Post-Doctoral Research Visit F - M Explainable And Extensible Machine Learning-Driven Intrusion Detection System With Encrypted Network Traffic Flows H/F INRIA

Post-Doctoral Research Visit F/M Explainable and Extensible Machine Learning-driven Intrusion Detection System with Encrypted Network Traffic Flows
Le descriptif de l'offre ci-dessous est en Anglais
Type de contrat : CDD

Niveau de diplôme exigé : Thèse ou équivalent

Fonction : Post-Doctorant

Niveau d'expérience souhaité : Jeune diplômé

A propos du centre ou de la direction fonctionnelle

The Inria Rennes - Bretagne Atlantique Centre is one of Inria's eight centres and has more than thirty research teams. The Inria Center is a major and recognized player in the field of digital sciences. It is at the heart of a rich R&D and innovation ecosystem: highly innovative PMEs, large industrial groups, competitiveness clusters, research and higher education players, laboratories of excellence, technological research institute, etc

Contexte et atouts du poste

InriaPIRAT team (https://team.inria.fr/pirat/) is hiring one postdoctoral researcher at Rennes with a strong background on the research and practices of Machine Learning-driven intrusion detection systems. In this project, the PIRAT teamwill be funded by BPI-France project Cyberte and collaborate with Scality, a start-up on Cloud Service(https://www.scality.com/).

Previous practices of Machine Learning (ML)-driven intrusion detection systems (IDS) suffer from two bottlenecks. First of all, the attack behaviors evolve persistently. New attack techniques / campaigns emerge and may change drastically the malicious payloads that recorded in the data, e.g., system logs or network traffics. Such change over malicious behaviors can lead to failure of Machine Learning-driven intrusion detection. Second, beyond evaluating the detection accuracy, it is interesting to understand the decision logics learned by the intrusion detection model. Current practices of ML-based intrusion detection methods depend heavily on black-box prediction models. It is therefore difficult to the owner of IDS to assess and identify potential bias in the detection output.

Therefore, the goal of this post-doctoral position is twofold. We will first focus on developping fast and adaptive ML methods that can detect and update the model to cope with the variation of attack behaviors. Furthermore, we expect the trained detection model to be interpretable. It can evaluate the informativeness of attributes in security reports.It can reveal the causal relationship between these raw attributes and the detection and classification results. Notably, we will specially focus on using ML techniques to unveil suspicious attack behaviours with encrypted traffic flows.

The post-doc researcher will be hosted at Rennes and may be required to travel to work withScality regularly, which is located in Paris.Travel expenses will be covered within the limits of the scale in force.

Mission confiée

Assignments :

With the help of the researchers atPIRAT and AI engineers at Scality, the recruitedpost-doc researcherwill be taken to conduct research in two perspectives. We aim first to provide transferable ML-based intrusion detection systems. In this study, the ML-based intrusion detection modelshouldbe designed to be easily adapted to different network traffic data sources without relearning from scratch. For example, we first train an intrusion detection model using network traffics from some attack campaigns from CIC-IDS-2018 [1]. After that, we want to identify the optimal hyperparameters or the optimal detection model using a few network flows of the other attack campaigns of the same dataset. The adapted model should achieve accurate detection over the other attack campaigns during test. In this sense, the designed ML-based detection model can be flexibly reused without the intense retraining cost in different network intrusion detection applications. Potential Machine Learning methodologies, e.g. meta learning [2] or transfer learning [3], could be useful to achieve fast adaption of the intrusion detection methods across different data sources, or across the drift of attack behaviours.

In a further step, wewill also focus on providing interpretable intrusion detection algorithms. The expected ML-driven intrusion detection model should automatically discover malicious payload signatures and attack behaviors from network traffic data. These ML-generated signatures can help understand the process of stealth attacks, such as APT attacks, and make the decision of ML-based detection models more reliable compared to black box ML models. In this respect, we plan to explore if the popular examplanable methods, e.g. Shapley value [4] or LIME [5] could be applied to interpret the detection logics and highlight the important attributes of cyber attack behaviours.

[1]

[2]Chelsea Finn, Pieter Abbeel, Sergey Levine (2017). Model-Agnostic Meta-Learning for Fast Adaptation of Deep Networks arXiv:1703.03400

[3] Jeeyung Kim, Alex Sim, Jinoh Kim, Kesheng Wu, and Jaegyoon Hahm. 2020. Transfer Learning Approach for Botnet Detection Based on Recurrent Variational Autoencoder. In Proceedings of the 3rd International Workshop on Systems and Network Telemetry and Analytics (SNTA '20).

[4]https://shap.readthedocs.io/en/latest/

[5]https://github.com/marcotcr/lime

Responsibilities :
The person recruited will be in charge ofpursuing and maintaining the contact between the team and help sync up the research progress over the topic with our external collaborators.

Principales activités

Main activities:

- Co-development of extensible Machine Learning methods to deliver fast adaption of intrusion detection use across different attack behaviours, as well as across different data sources. In this study, we especially focus on network traffic flow-based intrusion detection.
- Preprocessing andmeasurement study of theproposed methods using publica datasets and network flows collected by the team members
- Development of explanable machine learning approaches to produce interpretations to the detection logics of state-of-the-art Deep Learning-based intrusion detection models.
- Maintaining regular interactions with the team members.
- Writing reports / papers.

Compétences

Technical skills and level required :

- Knowledge in intrusion detection systems. Previous experiences with network flow-based intrusion detection systems will be favored.
- Knowledge insemi-supervised Machine Learning / Meta Learning.
- Proficient in programming in python. Experience with programming using pytorch and GPU platform will be preferred.

Relational skills

- Good communications skills
- Reasonablepresentations skills

Languages : English

Avantages

- Subsidized meals
- Partial reimbursement of public transport costs
- Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
- Possibility of teleworking (after 6 months of employment) and flexible organization of working hours
- Professional equipment available (videoconferencing, loan of computer equipment, etc.)
- Social, cultural and sports events and activities
- Access to vocational training
- Social security coverage

Rémunération

Monthly gross salary amounting to 2788 euros