Abstract: A technique for collecting information relating to a flow routed in a communication network. This network includes, in a data plane, packet-processing devices that are configured so as to process packets on the basis of flow-processing rules and, in a control plane, at least one control device that is configured so as to control packet-processing devices and to manage the flow-processing rules. An analysis device identifies at least one flow-processing rule configured so as to process a flow including a first characteristic associated with a first endpoint device of a flow to be sought in the communication network and applied by a processing device. Based on the identified processing rule, the control device determines a second characteristic associated with a second endpoint device.

Abstract: A method including: identifying a set of dependent virtualised network functions included in a first virtual network, the set including at least a virtualised network function to be updated; creating a second virtual network including clones of virtual machines implementing the dependent virtualised network functions of the set; interconnecting, in the second virtual network, clones of the dependent virtualised network functions, identically to an interconnection in the first network of dependent virtualised network functions; identifying an input data packet of the dependent virtualised network functions, duplicating the packet and sending the duplicated packet to the second network; applying a patch to the clone of the virtualised network function to be updated in the second network; triggering an alert when a performance value of a dependent virtualised network function of the first virtual network differs from a performance value on the clone of the virtualised network function in the second network.

Abstract: A technique for collecting information relating to a flow routed in a communication network. This network includes, in a data plane, packet-processing devices that are configured so as to process packets on the basis of flow-processing rules and, in a control plane, at least one control device that is configured so as to control packet-processing devices and to manage the flow-processing rules. An analysis device identifies at least one flow-processing rule configured so as to process a flow including a first characteristic associated with a first endpoint device of a flow to be sought in the communication network and applied by a processing device. Based on the identified processing rule, the control device determines a second characteristic associated with a second endpoint device.

Abstract: A method including: identifying a set of dependent virtualised network functions included in a first virtual network, the set including at least a virtualised network function to be updated; creating a second virtual network including clones of virtual machines implementing the dependent virtualised network functions of the set; interconnecting, in the second virtual network, clones of the dependent virtualised network functions, identically to an interconnection in the first network of dependent virtualised network functions; identifying an input data packet of the dependent virtualised network functions, duplicating the packet and sending the duplicated packet to the second network; applying a patch to the clone of the virtualised network function to be updated in the second network; triggering an alert when a performance value of a dependent virtualised network function of the first virtual network differs from a performance value on the clone of the virtualised network function in the second network.

Abstract: A method and a detection entity for detecting attacks in a system including at least two host servers. Each host server hosts a set of virtual machines. The detection entity performs acts of: detecting that a number of migrations of virtual machines from one server to another during a current time period is greater than a threshold value; partitioning the virtual machines of the system into a first subset having a stable profile of consumption of at least one resource, and into a second subset having a fluctuating profile; calculating, for the pairs of virtual machines of the second subset, a value of temporal correlation between the two profiles of the pair; and identifying in the second subset the virtual machines for which the correlation value is greater than or equal to a threshold correlation value, the machines being identified as constituting the origin of the attack.

Abstract: The invention relates to a method for detecting attacks on at least one virtual machine in a system including at least one host server (10) hosting a set of virtual machines (VM1, VM2, VM3, etc.), the method including the steps of: receiving (E2) an alert indicating a breakdown in performance in a virtual machine; verifying (E3) that a mechanism for managing resource contention has been implemented for the virtual machine; detecting (E5), over a given time interval, at least one time correlation between the breakdown in performance that occurred in the virtual machine and a variation in the use of at least one resource of the host server by at least one other virtual machine, data representing the use of resources being collected at regular intervals.

Abstract: A method and a detection entity for detecting attacks in a system including at least two host servers. Each host server hosts a set of virtual machines. The detection entity performs acts of: detecting that a number of migrations of virtual machines from one server to another during a current time period is greater than a threshold value; partitioning the virtual machines of the system into a first subset having a stable profile of consumption of at least one resource, and into a second subset having a fluctuating profile; calculating, for the pairs of virtual machines of the second subset, a value of temporal correlation between the two profiles of the pair; and identifying in the second subset the virtual machines for which the correlation value is greater than or equal to a threshold correlation value, the machines being identified as constituting the origin of the attack.

Abstract: The invention relates to a method for detecting attacks on at least one virtual machine in a system including at least one host server (10) hosting a set of virtual machines (VM1, VM2, VM3, etc.), the method including the steps of: receiving (E2) an alert indicating a breakdown in performance in a virtual machine; verifying (E3) that a mechanism for managing resource contention has been implemented for the virtual machine; detecting (E5), over a given time interval, at least one time correlation between the breakdown in performance that occurred in the virtual machine and a variation in the use of at least one resource of the host server by at least one other virtual machine, data representing the use of resources being collected at regular intervals.