A Safe and Secure Web-Based Management for Mobile Phone ...

3 downloads 36120 Views 105KB Size Report
security management system against cloning mobile phones, and describe an implementation ... However, to the best of our knowledge ..... the specific application. .... (2) a Builder module, located in the main building of the telecom company.
A Safe and Secure Web-Based Management for Mobile Phone Operations Mirela Sechi Moretti Annoni Notare1 [email protected]

Azzedine Boukerche2 [email protected]

Carlos Becker Westphall1 [email protected]

1 Federal University of Santa Catarina/Computer Science, Brazil 2 University of North Texas/Computer Science, USA

Abstract: Security is an essential part of network communications. Interestingly enough, these systems are designed to provide open access across vast networked environment. With the increasing popularity of wireless network, the security issue for mobile users could be even more serious than we expect. In this paper, we discuss SSTCC, a general framework of a distributed security management system against cloning mobile phones, and describe an implementation of its safe and secure on-line phone bill system, which we refer to as SETWeb, using distributed objects techniques (i.e., manager and agents). We also show how an ISO Formal Description Technique (LOTOS) is used to specify and validate the system.

Key words: network management, security, telecommunications, Web.

1. INTRODUCTION

Emerging requirements for higher data services such as news-on-demand, web browsing, e-commerce, stock quotes, video-conferencing and better spectrum efficiency are the main drivers identified for the next generation mobile radio systems, and the coming decade of the next millennium. Mobile phones will change many aspects of our lives forever, but not until potential users become

2

convinced of the security of the mobile networks. Therefore, rather than ignoring

the

security

concerns

of

potential

users,

merchants

and

telecommunication companies need to acknowledge these concerns and deal with them in a straightforward manner [1, 2]. Indeed, in order to convince the public to use mobile and wireless technology in the next and future generation [3, 4, 5] of wireless systems, telecom companies and all organizations will need to explain how they have addressed the security of their mobile/wireless systems. Manufactures, service providers and entrepreneurs who can visualize this monumental change and effectively leverage their experiences on both wireless and Internet will stand to benefit from its security system.

Consequently, there is a great deal of interest recently to design mobile phones using new technologies, such as Boot Block Flash technology used by Intel Corporation, that will make it much more difficult to clone cellular phones (Electronic Serial Number cryptography). However, to the best of our knowledge there is very little work effective done at the software level. Furthermore, to verifies if a call is out of the client patterns, current software (i) do not have an efficient automatic process to warn their clients about the impostors using their mobile phones. In most of these systems, human staffs are used to do that (only lists of large bills are reviewed to identify cloned phones); (ii) have no efficient ways to control/identify the impostors; and (iii) use an “experimental satisfaction” to prove the correctness of their security framework. Some systems provide the billing process via the Web. However, the identification of a cloned phone is done only at the end of the monthly billing cycle. This unfortunately is not quite efficient and leads to a big loss of revenue for the telecom carrier.

3

In this paper, we describe a distributed security network management system for mobile phone operations, which we refer to as SSTCC [6, 7, 8], that includes a safe (i.e., a correct system against trusted users) and secure (i.e., a protected system against untrusted users) [9] online phone bill system, which we refer to as SETWeb.

The remainder of this paper is organized as follows. Section 2 presents an overview of the system context. Section 3 describes the formal specifications and validation of the system. Section 4 discusses the security system implementation. The conclusion and references follows.

2. SECURITY MANAGEMENT SYSTEM FRAMEWORK

Despite the fact that there are some intrusion detection systems for networks, automatic cloning detection in mobile telecommunication networks have received very little attention. Many telecommunication companies are losing hundred of hundreds of dollars due to the use of clones or genuine mobile phones by impostors. One might argue that although it is rather easy to clone an AMPS phone, it is much trickier to clone a D-AMPS, a GSM, or an IS-95 phones. Although GSM mobile phone was cloned yet.

While cryptography techniques have been employed satisfactory in digital mobile systems, it is our belief that neural networks techniques could be used to protect both digital and analogue mobile phones against frauds and cloning, as well as companies against (future) impostors trying to use cloned phones and/or use the mobile phone improperly (subscription of mobile phones using other name). Neural networks can be used to learn the behavior of mobile phone

4

users, and could be used as a knowledge-based intrusion detection tool to learn impostors’ traces, and then identify cloned phones and (future) intruders. In addition of that detection made by the telecom company (by distributed CORBA agents), the system includes the fraud detection by the telecom users through the on-line phone-bill by Web.

