Cross layer Intrusion detection System

advertisement
‫تقرير نهائي لمشروع بحث‬
Research project final report /
Rapport final du projet de recherche
1
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
‫مستند إداري‬
Administrative Document
--------
Administrative information / ‫المعلومات اإلداري‬
:‫المرجع‬
Project Title - )‫عنوان المشروع (عربي وأجنبي‬
‫التقاط هجمات اإلنترنت متعدد الطبقات‬
Cross layer Intrusion detection System
Principal Investigator - ‫الباحث الرئيسي‬
‫كلية العلوم‬
‫العنوان‬
‫الحدث‬
Address
abhijaz@ul.edu.lb
03 760214
‫الجامع اللبناني‬
‫رقم الهاتف‬
‫عباس حسن حجازي‬
Abbas HIJAZI
‫االسم والشهرة‬
‫الجامع اللبناني‬
‫المؤسسة‬
Institution
‫أستاذ‬
‫الوظيفة‬
Telephone
Name &
surname
Post
Co-investigators - ‫الباحثون المشاركون‬
‫العنوان االلكتروني‬
e-mail
kaled.el-dassouki@telecomsudparis.eu
‫المؤسسة‬
Institution
‫الجامعة اللبنانية‬
‫االسم والشهرة‬
Name and surname
)‫خالد الدسوقي (طالب دكتوراه‬
2
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
.1
Duration and starting date of the research / ‫المدة التعاقدي للمشروع وتاريخ بدء البحث‬
‫سنتين‬
Duration (year) / ‫المدة التعاقدية للمشروع‬
01/10/2011
Starting date of the research /‫وتاريخ بدء البحث‬
Scientific Information / ‫العلمي‬
‫ المعلومات‬.2
ّ
Objectives - ‫الهدف‬
(mandatory field to fill 5-8 lines) – )‫ أسطر‬8-5 : ‫( معلومات إلزامية‬
The objective of our project is to propose and test new detection techniques that should be
used by Network Intrusion Detection Systems (NIDS). Our goal is to create an anomaly
based intrusion detection system that is using the specification technical in building the
normal profile. We are proposing to use this technique in a way that the NIDS will better
understand the semantic of the communication. To achieve our goal the detection
mechanism will inspect all the TCP/IP protocols used by the communication. All the
results of this inspection should be correlated in a way to better understand the semantic
of the communication. Our technique will be implemented using IDS Bro.
Achievements - ‫أالنجازات المحقق‬
(mandatory field to fill 5-8 lines) – )‫ أسطر‬8-5 : ‫( معلومات إلزامية‬
 We proposed a mechanism that is capable of detecting congestions by monitoring passively an
aggregation link. This mechanism does not need parameterizations since all the used
parameters are deduced from public real internet traces. Experimental results have shown that
the proposed mechanism is able to detect congestion rapidly and does not suffer from false
alarms.
 We proposed a security mechanism that protects SIP sessions against such attacks. The
mechanism uses SIP fingerprint to authenticate messages, in order to prevent spoofing. We
validate our robust mechanism using Openssl and Sipp.
Perspectives - ‫آفاق البحث‬
(mandatory field to fill 5-8 lines) – )‫ أسطر‬8-5 : ‫( معلومات إلزامية‬
Our future work will be focusing on the upper layers. The proposed security mechanism has
two limitations that we plan to solve in future work; the first is that it is unable of securing
messages initiated by intermediate proxies. The second is related to SBCs (Session Border
Controllers). SBCs are SIP elements used by network operators to secure and control SIP
flows. The behavior of these elements is not conform to the proxy behavior described in
SIP specification.They have a direct impact on our mechanism by breakingend to end SIP
communications and changing the mandatory SIP headers.
3
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
Publications & Communications - ‫المنشورات والمساهمات في المؤتمرات‬
 A publication was composed and will be submitted very soon to an international scientific
journal.
 IEEE – ICCIT, Third International Conference on Communications and Information
Technology (ICCIT) 2013 - “A TCP delay based mechanism for detecting congestion in the
internet”.
 IEEE – NTMS2014 Sixth international conference on new technologies, mobility and
security (NTMS) 2014. “End to end mechanism to protect SIP from signaling attacks”
 Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie-2011/2012.
 Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie-2012/2013 Cross layer Intrusion detection System.
 Oral presentation – Third Doctoral Forum EDST – Lebanese University - 25-26 June 2013
– “Cross layer Intrusion Detection System”
Abstract - ‫موجز عن نتائج البحث‬
(mandatory field to fill 5-8 lines) – )‫ أسطر‬8-5 : ‫( معلومات إلزامية‬
In our work we have proposed two algorithms: the first is a passive congestion detection
algorithm capable of efficiently detecting congestions by monitoring an aggregation link. Our
proposed mechanism, implemented using IDS Bro, could be deployed near a gateway router, a
server or a client. Our mechanism was able to detect congestion rapidly. We also showed that our
algorithm does not suffer from false alarms when the network is not congested. The second is an
end to end security mechanism that uses message fingerprints to protect SIP sessions from
