Publication


Featured research published by Issam Aib.


international conference on networking | 2010

Survivable virtual network embedding

Muntasir Raihan Rahman; Issam Aib; Raouf Boutaba

Network virtualization can offer more flexibility and better manageability for the future Internet by allowing multiple heterogeneous virtual networks (VN) to coexist on a shared infrastructure provider (InP) network. A major challenge in this respect is the VN embedding problem that deals with the efficient mapping of virtual resources on InP network resources. Previous research focused on heuristic algorithms for the VN embedding problem assuming that the InP network remains operational at all times. In this paper, we remove that assumption by formulating the survivable virtual network embedding (SVNE) problem and developing a hybrid policy heuristic to solve it. The policy is based on a fast re-routing strategy and utilizes a pre-reserved quota for backup on each physical link. Evaluation results show that our proposed heuristic for SVNE outperforms baseline heuristics in terms of long term business profit for the InP, acceptance ratio, bandwidth efficiency, and response time.


Journal of Network and Systems Management | 2007

Policy-based Management: A Historical Perspective

Raouf Boutaba; Issam Aib

This paper traces the history of policy-based management and how it evolved from the first security models dating back to the late 1960’s until today’s more elaborate frameworks, languages, and policy-based management tools. The focus will be on providing a synthesized chronicle of the evolution of ideas and research trends rather than on surveying the various specification formalisms, frameworks, and application domains of policy-based management.


IEEE ACM Transactions on Networking | 2012

FireCol: a collaborative protection network for the detection of flooding DDoS attacks

Jérôme François; Issam Aib; Raouf Boutaba

Distributed denial-of-service (DDoS) attacks remain a major security problem, the mitigation of which is very hard especially when it comes to highly distributed botnet-based attacks. The early discovery of these attacks, although challenging, is necessary to protect end-users as well as the expensive network infrastructure resources. In this paper, we address the problem of DDoS attacks and present the theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks.


IEEE Transactions on Network and Service Management | 2011

Dirichlet-Based Trust Management for Effective Collaborative Intrusion Detection Networks

Carol J. Fung; Jie Zhang; Issam Aib; Raouf Boutaba

The accuracy of detecting intrusions within a Collaborative Intrusion Detection Network (CIDN) depends on the efficiency of collaboration between peer Intrusion Detection Systems (IDSes) as well as the security itself of the CIDN. In this paper, we propose Dirichlet-based trust management to measure the level of trust among IDSes according to their mutual experience. An acquaintance management algorithm is also proposed to allow each IDS to manage its acquaintances according to their trustworthiness. Our approach achieves strong scalability properties and is robust against common insider threats, resulting in an effective CIDN. We evaluate our approach based on a simulated CIDN, demonstrating its improved robustness, efficiency and scalability for collaborative intrusion detection in comparison with other existing models.


integrated network management | 2009

Robust and scalable trust management for collaborative intrusion detection

Carol J. Fung; Jie Zhang; Issam Aib; Raouf Boutaba

The accuracy of detecting intrusions within an Intrusion Detection Network (IDN) depends on the efficiency of collaboration between the peer Intrusion Detection Systems (IDSes) as well as the security itself of the IDN against insider threats. In this paper, we study host-based IDNs and introduce a Dirichlet-based model to measure the level of trustworthiness among peer IDSes according to their mutual experience. The model has strong scalability properties and is robust against common insider threats, such as a compromised or malfunctioning peer. We evaluate our system based on a simulated collaborative host-based IDS network. The experimental results demonstrate the improved robustness, efficiency, and scalability of our system in detecting intrusions in comparison with existing models.


distributed systems operations and management | 2008

Trust Management for Host-Based Collaborative Intrusion Detection

Carol J. Fung; Olga Baysal; Jie Zhang; Issam Aib; Raouf Boutaba

The accuracy of detecting an intrusion within a network of intrusion detection systems (IDSes) depends on the efficiency of collaboration between member IDSes. The security itself within this network is an additional concern that needs to be addressed. In this paper, we present a trust-based framework for secure and effective collaboration within an intrusion detection network (IDN). In particular, we define a trust model that allows each IDS to evaluate the trustworthiness of others based on personal experience. We prove the correctness of our approach in protecting the IDN. Additionally, experimental results demonstrate that our system yields a significant improvement in detecting intrusions. The trust model further improves the robustness of the collaborative system against malicious attacks.


