Djedjiga Mouheb

Formal Verification and Validation of UML 2.0 Sequence Diagrams using Source and Destination of Messages

A major challenge in software development process is to advance error detection to early phases of the software life cycle. For this purpose, the Verification and Validation (V&V) of UML diagrams play a very important role in detecting flaws at the design phase. It has a distinct importance for software security, where it is crucial to detect security flaws before they can be exploited. This paper presents a formal V&V technique for one of the most popular UML diagrams: sequence diagrams. The proposed approach creates a PROMELA-based model from UML interactions expressed in sequence diagrams, and uses SPIN model checker to simulate the execution and to verify properties written in Linear Temporal Logic (LTL). The whole technique is implemented as an Eclipse plugin, which hides the model-checking formalism from the user. The main contribution of this work is to provide an efficient mechanism to be able to track the execution state of an interaction, which allows designers to write relevant properties involving send/receive events and source/destination of messages using LTL. Another important contribution is the definition of the PROMELA structure that provides a precise semantics of most of the newly UML 2.0 introduced combined fragments, allowing the execution of complex interactions. Finally, we illustrate the benefits of our approach through a security-related case study in a real world scenario.

Usability of Security Specification Approaches for UML Design: A Survey.

Since it is the de facto language for software specification and design, UML is the target language used by almost all state of the art contributions handling security at specification and design level. However, these contributions differ in the covered security requirements, specification approaches, verification tools, etc. This paper investigates the main approaches adopted for specifying and enforcing security at UML design and surveys the related state of the art. The main contribution of this paper is a discussion of these approaches from usability viewpoint. A set of criteria has been defined and used in this usability discussion. The discussed UML approaches are stereotypes and tagged values, OCL, and behavior diagrams. Extending the UML meta-language or creating new meta-languages for security specification are also covered by this study.

Weaving security aspects into UML 2.0 design models

Security plays a predominant role in software engineering. Nowadays, security solutions are generally added to existing software either as an afterthought, or manually injected into software applications. However, given the complexity and pervasiveness of todays software systems, the current practices might not be completely satisfactory. In most cases, security features remain scattered and tangled throughout the entire software, resulting in complex applications that are hard to understand and maintain. In this paper, we propose an aspect-oriented modeling approach to systematically integrate security solutions into software during the early phases of the software development life cycle. First, we present the security design weaving approach, as well as the UML profile needed for specifying security aspects. Then, we illustrate the approach through an example for injecting the design-level security aspects into base models.

Aspect-Oriented Modeling for Representing and Integrating Security Concerns in UML

Security is a challenging task in software engineering. Enforcing security policies should be taken care of during the early phases of the software development process to more efficiently integrate security into software. Since security is a crosscutting concern that pervades the entire software, integrating security at the software design level may result in the scattering and tangling of security features throughout the entire design. To address this issue, we present in this paper an aspect-oriented modeling approach for specifying and integrating security concerns into UML design models. In the proposed approach, security experts specify high-level and generic security solutions that can be later instantiated by developers, then automatically woven into UML design. Finally, we describe our prototype implemented as a plug-in in a commercial software development environment.

Graph-theoretic characterization of cyber-threat infrastructures

In this paper, we investigate cyber-threats and the underlying infrastructures. More precisely, we detect and analyze cyber-threat infrastructures for the purpose of unveiling key players (owners, domains, IPs, organizations, malware families, etc.) and the relationships between these players. To this end, we propose metrics to measure the badness of different infrastructure elements using graph theoretic concepts such as centrality concepts and Google PageRank. In addition, we quantify the sharing of infrastructure elements among different malware samples and families to unveil potential groups that are behind specific attacks. Moreover, we study the evolution of cyber-threat infrastructures over time to infer patterns of cyber-criminal activities. The proposed study provides the capability to derive insights and intelligence about cyber-threat infrastructures. Using one year dataset, we generate notable results regarding emerging threats and campaigns, important players behind threats, linkages between cyber-threat infrastructure elements, patterns of cyber-crimes, etc.

