Nizar Kheir
Orange Labs · Security

About

25
Publications
6,242
Reads
572
Citations
Citations since 2017
5 Research Items
411 Citations
[Bar chart: citations per year, 2017 to 2023; y-axis 0 to 80]

Publications (25)
Conference Paper
Full-text available
5G is envisioned as a transformation of the communications architecture towards multi-tenant, scalable and flexible infrastructure, which heavily relies on virtualised network functions and programmable networks. In particular, orchestration will advance one step further in blending both compute and data resources, usually dedicated to virtualisati...
Article
A recent trend both in academia and industry is to explore the use of deception techniques to achieve proactive attack detection and defense—to the point of marketing intrusion deception solutions as zero-false-positive intrusion detection. However, there is still a general lack of understanding of deception techniques from a research perspective,...
Article
ICT systems are becoming increasingly complex and dynamic. They mostly include a large number of heterogeneous and interconnected assets (both physically and logically), which may be in turn exposed to multiple security flaws and vulnerabilities. Moreover, dynamicity is becoming paramount in modern ICT systems, since new assets and device configura...
Conference Paper
A form of moving target defense that is rapidly increasing in popularity consists of enriching an application with a number of deceptive elements and raising an alert whenever an interaction with such elements takes place. The use of deception can reduce some of the advantages of an attacker, making the exploration of the target to discover vulnera...
Conference Paper
The goal of network intrusion detection is to inspect network traffic in order to identify threats and known attack patterns. One of its key features is Deep Packet Inspection (DPI), that extracts the content of network packets and compares it against a set of detection signatures. While DPI is commonly used to protect networks and information syst...
Conference Paper
In this paper, we propose a new risk analysis framework that makes it possible to supervise risks in complex and distributed systems. Our contribution is twofold. First, we provide the Risk Assessment Graphs (RAGs) as a model of risk analysis. This graph-based model is adaptable to the system changes over time. We also introduce the potentiality and the...
Conference Paper
Web applications are the core enabler for most Internet services today. Their standard interfaces allow them to be composed together in different ways in order to support different service workflows. While the modular composition of applications has considerably simplified the provisioning of new Internet services, it has also added new security ch...
Conference Paper
Phishing is a form of online identity theft that deceives unaware users into disclosing their confidential information. While significant effort has been devoted to the mitigation of phishing attacks, much less is known about the entire life-cycle of these attacks in the wild, which constitutes, however, a main step toward devising comprehensive an...
Conference Paper
This paper is a first attempt to define a set of security vulnerabilities for the Internet of Things (IoT), in a corporate environment, in order to classify various connected objects based on a taxonomy that was previously proposed. The IoT is a complex infrastructure that we divide into four parts (objects, transport, storage, interfaces). It needs...
Conference Paper
Full-text available
This paper introduces a behavioral model for botnet detection that leverages the Domain Name System (DNS) traffic in large Internet Service Provider (ISP) networks. More particularly, we are interested in botnets that locate and connect to their command and control servers thanks to Domain Generation Algorithms (DGAs). We demonstrate that the DNS t...
Article
Modern botnets are increasingly shifting towards overlay networks, using peer-to-peer (P2P) protocols, for command and control (C&C). P2P botnets are robust against detection and takedown as they avoid single nodes of failure, and mostly use custom encrypted C&C communications. Pattern-based signatures are also inappropriate, yet they cannot effici...
Conference Paper
In this paper we investigate the way cyber-criminals abuse public cloud services to host part of their malicious infrastructures, including exploit servers to distribute malware, C&C servers to manage infected terminals, redirectors to increase anonymity, and drop zones to host stolen data. We conduct a large scale analysis of all the malware sampl...
Conference Paper
Full-text available
We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses...
Conference Paper
The Domain Name System (DNS) is an essential infrastructure service on the internet. It provides a worldwide mapping between easily memorizable domain names and numerical IP addresses. Today, legitimate users and malicious applications use this service to locate content on the internet. Yet botnets increasingly rely on DNS to connect to their comma...
Conference Paper
A large proportion of modern botnets are currently shifting towards structured overlay topologies, using P2P protocols, for command and control. These topologies provide a better resilience against detection and takedown as they avoid single nodes of failure in the botnet architecture. Yet current state of the art techniques to detect P2P bots most...
Article
A high proportion of modern botnets uses the HTTP protocol to communicate with its command servers and to perform a wide range of malicious activities. Nonetheless, detection of HTTP botnets is still a real challenge. Botmasters currently implement multiple techniques to hide their activity within the large amount of network traffic. On the other h...
Chapter
This paper analyzes User Agent (UA) anomalies within malware HTTP traffic and extracts signatures for malware detection. We observe, within a large set of malware HTTP traffic provided by a local AV company, that almost one malware out of eight uses a suspicious UA header in at least one HTTP request. Such anomalies include typos, information leaka...
Chapter
To keep pace with the rampant malware threat, security analysts operate tools that collect and observe malicious content on the internet. Since malware is robust against static analysis, dynamic environments are being used for this purpose. They use automated platforms that execute malware and acquire knowledge about its runtime behavior. Today, ma...
Technical Report
The main goal of the present architecture document is to depict a global view of the MASSIF system and of the solution it intends to achieve. This document is primarily for external users to understand how the MASSIF solution is structured and how its components work together. Therefore the document provides a rather high-level description of diffe...
Conference Paper
Recent advances in intrusion detection and prevention have brought promising solutions to enhance IT security. Despite these efforts, the battle with cyber attackers has reached a deadlock. While attackers always try to unveil new vulnerabilities, security experts are bound to keep their software compliant with the latest updates. Intrusion resp...
Conference Paper
Full-text available
Information systems are increasingly dependent on highly distributed architectures that include multiple dependencies. Even basic attacks like script-kiddies have drastic effects on target systems as they easily spread through existing dependencies. Unless intrusion effects are accurately assessed, response systems will still be blinded when select...
Conference Paper
In the complex world of information services, we are realizing that system dependencies upon one another have not only operational implications but also security implications. These security implications are multifold. Beyond allowing an attacker to propagate over an information system by leveraging stepping stones vulnerabilities, it also allows a...
Conference Paper
Full-text available
Networked systems are subject to a wide range of challenges whose nature changes over time, including malicious attacks and operational overload. Numerous mechanisms can be used to ensure the resilience of networked systems, but it can be difficult to define how these mechanisms should be configured in networks that support many services that have...
Conference Paper
The cost evaluation for attacks and/or responses (further called security incidents) in an IT system is a challenging issue. The high rate of service dependencies increases this challenge as the impact on a target service often spreads to its dependent services. This paper evaluates the effect of security incidents using service dependency graphs....
Conference Paper
Full-text available
The use of dynamic access control policies for threat response adapts local response decisions to high level system constraints. However, security policies are often carefully tightened during system design-time, and the large number of service dependencies in a system architecture makes their dynamic adaptation difficult. The enforcement of a sing...

Projects

Project (1)
Archived project