2019-01357 - Post-Doctoral Research Visit F/M Identifying and Breaking IoT Intrusion Chains [S]

Contract type : Public service fixed-term contract

Renewable contract : Yes

Level of qualifications required : PhD or equivalent

Function : Post-Doctoral Research Visit



This postdoctoral activity will be carried out in the context of the Inria Project SCUBA, which aims at developing a full framework for automated assessment and security of IoT. It is also linked to the activities of the group in the H2020 project SecureIoT (https://secureiot.eu/) and to the PhD project of a student focusing on fingerprinting techniques for IoT. The postdoc will thus have the opportunity to be part of a whole team working on IoT security (mainly 2 researchers, 2 engineers, 2 PhD students) and to use, for validation purposes, our dedicated IoT platform, which includes numerous devices from different brands using different protocols.

Supervision and contact: Jérôme François (jerome.francois@inria.fr), Abdelkader Lahmadi (abdelkader.lahmadi@loria.fr)

Additional links: RESIST team website (https://team.inria.fr/resist/), J. François’s homepage (http://jeromefra.free.fr)


Scientific Context:

In recent years, the Internet of Things has become a reality, with numerous protocols, platforms and devices [8] being developed and used to support the growing deployment of smart* services: smart-home, -transport, -health, -city... and even traditionally rigid systems, with Industry 4.0. Providing new services first required the development of new functionalities, with the underlying goal of more power- and compute-efficient devices that can embed various sensors. IoT also presupposes a full infrastructure to guarantee efficient communication and information processing. The embedded devices are thus complemented by access points, routers, servers, etc. At the higher levels, services are developed and provided to users. This ecosystem is very rich and cannot be controlled by a single entity: for example, services are often developed by third parties, and manufacturers of embedded devices differ from those providing connectivity. As a result, such a complex system is naturally a source of potential threats, and recent real cases demonstrate that IoT can be affected by naïve weaknesses [1,6]. At Inria, we even demonstrated how simple and cheap it can be to silently take over control of a Z-Wave home installation [2].


Security is therefore of paramount importance. In the last decade, many IoT architectures have been proposed, such as the reference model IoT-A [3], including security modules. However, as highlighted before, security cannot be guaranteed without failure or by design, and this is all the more true with evolving ecosystems such as IoT, with the now emerging trend of using fog-based architectures rather than well-established cloud models. Vulnerabilities related to IoT are now documented [14] and can be exploited. Looking at recent years, major attacks including the Mirai botnet, Cold in Finland, Brickerbot and the botnet barrage [13] are proof of the real security concerns raised.


There is thus a clear need to automate IoT security so that it can adapt in real time to the evolving IoT ecosystem (devices appearing, disappearing, configuration changes, updates…). Any change may introduce new threats. Evaluating the security of a single device is vital, but above all, considering a set of devices interacting together in their IoT environment is of paramount importance, as complex interactions open the way to complex and stealthy attacks. Due to the large number of possible device types, deployment scenarios and vulnerabilities, manual inspection is impracticable. There is a need to automatically discover intrusion chains in IoT environments and to automatically break those chains to guarantee security.

Main activities

The goal of this work is to automatically prevent intrusions by first identifying the potential intrusion chains. The global process can be summarized as follows: (1) identification of the IoT deployment through topology discovery and fingerprinting, (2) mapping of vulnerabilities to atomic elements of the IoT deployment based on public documentation, (3) building of intrusion chains, (4) breaking of intrusion chains in an optimized manner to limit the impact on end-users.

While there is room for improvement in step (1), we will mainly rely on state-of-the-art techniques for topology discovery and fingerprinting. Dedicated techniques exist for IoT [9]. The postdoc will thus focus on the three other steps, which can be grouped into two main tasks:

  • Consolidation of public vulnerability descriptions with information retrieved in step (1). Most Cyber-Threat Intelligence databases, such as those provided by MITRE (CAPEC, CVE, CWE, ATT&CK...), are far from complete, in particular in the emerging context of IoT. Also, many vulnerabilities are similar but documented in different manners, for example regarding their implication in the realization of an exploit. There is a lack of a comprehensive integration of all these documents into a single database. Our proposal is to build a graph-based knowledge base that relies on identified similarities and correlations among all public, human-written documents. To realize this objective, the postdoc will mainly rely on NLP (Natural Language Processing) techniques and existing annotation tools, such as Brat [10] or Prodigy [11], to build the recognition models. These models will make it possible to classify and group descriptions, which will extend existing (document) relationships.
  • Intrusion chain analysis. The objective here is to map the previously built database onto a real IoT deployment and then derive the intrusion chains. To identify intrusion chains, we propose to model every threat as a predicate with pre- and post-conditions. Logic inference can thus be used. However, as the knowledge graph and its mapping are based on uncertain assumptions (such as similarities), we will also leverage Probabilistic Logic Networks [12] (PLN), which make it possible to model causal relations with some uncertainty. Indeed, having perfect knowledge of the dependencies among the pre- and post-conditions is impossible in our case. Different solutions could therefore be used for modeling uncertainty. Each event could be quantified as a single probability within a Bayesian model, but this is impracticable for precise inference. A more advanced technique is to use a probability distribution, but this assumes that the distribution is known, which may not always be the case, at least with a high confidence level. PLN comes into play as a kind of intermediate solution between single-probability and probability-distribution-based models. Once intrusion chains are identified and weighted thanks to the previous techniques, all of them can be merged into a single graph that can be mined to precisely identify the best places to cut links in order to break every single intrusion chain while limiting the number of cuts. Rather than focusing on a fixed snapshot at a fixed time, predicting the future evolution of the graph (or the most probable areas that can be extended) will be considered, in order to break the graph at a point that may also automatically break future intrusion chains “under construction” (preventive security).
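The pre-/post-condition model and the chain-breaking step described above can be illustrated with the following Python example, which is added here and is not code from the SCUBA project. The threat names, facts and user-impact scores are constructed assumptions, and threats are treated as certain (no PLN weighting).

```python
from itertools import combinations

# Constructed sample deployment (hypothetical names):
# threat -> (preconditions, postcondition, user impact of mitigating it)
THREATS = {
    "wifi_weak_psk":         ({"radio_range"}, "lan_access", 3),
    "camera_default_creds":  ({"lan_access"}, "camera_shell", 1),
    "hub_debug_service":     ({"lan_access"}, "hub_shell", 1),
    "camera_hub_trust":      ({"camera_shell"}, "hub_shell", 2),
    "hub_cloud_token_reuse": ({"internet"}, "hub_shell", 2),
    "hub_unauth_lock_cmd":   ({"hub_shell", "lock_paired"}, "lock_control", 5),
}
INITIAL = {"radio_range", "internet", "lock_paired"}  # attacker's starting facts

def reachable(threats, initial):
    """Forward-chain to a fixpoint: a threat fires once all its preconditions hold."""
    facts = set(initial)
    changed = True
    while changed:
        changed = False
        for pre, post, _impact in threats.values():
            if pre <= facts and post not in facts:
                facts.add(post)
                changed = True
    return facts

def best_cut(threats, initial, goal):
    """Smallest set of threats to mitigate so that `goal` becomes underivable.
    Ties are broken by lowest summed user impact. Exhaustive, for small graphs."""
    if goal not in reachable(threats, initial):
        return ()  # no intrusion chain leads to the goal
    names = sorted(threats)
    for k in range(1, len(names) + 1):
        cuts = []
        for cut in combinations(names, k):
            kept = {n: t for n, t in threats.items() if n not in cut}
            if goal not in reachable(kept, initial):
                cuts.append(cut)
        if cuts:
            return min(cuts, key=lambda c: (sum(threats[n][2] for n in c), c))
    return None  # goal is already an initial fact; no cut can help

if __name__ == "__main__":
    for goal in ("camera_shell", "hub_shell", "lock_control"):
        print(goal, "->", best_cut(THREATS, INITIAL, goal))
```

The exhaustive search is exponential in the number of threats; it stands in for the graph-mining step only on toy inputs like this one.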


[1] Manos Antonakakis et al., Understanding the Mirai Botnet, USENIX Security, 2017

[2] L. Rouch et al., A Universal Controller to Take Over a Z-Wave Network, Black Hat Europe, 2017

[3] Alessandro Bassi, Martin Bauer, Martin Fiedler, Thorsten Kramp, Rob van Kranenburg, Sebastian Lange, Stefan Meissner (eds), “Enabling Things to Talk”, Designing IoT solutions with the IoT Architectural Reference Model, Springer, 2013

[4] J. François et al., PTF: Passive Temporal Fingerprinting, IFIP/IEEE International Symposium on Integrated Network Management (IM), 2011

[5] BF Van Dongen et al., The prom framework: A new era in process mining tool support, ICATPN 2005

[6] C. Kolias, G. Kambourakis, A. Stavrou and J. Voas, "DDoS in the IoT: Mirai and Other Botnets," in Computer, vol. 50, no. 7, pp. 80-84, 2017.

[7] Markus Miettinen, Samuel Marchal, Ibbad Hafeez, N. Asokan, Ahmad-Reza Sadeghi, Sasu Tarkoma: IoT SENTINEL: Automated Device-Type Identification for Security Enforcement in IoT. ICDCS 2017.

[8] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Ayyash, "Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications," in IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347-2376, Fourthquarter 2015.

[9] "IoT SENTINEL: Automated Device-Type Identification for Security Enforcement in IoT," 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), Atlanta, GA, 2017

[10] P. Stenetorp, S. Pyysalo, G. Topić, T. Ohta, S. Ananiadou, and J. Tsujii, BRAT: a web-based tool for NLP-assisted text annotation, in Demonstrations, 13th Conf. of the European Chapter of the Association for Computational Linguistics. Association for Computational Linguistics, 2012.

[11] https://prodi.gy/, Radically efficient machine teaching. An annotation tool powered by active learning.

[12] B. Goertzel, M. Iklé, I. F. Goertzel, and A. Heljakka, Probabilistic Logic Networks: A Comprehensive Framework for Uncertain Inference. Springer, 2008.

[13] J. Wallen. “Five nightmarish attacks that show the risks of IoT security”. ZDNet June 2017. Available at: http://www.zdnet.com/article/5-nightmarish-attacks-that-show-the-risks-of-iot-security/

[14] https://www.owasp.org/index.php/Top_IoT_Vulnerabilities


Required qualifications :

  • Required qualification: PhD diploma in computer science
  • Good expertise in networking, security, machine learning, logic and stochastic modeling
  • Knowledge in NLP methods will be appreciated
  • Computer skills: familiar with Linux, Scala/Python programming


Language: English

Benefits package

  • Subsidized meals
  • Partial reimbursement of public transport costs
  • Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
  • Possibility of teleworking (after 6 months of employment) and flexible organization of working hours
  • Professional equipment available (videoconferencing, loan of computer equipment, etc.)
  • Social, cultural and sports events and activities
  • Access to vocational training
  • Social security coverage


Salary: 2653€ gross/month