The framework of the system (see Figure 1) consists of three main components. The first part represents the Security System against Cellular Cloning (SSCC). The second part presents the on-line phone bill by Web (SETWeb). Finally, the third component SIPI (System to Identify Probable Impostors) represents the system to avoid future impostors that might try to use the mobile phones improperly. • SSCC can be viewed as a black box that interacts with the users via mails or phones; which we refer to as gate-mail, and gate-phone respectively. While the first gate is used by the SSCC to send alarms of possible frauds to the users by “surface” mail, the second gate allows the SSCC to use mobile phone to send the same alarms. The main purpose of sending alarms by phone is for an immediate notification of possible frauds. Although the “surface” mail is more secure, it is still slower than the notification by phone. The system is supported by CORBA that uses on-line telecommunication databases (i.e., CallsFile), as well as database files (i.e., Baseline) created during the training process of the system for the classification of the clients - using neural network/pattern recognition techniques. • SETWeb, a system phone bill on-line via Web, has been developed to allow clients to consult their phone bill online via the web, at any time during the day. The client can then observe if a call from a clone just arrived in your bill – thus,

5

avoiding big looses. Our system ensures the security and the privacy of the client when he tries to access to his/her file, as will described later. • SIPI, a system to identify probable impostors has been designed to identify “probable” impostors using cloned phones. There are several types of impostors the SIPI system can identify: (i) those who had changed the mobile phone’s owner call patterns; (ii) those who bought a mobile phone only for one month (already convinced in not to pay); and (iii) and those who bought mobile phones using other names (already convinced in not to pay, too).

6

SSTCC C O R B A

CloneCorbaAgent1 clone_notif online_call

user_pattern UserPatternFile1

OnlineCallsFile1

. . .

M A N A G E R

CloneCorbaAgentn clone_notif user_pattern UserPatternFilen

mail alarm

online_call OnlineCallsFilen

phone alarm

SSCC C O R B A

BillCorbaAgent1 bill_notif online_call

bill_db

BillDB1 . . .

U S E R S

UserOnlineCallsFile1

BillCorbaAgentn bill_db

M A N A G E R

bill_notif

online_call

BillDB1

UserOnlineCallsFile1

online _bill

SETWeb C O R impostor_pattern1 online_call1 B A

impostor_notif ImpostorCorbaAgent2 user_pattern1

UsersPatternsFile1 ImpostorsPatternsFile1 OnLineCallsFile1

. . . impostor_notif ImpostorCorbaAgentn user_patternn

impostor_patternn online_calln

UsersPatternsFilen ImpostorsPatternsFilen OnLineCallsFilen

M A N A G E R

check owner

SIPI

Figure 1 – General Architecture of SSTCC.

As illustrated in Figure 1, the three components (SSCC, SETWeb and SIPI) constitute the SSTCC System (Security System for Telecommunications against Cloning and Impostors).

7

This paper focuses the SETWeb component of the SSTCC system. SETWeb has been developed to allow mobile phones’ clients to access and monitor their phone bill on-line via the Web in a safe and secure mode. SETWeb is a Java applet available in the telecom Web server where the users can access their phone bill file, and thereby can monitor their calls on a daily basis as opposed to the end of the monthly billing cycle. This procedure contributes to reduce the profit loses of the telecom companies such as printing errors and cloning phones, just to mention a few. 3. SETWEB FORMAL SPECIFICATION AND VALIDATION

The FDT LOTOS (Formal Description Technique - Language of Temporal Ordering Specification), an ISO standard [10], have been used to specify and validate the SETWeb system in order to obtain the correctness proof of the system. A correct system is a safe system. In our design, SETWeb system is represented by the LOTOS process SetwebBill, and it can be detailed to consider two of its more important components, i.e., the management sites set, represented by the process BillCorbaAgentsSet, and the manager, represented by the process BillCorbaManager. See the Figure 2.

SetwebBill

BillCorbaAgentsSet

bill_notif

BillCorbaManager

online_bill

Figure 2 – The two main process of the process Setwebbill.

8

The process BillCorbaAgentsSet can use the gate bill_notif to transmit notifications to the process BillCorbaManager, i.e., update the computed data from the agents to the manager. Upon receipt of the notification, (throught the gate bill_notif), the manager makes the information available to the users throughout the online_bill gate using the Web server. The SetwebBill

identifies

the LOTOS specification which

corresponds to the following process: process SetwebBill[online_bill]:noexit:= hide bill_notif in BillCorbaAgentsSet[bill_notif]|[bill_notif]| BillCorbaManager[bill_notif] where process BillCorbaAgentsSet[bill_notif]:noexit:= process BillCorbaManager[bill_notif]noexit:= endproc

... ...

endproc endproc

The behavior of the process BillCorbaAgentsSet can be specified, in LOTOS,

as

[bill_notif].

follow:

Bill_notif;BillCorbaAgentsSet

This approach allows an infinite

succession of

notifications.

