FR3106914A1 - Method for monitoring data exchanged over a network and intrusion detection device - Google Patents

Abstract

Method for monitoring data exchanged on a network and intrusion detection device The method includes, for at least one subset of data: a first step of applying (E20) to said subset a first technique (G) for detecting intrusions; if an anomaly is detected (E30): a second step of applying (E60) a second technique (D) for detecting intrusions to said subset;a third step of applying (E80) a third technique (LF) for detecting intrusions to said subset, using results from the first and second steps of application;a step of using (E100) a result of the third application step for learning the second technique; a step of using (E130) a result of an application (E110) to said subset of the second technique after learning for learning the first technique. Picture 3

Description

Method for monitoring data exchanged on a network and intrusion detection device

The invention relates to the general field of telecommunications.

It concerns more particularly the monitoring of data exchanged on a communications network, and in particular the detection of intrusions or computer attacks (also called “cyber-attacks”). In the remainder of the description, the terms intrusion or attack are used interchangeably.

No limitation is attached to the nature of the network. However, the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks.

5G mobile networks, with the advanced communication techniques they implement and the new capacities they offer in terms of speeds, volumes of information and connections, open up new prospects for use which raise real challenges in terms of cyber security. In previous years, many intrusion detection techniques (or IDS for “Intrusion Detection Systems” in English) have been developed, based on proactive approaches allowing on the one hand, to anticipate and reduce the vulnerabilities in computer systems, and on the other hand, to trigger effective mitigation actions when intrusions are detected in these computer systems.

Intrusion detection techniques are generally based on one or more of the following approaches:
- the use of known attack signatures: each of a plurality of known attacks is associated with a set of values of different traffic characteristics (also sometimes referred to as attributes in the following), representative of the traffic of the considered attack and allowing it to be distinguished. Each set of values associated with an attack constitutes a signature of the attack. Values of the same traffic characteristics are determined for the monitored data and then compared to available attack signatures. This approach makes it possible to limit the rate of false positives detected, ie data sets identified as being associated with attack traffic when they are not. However, it only detects known attacks;
- the use of a model of normal behavior of the data to detect the presence of anomalies: this approach is based on the construction, for example by means of an automatic learning algorithm (or "Machine Learning" in English ) supervised or unsupervised, from a model of normal data behavior, in the absence of cyber attacks. If the monitored data does not conform to this pattern, an anomaly is detected in the monitored data. The advantage of this approach is that it offers the possibility of detecting new attacks. However, it has a high rate of false positives.

To remedy the aforementioned drawbacks, so-called hybrid detection techniques, implementing the two approaches, have been proposed. Such a hybrid detection technique is described for example in the article by A. Abduvaliyev et al. entitled “Energy Efficient Hybrid Intrusion Detection System for Wireless Sensor Networks”, International Conference on Electronics and Information Engineering, 2010.

In the approach adopted in this article, the data packets are first inspected by an anomaly detection module. If the anomaly detection module detects an intrusion, the data packets are transmitted for analysis to a signature detection module. The conclusions of the anomaly detection module and of the signature detection module are then provided to a decision module which, on the basis of these conclusions, decides by applying a set of predefined rules whether or not there is an intrusion ( i.e. attack).

This hybrid technique leads to better detection accuracy. This accuracy can be improved even further by having several intrusion detection systems (or IDS systems in the following) collaborate with each other, each system being for example embedded in a different node of the network. Such a collaborative system is for example described, in the context of a wireless sensor network, in the document by H. Sedjelmaci et al. titled “Intrusion Detection Framework of Cluster-based Wireless Sensor Network”, IEEE Symposium on Computers and Communications, 2012. The more nodes involved in the collaboration, the better the accuracy of the detection performed.

However, such collaboration between IDS systems is based on the exchange of critical information between the IDS systems (typically information on the attacks detected by the different IDS systems), which may themselves be the object of attacks threatening the effectiveness of this collaboration.

The invention proposes a solution which makes it possible to remedy the aforementioned drawbacks of the state of the art while offering very high precision in the detection of intrusions (computer attacks) likely to target various constituent elements of a network. No limitation is attached to the nature of these elements: they may be nodes of the network proper (i.e. nodes belonging to the infrastructure of the network or connected to it to benefit for example connectivity), network resources (memory resources, computing resources, network resources, etc.), communication protocols used in the network, etc.

• une première étape d’application audit sous-ensemble d’une première technique de détection d’intrusions ;
• si une anomalie est détectée dans ledit sous-ensemble :
  • une deuxième étape d’application d’une deuxième technique de détection d’intrusions audit sous-ensemble ;
  • une troisième étape d’application d’une troisième technique de détection d’intrusions audit sous-ensemble, ladite troisième technique de détection utilisant des résultats des première et deuxième étapes d’application;
  • une première étape d’utilisation d’un résultat de la troisième étape d’application pour un apprentissage de la deuxième technique de détection;
  • une deuxième étape d’utilisation d’un résultat d’une application audit sous-ensemble de la deuxième technique de détection après ledit apprentissage pour un apprentissage de la première technique de détection.

More specifically, the invention relates to a method for monitoring data exchanged on a network, this method being intended to be implemented by an intrusion detection device and comprising, for at least one subset of data:

• a first step of applying to said subset a first intrusion detection technique;
• if an anomaly is detected in said subset:
  • a second step of applying a second intrusion detection technique to said subset;
  • a third step of applying a third intrusion detection technique to said subset, said third detection technique using results from the first and second applying steps;
  • a first step of using a result of the third application step for learning the second detection technique;
  • a second step of using a result of an application to said subset of the second detection technique after said learning for learning the first detection technique.

• un premier module de détection d’intrusions, configuré pour appliquer audit sous-ensemble une première technique de détection d’intrusions ;
• des modules, activés si une anomalie est détectée par le premier module de détection dans ledit sous-ensemble, comprenant :
  • un deuxième module de détection d’intrusions, configuré pour appliquer une deuxième technique de détection d’intrusions audit sous-ensemble ;
  • un troisième module de détection d’intrusions, configuré pour appliquer une troisième technique de détection d’intrusions audit sous-ensemble, ladite troisième technique de détection utilisant des résultats fournis par les premier et deuxième modules de détection ;

le deuxième module de détection étant en outre configuré pour utiliser un résultat fourni par le troisième module de détection pour un apprentissage de la deuxième technique de détection, et le premier module de détection étant en outre configuré pour utiliser, pour un apprentissage de la première technique de détection, un résultat d’une application audit sous-ensemble de la deuxième technique de détection après ledit apprentissage par le deuxième module de détection.Correlatively, the invention also relates to an intrusion detection device configured to monitor data exchanged on a network, this device comprising modules, activated for at least one subset of data, these modules comprising:

• a first intrusion detection module, configured to apply to said subset a first intrusion detection technique;
• modules, activated if an anomaly is detected by the first detection module in said subset, comprising:
  • a second intrusion detection module, configured to apply a second intrusion detection technique to said subset;
  • a third intrusion detection module, configured to apply a third intrusion detection technique to said subset, said third detection technique using results provided by the first and second detection modules;

the second detection module being further configured to use a result provided by the third detection module for learning the second detection technique, and the first detection module further being configured to use, for learning the first technique detection, a result of an application to said subset of the second detection technique after said learning by the second detection module.

