Publication
Featured research published by Kamel Karoui.
Data Mining and Multi-agent Integration | 2009
Kamel Karoui; Henda Ben Ghezala
The Agents and Data Mining integration has emerged as a promising area for distributed problem solving. Applying this integration on distributed firewalls will facilitate the anomalies detection process. In this chapter, we present a set of algorithms and mining techniques to analyse, manage and detect anomalies on distributed firewalls’ policy rules using the multi-agent approach; first, for each firewall, a static agent will execute a set of data mining techniques to generate a new set of efficient firewall policy rules. Then, a mobile agent will exploit these sets of optimized rules to detect eventual anomalies on a specific firewall (intra-firewalls anomalies) or between firewalls (inter-firewalls anomalies). An experimental case study will be presented to demonstrate the usefulness of our approach.
International Journal of Computer Networks & Communications | 2013
Kamel Karoui; Henda Hajjami Ben Ghézala
To supervise and guarantee a network security, the administrator uses different security components, such as firewalls, IDS and IPS. For a perfect interoperability between these components, they must be configured properly to avoid misconfiguration between them. Nevertheless, the existence of a set of anomalies between filtering rules and alerting rules, particularly in distributed multi-component architectures is very likely to degrade the network security. The main objective of this paper is to check if a set of security components are interoperable. A case study using a firewall and an IDS as examples will illustrate the usefulness of our approach.
Information Integration and Web-based Applications & Services | 2009
Kamel Karoui; Henda Ben Ghezala
Nowadays, to survey and guarantee the security policy in networks, the administrator uses different network security components, such as firewalls and intrusion detection systems (IDS). For a perfect interoperability between these components in the network, these latter must be configured properly to avoid misconfiguration anomalies between them. However, there is a set of anomalies between alerting rules in the IDS and filtering rules in firewalls that degrade the network security policy. In this paper, we will present a mobile agent based architecture to detect misconfigurations between these distributed components and generate a new set of rules free of errors. A case study will illustrate the effectiveness of our approach.
Network and System Security | 2017
Kamel Karoui; Henda Ben Ghezala
Security components such as firewalls, IDS and IPS, are the mainstay and the most widely adopted technology for protecting networks. These security components are configured according to a global security policy. An error in a security policy either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which, in turn, could lead to irreparable consequences. It has been observed that most security policies on the Internet are poorly designed and have many misconfigurations. In this paper, we propose a formal process to specify, verify and correct the security policy using the decision tree formalism, which consists of four steps. First, we define the security policy specifications and write it in a natural language. Second, the security policy will be translated into a formal language. Third, we verify the security policy correctness. If this latter is plugged with anomalies, we correct it in the last step.
International Journal of Security and Networks | 2016
Kamel Karoui; Henda Ben Ghezala
Networks security organisation and management is a hard and complex task. This is due to the diversity of security components and activities such as security policy specification, anomalies detection, vulnerability assessment, etc. In this paper, we propose to organise and gather these activities in a unique framework called network security life-cycle. Security components, especially firewalls, deployment should respect the network security life-cycle. It is necessary to check that the firewalls policy's state or quality is accurately representative of all deployed firewalls. This activity is based on a set of individual metrics that allow us to evaluate and classify the security policy and firewalls according to the accurately implemented rules. Those metrics are gathered and classified to provide a unique reversible representativeness metric. In case of bad representative metric value, we can use the reversible metric to find back the individual metrics classifications and then detect the cause of this deficiency.
International Conference on Mobile, Secure and Programmable Networking | 2016
Abir Khaldi; Kamel Karoui; Henda Ben Ghezala
Cloud security is very challenging and is becoming a research hot topic. Thus, the adoption of the security assessment would be the key to evaluate and to enhance the cloud security level. The security assessment can be quantitative or qualitative. This paper proposes a cloud security quantitative assessment (CSQA) model. This proposed model evaluates the security of any cloud service (XaaS) exposed to attacks and vulnerabilities affecting its quality and specially its availability. It is based on mobile agent and web service interaction framework.
International Journal of Security and Networks | 2014
Kamel Karoui; Henda Ben Ghezala
Firewalls are the most widely adopted security devices for network protection. These components are often implemented with several errors (or anomalies) that are sometimes critical. To ensure the security of their networks, administrators should detect these anomalies and correct them. Before correcting the detected anomalies, the administrator should evaluate and classify these latter to determine the best strategy to correct them. In this work, we propose a process to evaluate and classify the detected anomalies using three evaluation criteria: a quantitative evaluation, a semantic evaluation and multi-anomalies evaluation. The proposed process, convenient in an audit process, will be detailed by a case study to demonstrate its usefulness.
Conference on Risks and Security of Internet and Systems | 2008
F. Ben Ftima; Kamel Karoui; H. Ben Ghzela
Firewalls are core elements in network security. However, detecting anomalies, particularly in distributed firewalls has become a complex task. Mobile agents promise an interesting approach for communications between different distributed systems specially Web services applications. In this work, we propose a firewall anomalies' detection system based on interactions between the Web services and the mobile agents technologies. Then, we highlight the trumps of this approach compared to the client/server model.
INTERNATIONAL JOURNAL OF DATA & NETWORK SECURITY | 2013
Kamel Karoui; Henda Ben Ghezala
Archive | 2009
Kamel Karoui