The process BillCorbaManager might have its behavior

specified

LOTOS

in

as

follows:

bill_notif;

online_bill;

BillCorbaManager[bill_notif,online_bill]. Thus, this process will make available all information it maintains, such as phones bill, to the user(s) once it receives notifications from the distributed agents in the system. The processes BillCorbaAgentsSet

and BillCorbaManager are

combined using the operator of general composition |[…]|. This combination indicates

that both processes share all events that occur in the gate

bill_notif.

9

The process BillCorbaAgentsSet (i.e., set of management sites) includes several instances of the same of managed site model. Each one of this instance is related to a LOTOS process, that communicates with the process BillCorbaManager (system manager), through the gate bill_notif.

Since, each managed site acts alone in sending the notifications of possible frauds, then, it is possible to use the operator of independent composition (|||) in order

to combine them, thereby obtaining the following LOTOS

representation:

BillCorbaAgentsSet1[bill_notif]

BillCorbaAgentsSet2[bill_notif]

|||

...

||| |||

BillCorbaAgentsSetn[bill_notif].

The process BillCorbaAgentsSetj represents a typical management site with its three main components: a management agent, represented by the process BillCorbaAgentj; a file that contains phone bill’s information, and is represented by the process BillDBj; and a file of phone calls, represented by the process OnlineCallsFilej. A formal LOTOS specification of the architecture of the Process BillCorbaAgentsSetj can be described as follows: process BillCorbaAgentsSetj[bill_notif]:noexit:= hide bill_dbj,online_callj in (BillDBj[bill_dbj]|||OnlineCallsFilej[online_callj] |[bill_dbj,online_callj]| BillCorbaAgentj[bill_dbj,online_callj,bill_notif] where process BillDBj[bill_dbj]:noexit:= ... endproc process OnLineCallsFilej[online_callj]:noexit:= ... endproc process BillCorbaAgentj[bill_dbj,online_callj,bill_notif]:noexit:= ... endproc endproc

The use of the hide…in operator in this specification allows us to compare this specification with another service more abstract of the same site. The

10

BillDBj and OnLineCallsFilej processes act independently. These two processes share events in the gates bill_dbj and online_callj with the process BillCorbaAgentj, since they are in the same set. The process OnLineCallsFilej can process an infinite sequence of events in the gate online_callj: online_callj; OnLineCallsFilej [online_callj]

- i.e., the on-line calls file is read constantly. In a similar mode, the process BillDBj

can

repeat

the

actions

in

the

gate

bill_dbj:

bill_dbj;BillDBj[bill_dbj] - i.e., the on-line calls are accumulated and saved in a database.

The processes BillDBj and OnLineCallsFilej use simple behaviours, i.e., perform the reading of a file and a saving in a data base, respectively, and they are both represented by one event only (i.e., one communication gate). On the other hand, the process BillCorbaAgentj executes three events: (1) reads the on-line calls; (2) computes and saves the result in the local data base – in each site; and (3) sends the result to the manager, which in turn, makes the information

available

to

the

users

via

a

Web

Server,

online_callj;bill_dbj;bill_notif;BillCorbaAgentj[online_ca llj,bill_dbj,bill_notif].

Thus, the agents keep constantly reading the on-line calls file (i.e., event in the gate online_callj), computing and saving their result in the respective sites (i.e., event in the gate bill_dbj), and sending the data to the manager (i.e., event in the gate bill_notif). In Figure 3, we illustrate how the SETWeb system is managed, using a simple scenario where the managed sites set

includes

only

BillCorbaAgent2).

two

sites

(i.e.,

BillCorbaAgent1

and

11

SETWeb BillCorbaAgentsSet1

bill_notif BillCorbaAgent1

online_bill bill_file1 BillDataFile1

online_call1 Usuários

OnlineCallsFile1

BillCorbaManager

BillCorbaAgentsSet2

bill_notif BillCorbaAgent2

online_bill bill_file2

online_call2

BillDataFile2

OnlineCallsFile2

Figure 3 – Representation of the SETWeb detailed with two sites.

