The scientist has therefore developed a specific detection methodology that requires some contextual explanation: each object communicating in a network produces flows (data packets) that an anomaly detector can reconstruct. The detector is an autoencoder (a neural network) trained with network data. When network flows are fed into the encoder, it compresses the corresponding data in an optimized manner, and a decoder then reconstructs it as accurately as possible after decompression. Any unknown data packets entering the encoder (attacks, intrusions) therefore produce easily detectable differences in the reconstructed data packets at the output.

For this to work optimally, it was first necessary to identify the behavior of objects present on the networks (IoT objects). “To do this, we studied the size of the data packets exchanged and the time elapsed between each one (inter-arrival time). We then distinguished and classified each object and acquired in-depth knowledge of the networks, which enabled us to develop our anomaly detector,” explains the senior lecturer. In the course of this work, SAMOVAR scientists also noticed that there was no reliable framework for evaluating intrusion detectors. The team therefore took the opportunity to develop one, based on the study of data from the worlds of AI, cybersecurity, and networks.
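The two passages above (reconstruction by an autoencoder, and packet size plus inter-arrival time as the features) can be illustrated with a small added example; it is not the SAMOVAR team's detector. It assumes a deliberately tiny linear autoencoder with tied weights and a one-value bottleneck, constructed flows for one hypothetical device, and a threshold set at three times the worst benign reconstruction error.

```python
import math

# Constructed sample: (mean packet size in bytes, mean inter-arrival time in s)
# for 40 benign flows of one hypothetical IoT device; not data from the article.
BENIGN = [(100 + 5 * i, 1.0 + 0.02 * i + ((i * 7) % 5 - 2) * 0.01) for i in range(40)]

def scaler(flows):
    """Per-feature mean and standard deviation of the benign training flows."""
    n = len(flows)
    mean = [sum(f[k] for f in flows) / n for k in (0, 1)]
    std = [math.sqrt(sum((f[k] - mean[k]) ** 2 for f in flows) / n) for k in (0, 1)]
    return mean, std

def normalize(flow, scale):
    mean, std = scale
    return [(flow[k] - mean[k]) / std[k] for k in (0, 1)]

def recon_error(x, w):
    z = w[0] * x[0] + w[1] * x[1]                        # encoder: 2 features -> 1 code
    return sum((x[k] - w[k] * z) ** 2 for k in (0, 1))   # decoder output vs. input

def train(xs, epochs=500, lr=0.05):
    """Full-batch gradient descent on the mean squared reconstruction error."""
    w = [0.5, 0.1]
    for _ in range(epochs):
        grad = [0.0, 0.0]
        for x in xs:
            z = w[0] * x[0] + w[1] * x[1]
            r = [x[k] - w[k] * z for k in (0, 1)]        # reconstruction residual
            wr = w[0] * r[0] + w[1] * r[1]
            for k in (0, 1):
                grad[k] -= 2 * (z * r[k] + wr * x[k]) / len(xs)
        w = [w[k] - lr * grad[k] for k in (0, 1)]
    return w

def fit(benign, margin=3.0):
    """Train on benign flows only; threshold = margin x worst benign error."""
    scale = scaler(benign)
    xs = [normalize(f, scale) for f in benign]
    w = train(xs)
    return scale, w, margin * max(recon_error(x, w) for x in xs)

def is_anomalous(flow, model):
    scale, w, threshold = model
    return recon_error(normalize(flow, scale), w) > threshold

if __name__ == "__main__":
    model = fit(BENIGN)
    for flow in [(150, 1.2), (60, 0.001), (300, 1.0)]:
        print(flow, "anomalous" if is_anomalous(flow, model) else "normal")
```

The first flow matches the size/timing relationship seen in training and reconstructs well; the other two break that relationship (small packets at near-zero spacing, and large packets arriving too quickly for their size) and exceed the threshold.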

Attack or natural behavior?

But let's get back to anomaly detection. Networks generate natural deviations in their behavior that must be distinguished from the consequences of an attack. “This is what we call false positives,” says Gregory Blanc. To reduce uncertainty, the researcher and his team set about carefully characterizing legitimate traffic on a network. To do this, they relied on federated learning, a system in which several machines collaboratively train an AI model while keeping the data local.

This operation makes it possible to anticipate natural anomalies in a network. Imagine that a cybersecurity company deploys an anomaly detector at several customers. The detector is trained using local network flows (which, incidentally, preserves the confidentiality of customer data) and detects natural anomalies for each customer. Federated learning then uses each of these models to establish a global model capable of predicting, based on local experiences, the natural network behaviors (or anomalies) that will occur at one of the customers. “This gives us a powerful head start in distinguishing attacks from legitimate network traffic,” says Gregory Blanc. The method is intended to be effective. It has already attracted the interest of manufacturers who have approached SAMOVAR and Gregory Blanc's team.

 

Gregory Blanc obtained a PhD in computer security from the Nara Institute of Science and Technology (Japan) in the field of malicious script analysis in web browsers in 2012. He then joined the SAMOVAR laboratory at Télécom SudParis as a postdoctoral researcher and contributed to setting up and leading European collaborative projects such as NECOMA (a European-Japanese project). Since 2015, he has been a lecturer in security and networks at Télécom SudParis, where he coordinates the specialization in systems and network security. He currently coordinates the ANR GRIFIN project, in which he explores the contributions of machine learning to making the security loop autonomous in order to improve the resilience of future networks: monitoring, detection, selection of countermeasures, and deployment of security policies.

>> Gregory Blanc on Google Scholar

>> Gregory Blanc on the SAMOVAR website

>> Gregory Blanc's personal webpage

 

*SAMOVAR: a research lab of Télécom SudParis, Institut Polytechnique de Paris, 91120 Palaiseau, France