P2D2: A Mechanism for PrivacyPreserving Data Dissemination - PowerPoint PPT Presentation

1 / 63
About This Presentation
Title:

P2D2: A Mechanism for PrivacyPreserving Data Dissemination

Description:

... by private data owners with collection, processing, storage, or transfer of their data ... Destination Guardian (DG) provides public key ... – PowerPoint PPT presentation

Number of Views:89
Avg rating:3.0/5.0
Slides: 64
Provided by: llil2
Category:

less

Transcript and Presenter's Notes

Title: P2D2: A Mechanism for PrivacyPreserving Data Dissemination


1
P2D2 A Mechanism forPrivacy-Preserving Data
Dissemination
  • Leszek Lilien
  • http//www.cs.wmich.edu/llilien/
  • Department of Computer Science
  • Western Michigan University
  • Kalamazoo, Michigan 49008
  • Affiliated with
  • Center for Education and Research in Information
    Assurance and Security (CERIAS), Regenstrief
    Center for Healthcare Engineering (RCHE) both
    at Purdue University
  • With contributions from Prof. Bharat Bhargava and
    Ms. Yuhui Zhong
  • Department of Computer Sciences, Purdue
    University.
  • Supported in part by NSF grants IIS-0209059 and
    IIS-0242840.

2
Interactions and Trust
  • Trust new paradigm of security
  • Replaces/enhances CIA (confid./integr./availab.)
  • Adequate degree of trust required in interactions
  • In social or computer-based interactions
  • From a simple transaction to a complex
    collaboration
  • Must build up trust w.r.t. interaction partners
  • Human or artificial partners
  • Offline or online
  • We focus on asymmetric trust relationships
  • One partner is weaker, another is stronger
  • Ignoring same-strength partners
  • Individual to individual, most B2B,

3
Building Trust by Weaker Partners
  • Means of building trust by weaker partner in his
    strongeer (often institutional) partner (offline
    and online)
  • Ask around
  • Family, friends, co-workers,
  • Check partners history and stated philosophy
  • Accomplishments, failures and associated
    recoveries,
  • Mission, goals, policies (incl. privacy
    policies),
  • Observe partners behavior
  • Trustworthy or not, stable or not,
  • Problem Needs time for a fair judgment
  • Check reputation databases
  • Better Business Bureau, consumer advocacy groups,
  • Verify partners credentials
  • Certificates and awards, memberships in
    trust-building organizations (e.g., BBB),
  • Protect yourself against partners misbehavior
  • Trusted third-party, security deposit,
    prepayment,, buying insurance,

4
Building Trust by Stronger Partners
  • Means of building trust by stronger partner in
    her weaker (often individual) partner (offline
    and online)
  • Business asks customer for a payment for goods or
    services
  • Bank asks for private information
  • Mortgage broker checks applicants credit history
  • Authorization subsystem on a computer observes
    partners behavior
  • Trustworthy or not, stable or not,
  • Problem Needs time for a fair judgment
  • Computerized trading system checks reputation
    databases
  • e-Bay, PayPal,
  • Computer system verifies users digital
    credentials
  • Passwords, magnetic and chip cards, biometrics,
  • Business protects itself against customers
    misbehavior
  • Trusted third-party, security deposit,
    prepayment,, buying insurance,

5
Trading Weaker Partners Privacy Loss for
Stronger Partners Trust Gain
  • In all examples of Building Trust by Stronger
    Partners but the first (payments)
  • Weaker partner trades his privacy loss for his
    trust gain as perceived by stronger partner
  • Approach to trading privacy for trust
  • Zhong and Bhargava, Purdue
  • Formalize the privacy-trust tradeoff problem
  • Estimate privacy loss due to disclosing a
    credential set
  • Estimate trust gain due to disclosing a
    credential set
  • Develop algorithms that minimize privacy loss for
    required trust gain
  • Bec. nobody likes loosing more privacy than
    necessary

6
Privacy-Trust Tradeoff andDissemination of
Private Data
  • Dissemination of private data
  • Related to trading privacy for trust
  • Examples above
  • Not related to trading privacy for trust
  • Medical records
  • Research data
  • Tax returns
  • Private data dissemination can be
  • Voluntary
  • When theres a sufficient competition for
    services or goods
  • Pseudo-voluntary
  • Free to decline and loose service
  • E.g. a monopoly or demand exceeding supply)
  • Mandatory
  • Required by law, policies, bylaws, rules, etc.

