Towards a Formal Data Flow Oriented Model for Network Security Policies Analysis

Khoury, Hicham El; Laborde, Romain; Barrère, François; Benzekri, Abdelmalek

doi:10.1109/sar-ssi.2011.5931390

Cited by 4 publications

(5 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [21] Niksefat and Sabaei improve the efficiency of the approach in [7] by eliminating the need of processing all the rules. Khoury et al [22] propose hierarchical colored Petri nets for specifying network data traffic and abstract functions for modelling IPsec mechanisms operations. Compared to these works, the present paper tackles a different problem, which is verifying that the modification of IPsec configuration after migration has been consistently performed.…”

Section: Ipsec Vpnmentioning

confidence: 99%

Trusted Framework for Secured Information Storage over Cloud Environment

2015

IJSR

View full text Add to dashboard Cite

Cloud orchestration involves cloud resources scaling up and down, management, as well as manipulation to better respond user's requests and to facilitate operational objectives of the service providers. These promote the elastic nature of cloud platform but force upon significant challenges to cloud service providers. Particularly, security issues such as inconsistency may arise while dynamic changes such as virtual machine migration occur. In this paper, we intend to tackle this problem, specifically for intrusion detection/ prevention and VPN/IPsec as main security mechanisms. More precisely, we propose a systematic verification approach to check the compliance of security configurations. To this end, we first elaborate on two properties, namely intrusion monitoring configuration preservation and VPN/IPsec protection configuration preservation. Then, we derive a set of formulas that compare security configurations before and after migration. This allows reasoning on whether the aforementioned security properties hold. To this end, we encode these formulas as constraint satisfaction problems.

show abstract

Section: Ipsec Vpnmentioning

confidence: 99%

Trusted Framework for Secured Information Storage over Cloud Environment

2015

IJSR

View full text Add to dashboard Cite

show abstract

“…First, we briefly introduce our model of data flow and data flow treatment that were published in [17,18]. Then we define our model of configuration of devices that improves the one presented in [19].…”

Section: Modeling Security Based On Data Flowmentioning

confidence: 99%

“…In the basic model which was published in [18], a data flow is a contiguous set of bytes of variable size conveyed over a network. We had defined our core entities by:  is the set of possible attributes.…”

Section: A a Formal Data Flow-oriented Modelmentioning

confidence: 99%

See 1 more Smart Citation

A specification method for analyzing fine grained network security mechanism configurations

Khoury¹,

Laborde²,

Barrère³

et al. 2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Quick evolution, heterogeneity, interdependence between equipment, and many other factors induce high complexity to network security analysis. Although several approaches have proposed different analysis tools, achieving this task requires experienced and proficient security administrators who can handle all these parameters. The challenge is not to propose a temporary solution but to offer a building block for this large domain, though no approach can be optimal for all tasks. In previous papers, we have proposed a novel formal model of equipment configuration built on data flow attribute-based approach to detect network security conflicts. In this paper, we extend the previous proposed model in order to make it more generic by proving it can handle microscopic analysis. We define a formal analysis method for network security mechanisms. Therefore, we specify our approach in Colored Petri Networks to automate the conflicts analysis and test it on a fine-grained firewall scenario.

show abstract

“…As part of the IREHDO2 research project, we conducted interviews of senior security requirements engineers that revealed network security architects are looking for a methodological approach to, at least, consolidate the network security architectures they propose. Indeed, the task of verifying and validating the network security requirements with regards to business security requirements is tedious and challenging [12]. How to ensure that the proposed network zoning is correct and cost-effective?…”

Section: Introductionmentioning

confidence: 99%

Logic-based methodology to help security architects in eliciting high-level network security requirements

Laborde

Bulusu

Wazan

et al. 2019

Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

In this paper 1 , we propose a security methodology that automates the process of security zone specification and high-level network security requirements elicitation. We define a set of formalized rules derived from the principles of complete mediation, least privileges and the Clark-Wilson lite formal model making our approach traceable and verifiable. We implemented the methodology in Answer Set Programming to automatically compute an optimal network security zone model considering the cost of the security solution. A use case study of an e-commerce enterprise network infrastructure illustrates our methodology.

show abstract

Towards a Formal Data Flow Oriented Model for Network Security Policies Analysis

Cited by 4 publications

References 12 publications

Trusted Framework for Secured Information Storage over Cloud Environment

Trusted Framework for Secured Information Storage over Cloud Environment

A specification method for analyzing fine grained network security mechanism configurations

Logic-based methodology to help security architects in eliciting high-level network security requirements

Contact Info

Product

Resources

About