
2011 | Book

Trust, Privacy and Security in Digital Business

8th International Conference, TrustBus 2011, Toulouse, France, August 29 - September 2, 2011. Proceedings

Edited by: Steven Furnell, Costas Lambrinoudakis, Günther Pernul

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the refereed proceedings of the 8th International Conference on Trust and Privacy in Digital Business, TrustBus 2011, held in Toulouse, France, in August/September 2011 in conjunction with DEXA 2011. The 18 revised full papers presented were carefully reviewed and selected from numerous submissions. The papers are organized in the following topical sections: identity and trust management; security and privacy models for pervasive information systems; reliability and security of content and data; authentication and authorization in digital business; intrusion detection and information filtering; management of privacy and confidentiality; and cryptographic protocols/usability of security.

Table of Contents

Frontmatter

Identity and Trust Management

Electrostatic Force Method: Trust Management Method Inspired by the Laws of Physics
Abstract
Online auctions are among the most important e-commerce services. Unfortunately it is very difficult to assure trust in such a customer-to-customer environment. Most auction sites utilize a very simple participation-count system for reputation rating. Such feedback-based reputation systems do not differentiate between sellers who trade in luxury goods and those who sell worthless trinkets. A fraudster can easily gain reputation by selling hundreds of cheap books and then cheat while selling a few expensive TV sets which are not as good as described on the item page.
In this paper we present a novel trust management method called Electrostatic Force Method (EFM) which calculates Personal Subjective Trust instead of an overall reputation value. The trust value depends on the price and category of an item one wants to buy. In this method a seller could have a high trust value for someone who wants to buy a book, and at the same time this seller may not be trustworthy for someone who wants to buy a TV set. Furthermore, our method can be applied in addition to the system currently used by eBay-like online auction sites because it does not require any additional information other than positive, negative or neutral feedback on transactions.
Konrad Leszczyński, Maciej Zakrzewicz
Exploiting Proxy-Based Federated Identity Management in Wireless Roaming Access
Abstract
Federated Identity Management technologies are exploited for user authentication in a number of network services but their usage may conflict with security restrictions imposed in a specific domain. We considered a specific case (roaming wireless access for guests) and extended the Stork SAML-based identity federation to cope with this problem by adding dynamic data, called meta-attributes, to be used for authorization even before the user authentication is completed. This concept may be easily extended to other data needed for trust verification and complex authorization decisions in a federated environment.
Diana Berbecaru, Antonio Lioy, Marco Domenico Aime

Security and Privacy Models for Pervasive Information Systems

Privacy-Preserving Statistical Analysis on Ubiquitous Health Data
Abstract
In this work, we consider ubiquitous health data generated from wearable sensors in a Ubiquitous Health Monitoring System (UHMS) and examine how these data can be used within privacy-preserving distributed statistical analysis. To this end, we propose a secure multi-party computation based on a privacy-preserving cryptographic protocol that accepts as input current or archived values of users' wearable sensors. We describe a prototype implementation of the proposed solution with a community of independent personal agents and present preliminary results that confirm the viability of the approach.
George Drosatos, Pavlos S. Efraimidis
A Safety-Preserving Mix Zone for VANETs
Abstract
In vehicular ad hoc networks, vehicles may be tracked due to the frequent sending of beacons containing telemetric data. Even changing the vehicle's pseudonym cannot prevent attackers from linking beacons. Previously published solutions require vehicles to stop sending beacons when changing their pseudonyms, resulting in the loss of safety. We propose a novel concept based on the approach of mix zones, providing a compromise between privacy and safety. To this end we introduce a communication proxy inside the mix zones. Simulations show that this approach is technically feasible, even with common hardware.
Florian Scheuer, Karl-Peter Fuchs, Hannes Federrath
A Secure Smartphone Applications Roll-out Scheme
Abstract
The adoption of smartphones, devices transforming from simple communication devices to smart and multipurpose devices, is constantly increasing. Amongst the main reasons for their vast pervasiveness are their small size, their enhanced functionality, as well as their ability to host many useful and attractive applications. Furthermore, recent studies estimate that application installation in smartphones acquired from official application repositories, such as the Apple Store, will continue to increase. In this context, the official application repositories might become attractive to attackers trying to distribute malware via these repositories. The paper examines the security inefficiencies related to application distribution via application repositories. Our contribution focuses on surveying the application management procedures enforced during application distribution in the popular smartphone platforms (i.e. Android, BlackBerry, Apple iOS, Symbian, Windows Phone), as well as on proposing a scheme for an application management system suited for secure application distribution via application repositories.
Alexios Mylonas, Bill Tsoumas, Stelios Dritsas, Dimitris Gritzalis

