Jérôme François


Network monitoring for anomaly and intrusion detection

  • Flow-based anomaly and intrusion detection (DDoS, botnet)
  • Encrypted traffic analysis applied to Web (HTTPS): detection of service used and profiling of service usage (privacy)
  • Fingerprinting: syntactic models for VoIP (SIP protocol) and fine-tuning of Support Vector Machines with dedicated kernel functions
  • Multi-dimensional flow aggregation
  • Behavioral models and adaptation of machine learning techniques (graph-mining, Topological Data analysis
  • Distributed algorithms designed for Hadoop
  • Named Data Networking (NDN) security (interest flooding attack evaluation and mitigation)

DNS security and phishing

  • Passive DNS data analyzis using machine learning to detect malicious domain names
  • Active DNS probing for security assessment
  • Phishing domain name and URLs discovery and prevention techniques relying on natural language processing techniques

Internet-wide security monitoring (In cooperation with the High Security Lab of Inria)

  • Internet topology evaluation to identify Autonomous systems serving as proxy for malware delivery
  • Internet scanning: stochastic model for identification of scans in a telescope, low footprint scanning methods
  • Darknet and honeypot analysis: multiple security sensors correlation

Emerging networking paradigms and technologies

Softwarized networks (Network Function Virtualization and Software-Defined Networking)

  • Fair scheduling of embedded virtual functions in network switches
  • Enhanced security by SDN (filtering and mitigation of attacks)
  • Data-plane programmation: Named Data Networking (NDN) with P4, design of new monitoring-oriented dataplane programming
  • abstraction

Cyber-physical systems

  • IoT (Internet-of-Things): leveraging ICN paradigm for IoT, prediction of security threats
  • Industrial Control Systems: detection and isolation of attacks
  • and faults
  • Blockchain: large-scale experimentation in controllable environment, smart contract management

Ph.D. Thesis

Robustness and Identification of Communicating Applications

The growth of computer networks like the Internet entailed a huge increase of networked applications and the apparition of multiple, various protocols. Their functioning complexity is very variable implying diverse performances. The first objective of my Ph.D is to evaluate precisely the robustness of those networked applications, which are known to be very efficient and seem scalable, like for instance, the botnets. Hence, several botnets protocols are imitated. Furthermore, protocol reverse engineering has skyrocketed because many protocols are not always well documented. In this domain, the first necessary step is to discover the message types and this work introduces a novel technique based on support vector machines and new simple message representations in order to reduce the complexity. Finally, there are multiple applications for a single protocol which can be identified thanks to device fingerprinting techniques whose the domain of application is related to security and network management. The first technique proposed in my Ph.D thesis can work with the previous contribution about reverse engineering because the devices could be identified only based on the types of messages exchanged which are aggregated into a temporal behavioral tree including message delays. Besides, the syntactic tree structure of a message is also a good discriminative feature to distinguish the different devices but was very little considered until now. Available at http://tel.archives-ouvertes.fr/tel-00442008/en/.

Current collaborative projects

SecureIoT: Predictive Security for IoT Platforms and Networks of Smart Objects

  • https://secureiot.eu/
  • H2020-IOT-2017, 2018-2020
  • SecureIoT is an EU-funded project and a joint effort of global leaders in IoT services and IoT cybersecurity to secure the next generation of dynamic, decentralized IoT systems, which span multiple IoT platforms and networks of smart objects, through implementing a range of predictive IoT security services. SecureIoT will integrate its security services in three different application scenarios in the areas of: Digital Automation in Manufacturing (Industry 4.0), Socially assistive robots for coaching and healthcare and Connected cars and Autonomous Driving.

ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast

  • https://threatpredict.inria.fr/
  • NATO Science for Peace and Security programme, 2017-2020
  • Predicting attacks can help to prevent them or at least reduce their impact. Nowadays, existing attack prediction methods make accurate predictions only hours in advance or cannot predict geo-politically motivated attacks. ThreatPredict aims to predict different attack types days in advance. It develops machine-learning algorithms that capture spatio-temporal dynamics of cyber-attacks and global social, geo-political and technical events. Various sources of information are collected, enriched and correlated such as honeypot data, darknet, GDELT, Twitter, and vulnerability databases. In addition to warning about attacks, this project will improve our understanding of the effect of global events on cyber-security.

HuMa: Advanced Persistent Threat Analyzis

  • http://www.huma-project.org/
  • FUI jointly funded by the BPI (Banque Publique d'Investissement) and the Région Grand Est, 2015 - 2019
  • This project targets the analysis of Advanced Persistent Threat. APT are long and complex attacks which thus cannot be captured with standard techniques focused on short time windows and few data sources. Indeed, APTs may last for several months and involve multiple steps with different types of attacks and approaches. The project will address such an issue by leveraging data analytics and visualization techniques to guide human experts, which are the only one able to analyze APT today, rather than targeting a fully automated approach.


PhD students

  • P.-M. Junges, 2018-, security of IoT
  • A. Laraba, 2018-, SDN-based network monitoring, in copperation with the University of Waterloo, Canada
  • P.-O. Brissaud, 2017-, encrypted traffic analysis, in cooperation with Thales
  • P. Chaignon, 2015-2018, software datapaths for multi-tenant packet processing, in cooperation with Orange Labs
  • M. Abderrahim, 2015 - 2018, programmable monitoring for edge computing, in cooperation with Ecole des Mines de Nantes and Orange Labs
  • S. Signorello, 2014 - 2018, a multifold approach to address the security issues of stateful forwarding mechanisms in Information-Centric Networks, in cooperation with the University of Luxembourg, now postdoc at the University of Lisbon, Portugal
  • S. Marchal, 2011-2015, Semantic analysis for DNS and phishing protection, now postdoc at Aalto University, Finland
  • L. Dolberg, 2011-2015, efficient multidimensional aggregation for large acale monitoring, now data scientist at GoodYear, Luxembourg

Postdoc and research engineers

  • S. Blanc, 2017-2019, research engineer on FUI HuMa project
  • V. Dang, 2018, postdoc on FUI HuMa project
  • T. Lacour, research engineer on bi-ateral cooperation with FPC ingénierie
  • S. Lagraa, 2017-2018, postdoc on FUI HuMa project
  • P.-O. Brissaud, 2017, research engineer on FUI HuMa project

Scientific Community Involvement

  • TPC co-chair of IEEE/IFIP International Symposium on Integrated Network Management -- IM 2019
  • Organization chair of RESSI 2018 (French conference on information system security)
  • TPC co-chair of the ETSN Workshop at NetSoft 2018
  • Demo co-chair of IEEE Conference on Network Softwarization (Netsoft) 2018
  • TPC co-chair of the 3rd and 4th IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT)
  • TPC co-chair of IEEE/IFIP Man2Block 2018 (International Workshop of Managing and Managed by Blockchain)
  • TPC co-chair of IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS) 2018
  • TPC co-chair of the 9th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), 2015 (Ph.D. Workshop)
  • Guest editor of a special issue in Wiley International Journal of Network Management



  • Office: B132
  • Madynes - Inria Nancy Grand Est
  • 615 rue du Jardin Botanique
  • 54600 Villers-lès-Nancy, FRANCE
  • Phone: +33/(0) 3 83 59 30 66