
2006 | Book

Information Systems Security

Second International Conference, ICISS 2006, Kolkata, India, December 19-21, 2006. Proceedings

Edited by: Aditya Bagchi, Vijayalakshmi Atluri

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


Table of Contents

Frontmatter

Invited Papers

Privacy in the Electronic Society

The Internet provides unprecedented opportunities for the collection and sharing of privacy-sensitive information from and about users. Information about users is collected every day, as they join associations or groups, shop for groceries, or execute most of their common daily activities. Such information is subsequently processed, exchanged and shared between different parties, with users often having little control over their personal information once it has been disclosed to third parties. Privacy is therefore becoming an increasing concern. In this paper we discuss some problems to be addressed in the protection of information in our electronic society, surveying ongoing work and open issues to be investigated.

Sabrina De Capitani di Vimercati, Pierangela Samarati
A Data Sharing Agreement Framework

When consumers build value-added services on top of data resources they do not control, they need to manage their information supply chains to ensure that their data suppliers produce and supply required data as needed. Producers also need to manage their information supply chains to ensure that their data is disseminated and protected appropriately. In this paper, we present a framework for data sharing agreements (DSA) that supports a wide variety of data sharing policies. A DSA is modeled as a set of obligation constraints expressed over a dataflow graph whose nodes are principals with local stores and whose edges are (typed) channels along which data flows. We present a specification language for DSAs in which obligations are expressed as distributed temporal logic (DTL) predicates over data resources, dataflow events, and datastore events. We illustrate the use of our framework via a case study based on a real-world data sharing agreement and discuss issues related to the analysis and compliance of agreements.

Vipin Swarup, Len Seligman, Arnon Rosenthal
Password Exhaustion: Predicting the End of Password Usefulness

Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.

Luke St. Clair, Lisa Johansen, William Enck, Matthew Pirretti, Patrick Traynor, Patrick McDaniel, Trent Jaeger
Network Monitoring for Security and Forensics

The networked environment has grown hostile over the years. In order to guarantee the security of networks and the resources attached to them, it is necessary to constantly monitor and analyze network traffic. Increasing network bandwidth, however, prohibits the recording and analysis of raw network traffic. In this paper we discuss some challenges facing network monitoring and present monitoring strategies to alleviate them.

Kulesh Shanmugasundaram, Nasir Memon

Data and Application Security

Fairness Strategy for Multilevel Secure Concurrency Control Protocol

The conventional concurrency control protocols cannot be directly used in multilevel secure database management systems (MLS/DBMS), because they may be exploited to establish covert channels. The stringent non-interference requirements imposed by multilevel security dictate modification of the conventional concurrency control. A number of multilevel secure concurrency control protocols have been proposed in the literature which address the problem of covert channels. To prevent covert channels, most of these concurrency control protocols give high priority to the operations of a low security level transaction when they conflict with the operations of a high security level transaction. This may lead to the abortion or re-execution of high security level transactions over and over again, making the concurrency control protocols unfair towards high security level transactions. Motivated by fairness concerns, we present a fairness strategy for multilevel secure concurrency control protocols to achieve fair performance across different security levels while guaranteeing Orange security. Our simulation results show that the fairness strategy can achieve a significant performance improvement in terms of fairness.

Navdeep Kaur, Rajwinder Singh, Manoj Misra, A. K. Sarje
Optimistic Anonymous Participation in Inter-organizational Workflow Instances

Electronic business applications are often structured by workflow declarations that span potentially numerous generic activities in different organizations. Such declarations are used to assign activities to specific entities, and to dynamically grant and revoke access to the resources according to the execution state of the workflow instance. If competing organizations cooperate in common workflow instances for achieving a joint purpose, they might want to let entities participate anonymously. Anonymous participation demands a restricted flow of identifying information, whereas state dependent access control requires the flow of specific control information. In this paper we introduce the ‘Anonymous SDSD’ approach (State-Dependent Security Decisions) balancing the conflicting requirements by combining techniques like onion routing, logging, bulletin boards, pseudonyms and proxies.