7
Dissemination of Private Datais Critical
  • Reasons
  • Fears/threats of privacy violations reduce trust
  • Reduced trust leads to restrictions on
    interactions
  • In the extreme
  • refraining from interactions, even self-imposed
    isolation
  • Very high social costs of lost (offline and
    online) interaction opportunities
  • Lost business transactions, opportunities
  • Lost research collaborations
  • Lost social interactions
  • gt Without privacy guarantees, pervasive
    computing will
  • never be realized
  • People will avoid interactions with pervasive
    devices / systems
  • Fear of opportunistic sensor networks
    self-organized by electronic devices around them
    can help or harm people in their midst

8
Recognition of Needfor Privacy Guarantees (1)
  • By individuals Ackerman et
    al. 99
  • 99 unwilling to reveal their SSN
  • 18 unwilling to reveal their favorite TV show
  • By businesses
  • Online consumers worrying about revealing
    personal data
  • held back 15 billion in online revenue in 2001
  • By Federal government
  • Privacy Act of 1974 for Federal agencies
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA)

9
Recognition of Needfor Privacy Guarantees (2)
  • By computer industry research
  • Microsoft Research
  • The biggest research challenges
  • According to Dr. Rick Rashid, Senior Vice
    President for Research
  • Reliability / Security / Privacy / Business
    Integrity
  • Broader application integrity (just
    integrity?)
  • gt MS Trustworthy Computing Initiative
  • Topics include DRMdigital rights management
    (incl. watermarking surviving photo editing
    attacks), software rights protection,
    intellectual property and content protection,
    database privacy and p.-p. data mining, anonymous
    e-cash, anti-spyware
  • IBM (incl. Privacy Research Institute)
  • Topics include pseudonymity for e-commerce, EPA
    and EPALenterprise privacy architecture and
    language, RFID privacy, p.-p. video surveillance,
    federated identity management (for enterprise
    federations), p.-p. data mining and p.-p.mining
    of association rules, Hippocratic (p.-p.)
    databases, online privacy monitoring

10
Recognition of Needfor Privacy Guarantees (3)
  • By academic researchers
  • CMU and Privacy Technology Center
  • Latanya Sweeney (k-anonymity, SOSSurveillance of
    Surveillances, genomic privacy)
  • Mike Reiter (Crowds anonymity)
  • Purdue University CS and CERIAS
  • Elisa Bertino (trust negotiation languages and
    privacy)
  • Bharat Bhargava (privacy-trust tradeoff, privacy
    metrics, p.-p. data dissemination, p.-p.
    location-based routing and services in networks)
  • Chris Clifton (p.-p. data mining)
  • UIUC
  • Roy Campbell (Mist preserving location privacy
    in pervasive computing)
  • Marianne Winslett (trust negotiation w/ controled
    release of private credentials)
  • U. of North Carolina Charlotte
  • Xintao Wu, Yongge Wang, Yuliang Zheng (p.-p.
    database testing and data mining)

11
Outline
  • PART 1 Mechanism for privacy-preserving data
    dissemination
  • The Problem
  • Challenges
  • Proposed Approach
  • Bundling
  • Apoptosis
  • Evaporation
  • Prototype Implementation
  • PART 2 Taxonomy of solutions for dealing with
    illegal data replication
  • Copying of digital vs. non-digital data
  • Online and offline replication of digital data
  • Basic approaches to dealing with illegal
    replication of digital data
  • Prevent illegal copying
  • Impede illegal copying
  • Trace back illegal copying

12
1) The Problem
Guardian 1 Original Guardian
Owner (Private Data Owner)
Data (Private Data)
Guardian 5 Third-level
Guardian 2 Second Level
Guardian 4
Guardian 3
Guardian 6
  • Guardian
  • Entity entrusted by private data owners with
    collection, processing, storage, or transfer of
    their data
  • owner can be an institution or a system
  • owner can be a guardian for her own private data
  • Guardians allowed or required to
    share/disseminate private data
  • With owners explicit consent
  • Without the consent as required by law
  • For research, by a court order, etc.

13
The Problem cont.
  • Guardian passes private data to another guardian
    in a data dissemination chain
  • Chain within a graph (possibly cyclic)
  • Sometimes owner privacy preferences not
    transmitted due to neglect or failure
  • Risk grows with chain length and milieu
    fallibility and hostility
  • If preferences lost, even honest receiving
    guardian unable to honor them