By application of an intrusion detection technique to data, it is meant within the meaning of the invention that the detection technique takes as input either directly the monitored data, or characteristics or attributes derived from these data, such as for example statistics evaluated by a processing unit (external or not to the intrusion detection device according to the invention) from these data, etc.

It is also noted that the data monitored by the intrusion detection device according to the invention can be associated with one or more elements of the network as mentioned above that may be the subject of computer attacks and monitored by the detection device. intrusion. These data are, for example, network data or protocol data passing through the network node hosting the intrusion detection device, and conveyed in messages conforming to one or more protocols monitored by the intrusion detection device (for example HTTP2.0 protocol); alternatively, it may be data from a prefix or a target IP address monitored by the intrusion detection device, or data transmitted by the node hosting the intrusion detection device intrusion, etc.

No limitation is attached to the nature of the anomaly triggering the second and third stages of application and the first and second stages of use of the monitoring method according to the invention (respectively activating the second and third detection modules of the device according to the invention). This may be behavior that does not conform to what is considered normal behavior of the monitored data in the absence of an intrusion such as a detected attack targeting the monitored data, etc.; the characterization of the anomaly depends on the intrusion detection techniques considered to implement the invention.

The invention thus proposes an original iterative method, executed locally within a network node hosting the intrusion detection device according to the invention, and relying on several intrusion detection techniques configured to collaborate and communicate between them with a view to reinforcing their respective detection capabilities, and therefore ultimately , of the overall detection carried out by the method. Such reinforcement is enabled in particular by the learning implemented at each iteration of the first and second detection techniques. The exchanges between the detection techniques being implemented locally within the same node/device, the vulnerability of these exchanges in the face of potential computer attacks is thus limited.

The three detection techniques implemented in accordance with the invention play distinct and complementary roles.

More specifically, the inventor was inspired, to define these roles, by the model of generative adversarial networks (or GANs for Generative Adversarial Networks in English), well known in the field of imaging, which he adapted in a original to allow effective and secure detection of computer attacks.

For the record, in a generative adverse network as used in imagery, two networks, one called generator the other called discriminator, are placed "in competition" according to a game theory scenario: the generator network generates a sample ( namely an image in the imaging domain), while its "adversary", the discriminator network, tries to detect if a sample is real or if it is the result of the generator network. The learning of the two networks is carried out jointly and modeled as a zero-sum game (i.e. the gain of one of the networks constitutes a loss for the other network).

The inventor was inspired by this principle in the following way. In the method according to the invention, the first detection technique plays the role of a network generating “abnormal” data. It analyzes the traffic data provided to it (or representative characteristics derived from this data) and determines whether it presents an anomaly (for example, it is representative of attack traffic or does not match normal behavior depending on the nature of the first detection technique). If necessary and only in this case, the second detection technique is activated, and the data or the characteristics representative of this data considered by the first detection technique as presenting an anomaly (in other words, the attributes of the anomaly detected). This supply is for example carried out directly by the first detection technique itself. The second detection technique then plays the role of a discriminator and decides, from the analysis of the "abnormal" data or the characteristics provided to it, whether these effectively reflect the presence of an intrusion or 'an attack.

The first and second detection techniques are learned by “indirectly” taking into account the results delivered by each of these techniques. To this end, the invention provides for the intervention of a third detection technique, applied to the data considered by the first detection technique to be “abnormal”, this third detection technique advantageously having the results resulting from the applications of the first and second detection techniques. This third detection technique aggregates the results of the other two techniques, compares them and uses the result of this comparison in addition to its own analysis to provide its own qualification of the data. It then returns the result obtained to the second detection technique, which uses it for its learning and to reinforce its detection capacity. The second detection technique is once again applied to the data following this learning, and the result of this application is provided to the first detection technique which in turn uses it for its learning. The use of a third detection technique as proposed by the invention thus makes it possible to reduce the false detections made by the first and/or the second detection technique. In other words, the third detection technique plays the role of a so-called loss function which aims to reduce the "losses" of the first and second detection techniques, i.e. in a context of cyber- detection, the bad detections made by them (whether they are false positives or false negatives).

The successive applications of the three detection techniques form an iteration of the process according to the invention, each iteration relating to a distinct set of monitored data, and combining operations of intrusion detection, "loss" detection of the first and second techniques detecting and learning the first and second detection techniques. This iterative process thus makes it possible, over the subsets of data processed, to reinforce the detection capacity of the device according to the invention, although operating locally.

In a particular embodiment, if the result of the application of the second detection technique after learning indicates an anomaly in said subset of data, the method further comprises a step of notifying a third party entity of said anomaly .

Thus, the result generated following the second application of the second detection technique is used to decide whether or not there is an intrusion and notify a third-party entity if necessary. This result advantageously benefits from the return of the third detection technique.

This result can also be used to trigger mitigation operations, etc., known per se, and not described in detail here.

As a variant, the first detection technique can be applied again after learning and the result of this new application of the first detection technique can be used to decide whether or not to notify the third-party entity, trigger mitigation actions, etc.

The notified third-party entity can be, for example, a security operations center to which the device can ask to confirm (or deny) the detected intrusion.

• des caractéristiques d’au moins un sous-ensemble de données présentant une anomalie ;
• des paramètres de ladite première et/ou ladite deuxième technique de détection;
• au moins une anomalie détectée par la troisième technique de détection non détectée par la première et/ou la deuxième technique de détection.

To this end, the method may include in particular a step of transmitting to a security operations center at least one piece of information from among:

• characteristics of at least one subset of data having an anomaly;
• parameters of said first and/or said second detection technique;
• at least one anomaly detected by the third detection technique not detected by the first and/or the second detection technique.

Such a security operations center advantageously has a more global view of the network: it is generally attached to several network nodes each capable of reporting to it the various anomalies that they detect in the data that they monitor and/or or who pass through them. Within the meaning of the invention, the term “data passing through a node or a device” means data received and/or transmitted by the latter.

In addition, such a security operations center often has more hardware and/or software resources (memory, calculation, etc.) dedicated to cyber-detection and can thus implement more powerful and efficient detection techniques. (for example based on automatic learning techniques) that the nodes which are attached to it and report anomalies, and possibly more complex ones.