signaling attacks. The mechanism uses SIP fingerprint to authenticate messages, in order to
prevent spoofing. We validate our mechanism using Openssl and Sipp and show that it is light and
robust.
‫توقيع الباحث‬
4
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
Final report /
Rapport Final
Warning / Avertissement
1. The final report must be limited to results directly related to the research project
supported by the Council excluding any other activity carried out by the investigator
otherwise the report will be rejected.
2. Appendices may be added or attached to the report.
1. Le rapport final doit être limité aux résultats directement liés au projet de recherche
soutenu par le Conseil à l'exclusion de toute autre activité menée par le chercheur
sous peine de rejet.
2. Des annexes peuvent être ajoutées ou attachées au rapport.
1. Principal investigator / Chercheur principal
Name and surname /
Nom et prénoms
Abbas HIJAZI
Institution of affiliation /
Institution d'affiliation
Lebanese University
2. Title of the project as proposed in the original application /
Titre du projet tel qu'il a été proposé dans la demande originale
(English and French / Anglais et Français)
Cross layer Intrusion detection System
Système de Détection d’Intrusion dans les inter-Couches
5
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
3. Purpose of the project / Objectifs du projet
(1page)
IP networks are becoming more and more complex. New services are implemented every day
and a variety of users are granted access to these networks thanks to the variety of access
technologies (Wifi, 3G, FTTH…). Understanding the semantic of the communication is
becoming a key factor in enhancing the detection mechanisms of intrusion detection systems.
The purpose of our project is to propose and test new detection technics that should be used
by Network Intrusion Detection Systems (NIDS). A NIDS is a network component that
detects network attacks by monitoring the traffic that passes through it. There is two detection
technics used by NIDS; Signature based and anomaly based. The first technic detects
intrusions by comparing network traffic to known attacks signatures. This technic could not
detect newly invented attacks because they are not present in the NIDS signature database.
The second technic is based on building a normal profile of the network behavior, once the
network behavior deviates from the built normal profile, an alarm is fired. This detection
technic is capable to detect new unknown attacks but one of its major challenges is building
the normal profile of the network behavior.
Our goal is to create an anomaly based intrusion detection system that is using the
specification technic in building the normal profile . We are proposing to use this technic in a
way that the NIDS will better understand the semantic of the communication. We will will
inspect all the TCP/IP protocols used by the communication. All the results of this inspection
should be correlated in a way to better understand the semantic of the communication. Our
technic will be implemented using IDS Bro.
To achieve this goal, two objectives were fixed; The first one is to comprehensively study the
protocol stack to build a network-based intrusion detection system that makes use of all the
available information. We will study the specification of the protocol stack, including
temporal conditions such as timer expirations and retransmits, to build a detector that
successfully analyzes a protocol dialog and can diagnose cross-layer or cross-sessions
attacks, e.g attacks that require manipulating traffic at multiple levels of the protocol stack
(e.g. TCP and SIP to steal a session), or manipulating traffic across multiple session (e.g.
between SIP and VoIP media streams to highjack accounts or dial free calls). This study will
be based on both the specification of the protocols and on the history of vulnerabilities that
have been collected over these protocols.
The second objective of this project is to strengthen the detection engine by combining in a
cooperative matter between different detectors. A cross-layer detector will not have the
ability to detect all kind of network attacks, especially cooperative and multi-stage attacks
targeting different components of the monitored network. This study will combine the crosslayer detector with an attack behavior detector, a network policy detector and a Topology
profile to achieve a low false alarm rate, a better understanding of the network context and
the ability of the detection engine to detect cooperative multi stage attack targeting different
network components.
6
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
4. Expected outputs / Résultats attendus
1 page max / 1 page au maximum
Methodology proposed:
1- Study of the dynamics of multiple protocols according to their specifications, using