14
Trust Model for P2D2 Mechanism
  • Owner builds trust in Primary Guardian (PG)
  • As shown in Building Trust by Weaker Partners
  • Trusting PG means
  • Trusting the integrity of PG data sharing
    policies and practices
  • Transitive trust in data-sharing partners of PG
  • PG provides owner with a list of partners for
    private data dissemination (incl. info which data
    PG plans to share, with which partner, and why)
  • OR
  • PG requests owners permission before any private
    data dissemination (request must incl. the same
    info as required for the list)
  • OR
  • A hybrid of the above two
  • E.g., PG provides list for next-level partners
    AND each second- and lower-level guardian
    requests owners permission before any further
    private data dissemination

15
2) Challenges
  • Ensuring that owners metadata are never
    decoupled from his data
  • Metadata include owners privacy preferences
  • Efficient protection in a hostile milieu
  • Threats - examples
  • Uncontrolled data dissemination
  • Intentional or accidental data corruption,
    substitution, or disclosure
  • Detection of data or metadata loss
  • Efficient data and metadata recovery
  • Recovery by retransmission from the original
    guardian is most trustworthy

16
3) Proposed Approach
  • Design self-descriptive bundles
  • - bundle private data metadata
  • - self-descriptive bec. includes metadata
  • Construct a mechanism for apoptosis of bundles
  • - apoptosis clean self-destruction
  • Develop context-sensitive evaporation of bundles

17
Related Work
  • Self-descriptiveness (in diverse contexts)
  • Meta data model Bowers and Delcambre, 03
  • KIF Knowledge Interchange Format Gensereth and
    Fikes, 92
  • Context-aware mobile infrastructure
    Rakotonirainy, 99
  • Flexible data types Spreitzer and A. Begel, 99
  • Use of self-descriptiveness for data privacy
  • Idea mentioned in one sentence Rezgui,
    Bouguettaya and Eltoweissy, 03
  • Term apoptosis (clean self-destruction)
  • Using apoptosis to end life of a distributed
    services (esp. in strongly active networks,
    where each data packet is replaced by a mobile
    program) Tschudin, 99
  • Specification of privacy preferences and policies
  • Platform for Privacy Preferences Cranor, 03
  • ATT Privacy Bird ATT, 04

18
Bibliography for Related Work
  • ATT Privacy Bird Tour http//privacybird.com/tou
    r/1 2 beta/tour.html. February 2004.
  • S. Bowers and L. Delcambre. The uni-level
    description A uniform framework for representing
    information in multiple data models. ER
    2003-Intl. Conf. on Conceptual Modeling, I.-Y.
    Song, et al. (Eds.), pp. 4558, Chicago, Oct.
    2003.
  • L. Cranor. P3P Making privacy policies more
    useful. IEEE Security and Privacy, pp. 5055,
    Nov./Dec. 2003.
  • M. Gensereth and R. Fikes. Knowledge Interchange
    Format. Tech. Rep. Logic-92-1, Stanford Univ.,
    1992.
  • A. Rakotonirainy. Trends and future of mobile
    computing. 10th Intl. Workshop on Database and
    Expert Systems Applications, Florence, Italy,
    Sept. 1999.
  • A. Rezgui, A. Bouguettaya, and M. Eltoweissy.
    Privacy on the Web Facts, challenges, and
    solutions. IEEE Security and Privacy, pp. 4049,
    Nov./Dec. 2003.
  • M. Spreitzer and A. Begel. More flexible data
    types. Proc. IEEE 8th Workshop on Enabling
    Technologies (WETICE 99), pp. 319324, Stanford,
    CA, June 1999.
  • C. Tschudin. Apoptosis - the programmed death of
    distributed services. In J. Vitek and C. Jensen,
    eds., Secure Internet Programming.
    Springer-Verlag, 1999.

19
A. Self-descriptive Bundles
  • Comprehensive metadata include
  • owners privacy preferences
  • owners contact information
  • guardians privacy policies
  • metadata access conditions
  • enforcement specifications
  • data provenance
  • context-dependent and
  • other components

How to read and write private data
Needed to request owners access permissions, or
notify the owner of any accesses
For the original and/or subsequent data guardians
How to verify and modify metadata
How to enforce preferences and policies
Who created, read, modified, or destroyed any
portion of data
Application-dependent elements Customer trust
levels for different contexts Other metadata
elements

20
Implementation Issues for Bundles
  • Provide efficient and effective representation
    for bundles
  • Use XML work in progress
  • Ensure bundle atomicity
  • metadata cant be split from data
  • A simple atomicity solution using asymmetric
    encryption
  • Destination Guardian (DG) provides public key
  • Source Guardian (or owner) encrypts bundle with
    public key
  • Can re-bundle by encrypting different bundle
    elements with public keys from different DGs
  • DG applies its corresponding private key to
    decrypt received bundle
  • Or decrypts just bundle elements reveals data
    DG needs to know
  • Can use digital signature to assure
    non-repudiation
  • Extra key mgmt effort requires Source Guardian
    to provide public key to DG
  • Deal with insiders making and disseminating
    illegal copies of data they are authorized to
    access (but not copy)
  • Considered below (taxonomy)