Reliability and Security of Content and Data

Privacy Preserving Tree Augmented Naïve Bayesian Multi-party Implementation on Horizontally Partitioned Databases
Abstract
The evolution of new technologies and the spread of the Internet have led to the exchange and elaboration of massive amounts of data. Simultaneously, intelligent systems that parse and analyze patterns within data are gaining popularity. Many of these data contain sensitive information, a fact that leads to serious concerns on how such data should be managed and used by data mining techniques. Extracting knowledge from statistical databases is an essential step towards deploying intelligent systems that assist in making decisions, but it also must preserve the privacy of the parties involved. In this paper, we present a novel privacy preserving data mining algorithm for statistical databases that are horizontally partitioned. The novelty lies in the multi-candidate election schema and its capabilities of being a basic foundation for a privacy preserving Tree Augmented Naïve Bayesian (TAN) classifier, in order to obviate disclosure of personal information.
Maria Eleni Skarkala, Manolis Maragoudakis, Stefanos Gritzalis, Lilian Mitrou
Secure Cloud Storage: Available Infrastructures and Architectures Review and Evaluation
Abstract
Cloud Computing is an emerging technology paradigm, enabling and facilitating the dynamic and versatile provision of computational resources and services. Even though the advantages offered by cloud computing are several, there still exist doubts as to the security and privacy services thus offered. Transferring and storing data to a cloud computing infrastructure, provided by Storage-as-a-Service (STaS) tenants, changes an organization's security posture, as it is challenging to control or audit the cloud provider's infrastructure in terms of the way the underlying risks are controlled and mitigated. Therefore, it is necessary that organizations understand the new threats and risks introduced by the cloud technology. On the other hand we need to adopt, develop, and deploy mechanisms that can effectively and efficiently preserve the confidentiality and integrity of the data. In this paper we examine available cloud computing architectures, focusing on their security capabilities regarding the storage of the data. We then define a set of comparative criteria, so as to evaluate these architectures. Finally, we evaluate current commercial secure storage services, in order to demonstrate their strengths and weaknesses as well as their supported features and usability.
Nikos Virvilis, Stelios Dritsas, Dimitris Gritzalis
TRAP: Open Decentralized Distributed Spam Filtering
Abstract
Spam is a significant problem in the day-to-day operations of large networks and information systems, as well as a common conduit for malicious software. The problem of detecting and eliminating spam remains of great interest, both commercially and in a research context. In this paper we present TRAP, a reputation-based open, decentralized and distributed system to aid in detecting unwanted e-mail. In TRAP, all participants are equal, all participants can see how the system works, and there is no reliance on any member or subset of members. This paper outlines the TRAP system itself and shows, through simulation, that the fundamental component of TRAP, a distributed low-overhead trust management system, is efficient and robust under the normal conditions present on the Internet.
Nahid Shahmehri, David Byers, Rahul Hiran