IEEE Transactions on Network and Service Management | 2007

On Leveraging Policy-Based Management for Maximizing Business Profit

Issam Aib; Raouf Boutaba

This paper presents a systematic approach to business and policy driven refinement. It also discusses an implementation of an application-hosting service level agreement (SLA) use case. We make use of a simple application hosting SLA template, for which we derive a low-level policy-based service level specification (SLS). The SLS policy set is then analyzed for static consistency and runtime efficiency. The Static Analysis phase involves several consistency tests introduced to detect and correct errors in the original SLS. The Dynamic analysis phase considers the runtime dynamics of policy execution as part of the policy refinement process. This latter phase aims at optimizing the business profit of the service provider. Through mathematical approximation, we derive three policy scheduling algorithms. The algorithms are then implemented and compared against random and first come first served (FCFS) scheduling. This paper shows, in addition to the systematic refinement process, the importance of analyzing the dynamics of a policy management solution before it is actually implemented. The simulations have been performed using the VS Policy Simulator tool.


2006 IEEE/IFIP Business Driven IT Management | 2006

Business aware Policy-based Management

Issam Aib; Mathias Salle; Claudio Bartolini; Abdel Boulmakoul; Raouf Boutaba; Guy Pujolle

In this paper, we introduce a business aware framework for the policy-based management of IT Systems and its application to utility computing environments. The framework couples two main subsystems on top of an IETF-like policy-based resource control layer. They are MBO (Management by Business Objectives) where the decision ability supported by analysis of business objectives resides, and GSLA (Generalized SLA), an advanced framework for SLA driven management that lends itself quite naturally to the derivation of IT management policies from the SLAs that the enterprise has contracted. We discuss the advantages and the limitations of the state-of-art policy-based approach to systems management, mainly the lack of business and service level context to drive policy-related decisions at system runtime. We then explain how this is remedied in our framework through the interaction mechanism between the reactive policy-based resource control layer and the more proactive business driven decision making engine.


international conference on communications | 2009

Policy-Based Security Configuration Management, Application to Intrusion Detection and Prevention

Khalid Alsubhi; Issam Aib; Jérôme François; Raouf Boutaba

Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against the variety of attacks that can compromise the security and well functioning of an enterprise information system. IDPSes can be network or host-based and can collaborate in order to provide better detections of malicious traffic. Although several IDPS systems have been proposed, their appropriate configuration and control for effective detection and prevention of attacks has always been far from trivial. Another concern is related to the slowing down of system performance when maximum security is applied, hence the need to trade off between security enforcement levels and the performance and usability of an enterprise information system. In this paper we motivate the need for and present a policy-based framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach is based on dynamic adaptation of security measures based on the assessment of system vulnerability and threat prediction and provides several levels of attack containment. As an application, we have implemented a dynamic policy-based adaptation mechanism between the Snort signature-based IDPS and the light weight anomaly-based FireCollaborator IDS. Experiments conducted over the DARPA 2000 and 1999 intrusion detection evaluation datasets show the viability of our framework.


international ifip-tc networking conference | 2006

GXLA a language for the specification of service level agreements

Badis Tebbani; Issam Aib

In this work we propose GXLA, a language for the specification of Service Level Agreements (SLA). GXLA represents the implementation of the Generalized Service Level Agreement (GSLA) information model we proposed in a previous work. It supports multi-party service relationships through a role-based mechanism. It is intended to catch up the complex nature of service interactivity in the broader range of SLA modeling of all sorts of IT business relationships. GXLA is defined as an XML schema which provides a common ground between the entities in order to automate the configuration. GXLA can be used by service providers, service customers, and third parties in order to configure their respective IT systems. Each party can use its own independent SLA interpretation and deployment technique to enforce the role it has to play in the contract. An illustrative VoIP service negotiation shows how GXLA is used for automating the process of SLA negotiation and deployment.

Collaboration


Top Co-Authors

Carol J. Fung

Virginia Commonwealth University

Jie Zhang

Nanyang Technological University

Tung Tran

University of Waterloo