21
Notification in Bundles (1)
  • Bundles simplify notifying owners or requesting
    their consent
  • Contact information in the owners contact
    information
  • Included information
  • notification notif_sender, sender_t-stamp,
    accessor, access_t-stamp,

  • access_justification, other_info
  • request req_sender, sender_t-stamp,
    requestor, requestor_t-stamp,

  • access_justification, other_info
  • Notifications / requests sent to owners
  • immediately, periodically, or on demand
  • Via
  • automatic pagers / text messaging (SMS) / email
    messages
  • automatic cellphone calls / stationary phone
    calls
  • mail
  • ACK from owner may be required for notifications
  • Messages may be encrypted or digitally signed for
    security

22
Notification in Bundles (2)
  • If permission for a request or request_type is
  • Granted in metadata
  • gt notify owner
  • Not granted in metadata
  • gt ask for owners permission to access her data
  • For very sensitive data no default permissions
    for requestors are granted
  • Each request needs owners permission

23
Optimization of Bundle Transmission
  • Transmitting complete bundles between guardians
    is inefficient
  • They describe all foreseeable aspects of data
    privacy
  • For any application and environment
  • Solution prune transmitted bundles
  • Adaptively include only needed data and metadata
  • Maybe, needed transitively for the whole down
    stream
  • Use short codes (standards needed)
  • Use application and environment semantics along
    the data dissemination chain

24
B. Apoptosis of Bundles
  • Assuring privacy in data dissemination
  • Bundle apoptosis vs. private data apoptosis
  • Bundle apoptosis is preferable prevents
    inferences from metadata
  • In benevolent settings
  • use atomic bundles with recovery by
    retransmission
  • In malevolent settings
  • attacked bundle, threatened with disclosure,
    performs apoptosis

25
Implementation of Apoptosis
  • Implementation
  • Detectors, triggers and code
  • Detectors e.g. integrity assertions identifying
    potential attacks
  • E.g., recognize critical system and application
    events
  • Different kinds of detectors
  • Compare how well different detectors work
  • False positives
  • Result in superfluous bundle apoptosis
  • Recovery by bundle retransmission
  • Prevent DoS (Denial-of-service) attacks by
    limiting repetitions
  • False negatives
  • May result in disclosure very high costs
    (monetary, goodwill loss, etc.)

26
Optimizationof Apoptosis Implementation
  • Consider alternative detection, trigerring and
    code implementations
  • Determine division of labor between detectors,
    triggers and code
  • Code must include recovery from false positives
  • Define measures for evaluation of apoptosis
    implementations
  • Effectiveness false positives rate and false
    negatives rate
  • Costs of false positives (recovery) and false
    negatives (disclosures)
  • Efficiency speed of apoptosis, speed of recovery
  • Robustness (against failures and attacks)
  • Analyze detectors, triggers and code
  • Select a few candidate implementation techniques
    for detectors, triggers and code
  • Evaluation of candidate techniques vis simulate
    experiments
  • Prototyping and experimentation in our testbed
    for investigating trading privacy for trust

27
C. Context-sensitive Evaporation of Bundles
  • Perfect data dissemination not always desirable
  • Example Confidential business data shared within
  • an office but not outside
  • Idea
  • Context-sensitive bundle evaporation

28
Proximity-based Evaporationof Bundles
  • Simple case Bundles evaporate in proportion to
    their distance from their owner
  • Bundle evaporation prevents inferences from
    metadata
  • Closer guardians trusted more than distant
    ones
  • Illegitimate disclosures more probable at less
    trusted distant guardians
  • Different distance metrics
  • Context-dependent

29
Examples of Distance Metrics
  • Examples of one-dimensional distance metrics
  • Distance business type
  • Distance distrust level more trusted entities
    are closer
  • Multi-dimensional distance metrics
  • Security/reliability as one of dimensions

30
Evaporation Implemented asControlled Data
Distortion
  • Distorted data reveal less, protects privacy
  • Examples
  • accurate data more and more distorted data

250 N. Salisbury Street West Lafayette, IN 250
N. Salisbury Street West Lafayette, IN home
address 765-123-4567 home phone
Salisbury Street West Lafayette, IN 250 N.
University Street West Lafayette, IN office
address 765-987-6543 office phone
somewhere in West Lafayette, IN P.O. Box
1234 West Lafayette, IN P.O. box 765-987-4321
office fax
31
Evaporation Implemented asControlled Data
Distortion
  • Distorted data reveal less, protects privacy
  • Examples
  • accurate data more and more distorted data

