References of "François, Jérôme 40021041"
PhishStorm: Detecting Phishing With Streaming Analytics
Marchal, Samuel UL; François, Jérôme UL; State, Radu UL et al

in IEEE Transactions on Network and Service Management (2014), 11(December), 458-471

Despite the growth of prevention techniques, phishing remains an important threat since the principal countermeasures in use are still based on reactive URL blacklisting. This technique is inefficient due to the short lifetime of phishing Web sites, making recent approaches relying on real-time or proactive phishing URL detection techniques more appropriate. In this paper, we introduce PhishStorm, an automated phishing detection system that can analyze in real time any URL in order to identify potential phishing sites. PhishStorm can interface with any email server or HTTP proxy. We argue that phishing URLs usually have few relationships between the part of the URL that must be registered (low-level domain) and the remaining part of the URL (upper-level domain, path, query). We show in this paper that experimental evidence supports this observation and can be used to detect phishing sites. For this purpose, we define the new concept of intra-URL relatedness and evaluate it using features extracted from words that compose a URL based on query data from Google and Yahoo search engines. These features are then used in machine-learning-based classification to detect phishing URLs from a real dataset. Our technique is assessed on 96 018 phishing and legitimate URLs that result in a correct classification rate of 94.91% with only 1.44% false positives. An extension for a URL phishingness rating system exhibiting a high confidence rate (>99%) is proposed. We discuss in this paper efficient implementation patterns that allow real-time analytics using Big Data architectures such as STORM and advanced data structures based on the Bloom filter.

PhishScore: Hacking Phishers' Minds
Marchal, Samuel UL; François, Jérôme UL; State, Radu UL et al

in Proceedings of the 10th International Conference on Network and Service Management (2014, November)

Despite the growth of prevention techniques, phishing remains an important threat since the principal countermeasures in use are still based on reactive URL blacklisting. This technique is inefficient due to the short lifetime of phishing Web sites, making recent approaches relying on real-time or proactive phishing URL detection techniques more appropriate. In this paper we introduce PhishScore, an automated real-time phishing detection system. We observed that phishing URLs usually have few relationships between the part of the URL that must be registered (upper level domain) and the remaining part of the URL (low level domain, path, query). Hence, we define this concept as intra-URL relatedness and evaluate it using features extracted from words that compose a URL based on query data from Google and Yahoo search engines. These features are then used in machine-learning-based classification to detect phishing URLs from a real dataset.

A semantic firewall for Content Centric Networking
Goergen, David UL; Cholez, Thibault UL; François, Jérôme UL et al

in IFIP/IEEE International Symposium on Integrated Network Management (2013, May)

Content-Centric Networking (CCN) is a promising routing paradigm for content dissemination over a future Internet based on named data instead of named hosts. The CCN architecture has aspects that provide more scalability, security, collaborative and pervasive networking. However, several key components that secure the current Internet are still missing in CCN, in particular a firewall able to enforce security policies. We provide a comprehensive study of CCN security requirements from which we design the first CCN-compliant firewall, including syntax and definition of rules. In particular, based on CCN features, our firewall can filter packets according to both their authentication and the semantics of the content name. We also provide a performance evaluation of our prototype.

ASMATRA: Ranking ASs Providing Transit Service to Malware Hosters
Wagner, Cynthia UL; François, Jérôme UL; State, Radu UL et al

in IFIP/IEEE International Symposium on Integrated Network Management IM2013 (2013)

The Internet has grown into an enormous network offering a variety of services, which are spread over a multitude of domains. BGP routing and Autonomous Systems (AS) are the key components for maintaining high connectivity in the Internet. Unfortunately, Internet Service Providers (ISPs) operating ASs do not only host normal users and content, but also malicious content used by attackers for spreading malware, hosting phishing websites or performing any kind of fraudulent activity. Practical analysis shows that such malware-providing ASs prevent themselves from being de-peered by hiding behind other ASs, which do not host the malware themselves but simply provide transit service for malware. This paper presents a new method for detecting ASs that provide transit service for malware hosters, without being malicious themselves. A formal definition of the problem and the metrics are determined by using the AS graph. The PageRank algorithm is applied to improve the scalability and the completeness of the approach. The method is assessed on real and publicly available datasets, showing promising results.