techniques similar to the CPNI[9] document for TCP. The initial target study is the
IP/{TCP|UDP}/HTTP stack, but this should be extended to other protocols, e.g. VoIP.
2- Study of the cross-layer correlation to improve both detection (detect attacks
previously not detected by classic means) and to improve diagnosis (more reliably
detect known attacks), including the topology of the monitored network.
3- Study of the different attack targeting a network to be able to model and create the
attack behaviour detector.
4- Study of the information needed to be presented in the network topology profile and
the network security detector and the way by which this information should be
collected.
5- Study of detector combination. The previously designed detectors should be
integrated in a complete detection architecture to fuse all the proposed small-scale
detectors into a single system with complete diagnosis ability.
By applying the following methodology we could reach a detection mechanism immune
against evasion attacks, covers attacks targeting different protocol layers and spanning many
services.The expected outputs and activities of our project are as follows:
1- First we will focus on the transportation layer of the TCP/IP protocol stack and
models the temporal aspect of this layer. The study will use the internet traces
provided by many research organizations to study the behavior of internet traffic in
real circumstances. The detection mechanism in this part should be implemented
using Bro and tested against public traces of attacks targeting the transport protocol
layer. The results in this part should be published in known journals.
2- After finishing the first part, we will focus on the application layer of the TCP/IP
protocol stack. We will attack first the VoIP services and more especially SIP and
RTP protocols. In this part we have to install a VoIP lab that contains a SIP proxy
server and many SIP phones. We should try to create a detection mechanism based on
protocol specification to detect the different attacks targeting these services.
3- We will work in this part on the payload detection of the WEB services. We will
propose a detection mechanism based on the specification of the web behavior to
detect anomalies in the payload part of the WEB communication.
4- All the above outputs should be correlated together to enrich and improve the
semantic of the detection mechanism. We believe that by doing so, we could propose
a novel detection mechanism capable of detecting a wide a variety of attacks. At this
stage we should publish our contributions in known research journals. The results
should be deduced after installing a lab made of a web server interacting with a SIP
server, web users and many SIP clients. We should not that to achieve the following
outputs the IDS will use the different profiles mentioned in the introduction of the
project.
7
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
5.
Résultats obtenus / Obtained results
5 to 10 pages / 5 à 10 pages
Appendices can be added a the end of this document / Des annexes peuvent être ajoutées à
la fin de ce document
I. First contribution: congestion detection
We started our work by studying the transport layer of the TCP/IP protocol stack and
especially the widely used TCP protocol. TCP is a reliable protocol that uses timers to
ensure this reliability. It is vulnerable to an important range of attacks which are well
described in [1]. Our intention at the beginning was to introduce a TCP attack detection
mechanism that takes into consideration the timing aspect of TCP. Based on this
intention we proposed a detection mechanism that we found will be suitable to use it not
only in the detection of Distributed Denial of Service attacks but also in the congestion
detection field. Following is a detailed description of our work and results.
A.
State of the art and related work
Active Queue Management (AQM) are between the main proposed solutions to control
and avoid congestion in the internet. These algorithms monitor passively router’s queues
in order to detect congestions. Once the packets waiting in the queue exceeds a specified
threshold, the algorithm considers that congestion is occurring. Formerly, the algorithm
manages the router queue in order to avoid and control congestion. RED is the most
famous AQM algorithm. When the queue occupancy reaches a certain threshold RED
drops TCP packets based on a probabilistic relation. By dropping packets, different
parties using TCP congestion control mechanism notice that congestion is occurring and
slow down there communication.
Although AQM is between the main solutions deployed nowadays to avoid congestion,
it has many shortcomings. First, the detection phase is based on the router’s IP level
information which is not sufficient to detect all congestion situations. Second, there is no
study that reveals the cooperation of many AQMs together .
