Policy Analysis 2015


Policy-based access controls and security policies are intertwined in most commercial systems.  Analytics use abstraction and reduction to improve policy-based security.  For the Science of Security community, policy-based governance is one of the five Hard Problems.  The work cited here was presented in 2015.

Aldini, A.; Seigneur, J.-M.; Lafuente, C.B.; Titi, X.; Guislain, J., "Formal Modeling and Verification of Opportunity-enabled Risk Management," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 676-684, 20-22 Aug. 2015. doi: 10.1109/Trustcom.2015.434

Abstract: With the advent of the Bring-Your-Own-Device (BYOD) trend, mobile work is achieving a widespread diffusion that challenges the traditional view of security standard and risk management. A recently proposed model, called opportunity-enabled risk management (OPPRIM), aims at balancing the analysis of the major threats that arise in the BYOD setting with the analysis of the potential increased opportunities emerging in such an environment, by combining mechanisms of risk estimation with trust and threat metrics. Firstly, this paper provides a logic-based formalization of the policy and metric specification paradigm of OPPRIM. Secondly, we verify the OPPRIM model with respect to the socio-economic perspective. More precisely, this is validated formally by employing tool-supported quantitative model checking techniques.

Keywords: formal specification; formal verification; mobile computing; risk management; security of data; BYOD trend; OPPRIM model; bring-your-own-device; formal modeling; formal verification; logic-based formalization; metric specification paradigm; mobile work; opportunity-enabled risk management; risk management; security standard; socio-economic perspective; threat metric; tool-supported quantitative model checking techniques; trust metric; Access control; Companies; Measurement; Mobile communication; Real-time systems; Risk management; BYOD; model checking; opportunity analysis; risk management (ID#: 15-8498)



Choudhury, S.; Bhowal, A., "Comparative Analysis of Machine Learning Algorithms Along with Classifiers for Network Intrusion Detection," in Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials (ICSTM), 2015 International Conference on, pp. 89-95, 6-8 May 2015. doi: 10.1109/ICSTM.2015.7225395

Abstract: Intrusion detection is one of the challenging problems encountered by the modern network security industry. A network has to be continuously monitored for detecting policy violation or suspicious traffic. So an intrusion detection system needs to be developed which can monitor the network for any harmful activities and generate results for the management authority. Data mining can play a massive role in the development of a system which can detect network intrusion. Data mining is a technique through which important information can be extracted from huge data repositories. In order to spot intrusion, the traffic created in the network can be broadly categorized into the following two categories: normal and anomalous. In our proposed paper, several classification techniques and machine learning algorithms have been considered to categorize the network traffic. Out of the classification techniques, we have found nine suitable classifiers like BayesNet, Logistic, IBK, J48, PART, JRip, Random Tree, Random Forest and REPTree. Out of the several machine learning algorithms, we have worked on Boosting, Bagging and Blending (Stacking) and compared their accuracies as well. The comparison of these algorithms has been performed using the WEKA tool and listed below according to certain performance metrics. Simulation of these classification models has been performed using 10-fold cross validation. The NSL-KDD based data set has been used for this simulation in WEKA.

Keywords: data mining; learning (artificial intelligence); pattern classification; security of data; BayesNet classifiers; IBK classifiers; J48 classifiers; JRip classifiers; NSL-KDD based data set; PART classifiers; REPTree classifiers; WEKA tool; classification techniques; data mining; data repository; logistic classifiers; machine learning algorithms; management authority; network intrusion detection; network security industry; network traffic; policy violation detection; random forest classifiers; random tree classifiers; Accuracy; Classification algorithms; Intrusion detection; Logistics; Machine learning algorithms; Prediction algorithms; Training; classification; data mining; intrusion detection; machine learning; network (ID#: 15-8499)



Caramujo, J.; Rodrigues Da Silva, A.M., "Analyzing Privacy Policies Based on a Privacy-Aware Profile: The Facebook and LinkedIn Case Studies," in Business Informatics (CBI), 2015 IEEE 17th Conference on, vol. 1, pp. 77-84, 13-16 July 2015. doi: 10.1109/CBI.2015.44

Abstract: The regular use of social networking websites and applications encompasses the collection and retention of personal and very often sensitive information about users. This information needs to remain private and each social network owns a privacy policy that describes in-depth how users' information is managed and disclosed. Problems arise when the development of new systems and applications includes an integration with social networks. The lack of clear understanding and a precise mechanism to enforce the statements described in privacy policies can compromise the development and adaptation of these statements. This paper proposes the extension and validation of a UML profile for privacy-aware systems. The goal of this approach is to provide a better understanding of the different privacy-related requirements for improving privacy policies enforcement when developing systems or applications integrated with social networks. Additionally, to illustrate the potential of this profile, the paper presents and discusses its application with two real world case studies - the Facebook and LinkedIn policies - which are well structured and represented through two respective Excel files.

