Abstract de la publi numéro 13573

Network security is inherently a distributed function that involves the coordination of a set of devices, each device affording its specific security features. The complexity of this task resides in the number, the nature, and the interdependence of the mechanisms. Any security service can interfere with others creating a breach in the whole network security. We propose a formal data flow oriented model to detect network security conflicts. Network security services are represented by specific abstract functions that can modify the data flow. We have specified our model in hierarchical Colored Petri Nets to automate the conflicts detection analysis. This approach has been tested on various NAPT/IPsec scenarios to prove that without any a priori knowledge these conflicts can be detected.