As a variant, other entities can be notified with the aforementioned information, in addition to or replacing a security operations center, such as, for example, entities capable of triggering actions to mitigate the attack detected by the security device. detection of intrusions according to the invention.

In a particular embodiment, the method according to the invention further comprises a step of receiving, from the security operations center, information intended to be used by the intrusion detection device for learning first, second and/or third detection techniques.

This may be the case for example in the event of disagreement of the security operations center with the anomaly reported by the intrusion detection device according to the invention, or if new attacks have been detected by the operations center security and have not been reported to it by the intrusion detection device according to the invention, or if the latter has information about attacks unknown to the intrusion detection device. Thanks to this information received from the security operations center, it is possible to further strengthen the detection capabilities of the intrusion detection device according to the invention. In addition, this makes it possible to indirectly take into account detections made by other nodes in the network.

No limitation is attached to the intrusion detection techniques likely to be used by the method and by the intrusion detection device according to the invention. Preferably, the first and second intrusion detection techniques implement at least one automatic learning algorithm.

• la première technique de détection est une technique de détection hybride basée sur une technique utilisant des signatures d’attaques connues et sur une technique de détection par renforcement; et/ou
• au moins l’une parmi la deuxième et la troisième technique de détection est une technique de détection par apprentissage automatique.

For example, in a particular embodiment:

• the first detection technique is a hybrid detection technique based on a technique using known attack signatures and on a reinforcement detection technique; and or
• at least one of the second and third detection techniques is a machine learning detection technique.

This choice, based on both a hybrid detection technique and automatic learning detection techniques, makes it possible to obtain reliable detection. Through the use of a first hybrid detection technique, the advantages of techniques using attack signatures (low false positive rate) and reinforcement techniques (high detection rate) are thus combined.

In a particular embodiment, at least one detection technique among the first and the second detection technique uses an artificial neural network, and the learning of this detection technique uses a gradient descent algorithm to update parameters of this artificial neural network.

The gradient descent algorithm can be configured for example to optimize an attack detection rate by said detection technique.

This makes it possible to increase the detection precision of the method according to the invention. Note, however, that other optimization criteria can be considered in place of or in addition to the attack detection rate. Thus, it is also possible to consider minimizing the energy consumption linked to the execution of the detection techniques, maximizing their speed of execution, etc., depending on the context of execution of the invention.

In a particular embodiment, the first detection technique and the second detection technique use artificial neural networks, and the method according to the invention further comprises a step of exchanging between the first and second detection techniques of parameters of said artificial neural networks, said exchanged parameters being taken into account for learning the first and second detection techniques.

Such parameters can be, for example, the number of layers used by each of the artificial neural networks, the number of neurons on each layer, the weights of the synapses, the attributes considered as input to each of the networks (in other words the data or the characteristics of the data they consider to carry out their detections), etc. This embodiment allows more efficient and faster learning of the first and second detection techniques. Indeed, the detection techniques can use the exchanged parameters to converge more quickly and improve their respective classifications of the anomalies they detect in the data they process. They can adapt the attributes they consider (remove or add them in particular) to improve their respective detections.

In a particular embodiment, the third detection technique uses a support vector machine.

Such an automatic learning algorithm advantageously has a low reaction time and a very effective detection capacity compared to other known automatic learning algorithms such as, for example, deep neural networks which are generally more complex in terms of calculation. and therefore have a slower reaction time.

However, all these examples of algorithms for the first, second and third detection techniques are given for illustrative purposes only and of course other algorithms can be considered when implementing the invention.

As mentioned previously, the intrusion detection device according to the invention can advantageously be embedded in different nodes of the network.

Thus, in a particular embodiment, the intrusion detection device according to the invention is integrated into a connected object or user equipment to which the network provides connectivity.

In another embodiment, the intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as MEC server for Mobile Edge Computing), located at the edge of the network. The use of such peripheral equipment makes it possible to collect and process data close to users, and to reduce latency compared to processing carried out at the level of the network infrastructure itself. In addition, MEC equipment has more resources than user equipment, which allows for more precise and efficient detection techniques.

Of course, the invention can be deployed simultaneously for even greater efficiency at each of the aforementioned network nodes (user equipment, connected objects, MEC servers, etc.).

In a particular embodiment of the invention, the monitoring method is implemented by a computer.

The invention also relates to a computer program on a recording medium, this program being able to be implemented in a computer or more generally in a detection device in accordance with the invention and comprises instructions adapted to the implementation of a monitoring method as described above.

This program may use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in partially compiled form, or in any other desirable form.

The invention also relates to an information medium or a recording medium readable by a computer, and comprising instructions of the computer program mentioned above.

The information or recording medium can be any entity or device capable of storing programs. For example, the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a hard disk, or a flash memory.

On the other hand, the information or recording medium may be a transmissible medium such as an electrical or optical signal, which may be routed via an electrical or optical cable, by radio link, by wireless optical link or by other ways.

The program according to the invention can in particular be downloaded from an Internet-type network.

Alternatively, the information or recording medium may be an integrated circuit in which a program is incorporated, the circuit being adapted to execute or to be used in the execution of the monitoring method, in accordance with the invention.

• au moins un dispositif de détection d’intrusions selon l’invention; et
• un centre d’opérations de sécurité, configuré pour traiter des informations transmises par ledit dispositif en relation avec les données surveillées par ledit dispositif et/ou les anomalies détectées par ledit dispositif dans ces données et/ou la configuration des techniques de détection utilisées par ledit dispositif pour surveiller lesdites données.

According to another aspect, the invention relates to a system for monitoring data exchanged on a network comprising:

• at least one intrusion detection device according to the invention; And
• a security operations center, configured to process information transmitted by said device in relation to the data monitored by said device and/or anomalies detected by said device in this data and/or the configuration of the detection techniques used by said device for monitoring said data.

The system benefits from the same advantages as the monitoring method and the intrusion detection device according to the invention, mentioned above.

It is also possible, in other embodiments, for the monitoring method, the intrusion detection device and the monitoring system according to the invention to have all or part of the aforementioned characteristics in combination.

Other characteristics and advantages of the present invention will emerge from the description given below, with reference to the appended drawings which illustrate an exemplary embodiment thereof which is devoid of any limiting character. In the figures:
FIG. 1 represents, in its environment, a surveillance system according to the invention in a particular embodiment;
FIG. 2 represents the hardware architecture of an intrusion detection device according to the invention belonging to the surveillance system of FIG. 1, in a particular embodiment;
FIG. 3 illustrates, in the form of a flowchart, the main steps of a monitoring method according to the invention, as it is implemented in a particular embodiment by the intrusion detection device illustrated in FIG. Figure 2;
FIG. 4 compares the performances obtained with a hybrid detection technique and the monitoring method according to the invention for a number of iterations comprised between 1 and 30; And
FIG. 5 compares the performances obtained with a hybrid detection technique and the monitoring method according to the invention for a number of iterations comprised between 30 and 60.