Keywords: Unified Modeling Language; computer network security; data privacy; information management; social networking (online); Excel file; Facebook; LinkedIn; UML profile; privacy aware profile; privacy aware system; privacy profile analysis; social networking Websites; user information management; Business; Conferences; Informatics; Facebook; LinkedIn; Privacy; Requirements; System; UML profile; integration (ID#: 15-8500)



Daoudagh, S.; Lonetti, F.; Marchetti, E., "Assessment of Access Control Systems Using Mutation Testing," in TEchnical and LEgal aspects of data pRivacy and SEcurity, 2015 IEEE/ACM 1st International Workshop on, pp. 8-13, 18-18 May 2015. doi: 10.1109/TELERISE.2015.10

Abstract: In modern pervasive applications, it is important to validate access control mechanisms that are usually defined by means of the standard XACML language. Mutation analysis has been applied on access control policies for measuring the adequacy of a test suite. In this paper, we present a testing framework aimed at applying mutation analysis at the level of the Java based policy evaluation engine. A set of Java based mutation operators is selected and applied to the code of the Policy Decision Point (PDP). A first experiment shows the effectiveness of the proposed framework in assessing the fault detection of XACML test suites and confirms the efficacy of the application of code-based mutation operators to the PDP.

Keywords: Java; authorisation; program diagnostics; program testing; ubiquitous computing; Java based mutation operators; Java based policy evaluation engine; PDP; access control system assessment; code-based mutation operators; fault detection; mutation testing analysis; policy decision point code; standard XACML language; Access control; Engines; Fault detection; Java; Proposals; Sun; Testing (ID#: 15-8501)


He-Ming Ruan; Ming-Hwa Tsai; Yen-Nun Huang; Yen-Hua Liao; Chin-Laung Lei, "Discovery of De-identification Policies Considering Re-identification Risks and Information Loss," in Information Security (AsiaJCIS), 2015 10th Asia Joint Conference on, pp. 69-76, 24-26 May 2015. doi: 10.1109/AsiaJCIS.2015.23

Abstract: In data analysis, it is always a tough task to strike the balance between the privacy and the applicability of the data. Due to the demand for individual privacy, the data are being more or less obscured before being released or outsourced to avoid possible privacy leakage. This process is so called de-identification. To discuss a de-identification policy, the two most important aspects should be the re-identification risk and the information loss. In this paper, we introduce a novel policy searching method to efficiently find out proper de-identification policies according to acceptable re-identification risk while retaining the information residing in the data. With the UCI Machine Learning Repository as our real world dataset, the re-identification risk can therefore reflect the true risk of the de-identified data under the de-identification policies. Moreover, using the proposed algorithm, one can then efficiently acquire policies with higher information entropy.

Keywords: data analysis; data privacy; entropy; learning (artificial intelligence); risk analysis; UCI machine learning repository; data analysis; deidentification policies; deidentified data; information entropy; information loss; privacy leakage; reidentification risks; Computational modeling; Data analysis; Data privacy; Lattices; Privacy; Synthetic aperture sonar; Upper bound; De-identification; HIPPA; Safe Harbor; data privacy (ID#: 15-8502)



Pengyan Shen; Kai Guo; Mingzhong Xiao; Quanqing Xu, "Spy: A QoS-Aware Anonymous Multi-Cloud Storage System Supporting DSSE," in Cluster, Cloud and Grid Computing (CCGrid), 2015 15th IEEE/ACM International Symposium on, pp. 951-960, 4-7 May 2015. doi: 10.1109/CCGrid.2015.88

Abstract: Constructing an overlay storage system based on multiple personal cloud storages is a desirable technique and novel idea for cloud storages. Existing designs provide the basic functions with some customized features. Unfortunately, some important issues have always been ignored, including privacy protection, QoS and cipher-text search. In this paper, we present Spy, our design for an anonymous storage overlay network on multiple personal cloud storages, supporting a flexible QoS awareness and cipher-text search. We reform the original Tor protocol by extending the command set and adding a tail part to the Tor cell, which makes it possible for coordination among proxy servers and still keeps the anonymity. Based on this, we propose a flexible user-defined QoS policy and employ a Dynamic Searchable Symmetric Encryption (DSSE) scheme to support secure cipher-text search. Extensive security analysis proves the security of privacy preservation, and experiments show how different QoS policies work according to different security requirements.

