To cope with the large and heterogeneous range of interconnected network systems and devices, there is a need for on-demand security and privacy, where the underlying mechanisms are tightly linked to the services involved. Security demands can vary greatly depending on the supported services. We need security-on-demand approaches that handle this variation in security requirements, allowing adaptive security adjusted to the multiple constraints of the service and environment while taking into account the following properties: scalability, lightness, autonomy, mobility, and interoperability. Aiming to defend against a high number of critical attacks, the challenges that we address are: adaptive end-to-end security architectures with lightweight and scalable security functions and protocols; scalable trust management with lightweight cryptographic functions/mechanisms and crypto-agility; identity management and lightweight authentication mechanisms; and blockchain-based solutions for cybersecurity, mainly for access control, integrity and resilience. These application domains are broken down into several collaborative research activities, listed below:
- Trusted and Secure Communications in Scalable and Constrained Environment.
In the context of cooperative intelligent transportation systems (C-ITS), connected and autonomous vehicles are considered as connected objects within a highly scalable hybrid meshed vehicular network. Cybersecurity is a key challenge given the risks arising from any one of the different communication modes and from the potential weaknesses of the intra-vehicle system (bugs, incorrect configuration, software flaws, etc.). Our aim was to design an end-to-end security architecture focusing on securing exchanged V2X messages, ensuring protection of personal data, and designing trust models and trust mechanisms. Our solutions aim at reaching a trade-off between scalability, security, safety, performance and cost. We also address interoperability issues between trusted C-ITS security systems and propose security solutions for real deployment cases. To establish robust and available communication between vehicles in highly scalable dynamic vehicular ad hoc networks, we design efficient mobility-based clustering algorithms to guarantee cluster stability as well as data transmission efficiency with intermittent connectivity. We mainly validate our research work through simulation, analytical modelling and real. Major achievements of our recent activity are illustrated through three important European pilot deployment projects of cooperative intelligent transportation systems, SCOOP@F, InterCor and C-Roads, with a view to a national roll-out.
Privacy is also a challenging issue: the aim is to mitigate data leakage, user traceability and unauthorized access to data, and to implement anonymization/pseudonymization and accountability functions as required by the European GDPR regulation. We develop a research activity on personal data protection in the context of several application areas: big data, IoT, Cloud and ITS. We aim to propose privacy-by-design solutions for data storage/generation/processing/transfer while respecting application and system performance constraints. In the context of ITS-G5 based C-ITS systems, we address pseudonymization/anonymization of V2X messages. In hybrid ITS-G5/LTE networks, we address end-to-end privacy-aware data delivery for V2V, V2I and I2V data communications with mobility-based service continuity. We investigate the interaction between system performance and the privacy level.
- Attack Analysis and Countermeasure in Information Network.
This work focuses on the security of computer networks and services and on the design of security solutions. A lot of work has been done in the study and analysis of attacks in different contexts [17, 18]. Classifications have been produced and specific solutions have been developed for each class of attack. This work has been carried out under contracts, in particular bilateral contracts with industry (Schneider, OrangeLabs, Renault). We have defined a suitable risk analysis for service resilience needs. We used architectural, protocol, probabilistic and machine learning approaches. This allowed us:
- to define entities for attack detection on Web applications, using a machine learning based WAF (Web Application Firewall) approach,
- to extend existing protocols like TLS for authentication that preserves customers' identity while maintaining interoperability,
- to define and design security architectures and security protocols, including synchronized digital safes integrated into cloud environments (in our approach we rely on standards like HTML5 and on the cooperative and secure nature of the Blockchain for the optimization of these solutions), and
- to design new secure approaches that break completely with Internet networks, such as NDN (Named Data Networking).
To sustain this approach we proposed new solutions and we defined and implemented a specific Blockchain adapted to Information Centric Networking (ICN).
- Attacks and Misbehaviors Detection in Wireless Networks.
We address the increasingly complex problem of protection against cyber-attacks and misbehaviors in vehicular networks and ad hoc networks. We focus on designing a cybersecurity architecture for such networks that ensures their protection through cooperative paradigms. To tackle Radio Frequency (RF) jamming attacks, we proposed a cooperative anti-jamming beamforming scheme for the control channel jamming problem in vehicular networks. It takes advantage of the multi-antenna and spatial diversity provided by the RSU (Road Side Unit) and relay vehicles to improve the transmission reliability of the victim vehicles. Vehicular networks are also vulnerable to Sybil attacks. We therefore proposed and validated a Support Vector Machine (SVM) based Sybil attack detection method, with classifiers based on three SVM kernel functions, to distinguish malicious and benign nodes by evaluating the difference between their Driving Pattern Matrices (DPM).
We designed and validated a fully distributed mechanism for detecting malicious nodes that perform packet dropping attacks to disrupt the routing services in Mobile Ad hoc Networks. To tackle attacks performed by malicious nodes in the context of smart cities, we proposed and validated through simulation a prediction framework that extends the detection mechanism already mentioned, using a Markov chain model to handle the problem of periodic packet dropping attacks. This framework keeps track of the evolution of network nodes over a time period in order to predict their stationary states.
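The stationary-state prediction described above can be sketched as follows. This is an added example, not the authors' framework: it assumes a two-state chain per node (forward/drop), constructed observation traces and a hypothetical flagging threshold.

```python
# Added illustration, not the authors' framework. States, traces and the
# threshold are constructed assumptions.
FORWARD, DROP = 0, 1

def estimate_transitions(trace, n_states=2, smoothing=1.0):
    """Row-stochastic transition matrix from an observed per-slot state trace.
    Laplace smoothing keeps every entry positive, so the chain stays ergodic
    even when the observed dropping pattern is strictly periodic."""
    counts = [[smoothing] * n_states for _ in range(n_states)]
    for prev, cur in zip(trace, trace[1:]):
        counts[prev][cur] += 1
    return [[c / sum(row) for c in row] for row in counts]

def stationary(P, tol=1e-12, max_iter=10000):
    """Solve pi = pi * P by power iteration from the uniform distribution."""
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    return pi

def predict_node(trace, drop_threshold=0.2):
    """Return (long-run drop probability, flagged?) for one monitored node."""
    pi = stationary(estimate_transitions(trace))
    return pi[DROP], pi[DROP] > drop_threshold

# Constructed observations: one entry per monitoring slot.
WELL_BEHAVED = [FORWARD] * 50
PERIODIC_DROPPER = [FORWARD, FORWARD, FORWARD, DROP, DROP] * 10

if __name__ == "__main__":
    for name, trace in (("well-behaved", WELL_BEHAVED),
                        ("periodic", PERIODIC_DROPPER)):
        p, flagged = predict_node(trace)
        print(f"{name}: stationary P(drop)={p:.3f} flagged={flagged}")
```

A node that drops only in bursts can look benign in any short window; the stationary distribution summarises its long-run behaviour instead.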
- Misbehaviors Detection in Cloud Computing.
Security of Cloud Computing is often overlooked and that can have disastrous consequences: the conversion of cloud computing into an attack vector. Botnets supporting Distributed Denial of Service (DDoS) attacks are among the greatest beneficiaries of this malicious use. To tackle this issue, we designed and validated a source-based detection scheme that aims at detecting the abnormal virtual machines behavior through a cooperative system. The detection method is based on Principal Component Analysis (PCA) to detect anomalies that can be signs of botcloud’s behavior supporting DDoS flooding attacks. We evaluated our approach using simulations that rely on real workload traces showing the detection system effectiveness and low overhead, as well as its support for incremental deployment in real cloud infrastructures.
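The PCA step of such a detector can be illustrated with residual scoring against a benign baseline. This is an added example, not the authors' detection scheme: the three per-VM features, the sample values and the threshold rule are constructed assumptions, and the cooperative part of the system is not modelled.

```python
import math

def fit_pca(rows, k=1, iters=200):
    """Standardise the baseline and extract its top-k principal axes
    (power iteration with deflation on the correlation matrix)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / n) or 1.0
           for j in range(d)]
    z = [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in rows]
    cov = [[sum(r[a] * r[b] for r in z) / n for b in range(d)] for a in range(d)]
    axes = []
    for _ in range(k):
        v = [1.0] * d
        for _ in range(iters):
            w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[a] * cov[a][b] * v[b] for a in range(d) for b in range(d))
        cov = [[cov[a][b] - lam * v[a] * v[b] for b in range(d)] for a in range(d)]
        axes.append(v)
    return mean, std, axes

def spe(row, model):
    """Squared prediction error: what the normal subspace fails to explain."""
    mean, std, axes = model
    z = [(x - m) / s for x, m, s in zip(row, mean, std)]
    for v in axes:
        proj = sum(a * b for a, b in zip(z, v))
        z = [a - proj * b for a, b in zip(z, v)]
    return sum(a * a for a in z)

# Constructed baseline of benign VMs: (packets/s, KB/s, distinct destinations).
BASELINE = [(100, 82, 5), (205, 158, 11), (298, 243, 14),
            (410, 318, 21), (495, 405, 24), (602, 476, 31)]
MODEL = fit_pca(BASELINE)
# Assumed alert threshold: three times the worst residual seen in the baseline.
THRESHOLD = 3 * max(spe(r, MODEL) for r in BASELINE)

def is_anomalous(row):
    """Flag a VM whose traffic mix departs from the baseline correlation."""
    return spe(row, MODEL) > THRESHOLD

BENIGN_VM = (350, 281, 17)   # constructed: follows the usual traffic mix
FLOOD_VM = (600, 40, 1)      # constructed: many small packets, one destination
```

The flooding VM has a packet rate that is within the baseline range; it is the broken correlation between rate, volume and destinations that pushes its residual over the threshold.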
- Enforcing Security and Trust in Information and Networking Systems.
We design innovative paradigms and protocols based on tamper-resistant computing resources such as secure elements (SE). We deal with security for Cloud applications, IoT platforms, mobile payments or applications, and blockchain transactions. Four IETF drafts were published to push new protocols towards standardization. Four demonstrations addressing security features for the IoT were selected by the IEEE ComSoc society for the CES International Exhibition. An innovative mobile payment project was demonstrated during the annual Orange research days in 2015. In the European project SecFuNet, new research directions were explored in order to store sensitive data such as keys, and to execute cryptographic algorithms, in remote secure elements hosted by dedicated RACS (Remote APDU Call Secure) servers. This approach creates a Virtual Machine identity and secures the VM migrations. The first RACS protocol draft was issued in 2013, and the first open software in 2017 for Raspberry, Linux, and Windows. Security issues for IoT were addressed by considering highly constrained computing nodes embedding a communication stack such as TLS in tamper-resistant environments. As an illustration, multi-modal SEs supporting Mifare, ISO7816 and NFC interfaces establish secure bridges between the cloud (for credential downloading) and Mifare IoT devices such as locks. We designed the original LLCPS (Logical Link Control Protocol Secure) dedicated to NFC peer-to-peer (P2P) communications. We did pioneering work on the security of Host Card Emulation (HCE) services. In 2017, we delivered a research study for the French governmental agency AFIMB and the ADCET association to evaluate the threats induced by the next generation of Calypso mobile HCE applications. In 2017 we released open software as a first milestone for trusted blockchain transactions.
- Securing Communications in Industrie 4.0.
Industrie 4.0 is a name for the current trend of automation and data exchange in manufacturing technologies. OPC UA is an open M2M communication protocol for industrial automation developed by the OPC Foundation and standardized as EN/IEC 62541. OPC UA is becoming increasingly important in industrial networks because it has, from the beginning, incorporated safety and security into its principles. In the Cluster Connexion project, we developed a partial C/C++ implementation of OPC UA. We backed up our implementation of the OPC UA stack, which is responsible for data transfer, with ROSA, designed at Telecom ParisTech and dedicated to path recovery. It secures the routing provided that the network has a large number of nodes [16, 15]. Our OPC UA implementation has been used as the standardized interface of the industrial WSN OCARI. It has also been incorporated in the INGOPCS project, supported by ANSSI, which aims at providing a totally proved and secured stack for OPC UA: code analyzed by the Frama-C software from CEA and certified by Common Criteria at level EAL4 (Evaluation Assurance Level). We changed our stack for the INGOPCS stack.
- Secure Access Control in Industrial IoT.
We designed a security protocol that meets the IoT requirements. It is made of a lightweight mutual authentication mechanism, the one-time password (OTP) algorithm and an AES-GCM/CCM mechanism for protecting data. It allows authentication of devices and encryption of transferred data on the industrial WSN OCARI. To ensure a secure, flexible and transparent migration of things from one network to another, we created a decentralized authentication mechanism based on a private Blockchain (Ethereum) that allows high mobility of things and is especially designed for constrained devices. We carried out a formal validation using AVISPA (Automated Validation of Internet Security Protocols and Applications) from European FET Open and then using the Scyther tool from Oxford University. We built a real implementation using the C language and TestRPC. We ran many experiments to evaluate the time and energy consumption of our approach.