Description of the invention

FIG. 1 represents, in its environment, a monitoring system 1 in accordance with the invention, in a particular embodiment.

In this embodiment, the monitoring system 1 is configured to monitor the data exchanged on a network NW comprising a plurality of nodes (i.e. of elements), this plurality of nodes including in particular a plurality of connected objects (referenced general by IoTD in Figure 1 for “Internet of Things Device”) to which the NW network provides connectivity and in particular access to the Internet network. For the sake of simplification and in no way limiting, only three IoTD connected objects have been represented in FIG.

No limitation is attached to the nature of IoTD connected objects. These can be, for example, any devices configured to collect (and possibly process) data about their environment, and transmit this data or information extracted from this data to various applications or other service platforms via the NW network. . Such devices are, for example, temperature, pressure or speed sensors, connected watches, drones, connected vehicles, etc. As a variant, IoTD connected objects can refer to other types of equipment, such as user equipment such as mobile telephones (e.g. "smartphones"), digital tablets, or other terminals benefiting from connectivity via the NW network.

Each of the IoTD connected objects incorporates, in the embodiment described here, an intrusion detection device 2 in accordance with the invention, and configured to monitor the data exchanged on the NW network passing through this connected object (e.g. data sent and/or received by the connected object in question). In the embodiment described here, each IoTD connected object has the hardware architecture of a computer as represented in FIG. 2 , and each intrusion detection device 2 embedded in an IoTD connected object relies on the elements of this hardware architecture to implement the monitoring method according to the invention.

It is noted that the monitoring method according to the invention is iterative and applied here to a plurality of subsets of the data monitored by the device 2 for detecting intrusions, each iteration corresponding to the processing carried out by the device 2 for detecting intrusions on a separate data subset. By “applied to a plurality of subsets of data”, it is meant, as indicated previously, that the monitoring method is applied directly to the data monitored by the detection device 2, or indirectly, to values of characteristics or attributes derived from this monitored data, these characteristics or attributes being able to be evaluated and provided in whole or in part by one or more entities external to the intrusion detection device 2 and to the IoTD connected object hosting this device (not represented in FIG. 1), or by the IoTD connected object by means of one or more data processing modules 3 provided for this purpose. In FIG. 1, the data processing module(s) 3 are shown external to the intrusion detection device 2, but they can, as a variant, be integrated into this intrusion detection device 2.

Referring to Figure 2, each IoTD connected object here comprises in particular a processor 4, a random access memory 5, a ROM 6, a non-volatile flash memory 7, as well as communication means 8 comprising one or more communication interfaces itself. allowing in particular to communicate via the NW network.

The read only memory 6 of the IoTD connected object is a recording medium in accordance with the invention, readable by the processor 4 and on which is recorded a computer program PROG according to the invention, which comprises instructions defining the main steps of a monitoring method according to the invention. The program PROG defines functional modules of the intrusion detection device 2 in an equivalent manner, which rely on or control, among other things, the hardware elements 4 to 8 mentioned above, and which are activated iteratively, each iteration here corresponding to the processing of a separate subset of data selected from the data monitored by the device 2 for detecting intrusion. It is recalled that the monitored data can be associated with the same network element or with different network elements monitored by the intrusion detection device 2 (protocol, IP address or prefix, etc.).

The functional modules of the intrusion detection device 2 include in particular, as illustrated in FIG. 1 for only one of the IoTD connected objects for the sake of simplification, a first intrusion detection module 2A, configured to apply during of successive iterations to a plurality of subsets of data, a first technique for detecting intrusions, denoted here G (in reference to its role of "generator" in the device 2 for detecting intrusions, as explained above) .

• d’une part, un algorithme RD mettant en œuvre une détection d’intrusions basée sur des signatures d’attaques déterminées (ou «Rule based Detection» en anglais), connue en soi; et
• d’autre part, un algorithme RLD mettant en œuvre une détection d’intrusions basée sur la reconnaissance d’un comportement anormal des données s’appuyant sur une technique d’apprentissage automatique par renforcement (ou «Reinforcement Learning based Detection» en anglais). L’algorithme RLD est ici non supervisé et peut être initialisé par exemple avec un jeu d’attributs et de décisions représentatifs de comportements anormaux (voire d’attaques) fournis par des experts. Il utilise un réseau de neurones artificiel (ou ANN pour «Artificial Neural Network» en anglais), connu en soi, défini par des paramètres notés Q_G. Ces paramètres comprennent notamment, les attributs des données fournis en entrée du réseau de neurones, le nombre de couches du réseau de neurones, les poids des synapses, etc.

In the embodiment described here, the intrusion detection technique G is a hybrid detection technique implementing:

• on the one hand, an RD algorithm implementing intrusion detection based on determined attack signatures (or “Rule based Detection” in English), known per se; And
• on the other hand, an RLD algorithm implementing intrusion detection based on the recognition of abnormal data behavior based on a technique of automatic learning by reinforcement (or "Reinforcement Learning based Detection" in English) . The RLD algorithm is here unsupervised and can be initialized for example with a set of attributes and decisions representative of abnormal behaviors (even attacks) provided by experts. It uses an artificial neural network (or ANN for “Artificial Neural Network” in English), known per se, defined by parameters denoted Q _G . These parameters include, in particular, the attributes of the data provided as input to the neural network, the number of layers of the neural network, the weights of the synapses, etc.

The first detection module 2A is configured here such that if at least one of the RD or RLD algorithms detects an anomaly in the subset of data that it studies, it is considered that an anomaly is detected by the first intrusion detection technique G and by the first detection module 2A. It is recalled here that the term anomaly is to be considered in the broad sense: it can be a behavior which differs from a normal behavior expected from the data in the absence of a cyber-attack, such as an attack detected by comparison with determined attack signatures.

Of course, other intrusion detection techniques than the one just described can be considered for technique G, whether simple or hybrid. For example, one can consider the hybrid technique described in the article by A. Abduvaliyev et al. previously introduced, or a more elaborate hybrid detection technique combining by means of rules or through another machine learning algorithm, the outputs of the RD and RLD algorithms. As a variant, one can consider the automatic reinforcement learning technique described in the document by A. Servin et al. entitled “Multi-Agent Reinforcement Learning for Intrusion Detection”, European Symposium on Adaptive and Learning Agents and Multi-Agent Systems, Springer, 2008.