Keywords: cloud computing; cryptography; data privacy; information retrieval; quality of service; storage management; DSSE; QoS-aware anonymous multicloud storage system; Spy; Tor cell; Tor protocol; anonymous storage overlay network; cipher-text search; dynamic searchable symmetric encryption scheme; flexible QoS awareness; flexible user-defined QoS policy; multiple personal cloud storage; multiple personal cloud storages; overlay storage system; privacy protection; security requirements; Cloud computing; Encryption; Indexes; Quality of service; Servers; Cipher-text search; DSSE; PCS; Privacy Preserving; QoS (ID#: 15-8503)



Catania, V.; La Torre, G.; Monteleone, S.; Panno, D.; Patti, D., "User-Generated Services: Policy Management and Access Control in a Cross-Domain Environment," in Wireless Communications and Mobile Computing Conference (IWCMC), 2015 International, pp. 668-673, 24-28 Aug. 2015. doi: 10.1109/IWCMC.2015.7289163

Abstract: The rapid evolution of mobile computing, together with the spread of social networks, is increasingly moving the role of users from simple information and services consumers to actual producers. Currently, while most of the critical aspects related to User-Generated Contents (UGC) have been addressed, many issues related to service generation still must be faced and represent the next challenge. In this work, we focus on security issues raised by a particular kind of services: those generated by users. User-Generated Services (UGS) are characterized by a set of features that distinguish them from conventional services. To cope with UGS security problems we introduce three possible policy management models, analyzing benefits and drawbacks of each approach. Finally, we propose a cloud-based solution that enables the composition of multiple UGS and policy models, allowing users' devices to share features and services among them.

Keywords: authorisation; cloud computing; mobile computing; social networking (online); UGC; UGS; access control; cloud-based solution; conventional services; cross-domain environment; mobile computing; policy management; policy management models; policy models; social networks; user-generated contents; user-generated services; Authorization; Context; Privacy; Smart phones; Synchronization; User-Generated Services; access control; cloud; mobile computing; policy management (ID#: 15-8504)



Hongwei Li; Dongxiao Liu; Kun Jia; Xiaodong Lin, "Achieving Authorized And Ranked Multi-Keyword Search Over Encrypted Cloud Data," in Communications (ICC), 2015 IEEE International Conference on, pp. 7450-7455, 8-12 June 2015. doi: 10.1109/ICC.2015.7249517

Abstract: In cloud computing, it is important to protect user data. Thus, data owners usually encrypt their data before outsourcing them to the cloud server for security and privacy concerns. At the same time, very often users need to find data for specific keywords of interest to them. This motivates the research on the searchable encryption technique, which allows the search user to search over the encrypted data. Many mechanisms have been proposed, and are mainly focusing on the symmetric searchable encryption (SSE) technique. However, they do not consider the search authorization problem that requires the cloud server to return the search results only to authorized users. In this paper, we propose an authorized and ranked multi-keyword search scheme (ARMS) over encrypted cloud data by leveraging the ciphertext policy attribute-based encryption (CP-ABE) and SSE techniques. Security analysis demonstrates that the proposed ARMS scheme can achieve confidentiality of documents, trapdoor unlinkability and collusion resistance. Extensive experiments show that ARMS is superior to and more efficient than existing approaches in terms of functionalities and computational overhead.

Keywords: authorisation; cloud computing; cryptography; data protection; search problems; ARMS scheme; CP-ABE scheme; SSE technique; authorized and ranked multikeyword search scheme; ciphertext policy attribute-based encryption scheme; cloud computing; cloud data encryption; cloud server; collusion resistance; computational overhead; data privacy; data security; document confidentiality; search authorization problem; symmetric searchable encryption technique; trapdoor unlinkability; user data protection; Authorization; Encryption; Indexes; Servers; Sun; Multi-keyword Ranked Search; Search Authorization; Searchable Encryption (ID#: 15-8505)