Both of these drawbacks are based on the detection mechanism of the AQM algorithms.
To overcome these drawbacks we are proposing a real time congestion detection
8
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
mechanism capable of detecting congestions by monitoring passively an aggregation
link. Our detection mechanism use TCP delays as a detection parameter which is a
common symptom of all the congestion scenarios. Our proposed detection mechanism
doesn’t need parameterization. All the used parameters were deduced from public real
internet traces using statistical approaches.
B.
Our algorithm
Our algorithm monitors mainly TCP sessions. TCP is a reliable protocol that uses timers
to deliver reliably IP packets and detect anomalies on the network. Every packet sent by
TCP should be acknowledged. If an acknowledgment is not received after a specified
period of time TCP considers that the packet is not received and sends again the
unacknowledged packet.
This
procedure is
repeated many times until
an
acknowledgment is received or until TCP drops the session. When a link suffers from
congestion, one of the main consequences of this congestion is the increase in delays.
Based on this, our algorithm monitors delays experienced by different TCP sessions to
detect congestion. We propose a dynamic congestion detection mechanism that is able to
detect accurately, quickly and in real time congestion by passively monitoring link
traffic. The dynamicity of our algorithm is based on the fact that the more the congestion
is severe the more we are attending the abnormal delay threshold experienced on a link.
Because of that we propose to dynamically tune the detection mechanism based on the
severity of the congestion.
Our algorithm is tuned dynamically between two delay thresholds; the first threshold,
“PrAb” represents the delay after which the session is probably abnormal. The second
threshold, “Ab” is the threshold that represents the delay after which we consider that a
session is abnormal and suffers from a problem. When “PrAb” is reached, there is a high
probability that the delay experienced by this session risks to attend the “Ab” threshold.
To dynamically tune our algorithm between both of these thresholds, we propose the
following relation: for every active session if t >= Dif – x*Dif/Max => y = y+1. Where
“t” is the time elapsed after reaching the PrAb threshold, Dif is the difference in seconds
between Ab and PrAb, x is the number of sessions that are waiting for more than PrAb
and Max is the acceptable percentage of sessions that could reaches the Ab threshold
9
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
under normal circumstances.
t >= Dif – x*Dif/Max
C.
Parameters specification
Implementing and validating our algorithm requires two major steps; first we have to
specify the PrAb and Ab thresholds used by our algorithm. Second, we will use these
variables to validate the efficiency of our algorithm on real public network traces.
1.PrAb and Ab specification
To specify the values of PrAb and Ab, we decided first to study the TCP delay behavior
on the nternet. To do so, we chose ten public traffic traces provided by the MAWI
dataset. Two reasons were behind our choice; first, the MAWI dataset provides an
important amount of internet traces collected in real case scenario. The traces were
collected from a transpacific aggregation link. Every trace file consist of 15 minutes
containing around () packets. The second choice is the MAWILab labeling which labels
all the attacks present in the dataset. This will help us in cleaning the MAWI traces from
all the malicious sessions to come up with normal and clean traces. We studied the TCP
delay behavior by applying the following methodology:
i. Cleaning the studied traces: for every chosen trace file, we deleted all the sessions
containing IP addresses labeled as malicious by the MAWILab labeled dataset. This will
help us to derive results from normal TCP sessions. Most of the surveyed previous work
used some training phases were they inject so-called normal traffic in there network to
train the detector. We believe that this procedure is difficult in real case scenarios. To
overcome this problem, we decided to deduce values from cleaned real internet datasets
to make our algorithm efficient in real case scenarios.
ii. Extracting different delay proportions: For every chosen trace file, we computed the
percentage of delayed packets which arrive after: 1, 2, 3 … 15 seconds of delays. Our
study is based the delays experienced by the TCP packets sent by the TCP clients. We
decided to choose the delays experienced by the TCP clients instead of those
experienced by the TCP servers because clients could provide us with a wider network
overview. Figure 1 presents the studied statistical results; the legend of the figure lists