• un deuxième module 2B de détection d’intrusions, configuré pour appliquer à ce sous-ensemble de données une deuxième technique de détection d’intrusions notée D (en référence à son rôle de «discriminateur» dans le dispositif 2 de détection d’intrusions, comme expliqué précédemment). Dans le mode de réalisation décrit ici, la deuxième technique D utilise un algorithme d’apprentissage automatique connu en soi. Cet algorithme d’apprentissage automatique s’appuie également sur un réseau de neurones artificiel dont les paramètres sont notés Q_D. Cet exemple n’est donné qu’à titre illustratif, et d’autres algorithmes peuvent être utilisés en variante; et
• un troisième module 2C de détection d’intrusions, configuré pour appliquer audit sous-ensemble de données une troisième technique de détection d’intrusions, notée LF (en référence à son rôle de «fonction de pertes» dans le dispositif 2 de détection d’intrusions, comme expliqué précédemment). Conformément à l’invention, la troisième technique de détection LF utilise également comme entrées les résultats fournis par les premier et deuxième modules de détection 2A et 2B (données et/ou attributs extraits de ces données et décisions des premier et deuxième modules de détection 2A et 2B). Dans le mode de réalisation décrit ici, la troisième technique LF utilise un algorithme d’apprentissage automatique multi-classes, et notamment une machine à vecteurs de support (ou SVM pour «Support Vector Machine» en anglais), connue en soi. L’apprentissage de la troisième technique LF est réalisé à partir des informations fournies au troisième module de détection 2C par les premier et deuxième modules de détection 2A et 2B. L’utilisation d’un algorithme SVM permet un temps de réaction faible et une détection efficace des attaques par rapport à des réseaux de neurones profonds. Toutefois, d’autres algorithmes d’apprentissage automatique peuvent bien entendu être envisagés en variante. On note que le troisième module 2C de détection peut être paramétré initialement ou à tout moment par un expert (via une interface idoine prévue à cet effet) avec de nouvelles signatures d’attaques et/ou de nouveaux attributs pour améliorer son efficacité.

The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the sub-systems. sets of data that it analyzes. These functional modules include:

• a second intrusion detection module 2B, configured to apply to this subset of data a second intrusion detection technique denoted D (in reference to its role of “discriminator” in the intrusion detection device 2, as explained previously). In the embodiment described here, the second technique D uses an automatic learning algorithm known per se. This automatic learning algorithm is also based on an artificial neural network whose parameters are denoted Q _D . This example is given for illustrative purposes only, and other algorithms can be used alternatively; And
• a third intrusion detection module 2C, configured to apply to said subset of data a third intrusion detection technique, denoted LF (in reference to its role as a “loss function” in the device 2 for detecting intrusions, as explained above). In accordance with the invention, the third detection technique LF also uses as inputs the results supplied by the first and second detection modules 2A and 2B (data and/or attributes extracted from these data and decisions of the first and second detection modules 2A and 2B). In the embodiment described here, the third LF technique uses a multi-class automatic learning algorithm, and in particular a support vector machine (or SVM for “Support Vector Machine” in English), known per se. The third LF technique is learned from the information provided to the third detection module 2C by the first and second detection modules 2A and 2B. The use of an SVM algorithm allows a low reaction time and an efficient detection of attacks compared to deep neural networks. However, other automatic learning algorithms can of course be considered as a variant. It is noted that the third detection module 2C can be parameterized initially or at any time by an expert (via an appropriate interface provided for this purpose) with new attack signatures and/or new attributes to improve its effectiveness.

According to the invention, the second detection module 2B is configured to use, at each iteration, a result provided by the third detection module 2C for learning the second detection technique D, and the first detection module 2A is further configured to use, during said iteration, for learning of the first detection technique G, a result of an application to said subset of data of the second detection technique D, after completion of the learning by the second 2B detection module. The way in which the three intrusion detection modules 2A, 2B and 2C collaborate with each other during each iteration is described in more detail later.

In the embodiment described here, the intrusion detection device 2 comprises another functional module designated in the following description by 2D alert module, configured to notify an anomaly detected in at least one subset of data processed by the intrusion detection device 2, to at least one third party entity. The 2D alert module relies on the means of communication 9 of the IoTD connected object via the NW network.

In the embodiment described here, the 2D alert module is configured to notify a security operations center 8 (also designated by SOC 8) supervising a plurality of distinct nodes of the NW network and in particular the IoTD connected objects. In a known manner, such a security operations center manages the security of the NW network (and possibly other networks) by relying for this purpose on various tools for collection, event correlation, analysis of activities on the networks and on the various elements that make them up (eg databases, applications, servers, user equipment, etc.), as well as on the expertise of analysts and security specialists. He may also have remote intervention means. In other words, it is a trusted entity with great expertise and allowing precise and reliable detection of intrusions into the NW network. Such a security operations center 8 can also trigger, if necessary, actions to mitigate the attacks detected in the network NW.

The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network, and more particularly, to process the information transmitted by the 2D alert modules of the intrusion detection devices 2 according to the invention embedded in nodes of the network NW, in relation to the data monitored by the intrusion detection devices 2 and/or the anomalies detected by the latter in these data and/or the configuration of the detection techniques G, D and /or LF used by them to monitor this data.

We will now describe, with reference to FIG. 3 , the main steps of the monitoring method according to the invention, as they are implemented, in a particular embodiment, by the on-board intrusion detection device 2 in each of the IoTD connected objects of the monitoring system 1 in figure 1.

The steps which are described below are implemented iteratively for each subset of data DATA(iter) passing through the IoTD connected object hosting the latter and analyzed by the intrusion detection device 2 (step E00 of initialization at 1 of an iteration index iter, and step E50 of incrementing this index iter).

It is assumed here that the data processing module(s) 3 extract(s) and/or estimate(s) from the data subset DATA(iter) the values FEAT(iter) of the characteristics or attributes taken into account by the device 2 for detecting intrusions. These characteristics or attributes are those which are used by the intrusion detection techniques implemented in the first, second and third detection modules 2A, 2B and 2C to analyze the data subset DATA(iter) and determine whether this corresponds to normal behavior or reflects the presence of a computer attack.

Note that it is not necessarily the same characteristics that are taken into account by the various detection modules. However, it is assumed here, for the sake of simplification, that the same (values of) FEAT(iter) characteristics are provided at the input of each of the detection modules, each of them being free to select only those which are relevant for its detection. .

The FEAT(iter) characteristics can be estimated at a given instant or over a given period of time corresponding to the DATA(iter) data subset considered. By way of example, such characteristics may be a number of lost packets, a quality of the signal received by the IoTD connected object, a communication time, a number of failed connections of the IoTD connected object, a number of “unnecessary” packets emitted or passing through the IoTD connected object, a number of incorrect connections on a site, etc. The way in which these characteristics are acquired is known to those skilled in the art and is not described in detail here. As mentioned previously, as a variant, these FEAT characteristics can be provided to the processing module(s) by entities external to the IoTD connected object.