Breaux, T.D.; Smullen, D.; Hibshi, H., "Detecting Repurposing and Over-Collection in Multi-Party Privacy Requirements Specifications," in Requirements Engineering Conference (RE), 2015 IEEE 23rd International, pp. 166-175, 24-28 Aug. 2015. doi: 10.1109/RE.2015.7320419

Abstract: Mobile and web applications increasingly leverage service-oriented architectures in which developers integrate third-party services into end user applications. This includes identity management, mapping and navigation, cloud storage, and advertising services, among others. While service reuse reduces development time, it introduces new privacy and security risks due to data repurposing and over-collection as data is shared among multiple parties who lack transparency into third-party data practices. To address this challenge, we propose new techniques based on Description Logic (DL) for modeling multiparty data flow requirements and verifying the purpose specification and collection and use limitation principles, which are prominent privacy properties found in international standards and guidelines. We evaluate our techniques in an empirical case study that examines the data practices of the Waze mobile application and three of their service providers: Facebook Login, Amazon Web Services (a cloud storage provider), and (a popular mobile analytics and advertising platform). The study results include detected conflicts and violations of the principles as well as two patterns for balancing privacy and data use flexibility in requirements specifications. Analysis of automated reasoning over the DL models shows that reasoning over complex compositions of multi-party systems is feasible within exponential asymptotic timeframes proportional to the policy size and the number of expressed data, and orthogonal to the number of conflicts found.

Keywords: Web services; data privacy; description logic; mobile computing; security of data; Amazon Web Services; DL models; Facebook login; Waze mobile application; data use flexibility; description logic; exponential asymptotic timeframes; guidelines; international standards; multiparty data flow requirements; multiparty privacy requirements specifications; over-collection detection; repurposing detection; use limitation principles; Advertising; Data privacy; Facebook; Limiting; Privacy; Terminology; Data flow analysis; privacy principles; requirements validation (ID#: 15-8506)



Chessa, M.; Grossklags, J.; Loiseau, P., "A Game-Theoretic Study on Non-monetary Incentives in Data Analytics Projects with Privacy Implications," in Computer Security Foundations Symposium (CSF), 2015 IEEE 28th, pp. 90-104, 13-17 July 2015. doi: 10.1109/CSF.2015.14

Abstract: The amount of personal information contributed by individuals to digital repositories such as social network sites has grown substantially. The existence of this data offers unprecedented opportunities for data analytics research in various domains of societal importance including medicine and public policy. The results of these analyses can be considered a public good which benefits data contributors as well as individuals who are not making their data available. At the same time, the release of personal information carries perceived and actual privacy risks to the contributors. Our research addresses this problem area. In our work, we study a game-theoretic model in which individuals take control over participation in data analytics projects in two ways: 1) individuals can contribute data at a self-chosen level of precision, and 2) individuals can decide whether they want to contribute at all (or not). From the analyst's perspective, we investigate to which degree the research analyst has flexibility to set requirements for data precision, so that individuals are still willing to contribute to the project, and the quality of the estimation improves. We study this tradeoff scenario for populations of homogeneous and heterogeneous individuals, and determine Nash equilibria that reflect the optimal level of participation and precision of contributions. We further prove that the analyst can substantially increase the accuracy of the analysis by imposing a lower bound on the precision of the data that users can reveal.

Keywords: data analysis; data privacy; game theory; incentive schemes; social networking (online); Nash equilibrium; data analytics; digital repositories; game theoretic study; nonmonetary incentives; personal information; privacy implications; social network sites; Data privacy; Estimation; Games; Noise; Privacy; Sociology; Statistics; Non-cooperative game; data analytics; non-monetary incentives; population estimate; privacy; public good (ID#: 15-8507)



Yukun Zhou; Dan Feng; Wen Xia; Min Fu; Fangting Huang; Yucheng Zhang; Chunguang Li, "SecDep: A User-Aware Efficient Fine-Grained Secure Deduplication Scheme With Multi-Level Key Management," in Mass Storage Systems and Technologies (MSST), 2015 31st Symposium on, pp. 1-14, May 30 2015-June 5 2015. doi: 10.1109/MSST.2015.7208297