Joachim Biskup, Joerg Parthe
O2O: Virtual Private Organizations to Manage Security Policy Interoperability

Nowadays, the interaction between systems is absolutely essential to achieve business continuity. There is a need to exchange and share services and resources. Unfortunately, this does not come without security problems. The organizations (companies, enterprises, etc.) have to manage accesses to their services and resources by external opponents. O2O is a formal approach we suggest in this paper to deal with access control in an interoperability context. It is based on two main concepts: Virtual Private Organization (VPO) and Role Single-Sign On (RSSO). A VPO enables any organization undertaking an inter-operation with other organizations to keep control over the resources accessed during the interoperability phases. The RSSO principle allows a given subject to keep the same role when accessing another organization, but with privileges defined in the VPO. Thus, using O2O, each organization can define and enforce its own secure interoperability policy. O2O is integrated in the OrBAC model (Organization based access control).

Frédéric Cuppens, Nora Cuppens-Boulahia, Céline Coma
Privacy Preserving Web-Based Email

Recent web-based applications offer users free service in exchange for access to personal communication, such as on-line email services and instant messaging. The inspection and retention of user communication is generally intended to enable targeted marketing. However, unless specifically stated otherwise by the collecting service’s privacy policy, such records have an indefinite lifetime and may be later used or sold without restriction. In this paper, we show that it is possible to protect a user’s privacy from these risks by exploiting mutually oblivious, competing communication channels. We create virtual channels over online services (e.g., Google’s Gmail, Microsoft’s Hotmail) through which messages and cryptographic keys are delivered. The message recipient uses a shared secret to identify the shares and ultimately recover the original plaintext. In so doing, we create a wired “spread-spectrum” mechanism for protecting the privacy of web-based communication. We discuss the design and implementation of our open-source Java applet, Aquinas, and consider ways that the myriad of communication channels present on the Internet can be exploited to preserve privacy.

Kevin Butler, William Enck, Jennifer Plasterr, Patrick Traynor, Patrick McDaniel

Access Control

Context-Aware Provisional Access Control

The high heterogeneity and dynamicity of pervasive computing environments introduce a requirement for more flexible and functional access control policies. The notion of provisional actions has been defined previously to overcome the insufficient grant/denial response to an access request and has been incorporated in the provision-based access control model (PBAC). Based on PBAC, we propose a context-aware provision-based access control model, capable of dynamic adaptation of the access control policy according to the changing context. In particular, the model facilitates the definition of context-aware policies and enriches access control by enforcing provisional actions in addition to common permissions.

Amir Reza Masoumzadeh, Morteza Amini, Rasool Jalili
LRBAC: A Location-Aware Role-Based Access Control Model

With the growing use of wireless networks and mobile devices, we are moving towards an era where location information will be necessary for access control. Location information can be used to enhance the security of an application, but it can also be exploited to launch attacks. For critical applications, a formal model for location-based access control is needed that increases the security of the application and ensures that the location information cannot be exploited to cause harm. In this paper, we show how the Role-Based Access Control (RBAC) model can be extended to incorporate the notion of location. We show how the different components in the RBAC model are related to location and how this location information can be used to determine whether a subject has access to a given object. This model is suitable for applications consisting of static and dynamic objects, where the location of the subject and object must be considered before granting access.

Indrakshi Ray, Mahendra Kumar, Lijun Yu
Extending Context Descriptions in Semantics-Aware Access Control

Security is a crucial concern for commercial and mission critical applications in Web-based environments. In our model, context information associated with Access Control management policies is defined according to basic operators that can be represented using the Web Ontology Language. Standard inference procedures of Description Logics are being used to check the consistency of context information referred to by policy conditions and, more interestingly, to pre-process context information for grounding policy propagation and enabling conflict resolution. In this paper, we extend the model to encompass part-of relations between entities in context descriptions and, consequently, revise the policy propagation criteria being applied to the model to take into account the newly introduced relations. Finally, we exemplify modality conflicts arising from part-of relations, a category of extensional conflicts (i.e., inconsistencies related to individuals) that cannot be foreseen by looking at the terminology underlying context information.

