
Data and Applications Security Developments and Directions

Confidentiality Privacy Trust (CPT). COMPSAC 2005. Dr. Bhavani Thuraisingham, The University of Texas at Dallas, July 2005.



Presentation Transcript


  1. Data and Applications Security Developments and Directions
     Confidentiality Privacy Trust (CPT)
     COMPSAC 2005
     Dr. Bhavani Thuraisingham, The University of Texas at Dallas
     July 2005

  2. Outline
     • Semantic web as vehicle for collaboration
     • Trustworthy/dependable data management
     • Confidentiality
     • Data Mining and Privacy
     • Platform for Privacy Preferences
     • Trust Management
     • Coalition Policy Architecture

  3. Layered Architecture for Dependable Semantic Web
     [Figure: layer stack, bottom to top: URI, UNICODE; XML, XML Schemas; RDF, Ontologies; Rules/Query; Logic, Proof and Trust; Other Services. SECURITY and PRIVACY run vertically across all layers.]
     • Adapted from Tim Berners-Lee's description of the Semantic Web
     • Some Challenges: Interoperability between layers; Security and Privacy cut across all layers; Integration of Services; Composability

  4. Relationships between Dependability, Confidentiality, Privacy, Trust
     [Figure: Privacy, Confidentiality and Trust shown as components of Dependability]
     • Dependability: Security, Privacy, Trust, Real-time Processing, Fault Tolerance; also sometimes referred to as "Trustworthiness"
     • Confidentiality: Preventing the unauthorized release of information considered sensitive
     • Privacy: Preventing the unauthorized release of information about individuals considered sensitive
     • Trust: Confidence one has that an individual will give him/her correct information, or that an individual will protect sensitive information

  5. Some Confidentiality Models: RBAC and UCON
     Access Control Models by Sandhu et al.
     • RBAC (Role-based access control):
       • Access to information sources, including structured and unstructured data both within the organization and external to the organization, depending on user roles
     • UCON (Usage Control):
       • Policies of Authorizations, Obligations and Conditions
       • Authorization decisions are determined by policies of the subject, object and right
       • Obligations are actions that are required to be performed before or during the access process
       • Conditions are environment restrictions that are required to be valid before or during the access process
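As an added example (not code from the talk or from Sandhu et al.), the Python sketch below shows what each model's decision depends on: RBAC grants a right through the roles a user holds, while UCON additionally checks obligations the subject must have fulfilled and environmental conditions that must hold at access time. The role names, rights, the `accept_terms` obligation and the `hour`/`network` environment attributes are constructed for the illustration.

```python
"""Added illustration of RBAC versus UCON decisions.
Not code from the talk or from Sandhu et al.; roles, rights, the obligation
name and the environment attributes are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# --- RBAC: rights are attached to roles, roles to users ------------------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read:report"},
    "manager": {"read:report", "approve:report"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob": {"manager"},
}


def rbac_permits(user: str, right: str) -> bool:
    """RBAC decision: does any role held by the user carry the requested right?"""
    return any(right in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- UCON: authorization + obligations + conditions ---------------------
@dataclass
class Request:
    subject: str
    obj: str
    right: str
    # Obligations the subject has already performed (e.g. accepted a usage notice)
    fulfilled: Set[str] = field(default_factory=set)


@dataclass
class UconPolicy:
    # Pre-obligations: actions required before access is granted
    obligations: Set[str]
    # Conditions: environment predicates that must hold at access time
    conditions: Dict[str, Callable[[dict], bool]]


# Constructed policy: accept terms first, and only from the corporate network during business hours
POLICY = UconPolicy(
    obligations={"accept_terms"},
    conditions={
        "business_hours": lambda env: 8 <= env["hour"] < 18,
        "internal_network": lambda env: env["network"] == "corp",
    },
)


def ucon_decide(req: Request, policy: UconPolicy, env: dict) -> Tuple[bool, str]:
    """UCON decision: authorization (here delegated to RBAC), then obligations,
    then conditions. Returns (allowed, reason) so a denial is explainable."""
    if not rbac_permits(req.subject, req.right):
        return False, "authorization: no role grants the right"
    missing = policy.obligations - req.fulfilled
    if missing:
        return False, f"obligation not fulfilled: {sorted(missing)}"
    for name, predicate in policy.conditions.items():
        if not predicate(env):
            return False, f"condition not satisfied: {name}"
    return True, "permit"


if __name__ == "__main__":
    env = {"hour": 10, "network": "corp"}
    print(ucon_decide(Request("alice", "q3-report", "read:report", {"accept_terms"}), POLICY, env))
    print(ucon_decide(Request("bob", "q3-report", "approve:report"), POLICY, env))
```

The point of the split decision is that an RBAC check alone would permit Bob to approve the report; UCON withholds the same access until the obligation is met and denies it again outside the stated conditions, which is the "before or during the access process" part of the slide.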

  6. Security/Inference Control (for Semantic Web)
     [Figure: Interface to the Client → Security Engine/Rules Processor (using Policies, Ontologies, Rules) → Semantic Web Engine → XML, RDF Documents; Web Pages, Databases]

  7. Data Mining as a Threat to Privacy
     • Data mining gives us "facts" that are not obvious to human analysts of the data
     • Can general trends across individuals be determined without revealing information about individuals?
     • Possible threats:
       • Combine collections of data and infer information that is private
         • Disease information from prescription data
         • Military action from pizza delivery to the Pentagon
     • Need to protect the associations and correlations between the data that are sensitive or private

  8. Some Privacy Problems and Potential Solutions
     • Problem: Privacy violations that result from data mining
       • Potential solution: Privacy-preserving data mining
     • Problem: Privacy violations that result from the inference problem
       • Inference is the process of deducing sensitive information from the legitimate responses received to user queries
       • Potential solution: Privacy constraint processing
     • Problem: Privacy violations due to unencrypted data
       • Potential solution: Encryption at different levels
     • Problem: Privacy violations due to poor system design
       • Potential solution: Develop a methodology for designing privacy-enhanced systems

  9. Privacy Preserving Data Mining
     • Prevent useful results from mining
       • Introduce "cover stories" to give "false" results
       • Only make a sample of the data available, so that an adversary is unable to come up with useful rules and predictive functions
     • Randomization
       • Introduce random values into the data and/or results
       • Challenge is to introduce random values without significantly affecting the data mining results
       • Give a range of values for results instead of exact values
     • Secure Multi-party Computation
       • Each party knows its own inputs; encryption techniques are used to compute the final results
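The randomization bullet above is the one the slide flags as a challenge, so here is an added example of it (not code from the talk) for the question slide 7 asks: can a trend across individuals be estimated without revealing any one individual? It uses Warner-style randomized response on a single sensitive yes/no attribute: each record is perturbed so that no reported value can be trusted, yet the population proportion is recovered by inverting the known noise. The population size, the true proportion, the truth probability and the seed are constructed for the example.

```python
"""Added illustration of randomization for privacy-preserving mining.
Not code from the talk; population, truth probability and seed are constructed.
Mechanism: Warner-style randomized response on one binary attribute."""
import random
from typing import List


def randomize(true_bits: List[int], p_truth: float, rng: random.Random) -> List[int]:
    """Each individual reports the true bit with probability p_truth and a fair
    coin flip otherwise. The report alone does not reveal which branch was taken,
    so a single record gives the recipient only limited evidence about the person."""
    reported = []
    for b in true_bits:
        if rng.random() < p_truth:
            reported.append(b)
        else:
            reported.append(rng.randint(0, 1))
    return reported


def estimate_proportion(reported: List[int], p_truth: float) -> float:
    """Undo the expected noise: E[report] = p_truth*pi + (1 - p_truth)*0.5,
    so the aggregate mining result pi is still recoverable from the perturbed data."""
    observed = sum(reported) / len(reported)
    return (observed - (1 - p_truth) * 0.5) / p_truth


def posterior_given_report_one(pi: float, p_truth: float) -> float:
    """What a recipient can infer about ONE individual who reported 1:
    P(true = 1 | report = 1) by Bayes' rule. With p_truth = 1 this is 1 (no privacy);
    as p_truth falls it moves toward the prior pi."""
    p_report_one_given_true = p_truth + (1 - p_truth) * 0.5
    p_report_one = p_truth * pi + (1 - p_truth) * 0.5
    return p_report_one_given_true * pi / p_report_one


def demo(n: int = 20000, pi: float = 0.3, p_truth: float = 0.5, seed: int = 7) -> dict:
    """Constructed population with exactly pi*n sensitive records; randomize it
    and compare the recovered aggregate with the truth."""
    rng = random.Random(seed)
    ones = int(pi * n)
    true_bits = [1] * ones + [0] * (n - ones)
    rng.shuffle(true_bits)
    reported = randomize(true_bits, p_truth, rng)
    altered = sum(1 for t, r in zip(true_bits, reported) if t != r) / n
    return {
        "true_proportion": pi,
        "estimate": estimate_proportion(reported, p_truth),
        "fraction_of_records_altered": altered,
        "recipient_confidence_per_individual": posterior_given_report_one(pi, p_truth),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.4f}")
```

With `p_truth = 0.5` a quarter of the records are altered on average, the recovered proportion stays within a few hundredths of the true 0.3 at this sample size, and a reported 1 only raises the recipient's belief about that individual from 0.30 to about 0.56. Lowering `p_truth` trades aggregate accuracy for individual deniability, which is exactly the tension the slide describes.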

  10. Platform for Privacy Preferences (P3P): What is it?
      • P3P is an emerging industry standard that enables web sites to express their privacy practices in a standard format
      • When a user enters a web site, the privacy policies of the web site are conveyed to the user
      • If the privacy policies differ from the user's preferences, the user is notified; the user can then decide how to proceed
      • The format of the policies can be automatically retrieved and understood by user agents
      • Main difference between privacy and security:
        • User is informed of the privacy policies
        • User is not informed of the security policies
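The user-agent step the slide describes (retrieve the site's machine-readable policy, compare it with stored preferences, notify on differences) as an added Python example, not code from the talk or from the W3C. The policy below is a constructed, cut-down P3P-style fragment using the PURPOSE, RECIPIENT, RETENTION and DATA-GROUP vocabulary; a real P3P 1.0 policy sits inside a namespaced POLICIES element with further ENTITY and ACCESS elements, which are left out here. The preference dictionary is this example's own format, not part of the standard.

```python
"""Added example of the P3P user-agent matching step.
Not code from the talk; the policy fragment is a constructed, simplified
P3P-style document and the preference format is this example's own."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed site policy (simplified; no POLICIES wrapper, namespace, ENTITY or ACCESS)
SITE_POLICY_XML = """
<POLICY name="shop" discuri="http://example.invalid/privacy.html">
  <STATEMENT>
    <PURPOSE><current/><admin/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

PRACTICE_ELEMENTS = ("PURPOSE", "RECIPIENT", "RETENTION")

# Assumed user preferences: the practice values the user is willing to accept
USER_PREFERENCES: Dict[str, Set[str]] = {
    "PURPOSE": {"current", "admin", "develop"},
    "RECIPIENT": {"ours", "delivery", "same"},
    "RETENTION": {"no-retention", "stated-purpose", "legal-requirement"},
}


def parse_policy(xml_text: str) -> List[Dict[str, Set[str]]]:
    """One dict per STATEMENT: practice element -> set of declared values,
    plus 'DATA' -> the data references the statement applies to."""
    root = ET.fromstring(xml_text)
    statements = []
    for stmt in root.iter("STATEMENT"):
        entry: Dict[str, Set[str]] = {}
        for name in PRACTICE_ELEMENTS:
            node = stmt.find(name)
            # An Element with no children is falsy, so test against None explicitly
            entry[name] = {child.tag for child in node} if node is not None else set()
        entry["DATA"] = {d.get("ref", "") for d in stmt.iter("DATA")}
        statements.append(entry)
    return statements


def find_conflicts(statements: List[Dict[str, Set[str]]],
                   prefs: Dict[str, Set[str]]) -> List[str]:
    """Every declared practice the user has not accepted, with the data it covers.
    An empty list means the site's policy is within the user's preferences."""
    conflicts = []
    for stmt in statements:
        data = ", ".join(sorted(stmt["DATA"]))
        for name in PRACTICE_ELEMENTS:
            for value in sorted(stmt[name] - prefs[name]):
                conflicts.append(f"{name} '{value}' not accepted by user (data: {data})")
    return conflicts


if __name__ == "__main__":
    for line in find_conflicts(parse_policy(SITE_POLICY_XML), USER_PREFERENCES):
        print(line)
```

For this constructed policy the agent would report three differences (telemarketing purpose, an unrelated recipient, indefinite retention) and leave the decision to the user, which is the "user is notified; user can then decide" behaviour on the slide.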

  11. Privacy Problem as a Form of Inference Problem
      • Privacy constraints
        • Content-based constraints; association-based constraints
      • Privacy controller
        • Augment a database system with a privacy controller for constraint processing and examine the releasability of data/information (e.g., release constraints)
      • Use of conceptual structures to design applications with privacy in mind (e.g., privacy preserving database and application design)
      • The web makes the problem much more challenging than the inference problem we examined in the 1990s!
      • Is the General Privacy Problem Unsolvable?
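An added example (not code from the talk) of the privacy controller the slide describes, covering both constraint kinds and the inference definition from slide 8: a content-based constraint marks an attribute as private on its own, an association-based constraint marks a combination of attributes as private when released together, and the controller remembers what each user has already received so the combination cannot be assembled from a sequence of individually legitimate queries. The table, attribute names and constraints are constructed for the illustration.

```python
"""Added illustration of a privacy controller doing constraint processing.
Not code from the talk; the records, attributes and constraints are constructed."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed table the controller sits in front of
RECORDS: List[Dict[str, str]] = [
    {"name": "A. Smith", "zip": "75080", "diagnosis": "influenza", "prescription": "oseltamivir"},
    {"name": "B. Jones", "zip": "75081", "diagnosis": "none", "prescription": "none"},
]

# Content-based constraint: the attribute is private on its own
CONTENT_CONSTRAINTS: Set[str] = {"diagnosis"}

# Association-based constraints: each attribute may be released alone, but the
# combination lets the receiver infer the private attribute (drug -> diagnosis)
ASSOCIATION_CONSTRAINTS: List[FrozenSet[str]] = [
    frozenset({"name", "prescription"}),
    frozenset({"zip", "prescription"}),
]


class PrivacyController:
    """Checks each query against the constraints and remembers, per user, what has
    already been released, so an association cannot be built up across queries."""

    def __init__(self) -> None:
        self.released: Dict[str, Set[str]] = {}

    def check(self, user: str, requested: Set[str]) -> Tuple[bool, List[str]]:
        """Releasability decision with reasons; does not record anything."""
        reasons: List[str] = []
        for attr in sorted(requested & CONTENT_CONSTRAINTS):
            reasons.append(f"content constraint: '{attr}' is private")
        cumulative = self.released.get(user, set()) | requested
        for combo in ASSOCIATION_CONSTRAINTS:
            if combo <= cumulative:
                reasons.append(
                    f"association constraint: {sorted(combo)} would be jointly released to '{user}'"
                )
        return (not reasons), reasons

    def query(self, user: str, requested: Set[str]) -> Tuple[Optional[List[Dict[str, str]]], List[str]]:
        """Answer the projection if releasable, recording what the user now holds."""
        ok, reasons = self.check(user, requested)
        if not ok:
            return None, reasons
        self.released.setdefault(user, set()).update(requested)
        projected = [{a: row[a] for a in sorted(requested)} for row in RECORDS]
        return projected, []


if __name__ == "__main__":
    controller = PrivacyController()
    print(controller.query("u1", {"name", "zip"}))       # released
    print(controller.query("u1", {"prescription"}))      # denied: would complete {name, prescription}
    print(controller.query("u2", {"prescription"}))      # released to a user holding no names
```

The history check is deliberately conservative: it treats any attributes a user has ever received as jointly available, which is the simplest defensible answer to the "legitimate responses received to user queries" wording of slide 8 without attempting to model joins between separate result sets.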

  12. Privacy Control
      [Figure: Client accessing the Web site → Interface to the Semantic Web → Privacy Engine/Rules Processor (using Policies, Ontologies, Rules) → XML, RDF Documents]

  13. Trust Management
      • Trust Services
        • Identity services, authorization services, reputation services
      • Trust negotiation (TN)
        • Digital credentials, disclosure policies
      • TN Requirements
        • Language requirements: semantics, constraints, policies
        • System requirements: credential ownership, validity, alternative negotiation strategies, privacy
      • Example TN systems
        • KeyNote, Trust-X (U of Milan), TrustBuilder (UIUC)

  14. Trust Management Process

  15. Coalition CPT Policy Integration Architecture
      [Figure: CPT Policies for Coalition at the top; Component CPT Policies for Agency A, Agency B and Agency C each Export CPT Policies up to the coalition level]
