Online Network Traffic Security Inspection Using MMT Tool

Wissam Mallouli*, Bachar Wehbi*, Edgardo Montes de Oca* and Michel Bourdellès†

* Montimage, 39 rue Bobillot, 75013 Paris - France
{wissam.mallouli, bachar.wehbi, edgardo.montesdeoca}@montimage.com
† THALES Communications, SRP Department, 160, Bd de Valmy - BP 82, 92704 Colombes Cedex - France
{michel.bourdelles}@fr.thalesgroup.com
Abstract—MMT (Montimage¹ Monitoring Tool) is a monitoring solution that allows near real-time QoS and security analysis based on deep packet inspection techniques. For security monitoring, it relies on a formal description of conditions on sequences of events, called security properties, to define security rules (i.e., rules that should be respected) or attacks and misbehaviours. These security properties can also integrate: advanced analysis techniques based on statistics and machine learning, notifications, alarms (e.g., using syslog), and countermeasures (e.g., using the iptables library).
In this paper, we give an overview of MMT's architecture, showing its extensibility and adaptability to multiple domains. We also demonstrate the reliability of the tool by its application to an industrial case study provided by Thales Group dealing with a QoS-aware ad-hoc radio communication protocol.
Keywords: Events extraction, Monitoring, Security Analysis.

¹ Montimage is an innovative company created in 2004 and located in Paris. It is specialized in software development and testing services.

I. INTRODUCTION

A. Motivation and challenges

New and more critical vulnerabilities are constantly being introduced by the evolution of the Internet and mobile communications, where critical infrastructures are more and more open and corporate IT is more and more dematerialised (e.g., using cloud services). This is pushing towards the need for more proactive and automated mechanisms for detecting and preventing anomalies (due to attacks or misbehaviours). In this context, Deep Packet Inspection (DPI) is considered a key element in the shift towards advanced monitoring. DPI is the process of capturing network traffic, analysing and inspecting it in detail to determine accurately what is really happening in the network. This "core component" feeds the different monitoring applications with high added value information. Starting from this perception, the requirements of a network monitoring system can be summarized as follows:
• High capturing performance. It must be able to capture traffic at high speeds and under high traffic volume. This depends on what is to be monitored and where.
• Extensibility. If new services are integrated in the network, it must be possible to deploy effortlessly new monitoring mechanisms for these specific services. In addition, if new analysis techniques are needed, it should be possible to integrate them as effortlessly as possible.
• Scalability. It must be able to handle the increase of traffic data as network link speeds and the number of probes increase in the network without performance degradation. Scalability can be achieved by reducing the traffic information collected using efficient packet capturing mechanisms and traffic pre-processing.
• Real time functioning. It must implement real time mechanisms in order to quickly detect network security/performance problems and allow timely execution of automated or manual countermeasures.
• Granularity. It must be able to track the security and performance of each service by capturing and analysing the traffic belonging to the application of interest.
• Diversity. It has to support the network's diversity, as it contains different types of network devices from multiple vendors, protocol stacks, and applications to provide services to the user.
• Low cost. It should not use an excessive amount of computing, storage, and communication resources, so that the cost of deploying and operating the monitoring infrastructure is low for service providers.
• Secure. It should not add vulnerabilities to the network, or disturb normal network operation.

B. Paper content

In this paper, we present the MMT tool, an online monitoring solution that provides real-time visibility of network traffic. It provides network, application, flow and user level visibility. MMT facilitates network security and performance monitoring and operation troubleshooting. MMT's rules engine can correlate network and application events in order to detect operational, security and performance incidents.
In section II, we describe the security properties formalism used to specify the security requirements of the system/network under test. Then, we present the MMT tool architecture and security features in section III and show how they can answer the security monitoring challenges described above. The application of MMT to an industrial case study provided by Thales Group is given in section IV. Finally, we conclude the paper and provide some future directions in section V.

II. MMT-SECURITY PROPERTIES FORMALISM

A. Formalism description

The main objective of MMT security properties is to formally specify security goals and attack behaviours related to the application or protocol under test. The "MMT-Security property" model is inspired by LTL logic [3] and can refer to two types of properties, "Security rules" and "Attacks", described as follows:
• A Security rule describes the expected behaviour of the application or protocol under test, whether it is functional or security oriented. The non-respect of the MMT-Security property indicates an abnormal behaviour, e.g. the access to a specific service must always be preceded by an authentication phase.
• An Attack describes a malicious behaviour, whether it is an attack model, a vulnerability or a misbehaviour. Here, the respect of the MMT-Security property indicates the detection of an abnormal behaviour that might indicate the occurrence of an attack, e.g. a big number of requests from the same user in a limited period of time can be considered as a behavioural attack.
It must be noted that the events that we take into account within MMT-Security properties are related to observable system/network communications. In the case of a telecommunication network, they refer to traffic packets and flows. In other contexts, they can relate to any action that can be stored in a server/database/software log file. In the following, we formally present the concepts of MMT-Security properties in the context of telecommunication networks. The main definition of an MMT-Security property is provided by definition number 10. The other definitions allow understanding the basics of the model used. In the rest of this document the terms "packet", "message" and "event" are used interchangeably.

Definition 1: (Live Trace) A live trace collected during a period of time is a set of ordered captured packets.
• A live trace T = ⋃_{i=1}^{n} p_i where n is the number of captured packets, p_1 is the first packet captured in the trace and p_n the last one.
• Each packet p_i has a rank r_i that corresponds to its position in the trace T.
• ∀ p_i ∈ T, p_i = ⋃_{j=1}^{m_i} f_{i,j} where f_{i,j} is a field of the packet p_i and m_i is the number of fields of the packet p_i. Each field f_{i,j} of the packet p_i has a value v_{i,j}.
• ∀ p_i ∈ T, ∃ f_{i,j} ∈ p_i / f_{i,j} = t_i where t_i is the timestamp when p_i was captured.
• ∀ r_i, r_j where r_i is the rank of p_i and r_j the rank of p_j, if r_i > r_j then t_i > t_j.

Definition 2: (Value function φ) Let T be a collected trace of n packets, F the set of fields of all the packets p_i of the trace T, V the domain of values and P the set of packets. V = R ∪ S ∪ NULL where S is a finite set of strings. We define the function φ: P × F → V as the function providing the value of a field in a specific packet of the trace T:
• φ(p_i, f_{m,n}) = v_{i,n} if f_{m,n} ∈ p_i and
• φ(p_i, f_{m,n}) = NULL if f_{m,n} ∉ p_i

An MMT-Security property is an IF-THEN property. It allows expressing specific constraints on network events. Each event is a set of conditions on some of the field values of the exchanged packets.

Definition 3: (Conditions) Conditions are predicates on packets' field values. Let p_i and p_{i'} be two captured packets, V be the domain of values, f_{i,j} be a field of the packet p_i, f_{i',j'} be a field of p_{i'} and x ∈ V. Let op be an operator element of O_R ∪ O_S where O_R = {≤, ≥, =, ≠, ∈, etc.} and O_S = {equal, not equal, contain, not contain, etc.}². Two types of conditions can be defined: c_s (simple condition) and c_c (complex condition):
• c_s ::= φ(p_i, f_{i,j}) op x. We say that the packet p_i satisfies c_s iff v_{i,j} op x is true.
• c_c ::= φ(p_i, f_{i,j}) op φ(p_{i'}, f_{i',j'}). We say that the packet p_i satisfies c_c iff v_{i,j} op v_{i',j'} is true.

² O_R is the classical set of operators that can be applied on real numbers in the domain R. O_S is the classical set of operators that can be applied on strings of the domain S.

Definition 4: (Basic event) An event e_j is a set of conditions on relevant fields of captured packets: e_j = ⋃_{k=1}^{m_j} c_{j,k}, m_j being the number of conditions (simple and/or complex). Let p_i be a packet and e_j an event with m_j conditions and c_{j,k} the kth condition of e_j. A packet p_i satisfies an event e_j if and only if ∀ k ∈ [1, m_j], c_{j,k} is true.

Definition 5: (Absence of an event) If e is an event, then ¬e is also an event. ¬e is satisfied if no packet that satisfies the event e occurs in the collected trace.

Definition 6: (Repetition of an event) If e is an event and n ∈ N*, then n × e is a complex event. n × e is satisfied if n packets satisfying the event e occur in the collected trace.

Definition 7: (Complex events: Successive events) Let n ∈ N*, t ∈ R+* and e_1 and e_2 be two basic events. (e_1 ; e_2)_{n,t} is a complex event. It is composed of two basic events. [p_1, p_2] satisfies (e_1 ; e_2)_{n,t} ⇔
• p_1 satisfies e_1 and
• p_2 satisfies e_2 and
• time(p_1) < time(p_2) < time(p_1) + t and
• rank(p_1) < rank(p_2) < rank(p_1) + n.
In other words, [p_1, p_2] satisfies (e_1 ; e_2)_{n,t} iff p_2 follows p_1 and they are separated by at most n packets and t units of time.

Definition 8: (Complex events: AND) Let n ∈ N*, t ∈ R+* and e_1 and e_2 be two basic events. (e_1 ∧ e_2)_{n,t} is a complex event.
It is composed of two basic events. [p_1, p_2] satisfies (e_1 ∧ e_2)_{n,t} ⇔ [p_1, p_2] satisfies (e_1 ; e_2)_{n,t} or [p_1, p_2] satisfies (e_2 ; e_1)_{n,t}. Intuitively, p_1 and p_2 satisfy (e_1 ∧ e_2)_{n,t} iff p_2 and p_1, in either order, are separated by at most n packets and t units of time.

Definition 9: (Complex events: OR) Let e_1 and e_2 be two basic events. (e_1 ∨ e_2) is a complex event. p_1 satisfies (e_1 ∨ e_2) ⇔ p_1 satisfies e_1 or p_1 satisfies e_2.

Definition 10: (MMT-Security property) Let W ∈ {BEFORE, AFTER}, n ∈ N, t ∈ R+* and e_1 and e_2 be two events (basic or not). An MMT-Security property is an IF-THEN expression that describes constraints on network events captured in a trace T = {p_1, ..., p_{m'}}. It has the following syntax:
e_1 →_{W,n,t} e_2
This property expresses that if the event e_1 is satisfied (by one or several packets p_i, i ∈ {1, ..., m}), then the event e_2 must be satisfied (by another set of packets p_j, j ∈ {1, ..., m}) before or after (depending on the W value) at most n packets and t units of time. e_1 is called the triggering context and e_2 is called the clause verdict.

B. Formalism implementation

The MMT-Security property model allows expressing complex security properties derived from security best practices and from domain-specific security requirements. These MMT-Security properties are described using an XML format to make interpretation easier for both humans and software.

Figure 1. MMT property structure. [Figure: a tree whose root is a property of type SECURITY_RULE or ATTACK, with a left branch representing the context and a right branch representing the trigger; each branch is built from nested <operator> tags whose leaves are <event> tags.]

Each property begins with a <property> tag and ends with </property>. A property is a "general ordered tree" as shown in figure 1. The nodes of the property tree are: the property node (required), operator nodes (optional) and event nodes (required). The property node is necessarily the root node and the event nodes are necessarily leaf nodes. The left branch represents the context and the right branch represents the trigger. This means that the property is found valid when the trigger is found valid; and the trigger is checked only if the context is valid. In other words:
• If the context is verified and the trigger is not, then a property non-respect occurrence is detected.
  – In the case of a "security rule", this means that the context of the rule has been found and, since the trigger was not, we conclude that the "security rule" has been violated.
  – In the case of an "attack", this means that the context of an attack has occurred but the trace was attack free.
• If the context and the trigger are verified, then a property respect occurrence is detected.
  – In the case of a "security rule", this means that the context of the rule has been found, as well as the trigger. We conclude that the "security rule" has been respected.
  – In the case of an "attack", this means that the context of an attack has occurred, as well as the trigger. We conclude that the attack has been detected.
Table I illustrates a security property derived from the case study described in section IV.

Table I. EXAMPLE OF MMT-SECURITY PROPERTY

XML code:

<property value="THEN" property_id="1" type_property="SECURITY_RULE"
          description="If one node receives two successive MSG_SPHY_DATA_IND messages from the same source, then these two messages must to be separeted by 50 slots">
  <operator value="THEN" delay_min="0+" delay_max="99">
    <event value="COMPUTE" event_id="1" description="MSG_SPHY_DATA_IND message"
           boolean_expression="((THALES_META.MSG_CODE == 8193) &amp;&amp; (MSG_SPHY_DATA_IND.SLOT_TYPE == 0))" />
    <event value="COMPUTE" event_id="2" description="MSG_SPHY_DATA_IND message"
           boolean_expression="((THALES_META.MSG_CODE == 8193) &amp;&amp; ((MSG_SPHY_DATA_IND.SLOT_TYPE == 0) &amp;&amp; ((MSG_SPHY_DATA_IND.ADDRESS_SOURCE == MSG_SPHY_DATA_IND.ADDRESS_SOURCE.1) &amp;&amp; (THALES_META.NODE_ID == THALES_META.NODE_ID.1))))" />
  </operator>
  <event value="COMPUTE" event_id="3" description="MSG_SPHY_DATA_IND messages must to be separeted by 50 slots"
         boolean_expression="((THALES_META.TIME_SLOT.1 + 50) == THALES_META.TIME_SLOT.2)" />
</property>

Explanation:
• <property ...>: Security rule (that should be respected) with id=1 of the form: if the context holds then the trigger should have occurred.
• <operator ...>: Two successive events that occurred within a delay in ]0,99].
• <event event_id="1">: An event with id=1 that satisfies the boolean expression. It is an SPHY_DATA_IND message identified by the message code = 8193 and a slot type = 0 (SCH broadcast channel type).
• <event event_id="2">: An event with id=2 that satisfies the boolean expression. It is an SPHY_DATA_IND message identified by the message code = 8193 and a slot type = 0 (SCH broadcast channel type). It has the same node source address as event 1 and is received by the same node.
• </operator>: End of the operator.
• <event event_id="3">: An event with id=3 that checks that the time slots of the first two events are separated by 50.
• </property>: End of the property.

C. Multi data sources management for security analysis

In the context of MMT, DPI (Deep Packet Inspection) and DFI (Deep Flow Inspection) are used to help detect and tackle harmful traffic and security threats; and, to throttle or block undesired behaviours. We define a set of security properties for network traffic, at both control and data levels, to detect interesting events. Indeed, based on the defined security properties, we register the attributes to be extracted from the inspected packets and flows. These attributes are of three types:
• Real attributes: They can be directly extracted from the inspected packet. They correspond to a protocol field value.
• Calculated attributes: They are calculated within a flow. Packets from the same flow are grouped and security/performance indicators are calculated (e.g. delays, jitter, packet loss rate) and made available for the security analysis engine.
• Meta attributes: These attributes are linked to each packet to describe capture information. The time of capture of each packet (timestamp attribute) is the main meta attribute in the current version of MMT.
The extracted attributes needed for security analysis can emanate from different data sources (probes and/or interfaces). This is managed in the MMT monitoring solution during the specification phase of the security properties. Indeed, the data source identifiers are part of the meta-attributes that can be used in the specification of the relevant events for security analysis. Three architectures are taken into account in MMT:
• Local analysis: the collected traffic is analysed for security purposes in one probe that captures network traffic from one or several interfaces.
• Centralized analysis: the traffic capture is distributed but the security analysis is centralized. All data sources send

their collected traffic (filtered or not) to the same master server that correlates the traces (i.e., the probes need to be synchronized to be able to perform this task).
• Distributed analysis: the traffic capture is distributed and the analysis is performed by all the probes, which communicate together to share information. This analysis can be very interesting in some specific case studies like ad hoc networks. The communication between probes is an on-going work for the MMT tool.
The originality of the MMT security properties with respect to existing intrusion detection techniques lies in that they are not based on just pattern matching (i.e., signatures) as in SNORT [5], nor do they require writing executable scripts as in BRO [4]. They allow a more abstract description of sequences of events that can represent normal/abnormal behaviour. They can also integrate pattern matching, statistics and machine learning techniques; but describing this here is out of scope for this paper.

III. MONTIMAGE MONITORING TOOL

A. MMT-Security architecture

MMT-Security is composed of three complementary, but independent, modules:
• MMT-Extract is the core packet processing module. It is a C library that analyses network traffic using Deep Packet/Flow Inspection (DPI/DFI) techniques in order to identify network and application based events by analyzing: protocols' field values; network and application Quality of Service (QoS) parameters; and, Key Performance Indicators (KPI). In a similar way, it also allows analyzing any structured information generated by applications (e.g., traces, logged messages). MMT-Extract incorporates a plugin architecture for the addition of new protocols or messages, and a public API for integration into third party probes.
• MMT-Security is a security analysis engine based on MMT-Security properties. MMT-Security analyzes and correlates network and application events to detect operational and security incidents. For each occurrence of a security property, MMT-Security allows detecting whether it was respected or violated.
• MMT-Operator is a visualization application for MMT-Security currently under development. It allows collecting and aggregating security incidents to present them via a graphical user interface. MMT-Operator is conceived to be customizable, i.e., the user will be able to define new views or customize one from a large list of predefined views. With its generic connector, MMT-Operator can be integrated with third party traffic probes. At the time of writing this paper, a web based representation of the analysis results is provided.

Figure 2. MMT global architecture. [Figure: MMT Operator (monitoring and reporting; web technology; manages multiple probes) on top of the MMT Probe (traffic monitoring, quality monitoring, security analysis; traffic configuration DB), which is built on MMT Extract (DPI functionalities; traffic classification, 150+ protocols; protocol decoding and attribute extraction; extraction of metrics (Quality Index)) and its Protocol Plugins.]

B. MMT-Security features and innovation

Granular traffic analysis capabilities: MMT allows parsing a wide range of protocol packet types (e.g., TCP, UDP, ARP, HTTP, etc.) and extracting various performance indicators. The extraction is powered by a plugin architecture that allows adding the analysis of new protocol packet formats or even structured application generated messages (e.g., traces, logs).
Application classification: Prior to extracting protocol packet attributes, MMT uses DPI techniques for application identification and classification. This is essential when analyzing applications that use non-standard port numbers (e.g., P2P, Skype). To be able to classify encrypted packets such as Skype, both signature detection and flow state are used [2].
Properties engine: Allows the detection of complex sequences of events that conventional monitoring does not detect (see the description in section II). This is used to monitor: i) access control policies (e.g., verify that authorized users are authenticated prior to using a critical business application); ii) anomalies or attacks (e.g., detect excessive login attempts on the application server); iii) performance (e.g., identify VoIP calls with QoS parameters exceeding acceptable quality thresholds); etc.
Configurable reports: MMT traffic reports and charts can be configured by the user. The user can edit pre-configured reports and create new ones. Different chart types and graphs can be used including: pie, histograms, time charts, stacked area charts, sequence charts, tables, hierarchical tables, etc.
Multi-platform solution: MMT is available on Windows and Linux based distributions. It can be installed as software on commodity hardware or optimized for integration with dedicated probes.
Modular solution: MMT is a modular solution composed of three components: MMT-Extract for the traffic processing and data decoding; MMT-Security for properties analysis; and, MMT-Operator for data aggregation, correlation and reporting. It is possible to integrate MMT-Extract and MMT-Security in third party traffic probes and to connect MMT-Operator with existing systems.
The novelty in the approach used by MMT is that it allows:
• detecting both wanted (e.g., security rules) and unwanted (e.g., attacks) behaviour;
• using performance indicators, e.g., to detect bottlenecks caused by attacks;
• defining countermeasures, e.g., changing the iptables rules;
• combining active and passive approaches (e.g., it can be used to verify that generated tests passed or failed);
• analysing any structured information (e.g. network packets, messages, application logs); and,
• combining centralized and distributed analysis to detect 0-day attacks using machine learning techniques (work in progress).
Furthermore, MMT uses an algorithm that only stores the information needed to verify the properties and does not do any backtracking to verify, for instance, that an event happened before.
MMT allows defining properties with a high degree of expressiveness that include conditions on time, order of events, packet parameters, payload information, KPI, statistical and machine learning analysis. The expressiveness of the properties allows detecting complex events. This makes MMT a very flexible tool that can be applied in several domains. It also makes it possible to deploy probes that will work together to obtain a more complete view of the network. This work in progress can also be used as a Complex Event Processing engine for Business Activity Monitoring.
MMT can be installed as (1) a standalone tool that allows the analysis of live or pre-recorded traces or as (2) a set of two libraries for integration into third party probes.

IV. CASE STUDY

A. Experiment description

The MMT tool has been used to analyze an industrial case study provided by Thales Group. This case study is based on an ad-hoc radio network. The security issues that were explored focused on intrusion capabilities from over-the-air threats and also on radio network disruptions due to incorrect radio unit behaviour. Since these disruptions could affect the routing capabilities of a network of several dozens of radio units, the verification of these security issues has been done using a simulation platform based on OMNET++ [6]. OMNET++ acted as a client and MMT as a server that received all the data exchanged between ad-hoc network nodes to analyse them.
A set of 25 security properties derived from identified radio protocol requirements were formally specified. They were then checked using the MMT-Security tool on a set of collected traces delivered by Thales and generated using the CertifyIt Smartesting tool [1]. This tool allows performing active testing based on test purposes.
The security properties specified and validated are based on the neighbourhood management of radio nodes. Each node manages the resource allocation of the 1 and 2 hop radio nodes it can communicate with. Neighbour node detection and release is processed by the exchange of specific PDUs between these nodes. As the whole network topology is built from this dynamic detection of peer nodes, this part of the protocol is very vulnerable to attacks on, and malfunctions of, the exchange and processing of these PDU messages.

B. Preliminary analysis results

The specified security properties allowed detecting the different attack scenarios. At least one specified security property was violated during an attack. This demonstrates the efficiency of MMT and its relevance in detecting intrusions in ad hoc networks. In the following paragraph, we present an attack example simulated by OMNET++ and the results provided by MMT.
Security requirement: Every node must periodically send a notification message that includes the list of its neighbours on its allocated service slot. In order to verify this requirement, we should check that two consecutive notifications from the same source are separated by a specified number of slots (50 in our example) and that two notifications from different sources have different slot ids.
Attack scenario 1: A malicious node sends a message on a non-allocated service slot.
Specified security properties: Two security rules to detect this attack are specified (cf. properties 1 and 2 in table II). The first property is described in detail in the example of table I. Table II describes an example of results provided by the MMT tool during an online analysis. The next step (ongoing work) is to allow collaboration between network nodes to identify intruder(s) and perform a suitable countermeasure according to some pre-defined strategies. This is only possible if communication between nodes (and probes) is possible.

Table II. SUMMARY OF RESULTS ACCORDING TO THE SPECIFIED ATTACK SCENARIO 1

id | Property description | Respected | Violated
1 | Security rule: If one node receives two successive MSG_SPHY_DATA_IND messages from the same source, then these two messages must be separated by 50 slots | 12 | 2
2 | Security rule: If one node receives two MSG_SPHY_DATA_IND messages from different sources, then these two messages must have two different slot ids | 15 | 0
3 | Security rule: If node A receives from B an MSG_SPHY_DATA_IND message claiming A as a neighbour, then this means that A received from B at least 4 MSG_SPHY_DATA_IND messages in the last 5 periods (one period = 50 TS) | 14 | 0
4 | Security rule: DataUMAC within MSG_SPHY_DATA_IND (SCH) message must have a management status equal to 10 and a channel presence equal to 10 (hexa values) | 30 | 0
5 | Security rule: Number of neighbours must be between 0 and 127 | 30 | 0
6 | Security rule: DataUMAC within MSG_SPHY_DATA_IND message should have K, J, C bytes (broadcast channel) as follows: K between 1 and 255, J between 3 and 11 and C between 0 and 7 | 30 | 0
7 | Security rule: DataUMAC within MSG_SPHY_DATA_IND message is well formatted (can replace rules 4, 5, 6 and more). All neighbours should respect the broadcast channel limitations defined in rule 6 | 19 | 11
8 | Security rule: The declared neighbours of a node are distinct | 30 | 0
9 | Security rule: The neighbours declared by a node A do not contain the source node A | 30 | 0
10 | Security rule: The bit Z1 in KJC must be equal to 0 (Tolerance X% = 0) | 30 | 0
12 | Security rule: The directivity byte in BLOC3 (if any) must be equal to 0 or 1 | 30 | 0
13 | Security rule: KJCs in BLOC2 (if any) must be different from the KJC in BLOC1 | 30 | 0
14 | Security rule: All channels in BLOC2 are distinct | 30 | 0
15 | Security rule: If node A receives from B an MSG_SPHY_DATA_IND message claiming A as a neighbour with a bidirectivity bit = 1, then this means that A received from B at least 4 MSG_SPHY_DATA_IND messages in the last 5 periods (one period = 50 TS) | 16 | 0
... | ... | ... | ...
25 | Security rule: If a node receives two SPHY_DATA_IND messages from two different nodes, the two messages need to have different broadcast channels | 15 | 0

V. CONCLUSION

The MMT monitoring tool allows bringing near real-time visibility and operational intelligence into system communications so that their quality and reliability can be studied and verified. By developing this tool, Montimage targets different technologies (wireless, mobile, web) and industrial domains (telecom, banking) and aims to address the different monitoring challenges presented in this paper.
Unlike active testing, passive monitoring does not inject traffic into the network, nor modify the traffic that is being transmitted in the network. Nevertheless, active testing, combined with passive testing, can be very useful to stimulate critical systems and detect vulnerabilities and security flaws early in the development process. The results obtained show that passive monitoring for detecting security flaws can help improve the reliability of the resulting products.

ACKNOWLEDGEMENT

The research leading to these results has received partial funding from the French ANR PIMI Project and the European ITEA2 Diamonds project.

REFERENCES

[1] http://www.smartesting.com/index.php/cms/en/product/certify-it.
[2] Alberto Dainotti, Antonio Pescapè, and Kimberly C. Claffy. Issues and future directions in traffic classification. IEEE Network, 26(1):35–40, 2012.
[3] Alessandro Armando, Roberto Carbone, and Luca Compagna. LTL model checking for security protocols. Journal of Applied Non-Classical Logics, 19(4):403–429, 2009.
[4] Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23-24):2435–2463, 1999.
[5] Martin Roesch. Snort: Lightweight intrusion detection for networks. Proceedings of LISA '99: 13th Systems Administration Conference, pages 229–238, 1999.
[6] András Varga. OMNeT++. In Klaus Wehrle, Mesut Günes, and James Gross, editors, Modeling and Tools for Network Simulation, pages 35–59. Springer, 2010.
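The section II definitions (value function, conditions, events, successive events) and the context/trigger verdicts of section II.B, worked through on the Table I rule as an added Python example that is not MMT's code: it evaluates property 1 over a constructed trace containing attack scenario 1 (a message sent on a non-allocated slot) and returns the respected/violated counts that Table II reports. The field names are those of Table I; the pairing rule (each context packet is paired with the first later packet that completes it), one time unit per slot, and the sample trace are assumptions.

```python
"""Evaluator for MMT-Security properties (Section II) applied to Table I's
rule and attack scenario 1.  Added example, not MMT code: field names follow
Table I; the pairing rule and the sample trace are assumptions."""
import operator as op
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]     # field name -> value; "rank" and "timestamp" are fields too (Def. 1)
Condition = Callable[[Packet, Optional[Packet]], bool]
Event = List[Condition]        # an event is a conjunction of conditions (Def. 4)

def phi(p: Packet, f: str):
    """Value function (Def. 2): the field's value, or None (NULL) if p lacks f."""
    return p.get(f)

def simple(f: str, o: Callable, x) -> Condition:
    """Simple condition c_s ::= phi(p, f) op x (Def. 3)."""
    return lambda p, ctx: phi(p, f) is not None and o(phi(p, f), x)

def complex_(f: str, o: Callable, f_ctx: str) -> Condition:
    """Complex condition c_c ::= phi(p, f) op phi(p', f') (Def. 3); p' is the context
    packet, which is what the ".1" suffix in Table I's expressions refers to."""
    return lambda p, ctx: (ctx is not None and phi(p, f) is not None
                           and phi(ctx, f_ctx) is not None and o(phi(p, f), phi(ctx, f_ctx)))

def satisfies(e: Event, p: Packet, ctx: Optional[Packet] = None) -> bool:
    """p satisfies e iff every condition of e is true (Def. 4)."""
    return all(c(p, ctx) for c in e)

def successive(trace: List[Packet], e1: Event, e2: Event, t: float,
               n: Optional[int] = None) -> List[Tuple[Packet, Packet]]:
    """Successive events (e1 ; e2)_{n,t} (Def. 7): pairs [p1, p2] with p2 after p1 by a
    delay in ]0, t] (Table I's delay_min/delay_max window) and, when n is given, by
    fewer than n packets.  Assumption: p1 is paired with the first p2 completing it."""
    pairs = []
    for i, p1 in enumerate(trace):                 # the trace is rank-ordered (Def. 1)
        if not satisfies(e1, p1):
            continue
        for p2 in trace[i + 1:]:
            if p2["timestamp"] > p1["timestamp"] + t or (
                    n is not None and p2["rank"] >= p1["rank"] + n):
                break                              # window closed: no pair for this p1
            if p2["timestamp"] > p1["timestamp"] and satisfies(e2, p2, ctx=p1):
                pairs.append((p1, p2))
                break
    return pairs

def evaluate(context: Callable[[List[Packet]], list], trigger: Callable[[tuple], bool],
             trace: List[Packet]) -> Tuple[int, int]:
    """Verdicts of Section II.B for a THEN (W = AFTER) property: a context occurrence
    whose trigger holds is respected, one whose trigger fails is violated.  For an
    ATTACK property the same counters read 'attack detected' / 'trace attack free'."""
    respected = violated = 0
    for occurrence in context(trace):
        if trigger(occurrence):
            respected += 1
        else:
            violated += 1
    return respected, violated

# Table I, property 1, transcribed condition by condition.
IND = [simple("THALES_META.MSG_CODE", op.eq, 8193),       # SPHY_DATA_IND message code
       simple("MSG_SPHY_DATA_IND.SLOT_TYPE", op.eq, 0)]   # SCH broadcast slot type
EVENT_1 = IND
EVENT_2 = IND + [complex_("MSG_SPHY_DATA_IND.ADDRESS_SOURCE", op.eq,
                          "MSG_SPHY_DATA_IND.ADDRESS_SOURCE"),      # same source as event 1
                 complex_("THALES_META.NODE_ID", op.eq, "THALES_META.NODE_ID")]  # same receiver

def event_3(pair: Tuple[Packet, Packet]) -> bool:
    """Trigger of property 1: (TIME_SLOT.1 + 50) == TIME_SLOT.2."""
    p1, p2 = pair
    return phi(p1, "THALES_META.TIME_SLOT") + 50 == phi(p2, "THALES_META.TIME_SLOT")

def check_property_1(trace: List[Packet]) -> Tuple[int, int]:
    """<operator value="THEN" delay_min="0+" delay_max="99"> over events 1 and 2 as the
    context, event 3 as the trigger; returns (respected, violated) as in Table II."""
    return evaluate(lambda tr: successive(tr, EVENT_1, EVENT_2, t=99), event_3, trace)

def ind(rank: int, slot: int, src: int, node: int = 7, code: int = 8193,
        slot_type: int = 0) -> Packet:
    """One MSG_SPHY_DATA_IND received by `node` from `src` on time slot `slot`
    (constructed sample; one time unit per slot is an assumption)."""
    return {"rank": rank, "timestamp": float(slot), "THALES_META.MSG_CODE": code,
            "MSG_SPHY_DATA_IND.SLOT_TYPE": slot_type, "MSG_SPHY_DATA_IND.ADDRESS_SOURCE": src,
            "THALES_META.NODE_ID": node, "THALES_META.TIME_SLOT": slot}

# Constructed trace: sources 1 and 2 announce every 50 slots; rank 3 is the message
# of attack scenario 1, sent by source 2 on a slot not allocated to it.  It breaks
# both the pair before it (2,3) and the pair after it (3,6): 4 respected, 2 violated.
TRACE = [ind(1, 100, src=1), ind(2, 120, src=2), ind(3, 135, src=2),
         ind(4, 150, src=1), ind(5, 160, src=3, slot_type=1),    # not an SCH message: ignored
         ind(6, 170, src=2), ind(7, 200, src=1), ind(8, 220, src=2),
         ind(9, 250, src=1), ind(10, 260, src=1, node=9)]       # other receiver: no pair for rank 9
```

Calling check_property_1(TRACE) gives (4, 2); the second-order effect visible here, one injected message producing two violated occurrences, is worth keeping in mind when reading per-property counts such as those of Table II.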