Abstract: Nowadays, many customers and enterprises backup their data to cloud storage that performs deduplication to save storage space and network bandwidth. Hence, how to perform secure deduplication becomes a critical challenge for cloud storage. According to our analysis, the state-of-the-art secure deduplication methods are not suitable for cross-user fine-grained data deduplication. They either suffer brute-force attacks that can recover files falling into a known set, or incur large computation (time) overheads. Moreover, existing approaches of convergent key management incur large space overheads because of the huge number of chunks shared among users. Our observation that cross-user redundant data are mainly from the duplicate files motivates us to propose an efficient secure deduplication scheme, SecDep. SecDep employs User-Aware Convergent Encryption (UACE) and Multi-Level Key management (MLK) approaches. (1) UACE combines cross-user file-level and inside-user chunk-level deduplication, and exploits different secure policies among and inside users to minimize the computation overheads. Specifically, both file-level and chunk-level deduplication use variants of Convergent Encryption (CE) to resist brute-force attacks. The major difference is that the file-level CE keys are generated by using a server-aided method to ensure security of cross-user deduplication, while the chunk-level keys are generated by using a user-aided method with lower computation overheads. (2) To reduce key space overheads, MLK uses the file-level key to encrypt chunk-level keys so that the key space will not increase with the number of sharing users. Furthermore, MLK splits the file-level keys into share-level keys and distributes them to multiple key servers to ensure security and reliability of file-level keys. Our security analysis demonstrates that SecDep ensures data confidentiality and key security. Our experiment results based on several large real-world datasets show that SecDep is more time-efficient and key-space-efficient than the state-of-the-art secure deduplication approaches.

Keywords: cloud computing; cryptography; data privacy; MLK approaches; SecDep; UACE; brute-force attacks; cloud storage; computation overheads; cross-user deduplication security; cross-user file-level deduplication; cross-user fine-grained data deduplication; data confidentiality; inside-user chunk-level deduplication; key security; key space overhead reduction; multilevel key management approaches; security analysis; server-aided method; user-aided method; user-aware convergent encryption; user-aware efficient fine-grained secure deduplication scheme; Encryption; Protocols; Resists; Servers (ID#: 15-8508)



Namazifard, A.; Tousi, A.; Amiri, B.; Aminilari, M.; Hozhabri, A.A., "Literature Review of Different Contention of E-Commerce Security and the Purview of Cyber Law Factors," in e-Commerce in Developing Countries: With focus on e-Business (ECDC), 2015 9th International Conference on, pp. 1-14, 16-16 April 2015. doi: 10.1109/ECDC.2015.7156333

Abstract: Today, with the widespread use of information technology (IT), e-commerce security and its related legislation are very critical issues in information technology and court law. There is a consensus that security matters are the significant foundation of e-commerce, electronic consumers, and firms' privacy. While e-commerce networks need a policy for security and privacy, they should be prepared for a simple consumer-friendly infrastructure. Hence it is necessary to review the theoretical models for revision. In this theory review, we embody a number of former articles that cover security of e-commerce and the legislation ambit at the individual level by assessing five criteria: whether the data of the articles provide an effective strategy for secure-protection challenges in e-commerce and for e-consumers, and whether provisions clearly remedy precedents or still need to flourish. This paper focuses on analyzing the former discussion regarding e-commerce security and existing legislation toward cyber-crime activity in e-commerce; the article also purports recommendations for subsequent research, which indicate that through secure factors of e-commerce we are able to fill the vacuum of its legislation.

Keywords: computer crime; data privacy; electronic commerce; information systems; legislation; IT; cyber law factor; cyber-crime activity; e-commerce security; information technology; legislation; security privacy policy; Business; Electronic commerce; Information technology; Internet; Legislation; Privacy; Security; cyberspace security; e-commerce law; e-consumer protection; jurisdiction (ID#: 15-8509)



Butin, D.; Le Metayer, D., "A Guide to End-to-End Privacy Accountability," in TEchnical and LEgal aspects of data pRivacy and SEcurity, 2015 IEEE/ACM 1st International Workshop on, pp. 20-25, 18-18 May 2015. doi: 10.1109/TELERISE.2015.12

Abstract: Accountability is considered a tenet of privacy management, yet implementing it effectively is no easy task. It requires a systematic approach with an overarching impact on the design and operation of IT systems. This article, which results from a multidisciplinary project involving lawyers, industry players and computer scientists, presents guidelines for the implementation of consistent sets of accountability measures in organisations. It is based on a systematic analysis of the Draft General Data Protection Regulation. We follow a systematic approach covering the whole life cycle of personal data and considering the three levels of privacy proposed by Bennett, namely accountability of policy, accountability of procedures and accountability of practice.

