Clet Boudéhenn
Thesis director(s): Yvon Kermarrec & Abdel Boudraa
Supervisor(s): Jean-Christophe Cexus

THESIS SUBJECT
Data generation for analysis and anomaly detection in naval cybernetic systems
Context
Today, more and more means of transport are designed to communicate and interconnect with their environment (the Open World) via increasingly sophisticated computer networks. In the same way as an airplane [1] or a new-generation car [2], on board a ship, computer networks have become complex exchange systems, where a large number of processes interact (communication mechanisms, heterogeneity of nodes, diversity of communication automata, etc.). In addition, user behavior is highly diverse. Ensuring the security of a ship's computer network therefore requires automated tools for analyzing and detecting atypical behavior or anomalies, and innovative tools for adapting to variable time scales and complex topologies.
Thesis subject
The objective of this thesis is the development and validation of new signal processing tools for shipboard computer security issues.
We will be focusing on two ship-related issues:
Anomalies are part of traffic. The aim is to capture and identify significant data on the state of traffic on specific, constrained computer networks (such as a ship's computer networks), in order to set up processes for analyzing, detecting and identifying anomalies within these networks. Traffic analysis is based on one or more simultaneous time series generated from incoming traffic or a recorded traffic trace. The time series can correspond, for example, to the number of packets, streams or bytes per time unit [3]-[4].
To achieve these goals, we are focusing on methods that combine cybernetic and signal processing approaches. Among these methods, we can mention time-frequency or time-scale representations (Synchrosqueezing, Empirical Mode Decomposition, ...), which are promising in terms of applications [5],[6], and energy operators [7]. Recently applied in the field of Intrusion Detection Systems (IDS), the results of these methods are convincing but raise their share of difficulties [8]. In addition, recent work on novelty detection [9] confirms the possibility of proposing new approaches for detecting anomalies (particularly malicious ones) in a system, by analyzing its deviation from its normal behavior or state.
In the naval sector, the networking of information systems on ships (container carriers, LNG tankers, frigates, etc.) exposes them to attacks against which they must be protected. More specifically, these ships are equipped with complex IT and electronic systems, making them highly vulnerable to attacks with potentially serious consequences (shutdown, hijacking, ...). Detecting attacks is therefore a key challenge. More precisely, one of the challenges is to detect hostile and/or low-intensity signals (emerging threats) while reducing the number of false positives (abnormal but benign activities). The other challenge is to classify these anomalies. IDSs are generally insensitive to attacks whose intensities are too low, as their operation relies on signatures built from time-domain statistics that are not very descriptive (mean and standard deviation) [10],[11]. The aim of this thesis is to characterize traffic in both time and frequency, using a time-frequency approach. This means identifying time-frequency signatures that qualify as anomalous. Potential anomalies will be detected in the time domain, followed by an in-depth time-frequency analysis to reduce the false alarms generated by the detection process and to identify anomaly types. The two main components of this thesis are:
1) Detection of anomalies, particularly of low amplitude, in the time domain,
2) Time-frequency analysis of these anomalies.
The focus will be on developing the best strategy for detecting anomalies induced by the triggering of attacks. One of the scientific hurdles to be overcome is how to distinguish legitimate from illegitimate traffic variations. The second is the choice or construction of an optimal time-frequency representation adapted to the problem of anomaly identification. One solution, for example, is to build a time-frequency representation driven by traffic data [5],[12].
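An added illustration of the point made above about mean/standard-deviation signatures (not code from the thesis project): a constructed packets-per-second trace carries a weak periodic component that a 3-sigma rule never flags, while a per-window spectrum exposes it and its period. The windowed DFT is a simple stand-in for the time-frequency representations named in the text; the trace, the 8-second period and both thresholds are assumptions.

```python
import cmath, math, random

N_WIN = 512   # analysis window length (1 sample = 1 s of traffic)
PERIOD = 8    # period of the injected component, in seconds (constructed)

def make_series(n=4096, start=2048, stop=3072, seed=1):
    """Constructed trace: ~100 pkt/s with bounded noise, plus a weak
    periodic component (amplitude 8) between start and stop."""
    rng = random.Random(seed)
    xs = []
    for t in range(n):
        x = 100 + rng.uniform(-15, 15)
        if start <= t < stop:
            x += 8 * math.sin(2 * math.pi * t / PERIOD)
        xs.append(round(x))
    return xs

def sigma_flags(xs, k=3.0):
    """Mean/std signature: flag samples more than k std devs from the mean."""
    mu = sum(xs) / len(xs)
    sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))
    return [t for t, x in enumerate(xs) if abs(x - mu) > k * sd]

def window_spectrum(win):
    """Power in DFT bins 1 .. N/2-1 of a mean-removed window."""
    n = len(win)
    mu = sum(win) / n
    tw = [cmath.exp(-2j * math.pi * j / n) for j in range(n)]
    return [abs(sum((x - mu) * tw[(k * i) % n] for i, x in enumerate(win))) ** 2
            for k in range(1, n // 2)]

def spectral_flags(xs, ratio=20.0):
    """Flag windows whose strongest bin exceeds `ratio` times the mean bin
    power. Returns (window_index, period_in_seconds) pairs."""
    hits = []
    for w in range(len(xs) // N_WIN):
        p = window_spectrum(xs[w * N_WIN:(w + 1) * N_WIN])
        peak = max(range(len(p)), key=p.__getitem__)
        if p[peak] > ratio * sum(p) / len(p):
            hits.append((w, N_WIN / (peak + 1)))  # list index 0 is bin 1
    return hits

if __name__ == "__main__":
    trace = make_series()
    print("3-sigma flags:", sigma_flags(trace))
    print("spectral flags (window, period s):", spectral_flags(trace))
```

The injected component never moves a sample outside the 3-sigma band because its amplitude is below the noise spread, yet over a 512-sample window its energy concentrates in a single frequency bin.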
A few references on the subject
[1] S. Gil Casals, “Risk assessment and intrusion detection for airbone networks,” Doctoral thesis, Toulouse, INSA, 2014.
[2] M.-J. Kang and K. Je-Won, “Intrusion Detection System Using Deep Neural Network for In-Vehicle Network Security,” PloS one, vol. 11, no. 6, 2016.
[3] S. Farraposo, Ph. Owezarski and Ed. Monteiro, “Détection, classification et identification d’anomalies de trafic”, Colloque Francophone d’Ingénierie des Protocoles, pp. 1-12, 2008.
[4] J. Mazel, P. Casas, R. Fontugne, K. Fukuda and Ph. Owezarski, “Hunting attacks in the dark: clustering and correlation analysis for unsupervised anomaly detection”, Int. J. Network Management, vol. 25, no. 5, pp. 283-305, 2015.
[5] I. Daubechies, J. Lu, et al., “Synchrosqueezed wavelet transforms; an Empirical Mode Decomposition-like tool,” Appl. Comput. Harmonic Anal. vol. 30, no. 2, pp. 243–261, 2011.
[6] O. Couderc, J.-C. Cexus et al., “ISAR imaging Based on the Empirical Mode Decomposition Time-Frequency Representation,” International Radar Symposium 2016, 2016.
[7] A.O. Boudraa, J.C. Cexus and K. Abed-Meraim, “Cross-Psi_B-energy operator-based signal detection”, Journal of Acoustical Society of America, vol. 132, no. 6, pp. 4283-4289, 2008.
[8] C.-T. Huang, et al., “Signal Processing Applications in Network Intrusion Detection Systems,” EURASIP Journal on Advances in signal Processing, vol. 1, 2009.
[9] M.A.F Pimentel, et al., “A review of novelty detection,” Signal Processing, vol. 99, pp. 215-249, 2014.
[10] V. Paxson, “Bro: a system for detecting network intruders in real time”, Comput. Networks J., vol. 31, no. 23-24, pp. 2435-2463, 1999.
[11] A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat and P. Abry, “Non-Gaussian and long memory statistical characterisations for internet traffic with anomalies,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 1, pp. 56-70, 2007.
[12] J.C. Cexus and A.O. Boudraa, “Nonstationary signals analysis by Teager-Huang transform (THT)”, Proc. EUSIPCO, pp. 1-5, 2006.