Anas Abou El Kalam

Integrity-OrBAC: a new model to preserve Critical Infrastructures integrity

Nations development depends heavily on the proper functioning of their Critical Infrastructures (CIs). Their security requirements are very important since small dysfunctions can deeply affect nation stability. We focus on their integrity need because Critical Information Infrastructures (CIIs) manipulate data that must be correct. The differentiation of their various elements security needs is essential to their protection. Unfortunately, existent access control models do not completely meet the CIIs requirements for many reasons. The Organization-Based Access Control (OrBAC) model, however, presents several strengths but it does neither consider the differentiation concept nor cope with integrity issues. In this paper, we work to enrich OrBAC with integrity mechanisms and means of differentiation. Integrity-OrBAC (I-OrBAC) is our extension and it is a proactive model. I-OrBAC is a multi-integrity level model that enables quantifying the integrity needs of each CII element, in term of credibility or criticality, to take optimal access control decisions. Given a triple (context, view and activity), we propose a way to determine the best subjects of the role selected to perform the activity through the calculation of integrity level thresholds. This idea is illustrated by a security policy example. We also propose a role priority concept and an algorithm that make security policies more flexible. The algorithm is described by an inference system. Regarding the implementation, we extend XACML to reflect the properties of our entities. Steps for access decision-making are detailed and scenarios used to test the implementation are presented.

Towards a new intelligent generation of intrusion detection system

This paper presents a survey of distributed Intrusion Detection Systems (IDS) based on intelligent and mobile agents; it also proposes a new concept of proactive IDS. At first, we introduce the topic. Then, we present limitations of classical IDSs. In the third part, we study the technologies of agent and multi-agent system and present benefits of using it to address shortcoming of classical IDSs. Finally, we present our approach and future work.

A model-driven approach for experimental evaluation of intrusion detection systems

Because attacks are becoming more frequent and more complex, intrusion detection systems IDSes need significant improvements to be able to detect new attacks and variants of already known attacks. It is thus necessary to assess precisely their quality of detection, performance, and robustness in the environment where they will be deployed. In this paper, we present an evaluation approach designed to overcome most of the identified weaknesses in several IDS evaluation: the lack of a rigorous methodology, the use of non-representative test datasets, and the use of inappropriate metrics. In our approach, model-based evaluation is combined with experimental testing. Because testing an IDS against all possible attacks is practically impossible, we propose a classification of elementary attacks and a model of attack processes. Then, we developed the attack planning and injection tool that helps security administrators to plan and select the most relevant attack scenarios. Attack planning and injection tool is able to generate and carry out concrete and adaptable attacks on specifically identified computers. To demonstrate the validity of our approach, we experimented our tool in a case study environment to compare well-known IDSes. Copyright

Integrity-Organization Based Access Control for Critical Infrastructure Systems

The organization-based access control (OrBAC) model is an access control model that helps evaluate the security policies of organizations. OrBAC affords a high degree of expressiveness and scalability. The model, however, does not readily express integrity constraints. Integrity is one of the most important properties for critical infrastructure systems, mainly due to their criticality and low tolerance of corruption and alterations. This paper describes an extension of OrBAC, called Integrity-OrBAC (I-OrBAC), which models integrity attributes associated with critical infrastructure systems. I-OrBAC facilitates the modeling of multiple integrity levels to express the requirements of different critical infrastructure organizations. An example security policy is presented to demonstrate the expressiveness of the model.

Firewall Anti-Leak of Sensitive Data☆

Abstract Recently Smartphones have become more robust tools in terms of storage capacity and computing power, effective tools for business to improve productivity, and daily tools for many people due to the various services they offer and allow to end users to perform multiple tasks and be always updated on the move. This has made it a favorite target for malicious applications that specifically attack their personal and professional data. To overcome this problem, mobile platforms have set up a security system based on the permissions model; the user decides whether to validate the permissions requested by an application before installation, or to abort the installation. In case the user needs to install an application, and that application requests unjustified permissions, this represents a particularly troublesome weakness. In this paper, we propose a firewall Anti-Leak of Sensitive Data (ALSD), allowing reliable protection against leakage of sensitive personal and professional data. This integrated solution to the mobile operating system is based on automated analysis of markets; it allows blocking applications query on the sensitive data while ensuring their proper functioning.