250 N. Salisbury Street West Lafayette, IN 250
N. Salisbury Street West Lafayette, IN home
address 765-123-4567 home phone
Salisbury Street West Lafayette, IN 250 N.
University Street West Lafayette, IN office
address 765-987-6543 office phone
somewhere in West Lafayette, IN P.O. Box
1234 West Lafayette, IN P.O. box 765-987-4321
office fax
32
Evaporation asGeneralization of Apoptosis
  • Context-dependent apoptosis for implementing
    evaporation
  • Apoptosis detectors, triggers, and code enable
    context exploitation
  • Conventional apoptosis as a simple case of data
    evaporation
  • Evaporation follows a step function
  • Bundle self-destructs when proximity metric
    exceeds predefined threshold value

33
Application of Evaporation for DRM
  • Evaporation could be used for active DRM
    (digital rights management)
  • Bundles with protected contents evaporate when
    copied onto foreign media or storage device

34
4) Prototype Implementation
  • Our experimental system named PRETTY (PRivatE and
    TrusTed sYstems)
  • Trust mechanisms already implemented

35
Information Flow for PRETTY
  • User application sends query to server
    application.
  • Server application sends user information to TERA
    server for trust evaluation and role assignment.
  • If a higher trust level is required for query,
    TERA server sends the request for more users
    credentials to privacy negotiator.
  • Based on servers privacy policies and the
    credential requirements, privacy negotiator
    interacts with users privacy negotiator to build
    a higher level of trust.
  • Trust gain and privacy loss evaluator selects
    credentials that will increase trust to the
    required level with the least privacy loss.
    Calculation considers credential requirements and
    credentials disclosed in previous interactions.
  • According to privacy policies and calculated
    privacy loss, users privacy negotiator decides
    whether or not to supply credentials to the
    server.
  • Once trust level meets the minimum requirements,
    appropriate roles are assigned to user for
    execution of his query.
  • Based on query results, users trust level and
    privacy polices, data disseminator determines
    (i) whether to distort data and if so to what
    degree, and (ii) what privacy enforcement
    metadata should be associated with it.

36
Outline
  • PART 1 Mechanism for privacy-preserving data
    dissemination
  • The Problem
  • Challenges
  • Proposed Approach
  • Bundling
  • Apoptosis
  • Evaporation
  • Prototype Implementation
  • PART 2 Taxonomy of solutions for dealing with
    illegal data replication
  • Copying of digital vs. non-digital data
  • Online and offline replication of digital data
  • Basic approaches to dealing with illegal
    replication of digital data
  • Prevent illegal copying
  • Impede illegal copying
  • Trace back illegal copying

37
1) Copying of Digital vs. Non-digital Data
  • Replication (copying) of data
  • Copying of digital data
  • Digital data are online (in cyberspace)
  • Explored below
  • Copying of non-digital data
  • Non-digital data are offline (in real world)
  • Bypassed in this research
  • Why? Because I am a (digital) computer
    scientist

38
2) Online and Offline Replication of Digital
Data
  • Online copying of digital data
  • Any cut-and-paste
  • File copying
  • Offline copying of digital data includes
  • Memorizing from display recreating from memory
  • Copying manually from display
  • Taking notes, etc.
  • Photographing or videotaping display, recording
    sounds
  • Future PER devices (PER personal experience
    recorder)
  • PER records all that its owner has seen and heard
  • cf. MS Stuff Ive Seen NSF IDM 2003

39
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying
For Offline Copying
For Offline Copying
For Online Copying
40
3) Basic Approaches to Dealing with Illegal
Copying of Digital Data
  • Prevent illegal copying (make it impossible)
  • Prevent online or offline copying
  • Preventing offline copying might seem
    impossible...
  • Impede illegal copying (make it difficult)
  • Impede online or offline copying
  • Trace back illegal copying
  • Trace back online or offline for accountability
  • Can trace legal data replication, too
  • Hybrid approaches
  • Different approaches used for different portions
    of data

41
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Prevent
Trace Back
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying
For Offline Copying
For Online Copying
For Offline Copying
42
A. Prevent Illegal Copying of Digital Data
  • Application-based solutions examples
  • An option in PDF documents prevents selecting
    text (and thus copying it from screen)
  • An option in IRM in MS Word prevents forwarding
    or copying Word documents by unauthorized people
  • IRM Intellectual Rights Mgmt
  • Blog software provides no copying option for
    blog text
  • System-based solutions
  • E.g., system keeps track of all bundles and
    disallows capture of their screen images

