Research project final report

Grant Program for Scientific Research in Lebanon – 2012

Administrative Document

Administrative information

Reference:

Project title (Arabic and foreign language): Multi-layer detection of Internet attacks / Cross layer Intrusion detection System

Principal Investigator
Name and surname: Abbas HIJAZI (Abbas Hassan Hijazi)
Institution: Lebanese University
Post: Professor
Address: Faculty of Sciences, Hadath
Telephone: 03 760214
e-mail: abhijaz@ul.edu.lb

Co-investigators
Name and surname: Khaled El-Dassouki (PhD student)
Institution: Lebanese University
e-mail: kaled.el-dassouki@telecomsudparis.eu

1. Duration and starting date of the research
Duration (year): two years
Starting date of the research: 01/10/2011

2. Scientific Information

Objectives (mandatory field to fill, 5-8 lines)

The objective of our project is to propose and test new detection techniques that should be used by Network Intrusion Detection Systems (NIDS). Our goal is to create an anomaly based intrusion detection system that uses the specification technique to build the normal profile. We propose to use this technique in a way that lets the NIDS better understand the semantics of the communication. To achieve our goal, the detection mechanism will inspect all the TCP/IP protocols used by the communication.
All the results of this inspection should be correlated in a way to better understand the semantics of the communication. Our technique will be implemented using IDS Bro.

Achievements (mandatory field to fill, 5-8 lines)

We proposed a mechanism that is capable of detecting congestion by passively monitoring an aggregation link. This mechanism does not need parameterization, since all the parameters it uses are deduced from public real Internet traces. Experimental results have shown that the proposed mechanism is able to detect congestion rapidly and does not suffer from false alarms. We also proposed a security mechanism that protects SIP sessions against signaling attacks. The mechanism uses a SIP fingerprint to authenticate messages, in order to prevent spoofing. We validated our robust mechanism using Openssl and Sipp.

Perspectives (mandatory field to fill, 5-8 lines)

Our future work will focus on the upper layers. The proposed security mechanism has two limitations that we plan to solve in future work. The first is that it cannot secure messages initiated by intermediate proxies. The second is related to SBCs (Session Border Controllers). SBCs are SIP elements used by network operators to secure and control SIP flows. The behavior of these elements does not conform to the proxy behavior described in the SIP specification. They have a direct impact on our mechanism by breaking end-to-end SIP communications and changing the mandatory SIP headers.

Publications & Communications

A publication was composed and will be submitted very soon to an international scientific journal.
IEEE – ICCIT, Third International Conference on Communications and Information Technology (ICCIT) 2013 - “A TCP delay based mechanism for detecting congestion in the internet”.
IEEE – NTMS2014, Sixth international conference on new technologies, mobility and security (NTMS) 2014 - “End to end mechanism to protect SIP from signaling attacks”.
Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie - 2011/2012.
Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie - 2012/2013 - Cross layer Intrusion detection System.
Oral presentation – Third Doctoral Forum EDST – Lebanese University - 25-26 June 2013 – “Cross layer Intrusion Detection System”.

Abstract (mandatory field to fill, 5-8 lines)

In our work we have proposed two algorithms. The first is a passive congestion detection algorithm capable of efficiently detecting congestion by monitoring an aggregation link. Our proposed mechanism, implemented using IDS Bro, could be deployed near a gateway router, a server or a client. Our mechanism was able to detect congestion rapidly. We also showed that our algorithm does not suffer from false alarms when the network is not congested. The second is an end-to-end security mechanism that uses message fingerprints to protect SIP sessions from signaling attacks. The mechanism uses a SIP fingerprint to authenticate messages, in order to prevent spoofing. We validated our mechanism using Openssl and Sipp and showed that it is light and robust.

Researcher's signature

Final report

Warning

1. The final report must be limited to results directly related to the research project supported by the Council, excluding any other activity carried out by the investigator; otherwise the report will be rejected.
2.
Appendices may be added or attached to the report.

1. Principal investigator
Name and surname: Abbas HIJAZI
Institution of affiliation: Lebanese University

2. Title of the project as proposed in the original application (English and French)
Cross layer Intrusion detection System
Système de Détection d’Intrusion dans les inter-Couches

3. Purpose of the project (1 page)

IP networks are becoming more and more complex. New services are implemented every day, and a variety of users are granted access to these networks thanks to the variety of access technologies (Wifi, 3G, FTTH…). Understanding the semantics of the communication is becoming a key factor in enhancing the detection mechanisms of intrusion detection systems. The purpose of our project is to propose and test new detection techniques that should be used by Network Intrusion Detection Systems (NIDS). A NIDS is a network component that detects network attacks by monitoring the traffic that passes through it. There are two detection techniques used by NIDS: signature based and anomaly based. The first technique detects intrusions by comparing network traffic to known attack signatures. This technique cannot detect newly invented attacks because they are not present in the NIDS signature database.
The second technique is based on building a normal profile of the network behavior; once the network behavior deviates from this profile, an alarm is fired. This detection technique is capable of detecting new, unknown attacks, but one of its major challenges is building the normal profile of the network behavior.

Our goal is to create an anomaly based intrusion detection system that uses the specification technique to build the normal profile. We propose to use this technique in a way that lets the NIDS better understand the semantics of the communication. We will inspect all the TCP/IP protocols used by the communication. All the results of this inspection should be correlated in a way to better understand the semantics of the communication. Our technique will be implemented using IDS Bro.

To achieve this goal, two objectives were fixed. The first one is to comprehensively study the protocol stack to build a network-based intrusion detection system that makes use of all the available information. We will study the specification of the protocol stack, including temporal conditions such as timer expirations and retransmits, to build a detector that successfully analyzes a protocol dialog and can diagnose cross-layer or cross-session attacks, i.e. attacks that require manipulating traffic at multiple levels of the protocol stack (e.g. TCP and SIP to steal a session), or manipulating traffic across multiple sessions (e.g. between SIP and VoIP media streams to hijack accounts or dial free calls). This study will be based on both the specification of the protocols and the history of vulnerabilities that have been collected for these protocols.

The second objective of this project is to strengthen the detection engine by combining different detectors in a cooperative manner.
A cross-layer detector will not have the ability to detect all kinds of network attacks, especially cooperative and multi-stage attacks targeting different components of the monitored network. This study will combine the cross-layer detector with an attack behavior detector, a network policy detector and a topology profile to achieve a low false alarm rate, a better understanding of the network context, and the ability of the detection engine to detect cooperative multi-stage attacks targeting different network components.

4. Expected outputs (1 page max)

Methodology proposed:

1- Study of the dynamics of multiple protocols according to their specifications, using techniques similar to the CPNI [9] document for TCP. The initial target of the study is the IP/{TCP|UDP}/HTTP stack, but this should be extended to other protocols, e.g. VoIP.
2- Study of the cross-layer correlation to improve both detection (detect attacks previously not detected by classic means) and diagnosis (more reliably detect known attacks), including the topology of the monitored network.
3- Study of the different attacks targeting a network, in order to model and create the attack behaviour detector.
4- Study of the information that needs to be present in the network topology profile and the network security detector, and of the way in which this information should be collected.
5- Study of detector combination. The previously designed detectors should be integrated in a complete detection architecture to fuse all the proposed small-scale detectors into a single system with complete diagnosis ability.
By applying this methodology we could reach a detection mechanism that is immune to evasion attacks and covers attacks targeting different protocol layers and spanning many services. The expected outputs and activities of our project are as follows:

1- First we will focus on the transport layer of the TCP/IP protocol stack and model the temporal aspect of this layer. The study will use the Internet traces provided by many research organizations to study the behavior of Internet traffic in real circumstances. The detection mechanism in this part should be implemented using Bro and tested against public traces of attacks targeting the transport protocol layer. The results of this part should be published in known journals.
2- After finishing the first part, we will focus on the application layer of the TCP/IP protocol stack. We will first address the VoIP services, and more especially the SIP and RTP protocols. In this part we have to install a VoIP lab that contains a SIP proxy server and many SIP phones. We should try to create a detection mechanism based on protocol specification to detect the different attacks targeting these services.
3- In this part we will work on payload detection for web services. We will propose a detection mechanism based on the specification of web behavior to detect anomalies in the payload part of web communication.
4- All the above outputs should be correlated together to enrich and improve the semantics of the detection mechanism. We believe that by doing so, we could propose a novel detection mechanism capable of detecting a wide variety of attacks. At this stage we should publish our contributions in known research journals. The results should be deduced after installing a lab made of a web server interacting with a SIP server, web users and many SIP clients.

We should note that, to achieve these outputs, the IDS will use the different profiles mentioned in the introduction of the project.
5. Obtained results (5 to 10 pages)

Appendices can be added at the end of this document.

I. First contribution: congestion detection

We started our work by studying the transport layer of the TCP/IP protocol stack, and especially the widely used TCP protocol. TCP is a reliable protocol that uses timers to ensure this reliability. It is vulnerable to a wide range of attacks, which are well described in [1]. Our intention at the beginning was to introduce a TCP attack detection mechanism that takes into consideration the timing aspect of TCP. Based on this intention we proposed a detection mechanism that we found suitable not only for detecting Distributed Denial of Service attacks but also for congestion detection. Following is a detailed description of our work and results.

A. State of the art and related work

Active Queue Management (AQM) algorithms are among the main proposed solutions to control and avoid congestion in the Internet. These algorithms passively monitor router queues in order to detect congestion. Once the number of packets waiting in the queue exceeds a specified threshold, the algorithm considers that congestion is occurring. The algorithm then manages the router queue in order to avoid and control congestion. RED is the most famous AQM algorithm. When the queue occupancy reaches a certain threshold, RED drops TCP packets based on a probabilistic relation. When packets are dropped, the parties using the TCP congestion control mechanism notice that congestion is occurring and slow down their communication. Although AQM is among the main solutions deployed nowadays to avoid congestion, it has many shortcomings.
First, the detection phase is based on the router’s IP level information, which is not sufficient to detect all congestion situations. Second, no study has examined how several AQMs cooperate. Both of these drawbacks stem from the detection mechanism of the AQM algorithms. To overcome these drawbacks we propose a real-time congestion detection mechanism capable of detecting congestion by passively monitoring an aggregation link. Our detection mechanism uses TCP delays as its detection parameter, since increased delay is a common symptom of all congestion scenarios. Our proposed detection mechanism does not need parameterization. All the parameters used were deduced from public real Internet traces using statistical approaches.

B. Our algorithm

Our algorithm mainly monitors TCP sessions. TCP is a reliable protocol that uses timers to deliver IP packets reliably and to detect anomalies on the network. Every packet sent by TCP should be acknowledged. If an acknowledgment is not received after a specified period of time, TCP considers that the packet was not received and sends the unacknowledged packet again. This procedure is repeated many times until an acknowledgment is received or until TCP drops the session. When a link suffers from congestion, one of the main consequences is an increase in delays. Based on this, our algorithm monitors the delays experienced by different TCP sessions to detect congestion.

We propose a dynamic congestion detection mechanism that is able to detect congestion accurately, quickly and in real time by passively monitoring link traffic. The dynamic behavior of our algorithm rests on the fact that the more severe the congestion, the closer the delays experienced on a link come to the abnormal delay threshold.
Because of that we propose to dynamically tune the detection mechanism based on the severity of the congestion. Our algorithm is tuned dynamically between two delay thresholds. The first threshold, “PrAb”, represents the delay after which the session is probably abnormal. The second threshold, “Ab”, represents the delay after which we consider that a session is abnormal and suffers from a problem. When “PrAb” is reached, there is a high probability that the delay experienced by this session will reach the “Ab” threshold. To dynamically tune our algorithm between these two thresholds, we propose the following relation:

for every active session: if t >= Dif – x*Dif/Max then y = y + 1

where “t” is the time elapsed after reaching the PrAb threshold, Dif is the difference in seconds between Ab and PrAb, x is the number of sessions that have been waiting for more than PrAb, and Max is the acceptable percentage of sessions that could reach the Ab threshold under normal circumstances.

C. Parameters specification

Implementing and validating our algorithm requires two major steps. First, we have to specify the PrAb and Ab thresholds used by our algorithm. Second, we will use these variables to validate the efficiency of our algorithm on real public network traces.

1. PrAb and Ab specification

To specify the values of PrAb and Ab, we decided first to study the TCP delay behavior on the Internet. To do so, we chose ten public traffic traces provided by the MAWI dataset. Two reasons were behind our choice. First, the MAWI dataset provides a large amount of Internet traces collected in a real case scenario. The traces were collected from a transpacific aggregation link. Every trace file consists of 15 minutes containing around () packets.
The second reason is the MAWILab labeling, which labels all the attacks present in the dataset. This helps us clean the MAWI traces of all the malicious sessions to come up with normal, clean traces. We studied the TCP delay behavior by applying the following methodology:

i. Cleaning the studied traces: for every chosen trace file, we deleted all the sessions containing IP addresses labeled as malicious by the MAWILab labeled dataset. This helps us derive results from normal TCP sessions. Most of the surveyed previous work used training phases where so-called normal traffic is injected into the network to train the detector. We believe that this procedure is difficult in real case scenarios. To overcome this problem, we decided to deduce values from cleaned real Internet datasets to make our algorithm efficient in real case scenarios.

ii. Extracting different delay proportions: for every chosen trace file, we computed the percentage of delayed packets which arrive after 1, 2, 3 … 15 seconds of delay. Our study is based on the delays experienced by the TCP packets sent by the TCP clients. We chose the delays experienced by the TCP clients instead of those experienced by the TCP servers because clients can provide us with a wider network overview.

Figure 1 presents the studied statistical results; the legend of the figure lists the chosen trace files. The horizontal axis presents the delay durations studied, and the vertical axis presents the percentage of packets experiencing these delays with respect to the total number of packets. Figure 2 presents the mean of the different studied traces and the standard deviation.
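The tuning relation of section B, written out as a Python sketch. This is an added example, not the authors' Bro script. It assumes PrAb = 4 s, Ab = 13 s and Max = 1.7 (the delays and the mean studied in section C, which the report does not state as final values), that x is expressed as a percentage of active sessions so that it is comparable to Max, and that an alarm is raised when the share of counted sessions y exceeds Max.

```python
from dataclasses import dataclass

# Assumed values: the report studies the 4 s and 13 s delays and gives 1.7 for
# the 13 s population mean; it does not state the final thresholds it used.
PRAB = 4.0   # seconds: delay after which a session is "probably abnormal"
AB = 13.0    # seconds: delay after which a session is abnormal
MAX = 1.7    # percent of sessions allowed to reach Ab in normal conditions


@dataclass
class Verdict:
    x_percent: float   # share of active sessions waiting longer than PrAb
    threshold: float   # effective delay (s) at which a session is counted
    y: int             # sessions counted as abnormal
    congested: bool    # assumed alarm rule, see evaluate()


def effective_threshold(x_percent, prab=PRAB, ab=AB, max_pct=MAX):
    """Delay at which a session is counted: Ab when x = 0, PrAb once x >= Max."""
    dif = ab - prab
    # Right-hand side of the report's relation, Dif - x*Dif/Max, floored at 0.
    t_needed = max(0.0, dif - x_percent * dif / max_pct)
    return prab + t_needed


def evaluate(delays, prab=PRAB, ab=AB, max_pct=MAX):
    """delays: seconds each active session has waited for a pending ACK."""
    if not delays:
        return Verdict(0.0, ab, 0, False)
    waiting = [d for d in delays if d > prab]
    x_percent = 100.0 * len(waiting) / len(delays)
    thr = effective_threshold(x_percent, prab, ab, max_pct)
    # t = d - PrAb, so "t >= Dif - x*Dif/Max" is the same test as "d >= thr".
    y = sum(1 for d in waiting if d >= thr)
    # Assumption: the alarm fires when the counted share exceeds Max.
    congested = 100.0 * y / len(delays) > max_pct
    return Verdict(x_percent, thr, y, congested)


# Constructed snapshots (not taken from the MAWI or CAIDA traces).
QUIET = [0.2] * 995 + [6.0] * 5        # 0.5 % of sessions past PrAb
CONGESTED = [0.2] * 900 + [5.0] * 100  # 10 % of sessions past PrAb

if __name__ == "__main__":
    for name, snapshot in (("quiet", QUIET), ("congested", CONGESTED)):
        print(name, evaluate(snapshot))
```

In the quiet snapshot the five slow sessions are 2 s past PrAb but the effective threshold is still above 10 s, so none is counted; in the congested snapshot the threshold has collapsed to PrAb and every waiting session is counted at once.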
[Figure 1: statistical results for every trace file. Vertical axis: percentage of delayed packets; horizontal axis: delay duration in seconds (1 to 15); legend: trace files of 1/2/2010, 2/24/2010, 5/22/2010, 6/6/2010, 6/11/2010, 6/24/2010, 7/9/2010, 9/18/2010, 11/30/2010 and 12/13/2010.]

[Figure 2: statistical results, means and standard deviation. Vertical axis: percentage of delayed packets; horizontal axis: delay duration in seconds (1 to 15); series: mean, standard deviation.]

2. Max specification

We used the central limit theorem, applied to the 10 statistical samples, to make an inference about the percentage of packets delayed by 4 and 13 seconds in the Internet. The central limit theorem states that if the sample size is sufficiently large (greater than 30), then the mean of a random sample from a population has a sampling distribution that is approximately normal, regardless of the shape of the distribution of the population. Based on this theorem, we divided every 15-minute trace into 30-second samples. This results in a sample size of 30 for every trace file. We computed the percentage of packets delayed by 4 and 13 seconds during every 30-second period, then the mean of the sample (the mean of the 30 periods of 30 seconds in the chosen traffic trace), and then the mean of the 10 means obtained for the 10 different trace files. From this we deduced that the population mean of the 13 seconds delay is 1.7.

D. Algorithm implementation

We used IDS Bro [8] to implement our algorithm and test its efficiency against different public traces. Bro provided us with a powerful policy script language that is well suited to implementing our algorithm. We tested our implementation using two categories of traces. The first category is made of public data traces collected from congested networks.
We found that the MAWI connection was suffering from congestion during the year 2003. The congestion was due to the limited capacity of the MAWI link during this period, which later led to an upgrade of the link capacity. Our algorithm was able to detect congestion in around 7 seconds. We also used the public CAIDA traffic traces, which contain approximately one hour of a DDoS attack on August 4, 2007. This type of denial-of-service attack attempts to block access to the targeted server by consuming computing resources on the server and by consuming all of the bandwidth of the network connecting the server to the Internet. Our algorithm detected congestion in around 10 seconds; this is because the attack was not intense in the beginning.

The second testing category used non-congested traces. We used these traces to validate the efficiency of the proposed algorithm in terms of false negative rate. We used MAWI traffic traces collected during periods where the link was not suffering from congestion. No congestion alarms were fired.

6. Summary table of expected and obtained results

Expected outputs

The objective of our project is to propose and test new detection techniques that should be used by Network Intrusion Detection Systems (NIDS). Our goal is to create an anomaly based intrusion detection system that uses the specification technique to build the normal profile. To achieve our goal, the detection mechanism will inspect all the TCP/IP protocols used by the communication. All the results of this inspection should be correlated in a way to better understand the semantics of the communication. Our technique will be implemented using IDS Bro.

Obtained results

1.
We proposed a mechanism that is capable of detecting congestion by passively monitoring an aggregation link.
2. We proposed a security mechanism that protects SIP sessions against signaling attacks. The mechanism uses a SIP fingerprint to authenticate messages, in order to prevent spoofing. We validated our robust mechanism using Openssl and Sipp.

3. Possible encountered difficulties

4. Scientific publications (articles in peer review journals, books, communications, etc.)

(Attach a copy of each publication as it appeared in the journal)

A publication was composed and will be submitted very soon to an international scientific journal.
IEEE – ICCIT, Third International Conference on Communications and Information Technology (ICCIT), Beirut - 2013 - “A TCP delay based mechanism for detecting congestion in the internet”.
IEEE – NTMS2014, Sixth international conference on new technologies, mobility and security (NTMS), Dubai - 2014 - “End to end mechanism to protect SIP from signaling attacks”.
Training of Master II Risk management in Information System, Mariam Saleh, 2013-2014.
Training of Master II Risk management in Information System, Mohammad Rmayti, 2011-2012.

5. Oral presentations or posters in national, regional and international conferences
(Attach a copy of each presentation as it was presented or published in refereed conference proceedings)

IEEE – ICCIT, Third International Conference on Communications and Information Technology (ICCIT), Beirut - 2013 - “A TCP delay based mechanism for detecting congestion in the internet”.
IEEE – NTMS2014, Sixth international conference on new technologies, mobility and security (NTMS), Dubai - 2014 - “End to end mechanism to protect SIP from signaling attacks”.
Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie - 2011/2012.
Poster - Journées Scientifiques à l’Ecole Doctorale de Sciences et Technologie - 2012/2013 - Cross layer Intrusion detection System.
Oral presentation – Third Doctoral Forum EDST – Lebanese University - 25-26 June 2013 – “Cross layer Intrusion Detection System”.

How to submit the final report?
The final report must be submitted to the Council in two versions:
A hard copy, which can be mailed or delivered directly to the Council administrative seat;
An electronic version, as a Word document, on CD-ROM or USB drive, or sent by email to the Council at the following address: grp@cnrs.edu.lb

11. Submission of the final report:

01.0 At the end of the project (one or two years), the researcher must submit a final report (a paper copy and an electronic copy in Word format on CD, on USB, or sent to the Council by e-mail at grp@cnrs.edu.lb), following the template adopted by the Council and available on the Council's website http://www.cnrs.edu.lb, together with the financial settlement of the research project. The final report is accepted only if the researcher clearly presents a detailed table showing what was accomplished compared with the outputs envisaged when the project was accepted. It must contain only what is directly related to the research project supported by the Council, without overloading it with other details or activities, and must focus exclusively on the results the researcher obtained.

01.4 In evaluating the final report, the Council relies on the scientific importance of the articles published by the researcher that relate to the research project supported by the Council, measured through a number of international criteria and indicators, for example: Impact Factor, Citation Index.