The FEAT(iter) characteristics are supplied to the intrusion detection device 2 and more particularly to the first intrusion detection module 2A for application of the first intrusion detection technique G (E10).

In the embodiment described here, the first technique for detecting intrusions G being hybrid, the module 2A applies sequentially or in parallel to the characteristics FEAT(iter) the algorithms RD and RLD (step E20). Each of these algorithms provides a decision as to the presence or not of an attack in view of the FEAT(iter) characteristics analyzed. More precisely here, the RD algorithm indicates in its decision denoted DEC_RD(iter) if, in view of the known attack signatures available to it, the characteristics FEAT(iter) correspond to one of them, and the The RLD algorithm indicates in its decision DEC_RLD(iter) whether or not the characteristics FEAT(iter) correspond to normal behavior.

Note that the DEC_RD(iter) and DEC_RLD(iter) decisions can take different forms depending on the algorithms behind these decisions. Thus, by way of illustration, in the example considered here, the decision DEC_RD(iter) can comprise a binary element, equal to 0 if no attack has been detected or to 1 if an attack has been detected, and when a attack has been detected, include information about this attack such as the name of the attack, the resources affected, etc. The DEC_RLD(iter) decision can take the form of a real number between 0 and 1, a value close to 0 indicating the presumption of abnormal behavior (and therefore the presence of an attack), a value close to 1 indicating on the contrary a behavior close to normality (and therefore the absence of an attack).

The pair formed of the decisions DEC_RD(iter) and DEC_RLD(iter) constitutes a result DEC_G(iter) of the application of the detection technique G within the meaning of the invention.

• au deuxième module 2B de détection d’intrusions pour application de la deuxième technique de détection d’intrusions D; et
• au troisième module 2C de détection d’intrusions.

If one and/or the other of the DEC_RD(iter) and/or DEC_RLD(iter) decisions indicates the presence of an anomaly in the DATA(iter) data (i.e. in the example considered here, if an attack is detected by the RD algorithm and/or an abnormal behavior is detected by the RLD algorithm) (answer yes to test step E30), the characteristics FEAT(iter) and the pair of decisions DEC_G(iter)=(DEC_RD(iter),DEC_RLD(iter)) are provided by the first module 2A (step 40):

• to the second intrusion detection module 2B for application of the second intrusion detection technique D; And
• to the third intrusion detection module 2C.

Furthermore, in the embodiment described here, the module 2A supplies the module 2B with the current parameters Q _G (iter) of the artificial neural network implemented by the RLD algorithm.

Otherwise (answer no to test step E30), the iteration index iter is incremented (step E50) and a new subset of data is analyzed by the intrusion detection device 2.

As mentioned previously, by analogy with GAN networks, the first intrusion detection technique G therefore plays here a sort of generator role in the sense that it "generates" (or more precisely provides) to the second detection technique intrusions D attributes extracted from data that it considers representative of a computer attack. It is noted that the FEAT(iter) attributes are not necessarily provided directly by the first detection module 2A, but under its control (it can in particular send a control signal to the processing module 3 so that the latter provides the relevant attributes for the second detection technique D once it has detected an anomaly).

The reception of the characteristics/attributes FEAT(iter) and of the decision DEC_G(iter) by the second detection module 2B activates the latter and triggers the application by the module 2B of the second detection technique D to the characteristics FEAT(iter) of the data subset DATA(iter) (step E60). In accordance with the invention, the second detection technique D also uses as input, in addition to the characteristics FEAT(iter), the decision DEC_G(iter) provided by the module 2A, result of the application of the first detection technique G on the data subset DATA(iter).

The application of the second detection technique D results in a decision DEC_D(iter). This decision DEC_D(iter) provided by the second detection technique D indicates here whether or not it has detected abnormal behavior or an attack from the characteristics FEAT(iter) representative of the data DATA(iter) and the decision DEC_G (iter) provided by module 2A. As mentioned previously for the detection technique G, this decision can take different forms depending on the algorithm implemented by the detection technique D. In the example considered here, the decision DEC_D(iter) takes the form of a real number comprised between 0 and 1, a value close to 0 indicating the presumption of abnormal behavior (and therefore the presence of an attack), a value close to 1 on the contrary indicating behavior close to normality (and therefore the absence of attack).

The decision DEC_D(iter) is then supplied by the module 2B to the third detection module 2C, possibly if necessary with the characteristics of the data DATA(iter) used by the second detection technique D if these differ from those used by the first detection technique G (step E70).

Thus, as mentioned previously, by analogy with the GAN networks, the second detection technique D plays the role of a discriminator in a way, since it determines from the inputs provided to it by the generator (i.e. the module 2A putting in implements the detection technique G) whether or not it is an attack.

Following receipt of the decision DEC_D(iter), the module 2C applies the third detection technique LF to the various inputs at its disposal, namely to the characteristics FEAT(iter) representative of the data DATA(iter) and to the decisions DEC_G(iter )=(DEC_RD(iter),DEC_RLD(iter)) and DEC_D(iter) taken by the modules 2A and 2B from the data DATA(iter) (step E80). The purpose of the third LF detection technique is to provide its own decision on the characteristics FEAT(iter) while taking into account the decisions DEC_G(iter) and DEC_D(iter). It thus plays the role of loss function in the sense that it aims to correct the “losses” of the detection techniques G and D, in other words in the field of cyber-detection, of the bad detections carried out by the latter. For this purpose, as indicated previously, the third function LF can interact occasionally or regularly for its learning with an expert via an interface provided for this purpose (based for example on the means of communication 9 of the connected object IoTD or via an appropriate graphical interface).

Application of the LF detection technique results in a DEC_LF(iter) decision indicating whether or not the LF detection technique has detected an attack based on the FEAT(iter) characteristics and taking into account the DEC_G(iter) and DEC_D( iter). This decision DEC_LF(iter) is supplied by the module 2C to the module 2B (step E90), for learning the detection technique D.

It is noted that during step E90, the module 2C can provide other information to the module 2B intended to be used for learning the detection technique D, or even to be subsequently transmitted by the module 2B to the module 2A for the learning of the detection technique G (as a variant, it is possible to envisage that the module 2C provides the module 2A directly with the information intended to reinforce the learning of the detection technique G). In particular, if the decision of the module 2C differs from that taken by the module 2B (respectively by the module 2A) from the attributes FEAT(iter), the module 2C can transmit to the module 2B attribute values to be taken into account by the detection technique D (respectively by the detection technique G) for its learning to improve its detection. In a variant, the module 2C can also transmit to the module 2B signatures of new attacks which have been provided to it by experts, or new rules to be applied to detect abnormal behavior, or new attributes to be considered for detection, etc. .

