I'm a 22yo Algerian Computer Science & Web Development Master's Graduate. I build low-level eBPF kernel enforcement engines, Tor-anonymized C2 frameworks, and proactive CTI platforms from scratch.
Rigorous empirical research addressing critical blind spots in software supply chain security, runtime machine learning pipelines, and eBPF kernel enforcement.
Traffic Light Protocol, AST Reachability & Active Deception Docker Sandbox for NPM/PyPI Pipelines
The Problem: Software supply chain attacks on NPM/PyPI package registries have surged by 742%, where attackers inject credential stealers, backdoors, or cryptominers into open-source dependencies before code review.
How It Works: A pre-merge CI/CD defense utilizing a "Traffic Light" protocol (SAFE ≤3,
SANDBOX 4-9, BLOCK ≥10). A static AST reachability layer scans 12 attack vectors (SA-001 to SA-012) while
filtering dead code. If flagged, suspicious packages are detonated inside an Active Deception Docker
container populated with honeytokens (fake AWS & SSH keys) monitored in real time via kernel
strace.
Proven Results: Evaluated on 17,316 real-world samples from the Datadog dataset, achieving 89.6% (NPM) and 82.2% (PyPI) malicious detection rates with 0% false positives on benign packages at ~2.04 seconds per package.
Novel eBPF & Linux Security Module (LSM) Supply Chain Defense Framework
The Problem: Solves the critical "Temporal Window of Installation" vulnerability where malicious open-source packages execute arbitrary install scripts with full user privileges before standard runtime monitors or static scanners engage.
How It Works: A custom eBPF engine attached directly to Linux kernel LSM hooks
(socket_connect, bprm_check_security). It implements Deep Process Tree Tracking
to monitor installer lineage and block evasion attempts (e.g., pip spawning bash or curl), armed with an
autonomous Active Kill Switch terminating malicious process groups (PGID) in microseconds.
Proven Results: Achieved 100% block rate across diverse attack classes on the QUT-DV25
dataset with 0% false positives and negligible ~100ns latency overhead. Upgraded with sudo-free
unprivileged eBPF execution and .pth File Planting persistence detection.
First Formal Taxonomy, SDAS Risk Scoring & Dynamic Kernel strace Interception for ML Software
The Problem: When running pip install transformers, standard scanners
inspect ~70 declared packages. However, at runtime, ML pipelines silently load hundreds of unmanifested
native `.so` binaries, model weights, and arbitrary scripts (trust_remote_code=True)
completely invisible to standard SCA tools (Snyk, Trivy, pip-audit).
How It Works: Establishes the industry's first formal 4-category taxonomy (SD-1 to SD-4)
and quantitative SDAS risk score. Operates as a 5-phase CI/CD auditor combining Hugging Face Hub metadata
verification with kernel-level strace interception across multithreaded BLAS/MKL process
trees to generate Dynamic CycloneDX v1.5 SBOMs.
Proven Results: Discovered that on standard bert-base-uncased, 71% of
runtime dependencies (242/341 native libraries) are invisible to standard scanners. Intercepted reverse
shells embedded in C extensions and exposed hidden OpenSSL CVEs below the Python layer.
Building Algeria's first contextualized cyber threat intelligence platform tailored for critical infrastructure operators.
Rather than overwhelming SOC teams with generic, global threat feeds containing thousands of irrelevant CVEs, **Vector** enables enterprises to build a precise **Digital Twin** of their exact technology stack, spanning hardware models, firmware versions, OS distributions, and enterprise software using NIST industry standards.
Vector's custom matching engine continuously cross-references real-time zero-day disclosures, NVD CVE feeds, and APT campaign IOCs directly against the organization's Digital Twin. When a newly discovered threat impacts an Algerian critical infrastructure operator (Energy, Water, Telecom, Government, or ICS/SCADA), alerts are dispatched instantly with tailored mitigation guidance.
High-stealth Red Team architectures, zero-trust network simulations, vulnerability crawlers, and credited zero-day disclosures.
Sophisticated Command & Control framework operating entirely over Tor Hidden Services
(.onion). Bypasses strict inbound firewall rules, CGNAT, and Deep Packet Inspection (DPI)
without port forwarding or public IP exposure.
Extends the industry-standard Sliver C2 framework by deploying a Tor hidden service pointing to a local HTTP proxy that forwards everything directly to Sliver's HTTPS listener.
Implants connect covertly through the Tor network while operators maintain full management control inside standard Sliver interface sessions. Featured in comprehensive technical Medium deep dive.
Intelligent web vulnerability crawler combining machine learning models with traditional security heuristics. Crawls dynamic web targets, detecting SQL injection (SQLi) and Cross-Site Scripting (XSS) in real time.
Streams detection alerts and severity scores to a sleek, modern web dashboard for real-time triage and remediation reporting.
Complete enterprise network architecture constructed across HQ, DMZ, and branch sites. Documented across 11 comprehensive milestones with schematics.
Discovered and reported critical vulnerability in the widely-used **Caddy Web Server** (CVSS 9.1: "Unauthenticated Admin API Configuration Modification").
Officially credited as the original reporter on the GitHub Security Advisory. Maintainers praised the responsible disclosure, detailed instructional documentation, and video proof-of-concept.
Active competitive hacker ranked **Pro (#731 Global)** on Hack The Box. Authored open-source writeups repository detailing solutions for complex machines and challenges.
Active bug bounty hunter on YesWeHack with 3 reports currently under RTFS review. Solved advanced PortSwigger labs, crAPI (REST API vulnerabilities), and DVGA (GraphQL exploitation).
Achieved through resourcefulness, scholarship programs, and relentless self-study without external financial backing ("doing more than what I can with what I have").
Feel free to connect with me directly across my official developer profiles or inspect my active open-source security repositories and technical writeups.