43
B. Impede Illegal Copying of Digital Data
  • If Prevent solutions dont work 100, they
    become Impede solutions
  • Other application- or system-based solutions
  • Searching for existing Impede solutions
  • Thinking about new Impede solutions

44
C. Trace Back Illegal Copying of Digital Data
  • Threat of being traced back is here the only
    barrier against illegal copying
  • Technological-and-legal barrier against illegal
    copying
  • Technologicalmostly the online part
  • Legalmostly the offline part
  • Tracing back alternatives
  • Trace back online (onT)
  • For online copying (onT-onC)
  • For offline copying (onT-offC)
  • Trace back offline (offT)
  • For online copying (offT-onC)
  • For offline copying (offT-offC)

45
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline (Toff)
Trace Online (Ton)
For Online Copying (Ton-onC)
For Offline Copying (Toff-offC)
For Offline Copying (Ton-offC)
For Online Copying (Toff-onC)
46
Online Traceback forOnline Copying (onT-onC)
Solutions
  • Solutions
  • Application-level solution
  • Record in bundle metadata info (id, time, etc.)
    for all who access it
  • System-level solution
  • System logs record all bundle accesses
  • Bundles detected by system OR self-register upon
    arrival
  • Both may warn of legal consequences of copying
    bundles
  • Both notify guardians and owners (or their
    delegates)
  • What about impostors (using sb elses id) and
    intruders?
  • The better system security the fewer such
    attackers
  • Penalize/prosecute offline (makes it a hybrid
    solution)

47
Online Traceback for OfflineCopying (onT-offC)
A Solution
  • Recall offline copying includes
  • Memorizing recreating data
  • Copying manually from display
  • Photographing or videotaping display, recording
    sounds
  • Future personal experience recorders
  • A solution
  • E.g., computer cameras monitoring users
    activities or the whole neighborhood
  • automatic alarms for suspect situations (AI
    software)

48
Offline Traceback for Online Copying (offT-onC)
Solutions
  • All offline actions available via crime
    investigations
  • Penalties for privacy violations
  • Social stigma
  • Employer reprimand, dismissal, etc.
  • Prosecution
  • Use of computer tools (in addition to offline
    tools) for traceback would make it a hybrid
    category solution

49
Offline Traceback for Offline Copying
(offT-offC) Solutions
  • Need offline traceback solutions for offline
    copying by
  • Memorizing recreating data (offT-offC/1)
  • Copying manually from display (offT-offC/2)
  • Photographing or videotaping display, recording
    sounds (offT-offC/3)
  • Future personal experience recorders
    (offToffC/4)

50
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying (Ton-onC)
For Offline Copying (Ton-offC)
For Offline Copying
For Online Copying (Toff-onC)
4 solutions (offT-offC/1-4)
51
Offline Traceback for Offline Memorizing
Recreating (offT-offC/1)
  • Offline copying by memorizing recreating data
    is not reliable for all but small amounts of data
    but
  • Day-by-day copying over a long period can add up
    to large amounts of data
  • Context info facilitates remebering
  • E.g. easy to remember many West Lafayette phones
  • start with 765-743, 765-463, etc.
  • Mnemonic techniques help

52
Offline Traceback for Offline
Memorizing Recreating (offT-offC/1)
  • Solutions for memorizing recreating data (1)
  • Embed watermarks that survive memor. recreating
  • Seemingly essential or honey-pot data that will
    be memorized and recreated with high probability
  • E.g., street number 123A instead of 123
  • E.g., non-existing extension for phone number
  • E.g., useless (and false) salary data
  • Watermarks dont harm info contents for
    authorized accesses
  • E.g., a letter carrier delivers to 123
  • E.g., can reach the proper person w/o using the
    extension
  • E.g., no authorized data use requires salary
  • Watermarks facilitate forensics (a trail of
    watermarks)

53
Offline Traceback for OfflineMemorizing
Recreating (offT-offC/1)
  • Solutions for memorizing recreating data (2)
  • Restrict read access to authorized personnel
  • Compartmentalize
  • Most people cant see enough data to harm its
    owner
  • Analyze logs for superfluous or unusual accesses
  • Incl. suspicious prolonged accesses or repeat
    accesses
  • Accountability detect and prosecute disclosures

54
Offline Traceback for Offline Manual Copying
(offT-offC/2)
  • Offline data replication by manually copying from
    display
  • Solutions
  • Same as for memorizing recreating
  • PLUS
  • Disallow offline notes and recordings
  • Monitor users of computer terminals visually
    (offline) (online monitoring would fall into
    onT-offC category)