Authentication and Authorization in Digital Business

Best Effort and Practice Activation Codes
Abstract
Activation Codes are used in many different digital services and known by many different names including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^{2n}. This attack recovers the complete permutation from at most 2^{n+2} plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.
Gerhard de Koning Gans, Eric R. Verheul
Decentralized Generation of Multiple, Uncorrelatable Pseudonyms without Trusted Third Parties
Abstract
Regarding the increasing number of applications provided as external services, the importance of pseudonymous data as a means for privacy protection of user entities is growing. Along with it grows the relevance of secure and accurate generation, use and management of pseudonyms. In particular we consider the involvement of third parties in this process as potentially harmful, and therefore favor a decentralized pseudonym generation approach where the role of central components is reduced to a minimum. In this paper, we propose a pseudonym generation mechanism and focus on its implementation based on elliptic curve cryptography, in which every user entity can generate an arbitrary number of uncorrelatable pseudonyms with minimal effort, initially as well as at any later point in time. Because no sensitive information necessary for pseudonym generation is available on central components, our approach provides security as well as flexibility and usability.
Jan Lehnhardt, Adrian Spalka

Intrusion Detection and Information Filtering

Mining Roles from Web Application Usage Patterns
Abstract
Role mining refers to the problem of discovering an optimal set of roles from existing user permissions. In most role mining algorithms, the full set of user-permission assignments (UPA) is given as input. The challenge we are facing in the current paper is mining roles from actual web-application usage information. This information is collected by monitoring the access of users to the application during a period of time. We analyze the actual permissions required to access the application in each user's session, and construct a set of user-permission assignments, which results in an incomplete UPA. We propose an algorithm that uses the session permission information to overcome the deficient data. We show by example how each step of the algorithm overcomes, by heuristics, instances of higher uncertainty. We demonstrate by simulation the efficiency of our algorithm in handling different levels of deficient data.
Nurit Gal-Oz, Yaron Gonen, Ran Yahalom, Ehud Gudes, Boris Rozenberg, Erez Shmueli
A Mobility and Energy-Aware Hierarchical Intrusion Detection System for Mobile Ad Hoc Networks
Abstract
This paper presents a hierarchical cluster-based IDS architecture for Mobile Ad-hoc NETworks (MANETs) that considers the mobility and energy of nodes in the cluster formation in order to improve detection accuracy and reduce energy consumption. The proposed architecture adopts and enhances the Mobility and Energy Aware Clustering Algorithm (MEACA), which is the most appropriate for IDS in MANETs, since it aims at forming mobility-aware and energy-efficient 1-hop clusters. The algorithm maximizes the clusters' stability by choosing nodes with relatively low mobility and high energy to be the cluster-heads and keeping the constructed clusters unchanged to the extent of their maximum possible lifetime. The key advantage of the proposed IDS is that its detection accuracy is not affected by node mobility, since each cluster includes nodes with similar direction and speed. Thus, mobile nodes of the same cluster appear more static to each other, eliminating cluster reformation, which negatively affects the detection accuracy. Moreover, the distribution of the detection load is based on the remaining energy in each node. Thus, nodes with adequate energy undertake more detection responsibilities than nodes with low power. In this way, the proposed IDS balances the energy consumption in a fair and efficient manner.
Eleni Darra, Christoforos Ntantogian, Christos Xenakis, Sokratis Katsikas
An Evaluation of Anomaly-Based Intrusion Detection Engines for Mobile Ad Hoc Networks
Abstract
Mobile Ad Hoc Networks are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders. Anomaly-based detection engines are a topic of ongoing interest in the research community, due to their advantage in detecting unknown attacks. However, this advantage is offset by a number of limitations such as high rates of false alarms, imposition of processing overhead, lack of adaptability under dynamic network conditions etc. This paper presents a comprehensive evaluation and comparison of the most recent literature in the area of anomaly detection for MANETs. The provided weaknesses and limitations, which are thoroughly examined in this paper, constitute open issues in the area of MANET security and will drive future research steps.
Christoforos Panos, Christos Xenakis, Ioannis Stavrakakis