E. Damiani, S. De Capitani di Vimercati, C. Fugazza, P. Samarati
Specification and Realization of Access Control in SPKI/SDSI

SACL is an access control language based on the SPKI/SDSI PKI that has features like group certificates, delegation, threshold certificates, etc. In this paper, we show how SACL can be effectively realized in a Security Automata framework. We establish the equivalence of the transformation with the SPKI/SDSI semantics as well as the set-theoretic semantics. The transformation gives an efficient way to enforce the policy being defined and allows inference of authorizations obtained from multiple certificates. Further, we describe algorithms for efficiently solving certificate-analysis problems, resource authentication problems, etc. The transformation allows us to capture the authorization of tags while being delegated in an unambiguous way and to define the set of tags permissible under threshold certification. The framework succinctly captures the expressive power of SACL and enables heterogeneous integration of SACL with state-based security mechanisms that are widely used for the protection/security of classical OSs, databases, etc. One of the distinct advantages of the framework is the amenability of using finite state model-checking algorithms for verifying access control. We shall show how very useful properties can be verified using our transformation.

N. V. Narendra Kumar, R. K. Shyamasundar

Key Management and Security in Wireless Networks

Design of Key Establishment Protocol Using One-Way Functions to Avert insider-replay Attack

In this work, we have identified a class of weakness named as insider-replay attack in a number of existing protocols and propose a common design principle to avoid the weakness. Also, based on the design principles, we propose three key establishment schemes under two different scenarios. The proposed schemes are efficient in terms of the number of nonces used and are based on one-way functions.

Mounita Saha, Dipanwita RoyChowdhury
An Efficient Key Assignment Scheme for Access Control in a Hierarchy

This paper examines a hash based hierarchical access control scheme proposed by Yang and Li. It is shown that the scheme suffers from the ex-member access problem. A new hash based scheme that avoids the ex-member problem is proposed. Our scheme has the following advantages: (i) it uses less private storage per node; (ii) addition or deletion of nodes and users does not require rekeying of all nodes; and (iii) the static version of the scheme carries a proof of security. A hash based scheme recently proposed by Atallah, Frikken and Blanton also has these properties. Compared to their scheme, our scheme requires less public storage space for tree hierarchies.

Praveen Kumar Vadnala, Anish Mathuria
Adaptation of IEEE 802.1X for Secure Session Establishment Between Ethernet Peers

Network connectivity has undergone a significant change since the appearance and increasing deployment of IEEE 802.11 technology. Wireless links are inherently insecure and, in order to secure them, the IEEE 802.11i amendment has defined the security mechanisms to be used. The solution described in IEEE 802.11i is applicable, in theory, to both infrastructure and ad-hoc networks. Nevertheless, the great deployment of wireless access points and the potential economical benefits derived from it impelled the standardization bodies to provide a security solution for IEEE 802.11 access links. Therefore, IEEE 802.11i has been designed as an infrastructure-oriented solution, and some of the design decisions are not the most appropriate for its use in peer-to-peer communications, showing several limitations to secure ad-hoc networks. We have found the same drawbacks when trying to adapt the IEEE 802.1X model for providing end-to-end security at the link layer between Ethernet peers. We have identified the shortcomings of the standardized solution for its application in securing peer-to-peer communications, and we propose some modifications to the IEEE 802.1X model that help to overcome those limitations. These modifications have been implemented and functionally tested for establishing secure communications between end stations in Ethernet networks.