The learning of the detection technique D implemented by the module 2B is carried out, in the embodiment described here, by using a gradient descent algorithm (step E100). More precisely, the module 2B evaluates from the decision DEC_LF(iter), the rate X_D(iter) of correct decisions taken by the detection technique D, the decisions DEC_LF serving for this purpose as references as good decisions. In other words, at iteration iter, the rate X_D(iter) corresponds to the ratio of the number of decisions DEC_D taken by the detection technique D coinciding with the decisions DEC_LF taken by the detection technique LF up to the current iteration iter , and the number of anomalies M reported by the detection module 2A.

The gradient descent algorithm is applied to the parameters Q _D (iter) of the detection technique D with a view to maximizing the rate X_D(iter) of correct decisions thus estimated. The module 2B can for this purpose proceed for example as described in the document by DP Kingma et al. titled “Adam: A method for stochastic Optimization”, 3rd International Conference for Learning Representations, 2015.

It should be noted that other criteria can be considered as a replacement or in addition to the rate of correct decisions during the learning of the decision technique D, such as, for example, a minimum consumption rate, a minimum computational complexity, etc. Furthermore here, the module 2B having the parameters Q _G (iter) of the decision technique G, it can use these parameters to update, if necessary, the parameters Q _D (iter) of the decision technique D, for example by defining an objective function to be optimized including all or part of the Q _G (iter) parameters (eg in the form of constraints to be respected). This exchange between the modules 2A and 2B of the parameters of the artificial neural networks that they implement respectively can make it possible to accelerate the learning of the detection techniques D and G and to reduce their respective complexities (for example if the parameters Q _G ( iter) report a number of layers lower than that used by the detection technique D, this information can be exploited when learning the detection technique D to try to reduce the number of layers used by its network of artificial neurons when this optimizes the rate of correct detections).

Then in accordance with the invention, the decision technique D is again applied, after learning (and possible updating of the parameters Q _D (iter) during this learning), to the characteristics FEAT (iter) and a new decision DEC_D' (iter) resulting from this application is generated by the module 2B (step E110). It is noted that the parameters Q _D (iter) possibly updated during the learning carried out in step E100 are intended to be used at the following iteration iter+1 by the detection technique D and are thus stored in a variable denoted Q _D (iter+1).

The decision DEC_D'(iter) is supplied by the module 2B to the module 2A, also here with the parameters Q _D (iter+1) of the detection technique D updated if necessary (step E120). If information intended for the module 2A (eg new attributes, new attack signatures, etc.) has been provided by the module 2C to the module 2B during step E90, this information is also transmitted during step E120 to module 2A by module 2B.

The decision DEC_D'(iter) and the parameters Q _D (iter+1) of the detection technique D are then used by the module 2A for learning the detection technique G, and more specifically here for learning the RLD algorithm (step E130). This learning is carried out here in a manner similar to what was described previously for the detection technique D. The algorithm RD can possibly be updated with new signatures provided if necessary by the module 2C during step E90 .

More specifically, for learning the RLD algorithm, the module 2A uses a gradient descent algorithm optimizing the rate X_G(iter) of correct decisions taken by the detection technique G (we consider here the decisions DEC_G combining the decisions combined algorithms RD and RLD), the decisions DEC_D' serving for this purpose as references as good decisions. In other words, at iteration iter, the rate X_G(iter) corresponds to the ratio of the number of decisions DEC_G taken by the detection technique G coinciding with the decisions DEC_D' taken by the detection technique D after learning up to the current iteration iter, and the number of anomalies/attacks M′ detected by the detection module 2B.

The gradient descent algorithm is applied to the Q parameters _G (iter) of the detection technique G (and more specifically here of the neural network implemented by the RLD algorithm) in order to maximize the rate X_G(iter) of decisions correct as estimated. The module 2A can for this purpose proceed for example as described in the document by DP Kingma et al. cited previously. Other criteria can be considered as a replacement or in addition to the rate of correct decisions when learning the decision technique G, such as, for example, a minimum consumption rate, a minimum computational complexity, etc. Moreover here, the module 2A having the parameters Q _D (iter+1) of the decision technique D, it can use these parameters to update, if necessary, the parameters Q _G (iter) of the decision technique G, for example by defining an objective function to be optimized including all or part of the parameters Q _G (iter) (eg in the form of constraints to be respected). This exchange of parameters Q _D (iter+1) can make it possible to accelerate the learning of the detection technique G as previously described for the detection technique D and to reduce the complexity of the detection techniques D and G. It is noted that the parameters Q _G (iter) possibly updated during the learning performed at step E130 are intended to be used at the next iteration iter+1 by the detection technique G and are thus stored in a variable denoted Q _G (iter+1).

Furthermore, in the embodiment described here, if the decision DEC_D'(iter) indicates the presence of an anomaly in the data subset DATA(iter) (for example an attack is detected by the decision technique D ) (answer yes to test step E140), then the 2D alert module of the intrusion detection device 2 notifies the security operations center 9 of the anomaly detected (step E150). Thus, in this embodiment, it is the decision DEC_D'(iter) which serves as the final decision taken by the intrusion detection device 2 as to the reliability of the data DATA(iter).

As a variant, it is possible to consider applying the detection technique G again after learning and using the output of the detection technique G as the final decision.

• la décision DEC_D’(iter);
• les caractéristiques du sous-ensemble de données DATA(iter) présentant une anomalie ;
• les paramètres Q_D(iter+1) et Q_G(iter+1) des techniques de détection;
• au moins une anomalie détectée par la technique de détection LF non détectée par l’une au moins des techniques de détection D et G.

When notifying the security operations center 9, the alert 2D module can transmit all or part of the following information:

• the decision DEC_D'(iter);
• the characteristics of the data subset DATA(iter) presenting an anomaly;
• the Q _D (iter+1) and Q _G (iter+1) parameters of the detection techniques;
• at least one anomaly detected by the LF detection technique not detected by at least one of the D and G detection techniques.

Of course, this list is not exhaustive and other information can be transmitted to the security operations center 9. In addition, other third-party entities can be notified of the detected anomaly such as, for example, entities likely to trigger mitigation actions to stop the progression of the attack detected by the device 2 for detecting intrusions.

In the embodiment described here, the notification of step E150 triggers a verification by the security operations center 9 of the validity (correction) of the decision DEC_D'(iter). To this end, the security operations center 9 can apply, for example, a more powerful intrusion detection technique than those applied by the intrusion detection device 2, and/or exploit other information received from other IoTD objects connected to the NW network.