Multi-dimensional Aggregation for DNS Monitoring
Dolberg, Lautaro UL; François, Jérôme UL; Engel, Thomas UL

Presented as part of the 26th Large Installation System Administration Conference (LISA 12) (2013)

Security monitoring for Content Centric Networking
Goergen, David UL; Cholez, Thibault UL; François, Jérôme UL et al

in Data Privacy Management and Autonomous Spontaneous Security (2013)

Content-Centric Networking (CCN) is one of the most promising research areas for a future Internet. The goal is to obtain a more scalable, secure, collaborative Internet supporting context-aware services. However, as a new overlay infrastructure, CCN raises the need for a new monitoring architecture to assess the security of CCN devices. In particular, the stateful nature of CCN routers introduces new attack threats that need to be addressed. We propose in this paper a monitoring approach for the instrumentation of CCN-enabled network nodes. The rationale of our monitoring approach is demonstrated through real experiments to detect and mitigate network-level attacks against CCN.

Semantic based DNS Forensics
Marchal, Samuel UL; François, Jérôme UL; State, Radu UL et al

in Proceedings of the IEEE International Workshop on Information Forensics and Security (2012, December)

In network-level forensics, the Domain Name Service (DNS) is a rich source of information. This paper describes a new approach to mine DNS data for forensic purposes. We propose a new technique that leverages semantic and natural language processing tools in order to analyze large volumes of DNS data. The main research novelty consists in detecting malicious and dangerous domain names by evaluating the semantic similarity with already known names. This process can provide valuable information for reconstructing network and user activities. We show the efficiency of the method on experimental real datasets gathered from a national passive DNS system.

Proactive Discovery of Phishing Related Domain Names
Marchal, Samuel UL; François, Jérôme UL; State, Radu UL et al

in Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses, Amsterdam 12-14 September 2012 (2012, September)

Phishing is an important security issue to the Internet, which has a significant economic impact. The main solution to counteract this threat is currently reactive blacklisting; however, as phishing attacks are mainly performed over short periods of time, reactive methods are too slow. As a result, new approaches to identify malicious websites early are needed. In this paper a new proactive discovery of phishing related domain names is introduced. We mainly focus on the automated detection of possible domain registrations for malicious activities. We leverage techniques coming from natural language modelling in order to build pro-active blacklists. The entries in this list are built using language models and vocabularies encountered in phishing related activities: "secure", "banking", brand names, etc. Once a pro-active blacklist is created, ongoing and daily monitoring of only these domains can lead to the efficient detection of phishing web sites.

Semantic Exploration of DNS
Marchal, Samuel UL; François, Jérôme UL; Wagner, Cynthia UL et al

in Proceedings of the 11th International IFIP TC 6 Networking Conference, Prague, Czech Republic, May 21-25 2012 (2012, May)

The DNS structure discloses useful information about the organization and the operation of an enterprise network, which can be used for designing attacks as well as monitoring domains supporting malicious activities. Thus, this paper introduces a new method for exploring the DNS domains. Although our previous work described a tool to generate existing DNS names accurately in order to probe a domain automatically, the approach is extended by leveraging semantic analysis of domain names. In particular, the semantic distributional similarity and relatedness of sub-domains are considered as well as sequential patterns. The evaluation shows that the discovery is highly improved while the overhead remains low, compared with non-semantic DNS probing tools including ours and others.

DNSSM: A large-scale Passive DNS Security Monitoring Framework
Marchal, Samuel UL; François, Jérôme UL; Wagner, Cynthia UL et al

in IEEE/IFIP Network Operations and Management Symposium (2012, April)

We present a monitoring approach and the supporting software architecture for passive DNS traffic. Monitoring DNS traffic can reveal essential network and system level activity profiles. Worm-infected and botnet-participating hosts can be identified and malicious backdoor communications can be detected. Any passive DNS monitoring solution needs to address several challenges that range from architectural approaches for dealing with large volumes of data up to specific Data Mining approaches for this purpose. We describe a framework that leverages state of the art distributed processing facilities with clustering techniques in order to detect anomalies in both online and offline DNS traffic. This framework, entitled DNSSM, is implemented and operational on several networks. We validate the framework against two large trace sets.

Machine Learning Techniques for Passive Network Inventory
François, Jérôme UL; Abdelnur, Humberto J.; State, Radu UL et al

in IEEE Transactions on Network and Service Management (2010), 7(4), 244-257

Being able to fingerprint devices and services, i.e., remotely identify running code, is a powerful service for both security assessment and inventory management. This paper describes two novel fingerprinting techniques supported by isomorphism-based distances which are adapted for measuring the similarity between two syntactic trees. The first method leverages the support vector machines paradigm and requires a learning stage. The second method operates in an unsupervised manner thanks to a new classification algorithm derived from the ROCK and QROCK algorithms. It provides an efficient and accurate classification. We highlight the use of such classification techniques for identifying the remote running applications. The approaches are validated through extensive experiments on SIP (Session Initiation Protocol) for evaluating the impact of the different parameters and identifying the best configuration before applying the techniques to network traces collected by a real operator.