Purificación Sáiz, Jon Matías, Eduardo Jacob, Javier Bustamante, Armando Astarloa
Secure Data Management in Reactive Sensor Networks

A wireless sensor network (WSN), an ad hoc network of resource constrained sensor nodes, has become an attractive option for monitoring applications. The wide use of sensor networks is due to the cheap hardware and the detailed information they provide to the end user. As with every network of every computing device, security is one of the key issues of sensor networks. The resource constrained nature of sensor nodes makes security quite challenging. Sensor networks are prone to many kinds of security attacks, viz. report fabrication attack, denial of service attack, Sybil attack, traffic analysis attack, node replication attack, physical attack, etc. The report fabrication attack is a security attack in which the adversary tries to generate bogus reports by compromising the sensor nodes. This paper proposes a security solution that makes cluster based sensor networks resilient to report fabrication attacks. The proposed solution relies on symmetric key mechanisms, is appropriate for random deployment, and also handles node failures.

L. Chaithanya, M. P. Singh, M. M. Gore

Threat Analysis, Detection and Recovery

Security Ontology: Simulating Threats to Corporate Assets

Threat analysis and mitigation, both essential for corporate security, are time consuming, complex and demand expert knowledge. We present an approach for simulating threats to corporate assets, taking the entire infrastructure into account. Using this approach, effective countermeasures and their costs can be calculated quickly without expert knowledge, and subsequent security decisions will be based on objective criteria. The ontology used for the simulation is based on Landwehr’s [ALRL04] taxonomy of computer security and dependability.

Andreas Ekelhart, Stefan Fenz, Markus D. Klemen, Edgar R. Weippl
Two-Stage Credit Card Fraud Detection Using Sequence Alignment

A phenomenal growth in the number of credit card transactions, especially for on-line purchases, has also led to a substantial rise in fraudulent activities. Implementation of efficient fraud detection systems has thus become imperative for all credit card companies in order to minimize their losses. In real life, fraudulent transactions could be interspersed with genuine transactions and simple pattern matching techniques are not often sufficient to detect the fraudulent transactions efficiently. In this paper, we propose a hybrid approach in which anomaly detection and misuse detection models are combined. Sequence alignment is used to determine similarity of an incoming sequence of transactions to both a genuine card holder’s sequence as well as to sequences generated by a validated fraud model. The scores from these two stages are combined to determine if a transaction is genuine or not. We use stochastic models for studying the performance of the system.

Amlan Kundu, Shamik Sural, A. K. Majumdar
New Malicious Code Detection Using Variable Length n-grams

Most of the commercial antivirus software fail to detect unknown and new malicious code. In order to handle this problem, generic virus detection is a viable option. A generic virus detector needs features that are common to viruses. Recently Kolter et al. [16] proposed an efficient generic virus detector using n-grams as features. The fixed length n-grams used there suffer from the drawback that they cannot capture meaningful sequences of different lengths. In this paper we propose a new method of variable-length n-gram extraction based on the concept of episodes and demonstrate that they outperform fixed length n-grams in malicious code detection. The proposed algorithm requires only two scans over the whole data set, whereas most of the classical algorithms require a number of scans proportional to the maximum length of the n-grams.

D. Krishna Sandeep Reddy, Subrat Kumar Dash, Arun K. Pujari
A Dead-Lock Free Self-healing Algorithm for Distributed Transactional Processes

Even though self-healing techniques for transactional processes have attracted considerable attention in recent years, several critical issues regarding distributed systems have not been addressed. For example, if we do the recovery under sustained attacks, under which conditions can the recovery terminate? Is a synchronized clock necessary for distributed recovery? In this paper, we propose a dead-lock free algorithm for coordinated recovery and answer the related questions. We also prove that, under specific situations, we have to freeze the recovery scheme to guarantee that the recovery can make progress.

Wanyu Zang, Meng Yu

Cryptography and Encryption

An Efficient Public Key Cryptosystem Secure Against Chosen Ciphertext Attack

Devising public key cryptosystems that are secure against chosen ciphertext attacks has been the subject of investigation by many researchers. However, there are actually very few secure and efficient systems in the literature.