Management of Privacy and Confidentiality

Privacy Measures for Free Text Documents: Bridging the Gap between Theory and Practice
Abstract
Privacy compliance for free text documents is a challenge facing many organizations. Named entity recognition techniques and machine learning methods can be used to detect private information, such as personally identifiable information (PII) and personal health information (PHI) in free text documents. However, these methods cannot measure the level of privacy embodied in the documents. In this paper, we propose a framework to measure the privacy content in free text documents. The measure consists of two factors: the probability that the text can be used to uniquely identify a person and the degree of sensitivity of the private entities associated with the person. We then instantiate the framework in the scenario of detection and protection of PHI in medical records, which is a challenge for many hospitals, clinics, and other medical institutions. We did experiments on a real dataset to show the effectiveness of the proposed measure.
Liqiang Geng, Yonghua You, Yunli Wang, Hongyu Liu
Towards Legal Privacy Risk Assessment and Specification
Abstract
This article focuses on privacy risk assessment from a legal perspective. We focus on how to estimate legal privacy risk with legal norms instead of quantitative values. We explain the role of normative values in legal risk assessment and introduce a specification for legal privacy risk using a modal language. We examine the difference between legal privacy risk assessment and Information Technology (IT) security risk assessment. IT security risk assessment supports the decision-making processes of system stakeholders - individuals, managers, groups or organizations. It supports both quantitative and qualitative risk analyses and may rely on the knowledge of security experts to estimate the risk. The application of an IT security risk assessment method for legal privacy risk assessment may lead to poor communication and high uncertainties in the risk estimation because legal reasoning is based on normative values and requires legal knowledge. This article proposes legal privacy risk assessment in the knowledge domain of a legal risk assessor.
Ebenezer Paintsil
Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption
Abstract
E-health allows better communication between health care providers and higher availability of medical data. However, the downside of interconnected systems is the increased probability of unauthorized access to highly sensitive records that could result in serious discrimination against the patient. This article provides an overview of actual privacy threats and presents a pseudonymization approach that preserves the patient’s privacy and data confidentiality. It allows (direct care) primary use of medical records by authorized health care providers and privacy-preserving (non-direct care) secondary use by researchers. The solution also addresses the identifying nature of genetic data by extending the basic pseudonymization approach with queryable encryption.
Johannes Heurix, Thomas Neubauer

Cryptographic Protocols/ Usability of Security

Correcting a Delegation Protocol for Grids
Abstract
Delegation is one important aspect of large-scale distributed systems where many processes and operations run on behalf of system users and clients in order to achieve highly computation- and resource-intensive tasks. As such, delegation is often synonymous with the concept of trust, in that the delegator would expect some degree of reliability regarding the delegatee's ability and predictability to perform the delegated task. The delegation protocol itself is expected to maintain certain basic properties, such as integrity, traceability, accountability and the ability to determine delegation chains. In this paper, we give an overview of the vulnerabilities that one such delegation protocol exhibits, namely DToken, a lightweight protocol for Grid systems, as interesting examples of design mistakes. We also propose an alternative protocol, DToken II, which fixes such vulnerabilities.
Benjamin Aziz
Risk Assessment for Mobile Devices
Abstract
With the market penetration of mobile phones and the trend towards the adoption of more sophisticated services, the risks posed by such devices, for the individual and the enterprise, have increased considerably. Risk assessment (RA) is an established approach within organisations for understanding and mitigating information security threats. However, it is also a time consuming process requiring an experienced analyst. Within mobile devices, the interested stakeholders range from administrators to the general public and an approach is therefore required that can establish RA in a fast, user-convenient and effective manner. The proposed method utilises a number of approaches to minimise the effort required from the end-user, taking the different security requirements of various services into account and ensuring a level of flexibility that will enable all categories of user (from novice to expert) to engage with the process.
Thomas Lederm, Nathan L. Clarke
Backmatter
Metadata
Title
Trust, Privacy and Security in Digital Business
Edited by
Steven Furnell
Costas Lambrinoudakis
Günther Pernul
Copyright year
2011
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-22890-2
Print ISBN
978-3-642-22889-6
DOI
https://doi.org/10.1007/978-3-642-22890-2