Note that the specification, with two distributed agents, allows new agents to be added using the independent parallelism operator (|||).

In order to validate the SETWeb system, we make use of the CADP tool (Caesar Aldébaran Development Package) available within the Eucalyptus toolbox [11]. Note that we consider the validation process composed by simulations, tests and verifications. While simulations and testing are able to found and identify errors, however, they do not prove the correctness of the system. Verifications, on the other hand, do provide the correctness proof. The procedure, that is used to obtain the correction proofs between refinements, generates the following two automata: SETWebService.aut (related to the initial specification)

and SETWebProtocol.aut

(related

the

final

specification). These two automata aim at proving correctness of the system. The ´TRUE´ result obtained when these two automata are compared and are ”observational’’ equivalent. Consequently, we obtain the formal correction

12

proof of the system, i.e., the refinement is proved to be correct, and thereby proving that each refinement made is equivalent to the previous specification. Recall that the DivisionA/ClassA1 of Unite State Department of Defense, is the highest security level [12, 13]. It requires a strict and verified design, i.e., formal analysis and mathematical proof that the computer system matches the system security policy and its design specifications. Hence, using that methodology we can claim that we obtained the highest security level. The main trade-off is security level against system performance. Class A1 systems require significantly more resources to achieve the same system performance as Division D systems because of the high overheads required to execute the various security mechanisms. Therefore it is incumbent on an organization to determine exactly what level of security is required and to implement a security policy which reflects those requirements.

4. SETWEB SECURITY IMPLEMENTATION

An adequate security system management policy has long been an important issue. Though, a comprehensive network security plan must also consider the losses of privacy [14] when we define authentication and authorization as well as the losses of performance when we define key management and the security protocols, for instance.

The security implementation needs to consider the attacks that may be occur in the specific application. See Figure 4.

13

Source

Target Normal flow Interruption (attack on availability) Interception (attack on confidentiality)

Modification (attack on integrity)

Fabrication (attack on authenticity)

Figure 4 – Security attacks.

Then, considering the possible attacks, the system must provide the related security services in order ro avoid these attacks. Despite there is no universal agreement about many of the terms used in the security literature [12, 15, 16, 17], one useful classification of security services is the following:

1) confidentiality: requires that the information in a computer system and transmitted information be accessible only for dealing by authorized parties. This type of access includes printing, displaying, and other forms of disclosure, including simply revealing the existence of an object; 2) authentication: requires that the origin of a message be correctly identified, with an assurance that the identity is not false;

14

3) integrity: requires that computer system assets and transmitted information be capable of modification only by authorized parties. Modification includes writing, changing, changing status, deleting, creating, and the delaying or replaying of transmitted messages; 4) nonrepudiation: requires that neither the sender nor the receiver of a message be able to deny the transmission; 5) access control: requires that access to information resources be controlled by or for the target system; and 6) availability: requires that computer system assets be available to authorized parties when needed.

The SETWeb system, in order to ensure the security of the telecom carrier site, and protect the privacy of the client, several issues have been maintained, such as access controlling, logging, confidentiality, authentication, integrity, nonrepudiation, availability and administration of the system resources. These services were implemented mainly using the java.security API with the overall goal of protecting the user’s information from eavesdropping and tampering.

The widespread use of computers and their connectivity, particularly the Web and the Java programming it is security API, has provided a new influx in the research and development in e-commerce and internet based applications. Several protocols have been proposed by now. While some schemes are tuned toward restricted cases of attacks, others provide security support mechanisms to the users so that they can create/design their own security solutions. For completeness, we list some of theses protocols below:

15



SSH (Secure Shell) – provides security using cryptography paradigm, even before the authentication;



SSL (Secure Socket Layer) – authentication by digital certificate;



IPSEC (IP Security) – the IPv6 version includes new services of authentication and cryptography;



PGP (Pretty Good Privacy) – cryptography in e-mails where the key distribution is done by the owner of the keys;



PEM (Privacy Enhanced Mail) – cryptography in e-mails where a centralized authority distributes the keys; and



SET (Secure Electronic Transaction) – conceived for e-commerce, implements the security services of access control, confidentiality, authentication, nonrepudiation and integrity.

In this manner, knowing the services needed and the protocols available, it is time to define the security policy.

4.1. Defining a Security Policy

The security policy chosen, in our system, is based on the following steps:

1) the user has to register with the phone carrier in order to have the online service. 2) as soon as the registration takes place, asymmetric keys are automatically generated on the server for him; 3) to avoid transmitting the private key through the network, an application is mailed to the user’s physical address; this application’s sole purpose is to store the user’s private key on his hard disk in a secure way;

16

4) once the user has his private key on his disk, he is ready to register the password with

the phone carrier server.