In this paper, we introduce a secure and efficient public key cryptosystem. The main advantage of our schemes is that we employ a problem equivalent to the well-studied RSA problem, and thus our schemes do not rely on conjectures or unproven claims. Therefore, the resulting schemes are as secure as the RSA system.

Hossein Ghodosi
A Partial Image Encryption Method with Pseudo Random Sequences

We propose an effective approach for partial image encryption with pseudo random sequences (PRS). It is known that an image can be considered as a combination of correlated and uncorrelated data, and that most of the perceptual information is present in the correlated data rather than the uncorrelated data. Hence, the amount of residual intelligence present in an encrypted image depends on the correlated data. It is, therefore, sufficient to encrypt the correlated data instead of encrypting the entire image in order to speed up the entire operation. From the perception point of view, the most significant bit (MSB) planes have high adjacent correlation between the pixels, whereas the least significant bit (LSB) planes contain comparatively more uncorrelated data. PRS generated with simple hardware, like m-sequences and Gold sequences, have less correlation between adjacent bits. These can therefore serve as a good alternative for partially encrypting the MSB planes with low complexity to provide security against casual listeners. It is observed from the results that the new approach is able to reduce the residual intelligence as much as would have been obtained by encrypting the entire image.

Y. V. Subba Rao, Abhijit Mitra, S. R. Mahadeva Prasanna
High Capacity Lossless Data Hiding

Most data embedding techniques proposed so far lead to distortions in the original image. These distortions create problems in some areas such as medical, astronomical, and military imagery. Lossless data hiding is an exact restoration approach for recovering the original image from the stego image. In this paper, we present a lossless data embedding technique with a higher embedding capacity. We propose two lossless data embedding methods: first, a part of the unusable groups U is changed into usable groups; second, a discrimination function f is modified to improve the embedding capacity. We provide experimental results to demonstrate the effectiveness of our proposed algorithm.

Hyeran Lee, Kyunghyune Rhee
An Implementation and Evaluation of Online Disk Encryption for Windows Systems

The threat of loss of privacy of data due to the theft of hard disks requires that the data on hard disks be protected by means of encryption. In this paper we propose an implementation of disk-driver-based sector level encryption for Windows platforms. The implementation provides strong security for the data at the sector level, independent of the mounted file system. The encryption of data is done at the granularity of partitions, leaving aside the boot partition, thus not affecting the system boot-up process. Adapting a scheme proposed in the literature, the initialization vector is kept different for different sectors and is changed every time the sector is written to. The complete implementation is tested and evaluated using standard benchmark suites. The paper ends with a discussion on the usability of the implementation and future directions of its development.

Vartika Singh, D. R. Lakshminarasimhaiah, Yogesh Mishra, Chitra Viswanathan, G. Athithan

Short Papers and Research Reports

Disclosure Risk in Dynamic Two-Dimensional Contingency Tables (Extended Abstract)

Two-dimensional contingency tables are central products of many information organizations such as statistical agencies, census bureaus, and health insurance information agencies. In a contingency table, any sensitive information about individuals must be protected, while some aggregated information can be released. The disclosure risk is that the aggregated information can be used to infer some sensitive information about individuals. Since the disclosure of sensitive information may compromise privacy, confidentiality, and national interests, one needs to carefully assess the latent risk of disclosure and take effective methods to protect the data.

Haibing Lu, Yingjiu Li, Xintao Wu
A Survey of Control-Flow Obfuscations

In this short survey, we provide an overview of obfuscation and then shift our focus to outlining various non-trivial control-flow obfuscation techniques. Along the way, we highlight two transforms having provable security properties: the dispatcher model and opaque predicates. We comment on the strengths and weaknesses of these transforms and outline the difficulties associated with generating generalised classes of these.

Anirban Majumdar, Clark Thomborson, Stephen Drape
Filtering Out Unfair Recommendations for Trust Model in Ubiquitous Environments

This paper presents a novel context-based approach to filter out unfair recommendations for trust models in ubiquitous environments. Context is used in our approach to analyze the user’s activity, state and intention. An incremental learning based neural network is used to process the context in order to find doubtful recommendations. This approach has distinct advantages when dealing with randomly given irresponsible recommendations, individual unfair recommendations, as well as unfair recommendation flooding.

