Publication


Featured researches published by Jihene Krichene.


2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering | 2008

Cognitive-Maps Based Investigation of Digital Security Incidents

Slim Rekhis; Jihene Krichene; Noureddine Boudriga

Investigation of security incidents is of great importance as it allows to trace back the actions taken by the intruders. In this paper we develop a formal technique for digital investigation based on the use of Incident Response Probabilistic Cognitive Maps. Three main issues are addressed here: (1) construction and extraction of plausible known attack scenarios, (2) construction of hypothetical scenarios and their validation using a logic-based formalism, and (3) selection of optimal counter-measures addressing the detected attacks.


systems, man and cybernetics | 2007

Security policy validation using temporal executable specifications

Jihene Krichene; Mohamed Hamdi; Noureddine Boudriga

Security policies constitute the core of protecting information systems. Validation tools should therefore be developed to check whether a version of a specific security policy conforms to the required security properties. This paper proposes a validation framework for security policies where: (1) algebraic specifications are used to build abstract views about the security policy, (2) an executable security policy can be extracted from the algebraic representation, and (3) syntactical (resp. semantic) verification of the executable (resp. algebraic) security policy is performed.


systems, man and cybernetics | 2004

Collective computer incident response using cognitive maps

Jihene Krichene; Mohamed Hamdi; Noureddine Boudriga

Incident response is becoming an important activity in organizations as security intrusions are increasing rapidly. Cooperation and view sharing within incident response team are very important for successful incident handling. We introduce a causal map based method helping the incident response team members reasoning collectively about security incidents. In this method, we use heuristics to help reasoning within causal maps and we propose a sensitivity analysis approach for assessing the error propagation introduced by the causal maps used in this work.


information security conference | 2008

DigForNet: Digital Forensic in Networking

Slim Rekhis; Jihene Krichene; Noureddine Boudriga

Security incidents targeting information systems become more complex and sophisticated, and intruders might evade responsibility due to the lack of supporting evidences to convict them. In this paper, we develop a system for Digital Forensic in Networking (DigForNet) which is useful to analyze security incidents and explain the steps taken by the attackers. DigForNet uses intrusion response team knowledge and formal tools to reconstruct potential attack scenarios and show how the system behaved for every step in the scenario. The attack scenarios identification is automated and the hypothetical concept is introduced within DigForNet to alleviate lack of data related to missing evidences or investigator knowledge.


systems, man and cybernetics | 2007

Network security project management: a security policy-based approach

Jihene Krichene; Noureddine Boudriga

Managing security projects is a delicate activity due to the evolution of attacks. In this paper, we develop a new methodology for estimating security effort based on algebraic representation of security policies. This methodology is used within the SECOMO model. Two models are defined: the a priori model and the a posteriori model. Real security projects are used to prove the accuracy of the new methodology.


international conference on telecommunications | 2003

SECOMO: an estimation cost model for risk management projects

Jihene Krichene; Noureddine Boudriga; Sihem Guemara El Fatmi

In this paper an estimation cost model for risk management projects, called SECOMO is presented. This model helps managers reasoning about the cost and schedule implications of network security decisions that security teams may need to make. It aims to achieve several objectives including: (1) providing accurate cost and scheduling estimates for current security projects, and (2) providing a normative method for the allocation of resources necessary for the development and maintenance of network security solution.


Journal of Networks | 2008

Heterogeneous Security Policy Validation: From Formal to Executable Specifications

Jihene Krichene; Mohamed Hamdi; Noureddine Boudriga

This paper develops a prototyping technique for information systems security policies. Starting from the algebraic specification of a security policy, we derive an executable specification that represents a prototype of the actual policy. Executing the specification allows determining sequences of actions that lead to security policy violations. We propose a composition framework to build compound algebraic specifications. We show that the mechanism we provide to translate algebraic specifications to executable specifications preserves the composition rules, which is of utmost importance from the engineering perspective. Through accurate examples, we show how executable specifications can be used in conjunction with formal specification in the frame of the security policy engineering process.


international conference on information and communication technologies | 2008

Managing Network Security Projects: Classification models and Scale Effect

Jihene Krichene; Noureddine Boudriga

Network security projects present several differences with software engineering projects. Managing security projects and evaluating the effort needed to conduct them is more complex. We propose in this paper three models aiming at managing three classes of security projects. We address here the models definition methodologies, the effort estimation, and the projects classification methodology. We discuss also the scale effect related to security projects.


Int'l J. of Communications, Network and System Sciences | 2009

Forensic Investigation in Communication Networks Using Incomplete Digital Evidences

Slim Rekhis; Jihene Krichene; Noureddine Boudriga

Security incidents targeting information systems have become more complex and sophisticated, and intruders might evade responsibility due to the lack of evidence to convict them. In this paper, we develop a system for Digital Forensic in Networking, called DigForNet, which is useful to analyze security incidents and explain the steps taken by the attackers. DigForNet combines intrusion response team knowledge with formal tools to identify the attack scenarios that have occurred and show how the system behaves for every step in the scenario. The attack scenarios construction is automated and the hypothetical concept is introduced within DigForNet to alleviate missing data related to evidences or investigator knowledge. DigForNet system supports the investigation of attack scenarios that integrate anti-investigation attacks. To exemplify the proposal, a case study is proposed.


WISP | 2008

Incident Response Probabilistic Cognitive Maps

Jihene Krichene; Noureddine Boudriga

Collaboration


Dive into Jihene Krichene's collaboration.

Top Co-Authors

Mohamed Hamdi

Florida International University

Dennis K. Nilsson

Chalmers University of Technology