This password is automatically

ciphered on the client’s computer and as soon as he connects to the network the cipher text is sent to the server; 5) every time the user requests a service, he has to digitally sign it to avoid non- repudiation attacks; 6) to guarantee the user is dealing with the company he thinks and intends to use, the site has to have a valid digital certificate; and 7) to find and/or avoid unauthorized attacks on the server side, login agents constantly monitor the login failures.

In order to avoid direct communication with the Security Manager, an intermediate object known as a proxy has been designed with the following goals: (1) report to the Security Manager the bad login attempts; (2) report to the Security Manager connection requests to the database from a user; and (3) monitor opened connections and account time and resource usage in a log file to send it later to the Security Manager. The Security Manager object has basically three functions: (i) user authentication upon connection to the database server; (ii) creation and storage of access logs from the information sent by the proxy about the users’ requests. This is a very important tool for the system/database administrator; and (iii) providing an interface where the administrator may configure the access to the system’s resources.

In the SETWeb system, the tool policytool creates and manages a text file that stores security policy definitions, known as mypolicy. Those definitions can give special privileges to users having some forms of authentication, such as a digital signature.

17

4.2. Digital Signature and Cryptographic Keys Generation

The use of cryptpo is fundamental to obtain digital signature. In our design, we use the Java Development Kit 1.2 which offers useful tools like keytool and the classes listed below:

1) java.security. Using this API the following classes were inherited; 2) java.security.KeyPairGenerator: its function is to find a cryptography service provider (CSP) to trigger the key generation process; 3) java.security.PrivateKey: responsible for the generation of private keys; 4) java.security.PublicKey: responsible for the generation of public keys; 5) java.security.Signature: its function is to find a cryptography service provider (CSP) and trigger the digital signature key generation process; 6) java.security.KeyFactory: used to create instances of public key generated by the Digital Signature Algorithm (DAS); and 7) java.security.spec.X509EncodedKeySpec:

keys can be created as

instances of an file in case the user already have his private key. This way, it is verified the conformity of the key with the X.509 standard.

In what follow, we present a sample of the code related to generating keys: public boolean cadDados() { try { KeyPairGenerator keyGen = KeyPairGenerator.getInstance (“DAS”, “SUN”); SecureRandom random = SecureRandom.getInstance (“SHA1PRNG”, “SUN”); KeyPair pair = keyGen.generateKeyPair(); priv = pair.getPrivate(); pub = pair.getPublic(); } catch (Exception e) { System.err.println (“Activated Exception: “ + e.toString() } try { Connection com = DriverManager.getConnection(“jdbc:odbc:bill”, “bill”, “bill”); Statement stmt = com.createStatement(); ResultSet rs = stmt.executeQuery(“INSERT INTO keys(chvp,chvpb) values(‘”+priv+”’,’”+pub+”’)”); stmt.close(); com.close(); } ...

18

Note that the client is able to consult its phone bill via the Web only after this security policy procedure is

done

successfully.

The

CORBA [18]

implementation aims at providing the secure management of the SETWeb system, which can be managed remotely via the Web. The management makes use of the Security Alarms Report Functions (SARF), based upon the recommendations already established by the International Telecommunication Union (ITU). This helps the manager responsible for the SETWeb security to enhance the flexibility and the management of the system.

The SETWeb system implementation includes:

(1) several Adaptor modules, located in each regional server which is distributed all over the area covered by the telecom company. These modules help to read the CDR (Call Detailed Register) files, that contains the data of each call done; and (2) a Builder module, located in the main building of the telecom company. This module is responsible to mount the phone bill when requested by a telecom client, using the data stored previously by the Adaptor modules and make the data available to the client using the Web.

The SETWeb system, provides a GUI interface to facilitate the user registration and the user access to his file. See Figure 5.

19

Figure 5 – Phone bill available on the Web. The data stored by the Adaptor modules to be available to the Builder module are organized in a relational data base. The data base includes tables to storage the CDRs, the telecom clients, the SETWeb registered clients, tariffs and pulses by call type among others. The data base allows auditory, what collaborates for the security management.