Keywords: data protection; IT systems; draft general data protection regulation; end-to-end privacy accountability; personal data life cycle; privacy management; systematic approach; Art; Data handling; Data protection; Law; Privacy; Accountability; Methodology; Privacy requirements (ID#: 15-8510)



Wagner, J.; Kuznetsov, V.; Candea, G.; Kinder, J., "High System-Code Security with Low Overhead," in Security and Privacy (SP), 2015 IEEE Symposium on, pp. 866-879, 17-21 May 2015. doi: 10.1109/SP.2015.58

Abstract: Security vulnerabilities plague modern systems because writing secure systems code is hard. Promising approaches can retrofit security automatically via runtime checks that implement the desired security policy; these checks guard critical operations, like memory accesses. Alas, the induced slowdown usually exceeds by a wide margin what system users are willing to tolerate in production, so these tools are hardly ever used. As a result, the insecurity of real-world systems persists. We present an approach in which developers/operators can specify what level of overhead they find acceptable for a given workload (e.g., 5%); our proposed tool ASAP then automatically instruments the program to maximize its security while staying within the specified "overhead budget." Two insights make this approach effective: most overhead in existing tools is due to only a few "hot" checks, whereas the checks most useful to security are typically "cold" and cheap. We evaluate ASAP on programs from the Phoronix and SPEC benchmark suites. It can precisely select the best points in the security-performance spectrum. Moreover, we analyzed existing bugs and security vulnerabilities in RIPE, OpenSSL, and the Python interpreter, and found that the protection level offered by the ASAP approach is sufficient to protect against all of them.

Keywords: security of data; ASAP tool; OpenSSL; Phoronix benchmark suites; Python interpreter; RIPE; SPEC benchmark suites; code writing; high system-code security; runtime checks; security policy; security vulnerabilities; security-performance spectrum; Computer bugs; Instruments; Production; Safety; Security; Software; Memory Safety; Security; Software Hardening; Software Instrumentation (ID#: 15-8511)



Hsiao-Ying Huang; Bashir, M., "Is Privacy a Human Right? An Empirical Examination in a Global Context," in Privacy, Security and Trust (PST), 2015 13th Annual Conference on, pp. 77-84, 21-23 July 2015. doi: 10.1109/PST.2015.7232957

Abstract: Privacy has become an emergent concern in today's digital society. Although scholars have defined privacy from different perspectives, it is still a complex and ambiguous concept. The absence of a concrete concept of privacy impedes the development of privacy legislation and policies in a global context. Therefore, a cross-cultural/national understanding of privacy is urgently needed for establishing a global privacy protocol. This empirical study seeks to better understand privacy by exploring public beliefs of privacy in a global context and further investigating socio-cultural influences on these beliefs. First, we explored general global public beliefs of privacy and then analyzed associations among privacy beliefs and socio-cultural factors. We also investigated the important issue of whether the general global public sees privacy as a “human right.” Results show that most participants agreed with concepts of privacy as a right. However, people had more diverse views on privacy as a right not to be annoyed and social norm privacy concepts. Importantly, nearly eighty percent of people believed in privacy as a human right and nearly seventy percent disagreed with privacy as a concern only for those having something to hide. In the era of globalization, our study provides a bottom-up understanding of privacy beliefs that we believe is essential for the development of global privacy regulation and policies.

Keywords: cultural aspects; data privacy; cross-cultural understanding; digital society; general global public beliefs; global privacy protocol; global privacy regulation; human right; national understanding; privacy beliefs; privacy legislation; social norm privacy; socio-cultural factors; socio-cultural influences; Electromagnetic interference; IEC; IEC Standards; Privacy; Security; global privacy policy and regulation; privacy belief; public opinion (ID#: 15-8512)



Ouaddah, A.; Bouij-Pasquier, I.; Abou Elkalam, A.; Ait Ouahman, A., "Security Analysis and Proposal of New Access Control Model in the Internet of Thing," in Electrical and Information Technologies (ICEIT), 2015 International Conference on, pp. 30-35, 25-27 March 2015. doi: 10.1109/EITech.2015.7162936

Abstract: The Internet of Things (IoT) represents a concept where the barriers between the real world and the cyber-world are progressively annihilated through the inclusion of everyday physical objects combined with an ability to provide smart services. These services are creating more opportunities but at the same time bringing new challenges, in particular security and privacy concerns. To address this issue, an access control management system must be implemented. This work introduces a new access control framework for the IoT environment, precisely the Web of Things (WoT) approach, called "SmartOrBAC", based on the OrBAC model. SmartOrBAC puts the context aware concern in a first position and deals with the constrained resources environment complexity. To achieve these goals, a list of detailed IoT security requirements and needs is drawn up in order to establish the guidelines of the "SmartOrBAC". Then, the OrBAC model is analyzed and extended, regarding these requirements, to specify local as well as collaboration access control rules; on the other hand, these security policies are enforced by applying web services mechanisms, mainly the RESTful approach. Finally, the most important works that emphasize access control in the IoT environment are discussed.

