Research engineer : Analysis of cybersecurity logs in hospital environments

Renewable contract : Yes

Level of qualifications required : Graduate degree or equivalent

Position : Temporary scientific engineer

Context

This work takes place in the context of a collaboration between the Hospices Civils de Lyon (HCL), Inria Nancy (RESIST Team), and Inria Rennes (CIDRE Team).

Assignment

In recent years, the healthcare sector, including hospitals and their OT infrastructure, has become a target of multiple cyber threats and attacks such as ransomware, data exfiltration, DDoS, etc. The number of these attacks is growing, and patient safety becomes critical in such situations. To mitigate such attacks and reduce their impact, some large hospitals are deploying their own SOC (Security Operations Center) or enhancing the detection capabilities of their existing one. However, hospital IT infrastructures usually contain a large Operational Technology (OT) environment as well as a large number of medical systems, some of them legacy, and IT security staff also face high false positive rates due to the complexity of the deployed equipment and its specific requirements (real-time operation, healthcare-specific protocols, sometimes outdated and unsupported software, high availability requirements). Thus, more accurate and precise detection tools are required in such environments to provide more focused countermeasures that avoid blocking critical operations or disrupting patient care.

The objective of this work is to develop a novel approach for the analysis of security logs in a hospital environment by leveraging Machine Learning (ML) techniques. A large number of logs and alerts is collected daily when monitoring the activities of these networks and the equipment deployed on them. These logs and alerts, issued by Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools, are mainly stored in a SIEM (Splunk). Not all the useful logs are currently collected, and the ones that are collected lack the context needed to distinguish true positive from false positive alerts and thereby reduce false alarms. This reduction allows the security analyst to focus on a small number of alerts instead of hundreds or thousands per day.

Main activities

The tasks to be carried out by the research engineer are as follows:

  • Study of existing attack detection techniques used in hospital and health care environments.
  • Analysis of existing logs and the missing ones in order to be able to suitably implement the aforementioned attack detection techniques.
  • Development of methods for cleaning, preprocessing and annotating logs and alerts. The goal of this task is to build a precise and representative dataset from available logs and alerts provided by the Hospices Civils de Lyon.
  • Evaluation of supervised and unsupervised ML techniques for attack detection by using the built dataset.

Skills

  • Cyber security
  • Security protocols analysis
  • Python programming 
  • Knowledge about formal methods

Benefits package

  • Subsidized meals
  • Partial reimbursement of public transport costs
  • Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
  • Possibility of teleworking (after 6 months of employment) and flexible organization of working hours
  • Professional equipment available (videoconferencing, loan of computer equipment, etc.)
  • Social, cultural and sports events and activities
  • Access to vocational training
  • Social security coverage

Remuneration

From €2765 gross/month depending on qualifications and experience