Papers by Anas Abou El Kalam
Et Systemique Edition Hermes, 2005
Cet article présente des travaux menés dans le projet MP6 1 . Il montre comment, compte tenu de l... more Cet article présente des travaux menés dans le projet MP6 1 . Il montre comment, compte tenu de la sensibilité des informations manipulées, les Systèmes d'Information et Communication en Santé et Social (SICSS) peuvent être convoités par des individus malintentionnés. Sont alors présentés les objectifs de MP6 face au besoin crucial de sécurité informatique, dans un domaine où la dynamicité des contextes d'exploitation et la complexité organisationnelle des organismes utilisateurs excluent des solutions développées dans d'autres secteurs, comme la défense ou la banque. MP6 vise notamment à définir un outil d'assistance à l'élaboration de politiques de sécurité pour les SICSS : cet outil doit permettre à l'utilisateur (par exemple un médecin DIM 2 ) d'exprimer une politique sous la forme d'un ensemble de règles, puis de vérifier qu'elle respecte des propriétés attendues (disponibilité, intégrité, confidentialité, auditabilité, etc.). L'article présente un ensemble de concepts nécessaires pour exprimer une politique de sécurité tenant compte des spécificités des mondes santé et social. Il montre enfin comment la capacité expressive et le mécanisme déductif de certaines logiques non classiques permettent de décrire formellement une telle politique de sécurité et de calculer automatiquement si elle vérifie les propriétés de sécurité souhaitées.
A Security Framework for Internet of Things
Lecture Notes in Computer Science, 2015
MIDS: Multi level Intrusion Detection System
ABSTRACT
Sensitive Data Anonymization
ABSTRACT
Security and Privacy in collaborative environments
ABSTRACT
Multi-OrBAC: un modèle de contrôle d'accès pour les systèmes multi-organisationnels
ABSTRACT
security and QoS are the two most precious objectives for network systems to be attained. Unfortu... more security and QoS are the two most precious objectives for network systems to be attained. Unfortunately, they are in conflict, while QoS tries to minimize processing delay, strong security protection requires more processing time and cause packet delay. This article is a step towards resolving this conflict by extending the firewall session table to accelerate NAT, QoS classification, and routing processing time while providing the same level of security protection.
SEC 2014 : proceedings of the 29th IFIP TC 11 International Conference : ICT Systems Security and Privacy Protection
Techniques et sciences informatiques, 2004
). L'un des objectifs de ce modèle est de favoriser l'interopérabilité de ces systèmes tout en ét... more ). L'un des objectifs de ce modèle est de favoriser l'interopérabilité de ces systèmes tout en étant suffisamment souple pour prendre en compte toute amélioration ou changement dans la politique de sécurité. Ce modèle réalise un bon compromis entre le respect du principe du moindre privilège et la flexibilité du contrôle d'accès, de façon à ne pas gêner le travail du personnel soignant, tout en préservant les droits des patients, et ce, conformément aux législations nationale et européenne. Pour faciliter l'administration de la politique de sécurité, c'est-à -dire de gérer la complexité de la gestion des droits d'accès, le modèle utilise des notions de rôle et de groupe. Il définit également, avec précision, les différents types de contextes qui peuvent exister dans les systèmes interopérables et répartis que sont les SICS. Ce modèle décrit la politique de sécurité dans un langage de spécification à la fois simple et expressif, basé sur la logique déontique.
Arxiv preprint arXiv:0911.4033, 2009
— security and QoS are the two most precious objectives for network systems to be attained. Unfor... more — security and QoS are the two most precious objectives for network systems to be attained. Unfortunately, they are in conflict, while QoS tries to minimize processing delay, strong security protection requires more processing time and cause packet delay. This article is ...
Automatic Classification and Detection of Snort Configuration Anomalies - a Formal Approach
Advances in Intelligent Systems and Computing, 2015
IEEE Systems Journal, 2015
The next generation of telesurgical robotics systems 5 presents significant challenges related to... more The next generation of telesurgical robotics systems 5 presents significant challenges related to network performance 6 and data security. It is known that packet transmission in wide 7 area networks is a complex stochastic process; thus, low band-8 width as well as high delay, jitter, and packet loss will greatly 9 affect the quality of service (QoS) of teleoperation control, which is 10 unacceptable in this kind of sensitive application. Furthermore, a 11 relevant but more serious issue is the network attacks, particularly 12 denial of service as well as data alteration or disclosure. The main 13 motivation of this study is to deploy suitable security mechanisms 14 while preserving the QoS of network-based bilateral teleoperation. We propose and apply a protocol that secures our teleoperation 16 system while preserving its real-time constraints. More precisely, 17 we present in this paper a bilateral generalized predictive con-18 troller coupled to a QoS-friendly IP security protocol. The ex-19 perimental results demonstrate that the telerobotic system is able 20 to satisfy both QoS and security requirements of real-time and 21 sensitive teleoperation tasks. In fact, our teleoperation security 22 protocol provides priority treatment while preventing attacks and 23 avoiding potential deadline misses due to increased security cost. 24 Index Terms-Predictive control, quality of service (QoS), se-25 cured network, telerobotics control.