Keywords: Internet of Things; Web services; authorisation; ubiquitous computing; Internet of Thing; RESTFUL approach; SmartOrBAC; Web of Things; Web services; collaboration access control rules; context aware concern; cyber-world; new access control model; security analysis; Access control; Biomedical monitoring; Monitoring; Organizations; Scalability; Usability; OrBAC; access control model; internet of things; privacy; security policy; web of things (ID#: 15-8513)



Jingquan Li, "Security Implications of Direct-to-Consumer Genetic Services," in Big Data Computing Service and Applications (BigDataService), 2015 IEEE First International Conference on, pp. 147-153, March 30 2015-April 2 2015. doi: 10.1109/BigDataService.2015.26

Abstract: Direct-to-consumer (DTC) genetic services refer to genetic tests sold directly to consumers via the Internet, television, and other marketing venues without involving healthcare providers such as physicians, genetic counselors, and other healthcare professionals. Companies such as 23andMe and Navigenics offer genetic tests using genome-wide technology direct to consumers over the Internet. Genetic data collected by DTC companies provide an opportunity for future personalized medicine programs that will significantly improve patient outcomes and preventive care. While this may be a promising development, DTC genetic testing raises important security and privacy concerns. This paper aims to identify the most important security threats to consumers of DTC genetic testing services, and explain how to use security technologies and policies to mitigate the threats. In this paper, we first analyze a leading DTC company that demonstrates how security concerns might be intrinsic to contemporary DTC genetic testing services. We then present a threat model and identify the most important security threats to consumers of DTC genetic testing services. Furthermore, we outline security and privacy implications of using DTC genetic services and how DTC companies should elaborate upon them to protect genetic privacy.

Keywords: Internet; data privacy; genetics; health care; security of data; television; DTC genetic testing services; Internet; direct-to-consumer genetic services; health care providers; marketing venues; privacy concerns; security implications; television; Bioinformatics; Companies; Genomics; Privacy; Security; Testing; cryptography; direct-to-consumer genetic testing; genetic data; privacy; secondary use; security; security technology (ID#: 15-8514)



Yong Wang; Nepali, R.K., "Privacy Threat Modeling Framework for Online Social Networks," in Collaboration Technologies and Systems (CTS), 2015 International Conference on, pp. 358-363, 1-5 June 2015. doi: 10.1109/CTS.2015.7210449

Abstract: Online social networks (OSNs) provide services for people to connect and share information. Social networking sites contain a huge amount of personal information such as user profiles, user relations, and user activities. Most of the information is personal and sensitive in nature, and hence disclosure of this information may cause harassment, financial loss, and even identity theft. Thus, protecting user privacy in online social networks is essential. Many threats and attacks have been found in social networks. However, there is a lack of a threat model to study privacy issues in online social networks. This paper presents a privacy threat model for online social networks. The threat model includes four components: online social networking sites, third party service providers, genuine social network users, and malicious users. Threats and vulnerabilities are analyzed from six security aspects, i.e., hardware, operating systems, OSN privacy policies, user privacy settings, user relations, and user data. The paper further summarizes and analyzes the existing threats and attacks using the proposed model.

Keywords: data protection; social networking (online); OSN privacy policies; financial loss; genuine social network users; hardware security aspects; identity theft; information sharing; malicious users; online social networks; operating systems; personal information; privacy threat modeling framework; sensitive information; social network threats; social network vulnerabilities; social networking sites; third party service providers; user activities; user data; user privacy protection; user privacy settings; user profiles; user relations; Data privacy; Facebook; Operating systems; Organizations; Privacy; Security; countermeasures; online social networks; privacy threat modeling; privacy threats and attacks (ID#: 15-8515)



Tripp, O.; Pistoia, M.; Centonze, P., "Application- and User-Sensitive Privacy Enforcement in Mobile Systems," in Mobile Software Engineering and Systems (MOBILESoft), 2015 2nd ACM International Conference on, pp. 162-163, 16-17 May 2015. doi: 10.1109/MobileSoft.2015.45