55
Offline Traceback for Offline Photographing,
Etc. (offT-offC/3)
  • Offline copying by photographing or videotaping
    display, or sound recording
  • E.g., copied image converted back to text via OCR
  • OCR optical character recognition
  • Solutions
  • Same as for memorizing recreating
  • PLUS
  • Embed visual or sonic watermarks
  • These are classic watermarks
  • Less difficult to plant than watermarks for
    memorizing recreating, or for manual copying
  • Timestamp recordings to facilitate forensics
  • Future Record camera/camcorder/etc. position to
    facilitate forensics
  • Only GPS-equipped equipment allowed on business
    premises

56
Offline Traceback for Offline PER Recording
(offT-offC/4)
  • Offline copying by PER recording (PER personal
    experience recorders)
  • Records all that its owner experienced whether
    online or offline
  • Existing online PER precursor Microsofts Stuff
    I've Seen (SIS) http//research.microsoft.com/adap
    t/sis/
  • By default, SIS indexes the following sources
  • Everything in your Outlook profile (e-mail
    messages, calendar entries, tasks, etc. in all
    your exchange folders and PSTs that are visible
    when you start Outlook)
  • All files in your "My Documents" folder
  • All web pages in your Internet cache
  • Solutions
  • Same as above (for photographing or videotaping
    screen, or sound recording)

57
Using Traceback also forPreventing/ Impeding
Illegal Copying
  • For preventing copying
  • trace unsuccessful copying attacks
  • Only unsuccessful attacks (unless prevention
    fails)
  • For impeding copying
  • trace both unsuccessful and successful
    attacks

58
Conclusions
  • Intellectual merit
  • A mechanism for preserving privacy in data
    dissemination (bundling, apoptosis, evaporation)
  • Taxonomy of problems and solutions in illegal
    data replication
  • Broader impact
  • Educational and research impact student
    projects, faculty collaborations
  • Practical (social, economic, legal, etc.) impact
  • Enabling more collaborations
  • Enabling more pervasive computing
  • By reducing fears of privacy invasions
  • Showing new venues for privacy research
  • Applications
  • Collaboration in medical practice, business,
    research, military
  • Location-based services
  • Future impact
  • Potential for extensions enabling pervasive
    computing
  • Must adapt to privacy preservation, e.g., in
    opportunistic sensor networks (self-organize to
    help/harm)

59
Future Work
  • Provide efficient and effective representation
    for bundles (XML for metadata?)
  • Run experiments on the PRETTY system
  • Build a complete prototype of proposed mechanism
    for private data dissemination
  • Implement
  • Examine implementation impacts
  • Measures Cost, efficiency, trustworthiness,
    other
  • Optimize bundling, apoptosis and evaporation
    techniques
  • Focus on selected application areas
  • Sensor networks for infrastructure monitoring
    (NSF IGERT proposal)
  • Healthcare enginering (work for RCHE -
    Regenstrief Center for Healthcare Engineering at
    Purdue)

60
Future Work - Extensions
  • Adopting proposed mechanism for DRM, IRM
    (intellectual rights managenment) and
    proprietary/confidential data
  • Privacy
  • Private data owned by an individual
  • Intellectual property, trade/diplomatic/military
    secrets
  • Proprietary/confidential data owned by an
    organization
  • Custimizing proposed mechanismm for selected
    pervasive environments, including
  • Wireless / Mobile / Sensor networks
  • Incl. opportunistic sens. networks
  • Impact of proposed mechanism on data quality

61
My Research Activities
  • Current research
  • Privacy privacy-preserving data dissemination
  • Trust pervasive trust paradigm and its
    realizations
  • Vulnerabilities and Threats analysis,
    avoidance, tolerance
  • Former research areas
  • Database systems
  • Fault tolerance and recovery / Data integrity /
    Concurrency control /
  • Database design / Query processing
  • Distributed computing systems
  • Decentralized control / Fault tolerance and
    recovery
  • Major application areas
  • Pervasive Systems esp. opportunistic sensor
    networks
  • Healthcare Engineering