20

5. CONCLUSION

Today’s technologies are network operation intrusive, i.e., they often limit the connectivity and inhibit easier access to data and services. With the increasing popularity of wireless network, the security issue for mobile users could be even more serious than we expect. In this paper, we have presented SSTCC, a general framework for a distributed security system against mobile phone fraud operations. And a SETWeb, module of SSTCC, that allows the clients to access to their phone bill at any time in a safe and secure mode. This module have proven to be an effective way to fight against fraud and impostors that might use mobile phones improperly. The widespread use of computers and their connectivity, particularly the web and the Java programming has provided a new influx in the research and development in e-commerce and internet based applications such as the SETWeb.

We have shown how LOTOS ISO standard can help to validate and prove its correctness, i.e., safe. SETWeb provides security at (1) protocols/transport layer; (2) environment/browsers; and (3) architectures and languages (Java/Corba). Consequently, SETWeb is a secure system that includes the following security services: (1) the authenticity of the user and the provider is verified; (2) the confidentiality and integrity of the passwords and information are guaranteed, i.e., the data flow is trustable; (3) the availability of the services and information is guaranteed; (4) the nonrepudiation is prevented, i.e., the user and the provider can not deny the fact that they are participating in the consultation process if they are really participating; and (5) the control access is implemented, inclusive in order to facilitate future mechanisms.

21

As future works, we plan to enhance the SSTCC system and its’ SETWeb module using the next generation of wireless communication systems that will include the web-technology within the cellular phones by the use of WAP – Wireless Application Protocol. In addition, we aim at investigating the use of servlets instead applets in order to increase even more the security of the system.

REFERENCES [1]

M. Rozemblit, Security for telecommunications network management, IEEE Press, Piscataway, USA, 1999.

[2]

S. Aidarous and T. Plevyak, Telecommunications network management: technologies and implementations, IEEE Press, Piscataway, USA, 1998.

[3]

G. Calhoun, Third generation wireless communications: post shannon architectures, Artech House Publishers, Norwood, USA, 1999.

[4]

R. Prasad, Third generation mobile communications systems, Artech House Publishers, Norwood, USA, 1999.

[5]

P. Chaudhury, W. Mohr, and S. Onoe, The 3GPP proposal for IMT2000, IEEE Communications Magazine, New York, v.37, n.12, pp. 7281, 1999.

[6]

M.S.M.A. Notare, Conception, development and analysis of a security management system for telecommunication networks, PhD Thesis, Computer Science, Federal University of Santa Catarina, Brazil, 2000.

[7]

M.S.M.A. Notare, A. Boukerche, F. A. S. Cruz, B. G. Riso, C. B. Westphall, Security Management Against Cloning Mobile Phones. In: IEEE GLOBECOM, Rio de Janeiro, pp. 1969-1973, 1999.

[8]

M. S. M. A. Notare, F. A. S. Cruz, J. B. M. Sobral, J. B. M. Alves, B. G. Riso and C. B. Westphall, Distributed Management in the Security Area for Cloned Mobile Phones, In: IEEE DSOM, Newark, USA, pp. 14-24, 1998.

[9]

D. S. Alexander, W. A. Arbaugh,, A. D. Keromytis, and J. M. Smith, Safety and security of programmable networks infrastructures, IEEE

22

Communications Magazine, New York, v.36, n.10, pp. 84-92, 1998. [10]

E. Brinksma, ISO 8807 - International Organization for Standardization – LOTOS - Language of Temporal Ordering Specifications, 1988.

[11]

H. Garavel, CADP: Eucalyptus France, 1997.

[12]

W. Stallings, Network and internetwork security: principles and practice, Prentice-Hall/IEEE Press, Englewood Cliffs, USA, 1995.

[13]

E. Simon, Distributed Informations Systems: from client/server to distributed multimedia, McGraw-Hill, Maidenhead, England, 1996.

[14]

C. Pfleeger and D. Cooper, Security and privacy: promising advances, IEEE Software, New York, pp. 110-111, 1997.

[15]

P. Dowd and J. T. Mchenry, Network security: it's time to take it seriously, IEEE Computer Magazine, New York, v.31, n.9, pp. 24-28, 1998.

[16]

R. Oppliger, Security technologies for the World Wide Web, Artech House Publisher, Norwood, USA, 1999.

[17]

A. D. Rubin and D. E. Geer, A Survey of Web Security. IEEE Computer, New York, v.l.31, n.9, pp. 34-41, 1998.

[18]

L. H. Hauw, Z. Canela, and F. Voyer. A CORBA-based TMN prototype with Web access. In: IEEE DSOM, Australia, pp. 81-93, 1997.

manual, INRIA/VASY, Grenoble,