Wissam Mallouli

Bio: Wissam Mallouli is an academic researcher from Centre national de la recherche scientifique. The author has contributed to research in topics: Computer science & Formal specification. The author has an hindex of 12, co-authored 58 publications receiving 474 citations. Previous affiliations of Wissam Mallouli include Telecom SudParis.

A formal approach for testing security rules

Abstract: Nowadays, security policies are the key point of every modern infrastructure. The specification and the testing of such policies are the fundamental steps in the development of a secure system since any error in a set of rules is likely to harm the global security. To address both challenges, we propose a framework to specify security policies and test their implementation on a system. Our framework makes it possible to generate in an automatic manner, test sequences, in order to validate the conformance of a security policy. system behavior is specified using a formal description technique based on extended finite state machine (EFSM) [12]. The integration of security rules within the system specification is performed by specific algorithms. Then, the automatic tests generation is performed using a dedicated tool, called SIRIUS, developed in our laboratory. Finally, we briefly present a weblog system as a case study to demonstrate the reliability of our framework.

Two Complementary Tools for the Formal Testing of Distributed Systems with Time Constraints

Abstract: The complexity and the variety of the deployed time dependent systems, as well as the high degree of reliability required for their global functioning, justify the care provided to the design of the best possible tests. Moreover,it is significant to automate these steps with an aim of reducing the time and the development cost and especially of increasing the reliability of the offered products. In this paper, we present two different tools to test systems with time constraints. The first one allows to automatically generate test cases based on model-based active testing techniques. Whereas the second tool is based on passive testing approach to check that the collected system traces respect a set of formal properties called Invariants.

Timed Extended Invariants for the Passive Testing of Web Services

Abstract: The service-oriented approach is becoming more and more popular to integrate highly heterogeneous systems. Web services are the natural evolution of conventional middleware technologies to support Web-based and enterprise level integration. Formal testing of such Web-based technology is a key point to guarantee its reliability. In this paper, we choose a non-intrusive approach based on monitoring to propose a conformance passive testing methodology to check that a composed Web service respects its functional requirements. This methodology is based on a set of formal invariants representing properties to be tested including data and time constraints. Passive testing of an industrial system (that uses a composition of Web services) is briefly presented to demonstrate the effectiveness of the proposed approach.

Reliable Detection of Interest Flooding Attack in Real Deployment of Named Data Networking

Abstract: Named data networking (NDN) is a disruptive yet promising architecture for the future Internet, in which the content diffusion mechanisms are shifted from the conventional host-centric to content-centric ones so that the data delivery can be significantly improved. After a decade of research and development, NDN and the related NDN forwarding daemon implementations are now mature enough to enable stakeholders, such as telcos, to consider them for a real deployment. Consequently, NDN and IP will likely cohabit, and the future Internet may be formed of isolated administrative domains, each deploying one of these two network paradigms. The security question of the resulting architecture naturally arises. In this paper, we consider the case of denial of service. Even though the interest flooding attack (IFA) has been largely studied and mitigated through NACK packets in pure NDN networks, we demonstrate in this paper through experimental assessments that there are still some ways to mount such an attack, and especially in the context of coupling NDN with IP, which can hardly be addressed by current solutions. Subsequently, we leverage the hypothesis testing theory to develop a generalized likelihood ratio test adapted to evolve IFA attacks. Simulations show the relevance of the proposed model for guaranteeing the prescribed probability of false alarm and highlight the trade-off between detection power and delay. Finally, we consider a real deployment scenario where NDN is coupled with IP to carry HTTP traffic. We show that the model of IFA attacks is not very accurate in practice and further develops a sequential detector to keep a high detection accuracy. By considering data from the testbed, we show the efficiency of the overall detection method.

Service level agreement-based GDPR compliance and security assurance in(multi)Cloud-based systems

Abstract: Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This study presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system service level agreement and in their continuous monitoring and enforcement at runtime.

A Survey on Security and Privacy of 5G Technologies: Potential Solutions, Recent Advancements, and Future Directions

Abstract: Security has become the primary concern in many telecommunications industries today as risks can have high consequences. Especially, as the core and enable technologies will be associated with 5G network, the confidential information will move at all layers in future wireless systems. Several incidents revealed that the hazard encountered by an infected wireless network, not only affects the security and privacy concerns, but also impedes the complex dynamics of the communications ecosystem. Consequently, the complexity and strength of security attacks have increased in the recent past making the detection or prevention of sabotage a global challenge. From the security and privacy perspectives, this paper presents a comprehensive detail on the core and enabling technologies, which are used to build the 5G security model; network softwarization security, PHY (Physical) layer security and 5G privacy concerns, among others. Additionally, the paper includes discussion on security monitoring and management of 5G networks. This paper also evaluates the related security measures and standards of core 5G technologies by resorting to different standardization bodies and provide a brief overview of 5G standardization security forces. Furthermore, the key projects of international significance, in line with the security concerns of 5G and beyond are also presented. Finally, a future directions and open challenges section has included to encourage future research.

Survey on IoT security: Challenges and solution using machine learning, artificial intelligence and blockchain technology

Abstract: Internet of Things (IoT) is one of the most rapidly used technologies in the last decade in various applications. The smart things are connected in wireless or wired for communication, processing, computing, and monitoring different real-time scenarios. The things are heterogeneous and have low memory, less processing power. The implementation of the IoT system comes with security and privacy challenges because traditional based existing security protocols do not suitable for IoT devices. In this survey, the authors initially described an overview of the IoT technology and the area of its application. The primary security issue CIA (confidentially, Integrity, Availability) and layer-wise issues are identified. Then the authors systematically study the three primary technology Machine learning(ML), Artificial intelligence (AI), and Blockchain for addressing the security issue in IoT. In the end, an analysis of this survey, security issues solved by the ML, AI, and Blockchain with research challenges are mention.

Testing and verification in service-oriented architecture: a survey

Abstract: Service-oriented architecture (SOA) is gaining momentum as an emerging distributed system architecture for business-to-business collaborations. This momentum can be observed in both industry and academic research. SOA presents new challenges and opportunities for testing and verification, leading to an upsurge in research. This paper surveys the previous work undertaken on testing and verification of service-centric systems, which in total are 177 papers, showing the strengths and weaknesses of current strategies and testing tools and identifying issues for future work. Copyright © 2012 John Wiley & Sons, Ltd.

Automated Security Test Generation with Formal Threat Models

Abstract: Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is highly desirable to automate or partially automate security-testing process. This paper presents an approach to automated generation of security tests by using formal threat models represented as Predicate/Transition nets. It generates all attack paths, i.e., security tests, from a threat model and converts them into executable test code according to the given Model-Implementation Mapping (MIM) specification. We have applied this approach to two real-world systems, Magento (a web-based shopping system being used by many online stores) and FileZilla Server (a popular FTP server implementation in C++). Threat models are built systematically by examining all potential STRIDE (spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege) threats to system functions. The security tests generated from these models have found multiple security risks in each system. The test code for most of the security tests can be generated and executed automatically. To further evaluate the vulnerability detection capability of the testing approach, the security tests have been applied to a number of security mutants where vulnerabilities are injected deliberately. The mutants are created according to the common vulnerabilities in C++ and web applications. Our experiments show that the security tests have killed the majority of the mutants.