62
Selected Proposals and Publications on Trust,
Privacy, and Security
  • Proposals
  • Vulnerability Analysis and Threat
    Assessment/Avoidance, B. Bhargava (PI) and L.
    Lilien (co-PI). Awarded by the National Science
    Foundation, awarded 212,000, 2003-2006.
  • Selected publications
  • L. Lilien, Z.H. Kamal. and A. Gupta,
    Opportunistic Sensor Networks The Concept and
    Reseqrch Challenges, submitted for conference
    publication.
  • V. Bhuse, A. Gupta, and L. Lilien, Research
    Challenges in Lightweight Intrusion Detection for
    Sensornets, submitted for conference publication
  • V. Bhuse, A. Gupta, and L. Lilien, DPDSN
    Detection of packet-dropping attacks for wireless
    sensor networks, Proc. 4th International Trusted
    Internet Workshop (TIW), Goa, India, December
    2005 (to appear).
  • L. Lilien and B. Bhargava, A Scheme for
    Privacy-preserving Data Dissemination, IEEE
    Transactions on Systems, Man and Cybernetics (to
    appear).
  • B. Bhargava and L. Lilien, "Vulnerabilities and
    Threats in Distributed Systems," Proc. Intl.
    Conf. on Distributed  Computing Internet
    Technology (ICDCIT 2004), Bhubaneswar, India,
    Dec. 2004.
  • B. Bhargava, L. Lilien, A. Rosenthal, and M.
    Winslett, "PervasiveTrust," IEEE Intelligent
    Systems, vol. 19(5), Sep./Oct.2004.
  • B. Bhargava and L. Lilien, "Private and Trusted
    Collaborations," Proc. Secure Knowledge
    Management (SKM 2004) A Workshop, Amherst, NY,
    Sep. 2004.
  • Trust, Privacy, and Security. Summary of a
    Workshop Breakout Session at the National Science
    Foundation Information and Data Management (IDM)
    Workshop held in Seattle, Washington, September
    14 - 16, 2003 by B. Bhargava, C. Farkas, L.
    Lilien and F. Makedon, CERIAS Tech Report
    2003-34, CERIAS, Purdue University, Nov. 2003.
  • L. Lilien, "Developing Pervasive Trust Paradigm
    for Authentication and Authorization," Proc.
    Third Cracow Grid Workshop (CGW03), Cracow,
    Poland, October 2003.
  • L. Lilien and A. Bhargava, "From Vulnerabilities
    to Trust A Road to Trusted Computing," Proc.
    International Conference on Advances in Internet,
    Processing, Systems, and Interdisciplinary
    Research (IPSI-2003), Sv. Stefan, Serbia and
    Montenegro, October 2003.

63
Selected Publications on Database Systems and
Distributed Systems
  • Database systems
  • Fault tolerance and recovery Pessimistic
    Quasipartitioning Protocols for Distributed
    Database Systems, IEEE Journal on Selected Areas
    in Communications ? Quasi-partitioning A New
    Paradigm for Transaction Execution in Distributed
    Database Systems, Proc. IEEE Fifth International
    Conference on Data Engineering ? Expert Systems
    for Fault Tolerant Distributed Database Systems,
    in Essays in Computer Vision and Other Topics,
    Academia Sinica
  • Data integrity Database Integrity Block
    Construct Concepts and Design Issues, IEEE
    Transactions on Software Engineering ? A Scheme
    for Batch Verification of Integrity Assertions in
    a Database System, IEEE Transactions on Software
    Engineering
  • Concurrency control A Performance Analysis of
    an Optimistic and a Basic Timestamp-ordering
    Concurrency Control Algorithms for Centralized
    Database Systems, Proc. IEEE Fourth
    International Conference on Data Engineering ?
    An Abstract Model of Concurrency Control
    Algorithms in Distributed Database Systems,
    Proc. IFIP Working Conference on Distributed
    Processing
  • Database design An Adaptive Mixed Relation
    Decomposition Algorithm for Conjunctive Retrieval
    Queries, Information Sciences ? An Extended
    Entity-Relationship (E2R) Database Specification
    and its Automatic Verification and Transformation
    into the Relational Logical Design, Proc. Sixth
    International Conference on Entity-Relationship
    Approach
  • Query processing Adaptive Techniques for
    Distributed Query Optimization, Proc. IEEE
    Second International Conference on Data
    Engineering
  • Distributed computing systems
  • Decentralized control Degrees of Concurrency in
    Distributed Computing Systems, Proc. IEEE
    Seventh International Conference on Computer
    Science ? Optimistic Algorithms in Distributed
    Systems, Proc. Second International Conference
    on Computers and Applications ? "A Paradigm of
    Modern Mixed Economy for Decentralized Control in
    Massive Distributed Computing Systems," Working
    Paper
  • Fault tolerance and recovery Redistribution of
    Hierarchically Structured Software in Response to
    Distributed System Site Crashes, International
    Journal of Computer Systems Science and
    Engineering
Write a Comment
User Comments (0)
About PowerShow.com