If the security operations center 9 does not confirm the anomaly reported by the decision DEC_D'(iter), in the embodiment described here, it sends to the intrusion detection device 2 various information intended to be used by him for learning G, D and/or LF detection techniques. Such information is for example attributes and/or signatures associated with attacks not known to the intrusion detection device 2, etc.

If the DEC_D'(iter) decision reflects normal behavior of the data subset DATA(iter) (response no to test step E140), then no notification is sent here to the security operations center.

The iteration index iter is incremented (step E50) and a new subset of data is analyzed by the intrusion detection device 2 according to the steps E10 to E150 which have just been described.

Thus, the invention makes it possible to improve the rate of detection of intrusions thanks to the collaboration of the detection techniques G, D and LF while preserving the confidentiality of the information used for the detection.

It should be noted that in the embodiment which has been described here, a context was considered in which the network NW comprised a plurality of connected objects embedding detection devices 2 according to the invention. The invention applies of course in other contexts, and in particular, the intrusion detection device 2 according to the invention can be integrated into other equipment of the network NW, such as for example in computing servers mobiles (or MEC servers) located on the outskirts of the NW network.

By way of illustration, FIGS. 4 and 5 compare the performance of a hybrid intrusion detection technique such as that used by the detection module 2A in the embodiment which has just been described, with the performance of the method of surveillance according to the invention as it is implemented by the device 2 for detecting intrusion. These performances were obtained by simulation.

• N désigne le nombre d’attaques considérées lors de la simulation,
• sont des facteurs de pondération réels compris entre 0 et 1 avec et Pour la simulation envisagée ici, les valeurs suivantes ont été appliquées , , et ;
• et désignent respectivement le taux de détection d’attaques lorsque des attaques connues (i.e. avec lesquelles les techniques de détection ont été initialisées), respectivement inconnues, ont été simulées;
• and désignent respectivement le taux de faux positifs lorsque des attaques connues, respectivement inconnues, ont été simulées.

The performances presented illustrate, depending on the iterations (first 30 iterations in Figure 4, and the next 30 in Figure 5), the values obtained (expressed as a percentage) for a detection accuracy metric M defined as follows: Or:

• N designates the number of attacks considered during the simulation,
• are real weighting factors between 0 and 1 with And For the simulation considered here, the following values were applied , , And ;
• And denote respectively the attack detection rate when known attacks (ie with which the detection techniques have been initialized), respectively unknown, have been simulated;
• and respectively designate the rate of false positives when known attacks, respectively unknown, were simulated.

Figures 4 and 5 show that the monitoring method according to the invention improves the detection accuracy metric M compared to a hybrid detection technique. This improvement is all the more important as the number of iterations increases. This is due to the enhanced detection and improved detection accuracy achieved through the collaboration between G and D detection techniques.

Claims (14)

Method for monitoring data exchanged on a network (NW), said method being intended to be implemented by an intrusion detection device (2) and comprising, for at least one subset of data (DATA(iter) ):

• a first step of applying (E20) to said subset a first technique (G) for detecting intrusions;
• if an anomaly is detected in said sub-assembly (E30):
  • a second step of applying (E60) a second technique (D) for detecting intrusions to said subset;
  • a third step of applying (E80) a third technique (LF) for detecting intrusions to said subset, said third detection technique using results (DEC_G(iter), DEC_D(iter)) of the first and second application steps;
  • a step of using (E100) a result of the third application step (DEC_LF(iter)) for learning the second detection technique (D);
  • a step of using (E130) a result (DEC_D'(iter)) of an application (E110) to said subset of the second detection technique after said learning for learning the first technique (G) of detection.

Monitoring method according to Claim 1, in which the first and/or the second and/or the third decision technique is applied to characteristics (FEAT(DATA)) previously derived from the subset of data. Monitoring method according to claim 1 or 2 wherein said data (DATA(iter)) is associated with a plurality of elements monitored by the network device. Monitoring method according to any one of Claims 1 to 3, in which:

• the first detection technique (G) is a hybrid detection technique based on a technique (RD) using known attack signatures and on a technique (RLD) of reinforcement detection; and or
• at least one of the second and third detection technique (D,LF) is a machine learning detection technique.

Monitoring method according to any one of Claims 1 to 4, in which at least one detection technique (G,D) among the first and the second detection technique uses an artificial neural network, and in which the learning of this detection technique uses a gradient descent algorithm to update parameters (Q _G (iter), Q _D (iter)) of said artificial neural network. Monitoring method according to any one of Claims 1 to 5, in which the first detection technique and the second detection technique (G, D) use artificial neural networks, and the said method further comprises an exchange step (E40, E120) between the first and second techniques for detecting parameters of said artificial neural networks, said exchanged parameters being taken into account for learning the first and second detection techniques. A monitoring method according to any of claims 1 to 6 wherein the third detection technique (LF) uses a support vector machine. Monitoring method according to any one of Claims 1 to 7, in which, if the result of the application of the second detection technique after learning indicates an anomaly in the said data subset (E140), a notification step ( E150) from a third party entity (9) of said anomaly. Monitoring method according to any one of claims 1 to 8 comprising a step of transmitting (E150) to a security operations center (9) at least one piece of information from among:

• characteristics of at least one subset of data having an anomaly;
• parameters of said first and/or said second detection technique;
• at least one anomaly detected by the third detection technique not detected by the first and/or the second detection technique.

Monitoring method according to claim 9 comprising a step of receiving, from the security operations center (9), information intended to be used by the device for learning the first, second and/or third detection. Device (2) for detecting intrusions configured to monitor data exchanged on a network (NW), said device comprising modules, activated for at least a subset of data, said modules comprising:

• a first intrusion detection module (2A), configured to apply to said subset a first intrusion detection technique;
• modules, activated if an anomaly is detected by the first detection module in said subset, comprising:
  • a second intrusion detection module (2B), configured to apply a second intrusion detection technique to said subset;
  • a third intrusion detection module (2C), configured to apply a third intrusion detection technique to said subset, said third detection technique using results provided by the first and second detection modules;

the second detection module being further configured to use a result provided by the third detection module for learning the second detection technique, and the first detection module further being configured to use, for learning the first technique detection, a result of an application to said subset of the second detection technique after said learning by the second detection module. Device (2) according to claim 11 integrated in a connected object (IoTD) or in user equipment to which said network provides connectivity or in a mobile computing server located at the edge of the network. System (1) for monitoring data exchanged on a network comprising:

• at least one intrusion detection device (2) according to claim 11 or 12; And
• a security operations center (9), configured to process information transmitted by said intrusion detection device in relation to the data monitored by said device and/or the anomalies detected by said device in these data and/or the configuring sensing techniques used by said device to monitor said data.

Computer program comprising instructions for the execution of a monitoring method according to any one of claims 1 to 10, when said program is executed by a computer.