Automatic Classification and Detection of Snort Configuration Anomalies - a Formal Approach

IDSs are core elements in network security. The effectiveness of security protection provided by an IDS mainly depends on the quality of its configuration. Unfortunately, configuring an IDS is work-intensive and error prone if performed manually. As a result, there is a high demand for analyzing and discovering automatically anomalies that can arise between rules. In this paper, we present (1) a new classification of anomalies between IDS rules, (2) three inference systems allowing automatic anomaly detection for discovering rule conflicts or redundancies and potential problems in IDS configuration, (3) optimization of IDS rules by removing automatically redundant rules and (4) formal specification and validation of these techniques and demonstration of the advantages of proposed approach on the sets of rules provided by open source Snort IDS. These techniques have been implemented and we proved the correctness of our method and demonstrated its applicability and scalability. The first results we obtained are very promising.

Specifying and enforcing constraints in dynamic access control policies

Constraints in access control models are used to organize access privileges in order to avoid fraudulent situations. Ensuring that the constraints are satisfied during the evolution of the system is an important issue. Thus, there is a need to have a formal reasoning language in order to express the constraints policy and to prove that the constraints are always satisfied. In this work, we propose a formal language based on the deontic logic of actions and situation calculus. The proposed language is easy to use to specify various constraints mentioned in the literature. In addition, we formally specify the condition to prove that the system specification is secure with respect to the access control requirements.

Biometric authentication systems based on hand pattern vein, digital certificates and smart cards

This paper describes and implements an authentication solution using biometrics, digital certificates and smartcards to solve the security problems in the authentication process. The first part is a general introduction to the topic, the second is s brief overview about using biometrics, more exactly hand vein pattern, the third part presents a method of extracting the pattern vein of the back of the hand also how to match two templates. The fourth part presents the two necessary phases in any authentication system: the enrollment and the authentication. A proposed authentication protocol is described too. The fifth part generalize the possible attacks and vulnerabilities in a biometric authentication system and it also shows how our system is able to avoid them. The sixth part talks about the implementation of the application. Finally, in the conclusion, we tried to summarize our work and prove the benefits of using this system.

Securing the mobile environment: firewall anti-leak of sensitive data on smartphone

The growth of the smartphone 1 market broke the record in recent years, smartphones have become more robust tools in terms of storage capacity and computing power, effective tools for business to improve productivity, and daily tools for many people due to the various services they offer and allow to end users to perform multiple tasks and be always updated on the move. This has made it a favorite target for malicious applications that specifically attack their personal and professional data. To overcome this problem, mobile platforms have set up a security system based on the permissions model; the user decides whether to validate the permissions requested by an application before installation, or to abort the installation. In case the user needs to install an application, and that application requests unjustified permissions, this represents a particularly troublesome weakness. In this study, we are going to handle the case of the Open Source Android platform, currently managed by Google. Despite the efforts to create a scalable and secure operating system, Google is not able to process the information of user privacy. Any Android application can discreetly retrieve sensitive data from the smartphone without notifying the user. In this paper, we propose a firewall Anti-Leak of Sensitive Data on Smartphone (ALSDS), allowing reliable protection against leakage of sensitive personal and professional data, and it allows providing notifications to the user. This integrated solution to the mobile operating system is based on automated analysis of markets; it allows blocking applications query on the sensitive data while ensuring their proper functioning.

Mobile app security by fragmentation "MASF"

Mobile cloud computing (MCC) appears as a new computing paradigm which offers computer applications and services with high performance. MCC combines mobile computing and cloud computing, has become one of the main threads of discussion in the IT world since 2010. Smartphones are considered as the representative for the several mobile devices as they have been connected to the Internet with the rapidly growing of wireless network technology or mobile generation network (3G, 4G or 5G). Furthermore, the security presents the important challenge not just in the MCC architecture but also in the smartphone. In this paper, we focus our study in mobile application security because it considered as standard terminal used in MCC. Especially, we present the global architecture and the security of android as popular operating system for mobile phone. In our proposal design, we investigate the possibility to use the fragmentation technique with security policy strategies as access security mechanism to protect data from installed application. The paper concludes by strongly suggesting that can be as future research.