PhD Position F/M Moving-target defense driven by artificial intelligence for cloud composite services

The offered position is proposed by the RESIST team of the Inria Nancy Grand Est research lab, the French national public institute dedicated to research in digital Science and technology. The team is one of the European research group in network management, and is particularly focused on empowering scalability and security of networked systems through a strong coupling between monitoring, analytics and network orchestration.

https://team.inria.fr/resist/

This PhD thesis will take place in the context of the TrustInCloudS project. This project is part of the CLOUD PEPR founded by the ANR, and targets the design of new solutions for the major cybersecurity challenges specific to cloud environments, in order to ensure the confidentiality, integrity and availability of data, applications and services. In particular, its main objective is to study and develop new methodologies to strengthen cloud security and implement them over prototyping platforms, in order to contribute to the development a sovereign and trusted cloud. The project is organized in such a way as to work on the one hand on the security of the infrastructures, and on the other hand on the security of the data (in the broad sense) that these infrastructures host. It will carry out scientific actions on these two main themes, with the objective of proposing new methods and tools for securing cloud infrastructures and their data. This theoretical work will lead, when relevant, to prototype implementations to prove the concept, including potential deployment over the shared infrastructures developed in the SLIDES project of the CLOUD PEPR.

Advances in virtualization techniques together with the growing maturity of orchestration languages contribute to the design and deployment of elaborated cloud services. In particular, these services can be easily designed or modified through the composition of multiple elementary services/resources (such as virtual machines) provided by cloud infrastructures. These services are however exposed to a large variety of security attacks. While traditional static defense techniques allow to reduce the attack surface, they also show their limits to counter more advanced and dynamic attacks. Moving-target defense strategies offer new perspectives with that respect, and can be leveraged by artificial intelligence methods to improve their performance, in order to make recognition activities, which can themselves be based on learning, more difficult.

The objective of this PhD thesis is to design and implement new artificial-intelligence-oriented defensive strategies applied to the context of cloud composite services. The proposed methods will define the movements/changes to be operated over time on cloud composite services (which can go from the simple modification of a configuration parameter to the whole redeployment of a cloud service), by taking into account the specificities/properties inherent to cloud computing, such as rapid elasticity, scalability, and on-demand self-service access, and providing guarantees in terms of explainability and verifiability. In particular, these methods should address the dynamicity of these services, whether this dynamicity is external (e.g. threat evolution) or internal (e.g. changes in the configuration of some resources/services). They should also consider the horizontal and vertical dependencies that may exist between different services, particularly in the context of multiple domains. Finally, the implemented solutions should have a limited impact on service performance (cost minimization).

Main activities

The different activities performed during this PhD thesis will include :

- the elaboration of a state-of-the-art about moving-targe defense in cloud infrastructures, including the analysis of the different categories of parameters on which a moving target defense strategy can be applied in a cloud composite service context,

- the design of artificial-intelligence-oriented moving-target defense (MTD) strategies for such services, with guarantee in terms of explainability and verifiability. In particular, we could investigate further the coupling of artificial intelligence together with verification techniques.

- the performance evaluation of these strategies, and their integration with other security mechanisms (such as network and service supervision or threat intelligence activities).

References

- Mohamed Oulaaffart, Rémi Badonnel and Olivier Festor "Towards Automating Security Enhancement for Cloud Services." In the Proceeding of IFIP/IEEE International Sympo-
sium on Integrated Network Management (IFIP/IEEE IM), pp 692-696, IEEE, 2021.

- Mohamed Oulaaffart, Rémi Badonnel, Christophe Bianco. "An Automated SMT-based
Security Framework for Supporting Migrations in Cloud Composite Services. " In the Pro-
ceeding of the IEEE/IFIP Network Operations and Management Symposium (IEEE/IFIP
NOMS). pp 1-9, 2022, IEEE.

- Mohamed Oulaaffart, Rémi Badonnel and Olivier Festor "CMSec: A Vulnerability Preven-
tion Tool for Supporting Migrations in Cloud Composite Services. " In the Proceeding of
the IEEE International Conference on Cloud Networking (IEEE CloudNet). pp 1-9, 2022.

- Mohamed Oulaaffart, Rémi Badonnel and Olivier Festor "C3S-TTP: A Trusted Third
Party for Configuration Security in TOSCA-based Cloud Services", Springer
Journal of Network and Systems Management, 2024.

- Required qualification: Master in Computer Science / Engineering Degree in Computer
Science

- Required knowledge: solid knowledge in computer science and networking, Interest for
(or experience in) network security, formalization/verification methods

- Languages: programming languages (python, java/c)

- Fluent in english (writing and oral communication)

• Subsidized meals
• Partial reimbursement of public transport costs
• Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
• Possibility of teleworking (after 6 months of employment) and flexible organization of working hours
• Professional equipment available (videoconferencing, loan of computer equipment, etc.)
• Social, cultural and sports events and activities
• Access to vocational training
• Social security coverage

2100 € gross/month the 1st year