Weiwei Yuan, Donghai Guan, Sungyoung Lee, Young-Koo Lee, Heejo Lee
Secure Itineraries Framework for Mobile Agent Systems

Mobile agent systems raise significant security concerns and require a thorough security framework, with a wide range of strategies and mechanisms, for the protection of both agents and agent hosts against possibly malicious behavior. Researchers have identified several security attacks. In general, the behavior of mobile agents is often prescribed by the set of tasks represented in an itinerary. The design and implementation of an itinerary can be a complex, time intensive task. A mobile agent running on a host may be attacked if the host is malicious. The attacks may be on the agent’s static data, its collected information (dynamic data) and its itinerary. Hence itineraries must be made secure in order to get secure agent behavior. In this paper, we propose the development of protocols which provide security and robustness to different kinds of agent itineraries, and present a comparison of the performance of these protocols with some existing ones.

Rajwinder Singh, Navdeep Kaur, A. K. Sarje
Malafide Intension Based Detection of Privacy Violation in Information System

In the past few years there has been an increased focus on privacy issues for Information Systems. This has resulted in concerted systematic work focused on regulations, tools and enforcement. Despite this, privacy violations still do take place. Therefore there is an increased need to develop efficient methods to detect privacy violations. After a privacy violation has taken place, the post-event diagnostics should make use of any post-event information which might be available. This information (malafide intention) might play a decisive role in determining violations. In this paper we propose one such framework which makes use of malafide intentions. The framework is based on the hypothesis that any intrusion/unauthorized access has a malafide intention always associated with it and is available in a post-event scenario. We hereby propose that by analyzing the privacy policies and the available malafide intention, it is possible to detect probable privacy violations.

Shyam K. Gupta, Vikram Goyal, Anand Gupta
Design and Development of Malafide Intension Based Privacy Violation Detection System (An Ongoing Research Report)

In the past few years there has been an increased focus on privacy issues for Information Systems which has resulted in concerted systematic work focused on regulations, tools and enforcement. Despite this, privacy violations still do take place. Therefore there is an increased need to develop efficient methods to detect privacy violations. We propose one such framework which uses malafide intensions (post-event information) and privacy policy to detect probable privacy violations. The framework is based on the hypothesis that every privacy violation has a malafide intension associated with it which is available in a post-event scenario.

Shyam K. Gupta, Vikram Goyal, Bholi Patra, Sankalp Dubey, Anand Gupta
Towards a Formal Specification Method for Enterprise Information System Security

As information infrastructure is becoming more and more complex and connected, security properties like confidentiality, integrity and availability are becoming more and more difficult to protect. The international community is adopting security standards such as ISO 17799 for best practices in security management and Common Criteria for security certification of IT products. It has been recognized that the security of enterprises has to be tackled from the point of view of a management structure rather than from a purely technological angle, and to achieve this, the primary need is to have a comprehensive security policy. A security model is a formal way of capturing such security policies. Most existing security models cannot support a wide range of security policies. The need is to develop a formal security model that combines the intricacies of the entire gamut of existing security models and supports security policies for a wide range of enterprises.

Anirban Sengupta, Mridul Sankar Barik
Recent Research on Privacy Preserving Data Mining

We review our recent work on privacy preserving data mining and present a new algorithm for association rule mining in vertically partitioned databases that does not use perturbation or secure computation.

Alex Gurevich, Ehud Gudes
Backmatter
Metadata

Title: Information Systems Security
Edited by: Aditya Bagchi, Vijayalakshmi Atluri
Copyright year: 2006
Publisher: Springer Berlin Heidelberg
Electronic ISBN: 978-3-540-68963-8
Print ISBN: 978-3-540-68962-1
DOI: https://doi.org/10.1007/11961635
