Return to search

Détection d'intrusions dans les systèmes distribués par propagation de teinte au niveau noyau

Modern organisations rely intensively on information and communication technology infrastruc- tures. Such infrastructures offer a range of services from simple mail transport agents or blogs to complex e-commerce platforms, banking systems or service hosting, and all of these depend on distributed systems. The security of these systems, with their increasing complexity, is a chal- lenge. Cloud services are replacing traditional infrastructures by providing lower cost alternatives for storage and computational power, but at the risk of relying on third party companies. This risk becomes particularly critical when such services are used to host privileged company information and applications, or customers' private information. Even in the case where companies host their own information and applications, the advent of BYOD (Bring Your Own Device) leads to new security related issues. In response, our research investigated the characterization and detection of malicious activities at the operating system level and in distributed systems composed of multiple hosts and services. We have shown that intrusions in an operating system spawn abnormal information flows, and we developed a model of dynamic information flow tracking, based on taint marking techniques, in order to detect such abnormal behavior. We track information flows between objects of the operating system (such as files, sockets, shared memory, processes, etc.) and network packets flowing between hosts. This approach follows the anomaly detection paradigm. We specify the legal behavior of the system with respect to an information flow policy, by stating how users and programs from groups of hosts are allowed to access or alter each other's information. Illegal information flows are considered as intrusion symptoms. We have implemented this model in the Linux kernel4 , as a Linux Security Module (LSM), and we used it as the basis for practical demonstrations. The experimental results validated the feasibility of our new intrusion detection principles. This research is part of a joint research project between Supélec (École supérieure d'éléctricité) and QUT (Queensland University of Technology).

Identiferoai:union.ndltd.org:CCSD/oai:tel.archives-ouvertes.fr:tel-00932618
Date19 June 2013
CreatorsHauser, Christophe
PublisherUniversité Rennes 1
Source SetsCCSD theses-EN-ligne, France
Languagefra
Detected LanguageEnglish
TypePhD thesis

Page generated in 0.0022 seconds