Intrusion detection and security policy framework for distributed environments
Proceedings of the 2005 International Symposium on Collaborative Technologies and Systems, 2005., 2005
This paper presents a novel intrusion detection approach and a new infrastructure to enforce the ... more This paper presents a novel intrusion detection approach and a new infrastructure to enforce the security policy within a distributed system. The solution guarantees the consistency of the security policy and prevents any accidental or malicious update (of the local policies). The control is carried out locally (in each host) in accordance with a meta-policy that enables a distributed control
A Novel Metric for the Evaluation of IDSs Effectiveness
IFIP Advances in Information and Communication Technology, 2014
An IDS Evaluation-Centric Taxonomy of Wireless Security Attacks
Communications in Computer and Information Science, 2011
Wireless technology has become a very popular alternative to wired technology in recent years. Ho... more Wireless technology has become a very popular alternative to wired technology in recent years. However, wireless communication faces several security threats. Consequently, several security efforts have been exerted to make wireless communication systems invulnerable to attacks, but unfortunately complete attack prevention is not realistically attainable. Thus, the emphasis on detecting intrusions through a second line of defense, in the form of Intrusion Detection System (IDS), is increasing. But the question that arises is what IDS is more suitable for our systems? The answer necessarily should take the IDSs evaluation into account. However, to consider all possible cases and contexts, the classification of wireless attacks seems necessary. Dealing with this challenge, this paper proposes a holistic taxonomy of wireless security attacks from the perspective of the IDS evaluator. The proposed taxonomy includes all relevant dimensions of wireless attacks and helps to extract the attack test cases that are used for managing unbiased evaluations. Finally, we present our benchmark of two popular wireless IDSs.
Security and Communication Networks, 2010
While IPSec standard is largely used to protect real time network applications, it unfortunately ... more While IPSec standard is largely used to protect real time network applications, it unfortunately consumes more processing time, cause packet delay and impede QoS enforcement. The QoS level that a flow receives depends on the value of the Type of Service (ToS) field; the later is set by the 'Multi-Field' (MF) packet classifiers according to the IP source and destination addresses and ports as well as the transport layer protocol. The last three fields are encrypted by the IPSec ESP, and thus ESP prevents network control devices from providing preferred treatment for time critical applications. To solve this problem, we propose a QoS-friendly Encapsulated Security Payload (Q-ESP) as a new IPSec security protocol that provides QoS supports while enforcing the same security services assured by IPSec ESP and AH used jointly. Basically, Q-ESP allows network elements to inspect all the needed fields to perform classification adequately. In this paper, we present details about Q-ESP design, processing and kernel implementation. Moreover, we give analytical as well as experimental evaluation of our protocol to measure its impact on real time VoIP; we also compare it to IPSec ESP and AH according to QoS and security metrics. Finally, we present and discuss some application scenarios in which the use of the Q-ESP protocol has many advantages.
Smartcard-Based Anonymization
IFIP International Federation for Information Processing, 2004
This paper presents a new technique for anonymizing personal data for studies in which the real n... more This paper presents a new technique for anonymizing personal data for studies in which the real name of the person has to be hidden. Firstly, the privacy problem is introduced and a set of related terminology is then presented. Then, we suggest a rigorous approach to define anonymization requirements, as well as how to characterize, select and build solutions. This analysis shows that the most important privacy needs can be met by using smartcards to carry out the critical part of the anonymizaton procedure. By supplying his card, the citizen (e.g., the patient in the medical field) gives his consent to exploit his anonymized data; and for each use, a new anonymous identifier is generated within the card. In the same way, reversing the anonymity is possible only if the patient presents his personal smartcard (which implies that he gives his consent). In this way, the use of the smartcard seems be the most suitable means of keeping the secret as well as the anonymization and the disanonymization procedures under the patient control.
A generic approach for healthcare data anonymization
Proceedings of the 2004 ACM workshop on Privacy in the electronic society - WPES '04, 2004
ABSTRACT Nowadays, more and more applications use sensitive and personal information. Subsequentl... more ABSTRACT Nowadays, more and more applications use sensitive and personal information. Subsequently, respecting citizens' privacy is becoming extremely important. Dedicated to this issue, this paper suggests a rigorous approach to define anonymization requirements, as well as how to characterize, select and build solutions. Afterwards, a new generic procedure to anonymize and link identities is presented.
A Policy Language for Modelling Recommendations
IFIP Advances in Information and Communication Technology, 2009
While current and emergent applications become more and more complex, most of existing security p... more While current and emergent applications become more and more complex, most of existing security policies and models only consider a yes/no response to the access requests. Consequently, modelling, formalizing and implementing permissions, obligations and prohibitions do not cover the richness of all the possible scenarios. In fact, several applications have access rules with the recommendation access modality. In this paper we focus on the problem of formalizing security policies with recommendation needs. The aim is to provide a generic domain-independent formal system for modelling not only permissions, prohibitions and obligations, but also recommendations. In this respect, we present our logic-based language, the semantics, the truth conditions, our axiomatic as well as inference rules. We also give a representative use case with our specification of recommendation requirements. Finally, we explain how our logical framework could be used to query the security policy and to check its consistency.
Uploads
Papers by Anas Abou El Kalam