the chosen trace files. The horizontal axis presents the amount of delays studied and the
10
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
vertical axis presents the percentage of the following delays with respect to the total
amount of packets. Figure 2 presents the mean of the different studied traces and the
standard deviation.
Percentage of delayed packets
8
1/2/2010
7
2/24/2010
6
5/22/2010
5
6/6/2010
4
6/11/2010
3
6/24/2010
2
7/9/2010
1
9/18/2010
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
11/30/2010
Delay duration in seconds
12/13/2010
Figure 1 statistical results for every trace file
Percentage of delayed packets
6
5
4
3
Mean
2
Standard deviation
1
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Delay duration in seconds
Figure 2 statistical results means and standard deviation
2.Max specification
We used the central limit theorem applied on the 10 statistical samples to make an
inference about the 4 and 13 seconds delayed packet percentage in the internet. The
central limit theorem states that if the sample size is sufficiently large (greater than 30),
then the mean of a random sample from a population has a sampling distribution that is
11
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
approximately normal, regardless of the shape of the distribution of the population.
Based on this theorem, we divided every 15 minutes traces to 30 seconds samples. This
will result in a sample size of 30 for every trace file. By computing the percentage of 4
and 13 seconds delayed packet during every 30 seconds period and then by computing
the mean of the sample (mean of the 30 x 30 seconds period during the chosen traffic
trace) and then by computing the mean of the 10 means deduced for the 10 different
trace files we deduced that the population mean of 13 seconds delay is 1.7.
D.
Algorithm implementation
We used IDS Bro [8] to implement our algorithm and test it efficiency against different
public traces. Bro provided us with a powerful policy script language that could be
perfectly used to implement our algorithm. We implemented our algorithm using two
traces categories; the first category is made of public data traces collected from
congested networks. We found that the MAWI connection was suffering from
congestion during the 2003 year. The congestion was due to the limited capacity of the
MAWI link during this period which had led to upgrading the link capacity later. Our
algorithm was able to detect congestion in around 7 seconds. We used also from the
public CAIDA traffic traces that contains approximately one hour of DDoS attack on
August 4, 2007. This type of denial-of-service attack attempts to block access to the
targeted server by consuming computing resources on the server and by consuming all
of the bandwidth of the network connecting the server to the Internet. Our algorithm
detected congestion in around 10 seconds; this is because the attack was not intense in
the beginning. The second testing category was using non congested traces. We used
these traces to validate the efficiency of the proposed algorithm in terms of false
negative rate. We used MAWI traffic traces collected during periods where the link is
not suffering from congestion. No congestion alarms were fired.
12
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
6. Summary table of expected and obtained results / Tableau récapitulatif
des résultats attendus et des résultats obtenus
Expected outputs / Résultats attendus
The objective of our project is to propose and
test new detection techniques that should be
used by Network Intrusion Detection Systems
(NIDS). Our goal is to create an anomaly
based intrusion detection system that is using
the specification technical in building the
normal profile. To achieve our goal the
detection mechanism will inspect all the
TCP/IP
protocols
used
by
the
communication. All the results of this
inspection should be correlated in a way to
better understand the semantic of the
communication. Our technique will be
implemented using IDS Bro
Obtained results / Résultats obtenus
1. we proposed a mechanism that is
capable of detecting congestions by
monitoring passively an aggregation
link.
2. we proposed a security mechanism that
protects SIP sessions against such
attacks. The mechanism uses SIP
fingerprint to authenticate messages, in
order to prevent spoofing. We validate
our robust mechanism using Openssl
and Sipp.
13
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
3.
Possible encountered difficulties / Difficultés éventuelles rencontrées
14
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
4.
Scientific publications )articles in peer review journals, books,
communications, etc …) / Publications scientifiques (articles dans des
revues à comité de lecture, livres, communications, etc …)
Attach a copy of each publication as it appeared in the journal) / (Joindre une copie de
chaque publication telle qu'elle a paru dans la revue)