Spam campaign detection, analysis, and investigation

Spam has been a major tool for criminals to conduct illegal activities on the Internet, such as stealing sensitive information, selling counterfeit goods, distributing malware, etc. The astronomical amount of spam data has rendered its manual analysis impractical. Moreover, most of the current techniques are either too complex to be applied on a large amount of data or miss the extraction of vital security insights for forensic purposes. In this paper, we elaborate a software framework for spam campaign detection, analysis and investigation. The proposed framework identifies spam campaigns on-the-fly. Additionally, it labels and scores the campaigns as well as gathers various information about them. The elaborated framework provides law enforcement officials with a powerful platform to conduct investigations on cyber-based criminal activities.

Aspect weaver: a model transformation approach for UML models

Aspect-Oriented Modeling (AOM) is an emerging solution for handling crosscutting concerns at the software modeling level in order to reduce the complexity of software models and application code. In this paper, we present the implementation strategies of an aspect-oriented approach for weaving crosscutting concerns into UML models. The main advantages of the design and the implementation of our approach are the portability and the expressiveness thanks to the OMG standards: OCL and QVT languages. We instrument OCL to translate pointcuts into a language that can easily navigate a diagram and query its elements. We implement aspect weaving as a model-to-model transformation using QVT. Additionally, we provide semantics for matching and weaving in UML activity diagrams. Finally, we demonstrate the viability and the relevance of our propositions using a case study.

Cypider: building community-based cyber-defense infrastructure for android malware detection

The popularity of Android OS has dramatically increased malware apps targeting this mobile OS. The daily amount of malware has overwhelmed the detection process. This fact has motivated the need for developing malware detection and family attribution solutions with the least manual intervention. In response, we propose Cypider framework, a set of techniques and tools aiming to perform a systematic detection of mobile malware by building an efficient and scalable similarity network infrastructure of malicious apps. Our detection method is based on a novel concept, namely malicious community, in which we consider, for a given family, the instances that share common features. Under this concept, we assume that multiple similar Android apps with different authors are most likely to be malicious. Cypider leverages this assumption for the detection of variants of known malware families and zero-day malware. It is important to mention that Cypider does not rely on signature-based or learning-based patterns. Alternatively, it applies community detection algorithms on the similarity network, which extracts sub-graphs considered as suspicious and most likely malicious communities. Furthermore, we propose a novel fingerprinting technique, namely community fingerprint, based on a learning model for each malicious community. Cypider shows excellent results by detecting about 50% of the malware dataset in one detection iteration. Besides, the preliminary results of the community fingerprint are promising as we achieved 87% of the detection.

Aspect weaving in UML activity diagrams: a semantic and algorithmic framework

Aspect-Oriented Modeling (AOM) is an emerging solution for handling crosscutting concerns at the software modeling level in order to reduce the complexity of software models and application code. Most existing work on weaving aspects into UML design models is presented from a practical perspective and lacks formal syntax and semantics. In this paper, we propose formal specifications for aspect weaving into UML activity diagrams and the implementation strategies of the proposed weaving semantics. To this end, we define syntax for activity diagrams and UML aspects. We also show the correctness and the completeness of the matching and the weaving processes in terms of the semantics and the algorithms provided in this paper. Finally, we demonstrate the viability and the relevance of our propositions using a case study.

BinSign: Fingerprinting Binary Functions to Support Automated Analysis of Code Executables

Binary code fingerprinting is a challenging problem that requires an in-depth analysis of binary components for deriving identifiable signatures. Fingerprints are useful in automating reverse engineering tasks including clone detection, library identification, authorship attribution, cyber forensics, patch analysis, malware clustering, binary auditing, etc. In this paper, we present BinSign, a binary function fingerprinting framework. The main objective of BinSign is providing an accurate and scalable solution to binary code fingerprinting by computing and matching structural and syntactic code profiles for disassemblies. We describe our methodology and evaluate its performance in several use cases, including function reuse, malware analysis, and indexing scalability. Additionally, we emphasize the scalability aspect of BinSign. We perform experiments on a database of 6 million functions. The indexing process requires an average time of 0.0072 s per function. We find that BinSign achieves higher accuracy compared to existing tools.