Abstract: The mobile era is marked by exciting opportunities for utilization of contextual information in computing. Applications from different categories (including commercial and enterprise email, instant messaging, social, banking, insurance and retail) access, process and transmit over the network numerous pieces of sensitive information, such as the user's geographical location, device ID, contacts, calendar events, passwords, and health records, as well as credit-card, social-security, and bank-account numbers. Understanding and managing how an application handles private data is a significant challenge. There are not only multiple sources of such data (including primarily social accounts, user inputs and platform libraries), but also different release targets (such as advertising companies and application servers) and different forms of release (for example, passwords transmitted in the clear, hashed or encrypted). To the end users, and particularly those who are not tech savvy, it is nontrivial to manage these complexities. In response, we have designed Labyrinth, a system for privacy enforcement. The unique features of Labyrinth are (i) an intuitive visual interface for configuration of the privacy policy, which consists of enriched app screen captures annotated with privacy-related information, combined with (ii) a lightweight mechanism to detect and suppress privacy threats that is completely decoupled from the host platform. Labyrinth supports both Android and iOS. In this paper, we describe the Labyrinth architecture and illustrate its flow steps.

Keywords: Android (operating system); data privacy; iOS (operating system); mobile computing; smart phones; user interfaces; Android; Labyrinth; Labyrinth architecture; iOS; mobile systems; privacy enforcement; private data; sensitive information; smartphones; Instruments; Mobile applications; Mobile communication; Privacy; Security; Visualization; Android; Dynamic Analysis; Mobile; Privacy; Security; Usable Security; iOS (ID#: 15-8516)



Dev Raghuwanshi, K.; Tamrakar, S., "An Effective Access From Cloud Data Using Attribute Based Encryption," in Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015 International Conference on, pp. 212-218, 25-27 Feb. 2015. doi: 10.1109/ABLAZE.2015.7154994

Abstract: Cloud Computing is an important way of communicating and sharing data over the Internet. Cloud Computing enables transmission of data over the Internet and resource utilization at data centers. But during data sharing and resource utilization, security plays a vital role since the chances of attacks increase. The data to be stored at data centers needs to be retrieved without any data loss or attack. Hence a multi-key-based data retrieval with encryption was proposed previously, but the technique requires more computational time and hence increases the overall cost. Here in this paper a new and efficient technique is implemented which uses the concept of ciphertext-policy attribute-based encryption using elliptic curve based key generation. The implementation is based on the concept of generating a new attribute for each and every piece of data to be sent, encrypting the data using the generated attribute, and forming a tuple that is stored at the storage site. The receiver then authenticates himself and enters the attribute, and hence decrypts the data. The proposed methodology implemented here provides efficient retrieval of data over the cloud as well as reducing computational time and cost.

Keywords: cloud computing; computer centres; cryptography; information retrieval; Internet; cipher text policy attribute based encryption; cloud computing; cloud data; data centers; data loss; data retrieval; data sharing; data transmission; elliptic curve based key generation; multikey based data; resource utilization security; storage site; Cloud computing; Data privacy; Encryption; Public key; Receivers; Attribute based encryption; Cloud computing; DOS; Virtualization; multi-keyword retrieval (ID#: 15-8517)



Jun Pang; Yang Zhang, "Cryptographic Protocols for Enforcing Relationship-Based Access Control Policies," in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 2, pp. 484-493, 1-5 July 2015. doi: 10.1109/COMPSAC.2015.9

Abstract: Relationship-based access control schemes have been studied to protect users' privacy in online social networks. In this paper, we propose cryptographic protocols for decentralized social networks to enforce relationship-based access control policies, i.e., k-common friends and k-depth. Our protocols are mainly built on pairing-based cryptosystems. We prove their security under the honest-but-curious adversary model, and we analyze their computation and communication complexities. Furthermore, we evaluate their efficiency through simulations on a real social network dataset.

Keywords: authorisation; cryptographic protocols; data privacy; social networking (online); communication complexities; computation complexities; cryptographic protocols; curious adversary model; decentralized social networks; k-common friends; k-depth; online social networks; pairing-based cryptosystems; relationship-based access control policies; user privacy; Access control; Computational modeling; Cryptography; Encoding; Protocols; Social network services (ID#: 15-8518)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications.