
Publication


Featured research published by Yacine Djemaiel.


advanced information networking and applications | 2008

Dynamic Detection and Tolerance of Attacks in Storage Area Networks

Yacine Djemaiel; Noureddine Boudriga

Due to the increasing amount of data handled by business applications and the need for an easy way for multiple servers to access data, storage area networks (SANs) have been proposed as a solution to be deployed in enterprise networks. Despite their advantages, these next-generation high-speed network architectures raise a set of security issues that may threaten the performance and the availability of such networks. In this paper, we propose an intrusion detection and tolerance system that ensures protection of the SANs against attacks. The proposed solution is based on: (a) the management of two areas (virtual area and protected area) at each storage node; (b) the cooperation of detection modules running on each SAN component; and (c) the use of a distributed set of rules that are updated and managed in a secure manner. A case study is given to illustrate the proposed system's capabilities in terms of intrusion detection and tolerance.


international conference on electronics, circuits, and systems | 2005

Cooperative Intrusion Detection and Tolerance System

Yacine Djemaiel; Slim Rekhis; Noureddine Boudriga

Protecting implemented security mechanisms and ensuring their robustness when a host is compromised is among the major challenges that have been studied. Implementing security mechanisms such as intrusion detection inside workstation disks is among recent findings that can be exploited to fulfill these needs. In this paper, we describe a Cooperative Intrusion Detection and Tolerance System, called C-IDTS, which takes advantage of the information that is available at the network, host and storage level to better detect intrusion attempts in their early stages, even when the host is compromised. It also provides intrusion tolerance capability and supports investigation activities.


international parallel and distributed processing symposium | 2009

Intrusion detection and tolerance for transaction based applications in wireless environments

Yacine Djemaiel; Noureddine Boudriga

Nowadays, many intrusion detection and tolerance systems have been proposed in order to detect attacks in both wired and wireless networks. Even if these solutions have shown some efficiency by detecting a set of complex attacks in wireless environments, they are unable to detect attacks using transaction based traffic in wireless environments. In this context, we propose an intrusion detection and tolerance scheme that is able to monitor heterogeneous traffic and to detect and tolerate attacks targeting transaction based applications interoperating in wireless environments. A case study is given to illustrate the proposed system capabilities against a complex attack scenario targeting a multi-player wireless gaming service.


computer and information technology | 2013

An intrusion tolerant transaction management model for wireless storage area networks

Yacine Djemaiel; Noureddine Boudriga; Soukeina Zouaidi

Storage area networks are among the solutions that have been deployed in most enterprise information systems throughout the world, ensuring the processing of corporate data while benefiting from high speed and the separation of provided services from processed data. Due to the great need for such infrastructures, wireless connectivity has been added to these networks to provide more flexibility and mobility for interconnected components and to deal with environment constraints, in addition to advanced security strategies defined for critical services and data; this has led to a new kind of network called wireless storage area networks. Such emerging networks integrate in most cases transaction-based applications that are exposed to several security threats that aim to prevent the correct processing of transactions and cause damage to interconnected components. In this paper, we propose a novel intrusion tolerant transaction management model for wireless storage area networks. The proposed model defines the secure flex transaction concept and is based on an intrusion and detection strategy and a compensability feature to manage transactions in a WSAN even if this environment is compromised. Moreover, this model uses the Predicate Transition Net as a tool to control the executability of secure flex transactions. In order to illustrate the behavior of the proposed model and its security capabilities, a case study is defined for a transaction-based e-payment service for an online commerce company integrated in a monitored wireless storage area network that is exposed to a set of security attacks.


computer and information technology | 2011

A Clustering Data Fusion Method for Intrusion Detection System

Boutheina A. Fessi; S. Ben Abdallah; Yacine Djemaiel; Noureddine Boudriga

The increasing advance in technological systems has several impacts that affect the security of information systems. The result of such progress is an exponential growth in the ability to generate and access information. Therefore, there is a need to have both appropriate and specific data. To achieve this goal, data fusion approaches are applied to analyze large volumes of heterogeneous data in complex systems. The existing data fusion systems generally rely on human experts, but they lack training datasets for the fusion techniques. Thus, a useful autonomous approach should be applied to fuse data automatically and accurately. In this paper, a decision fusion approach based on a clustering technique is proposed. This technique enables the generation of composite attack scenarios by selecting events generated by analyzers while considering their efficiency in detecting attacks using defined efficiency criteria. The general system architecture is presented to locate the data fusion component within the network. Then, the core functioning and the characteristics of the data fusion component are presented.