A publication was composed and will be submitted very soon to an international scientific
journal.

IEEE – ICCIT, Third International Conference on Communications and Information
Technology (ICCIT) Beirut - 2013 - “A TCP delay based mechanism for detecting
congestion in the internet”.

IEEE – NTMS2014 Sixth international conference on new technologies, mobility and
security (NTMS) Dubai -2014. “End to end mechanism to protect SIP from signaling attacks”

Training of Master II Risk management in Information System, Mariam Saleh, 20132014.

5.
Training of Master II Risk management in Information System, Mohammad Rmayti ,
2011-2012.
Oral presentations or posters in national, regional and international
conferences / Présentations orales ou affichées à des congrès nationaux,
régionaux ou internationaux.
(Attach a copy of each presentation as it was presented or published in refereed
conference proceedings)/ (Joindre une copie de chaque présentation telle qu'elle a été
affichée ou publiée dans les comptes rendus des congrès)

IEEE – ICCIT, Third International Conference on Communications and Information
Technology (ICCIT) Beirut - 2013 - “A TCP delay based mechanism for detecting
congestion in the internet”.

IEEE – NTMS2014 Sixth international conference on new technologies, mobility and
security (NTMS) Dubai -2014. “End to end mechanism to protect SIP from signaling
attacks”

Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie-2011/2012.

Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie-2012/2013 Cross layer Intrusion detection System.

Oral presentation – Third Doctoral Forum EDST – Lebanese University - 25-26 June 2013 –
“Cross layer Intrusion Detection System”
15
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
How to submit the final report ?
Comment soumettre le rapport final ?
-------The final report must be submitted to Council in two versions :
 A hard copy which can be mailed or delivered directly to the Council
administrative seat;
 An electronic version, Word document, on CD-ROM or USB drive or email sent to the Council at the following address : grp@cnrs.edu.lb
Le rapport final doit parvenir au Conseil en deux versions :
 Une version sur papier qui peut être envoyée par la poste ou déposée
directement au siège administratif du Conseil ;
 Une version électronique en format Word sur CD-ROM ou sur clé USB, ou
envoyée au Conseil par e-mail à l'adresse suivante : grp@cnrs.edu.lb
16
4102 ‫برنامج دعم البحوث العلمية‬
Grant Program for Scientific Research in Lebanon – 2012
Programme de subvention à la recherche scientifique au Liban – 2012
‫برنامج دعم البحوث العلمي في لبنان لعام ‪2112‬‬
‫صفح ‪8‬‬
‫‪--------‬‬‫‪ .11‬تقديم التقرير النهائي‪:‬‬
‫‪ .01.0‬في نهاية المشروع (سنة أو سنتين)‪ ،‬على الباحث تقديم تقرير نهائي (نسخة ورقية ونسخة‬
‫إلكترونية بصيغة ‪ Word‬على قرص مدمج أو ‪ USB‬أو ترسل إلى المجلس بواسطة البريد‬
‫االلكتروني على العنوان التالي‪ ،grp@cnrs.edu.lb :‬وذلك وفقاً للنموذج المعتمد في المجلس‬
‫والموجود على موقع المجلس ‪ http://www.cnrs.edu.lb‬مرفقاً بالتصفية المالية لمشروع‬
‫يبين فيه ما‬
‫البحث‪ .‬ال يقبل التقرير النهائي إالّ إذا عرض الباحث بشكل واضح جدوالً مفصالً ّ‬
‫تم إنجازه مقارن مع تصوره لمخرجات المشروع عند قبوله‪ ،‬على أن ال يتضمن سوى ما له‬
‫عالقة مباشرة بمشروع البحث المدعوم من المجلس دون إغراقه بأية تفاصيل أو نشاطات أخرى‬
‫والتركيز حص اًر على النتائج التي توصل اليها الباحث‪.‬‬
‫‪ .01.4‬يعتمد المجلس في تقييم التقرير النهائي على األهمية العلمية للمقاالت الصادرة عن الباحث‬
‫وذات العالقة بمشروع البحث المدعوم من المجلس من خالل عدد من المعايير والمؤشرات‬
‫الدولية نذكر من بينها على سبيل المثال ‪Impact Factor, Citation Index:‬‬
‫‪17‬‬
‫برنامج دعم البحوث العلمية ‪4102‬‬
‫‪Grant Program for Scientific Research in Lebanon – 2012‬‬
‫‪Programme de subvention à la recherche scientifique au Liban – 2012‬‬
Download