Information Sciences | 2011

Intrusion tolerant serializability for transaction-based SAN environments

Yacine Djemaiel; Noureddine Boudriga

The serializability of transactions is among the properties that should be implemented in order to ensure correct processing in transaction-based environments. When the system is compromised, the serializability, in addition to the relevant properties of transaction-based environments, may be affected. Ensuring the serializability of transactions in compromised systems is needed in order to enable the processing of interrelated transactions and to avoid blocking situations in which transactions or some available sub-transactions cannot be committed. In this context, this paper proposes an approach to ensure an intrusion tolerant serializability in a compromised transaction-based environment. This approach is built on a new concept that is based on the definition and the use of virtual nodes instead of the detected malicious nodes. These virtual entities ensure the processing of transactions and sub-transactions in a secure manner even if the running environment is compromised. They ensure the continuous running of transactions without experiencing the blocking of interleaved transactions, and therefore ensure the serializability even if the monitored system is compromised. A serial schedule graph is also generated and used by the Central Security Node in order to make decisions concerning the nodes and the set of data and transactions that are threatened by a malicious activity, by attaching to each component a set of security parameters. The behavior of the proposed intrusion tolerant serializability scheme, in addition to its efficiency, is illustrated through a case study describing a SAN system that monitors car activity and generates infraction and warning messages on the road in order to prevent the occurrence of car accidents.


acm symposium on applied computing | 2007

A global marking scheme for tracing cyber attacks

Yacine Djemaiel; Noureddine Boudriga

Tracing complex attacks is among the research topics that are currently under development. Limiting tracing to network traffic has allowed the reconstruction of the attack paths of a few attacks, but appears to be insufficient to trace complex attacks. In this paper, we propose a new tracing scheme that extends marking to additional malicious activities related to system running processes and modification actions operated at the host level, making use of compromise-independent disk-based components. These components are involved in the marking and the tracing process. The behavior of the new scheme for marking and tracing is illustrated against a sample attack scenario that integrates several techniques in order to increase the complexity of the attack. Our scheme plays an important role in investigation and provides evidence that helps an investigator determine the attacker and the actions he performed.


business information systems | 2015

A Mark Based-Temporal Conceptual Graphs for Enhancing Big Data Management and Attack Scenario Reconstruction

Yacine Djemaiel; Boutheina A. Fessi; Noureddine Boudriga

The management of big data is mainly affected by the size of the big graph data that represents the huge volumes of data. The size of this structure may increase with the size of data to be handled over the time. Facing this issue, the querying time may be affected and the introduced delay may not be tolerated by running applications. Moreover, the investigation of attacks through the collected massive data could not be ensured using traditional approaches, which do not support big data constraints. In this context, we propose in this paper, a novel temporal conceptual graph to represent the big data and to optimize the size of the derived graph. The proposed scheme built on this novel graph structure enables tracing back of attacks using big data. The efficiency of the proposed scheme for the reconstruction of attack scenarios is illustrated using a case study in addition to a conducted comparative analysis showing how smart big graph data is obtained through the optimization of the graph size.


business information systems | 2014

Optimizing Big Data Management Using Conceptual Graphs: A Mark-Based Approach

Yacine Djemaiel; Nejla Essaddi; Noureddine Boudriga

Nowadays, optimizing the representation and retrieval of big data is among the most actively studied issues. In this context, this paper proposes a management scheme that enables the representation and the retrieval of big data, whether it is structured or not, based on extended conceptual graphs and the use of structured marks. A case study is given to illustrate the way to represent the generated big data needed to respond to distributed denial of service attacks according to the proposed management scheme and how the querying of such data may help to learn unknown attack fragments.


international carnahan conference on security technology | 2007

Cooperating systems for Global Intrusion Detection and Tolerance

Amel Meddeb-Makhlouf; Yacine Djemaiel; Noureddine Boudriga

In this paper, we propose to make multi-level IDSs cooperate through the use of an architecture called global intrusion detection and tolerance architecture (GIDTA). GIDTA allows the detection of distributed attacks at their early stages using the collection, correlation, and exchange of data provided by different network components and the structures available at the operating system level and the disk management level. In addition, major detection and tolerance capabilities are protected against intruders' attempts since they are performed by compromise-independent components. The GIDTA components implement different functions based on global and hierarchical models allowing fine-grained distributed analysis, and including intelligent capabilities that are able to impose a dynamic behavior taking into consideration the security state of the cooperating entities. A protocol called a neighbor identification protocol is designed to enhance detection and tolerance capabilities. Finally, GIDTA is validated based on the actions it performs in an environment that integrates an airport distributed application, including a flight management system.
