237 research outputs found
Business intelligence meets big data : an overview on security and privacy
Today big data are the target of many research activities focusing on big data management and analysis, definition of zero latency approaches to data analytics, and protection of big data security and privacy. In particular, security and privacy are two important, while contrasting, requirements. Big data security usually refers to the use of big data to implement solutions increasing security, reliability, and safety of a distributed system. Big data privacy, instead, focuses on the protection of big data from unauthorized use and unwanted inference. In this paper, we start from the manifesto on Business Intelligence Meets Big Data [8] and the notions of full data and zero-latency analysis to discuss new challenges in the context of big data security and privacy
Information security theory and practice : security and privacy of mobile devices in wireless communication : 5. IFIP WG 11.2 international workshop, WISTP 2011 : Heraklion, Crete, Greece, june 1-3, 2011. proceedings
IWSSC 2011 : 1. International workshop on securing services on the cloud : september 7, 2011, Milan, Italy : proceedings
Network and Storage Latency Attacks to Online Trading Protocols in the Cloud
Online trading protocols enable participants to trade, barter, or sell goods and services over a private network or the global Net. Due to diversity of network and computational resources at their disposal, participants communicate and carry out their trading with different latencies. This scenario may give rise to latency attacks, where malicious parties (a.k.a. fast traders) exploit lower latency to attack trading protocols' fairness and increase their income. With the advent of the cloud, the problem of identifying and preventing latency attacks is exacerbated by the fact that cloud providers and privileged users could collude to make latency attacks simpler and more effective. In this paper, we give an overview of network and storage latency attacks in multi-party trading protocols, focusing on cloud peculiarities and providing some empirical recommendations for protocol design
Privacy and security in distributed and pervasive systems
Technical improvements of Web and location technologies have fostered the development of online applications that use private information of users to offer enhanced services. As a consequence, the vast amount of personal information thus available on the Web has led to growing concerns about privacy of its users. Today global networked infrastructure requires the ability for parties to communicate in a secure environment while at the same time preserving their privacy. Support for digital identities and definition of privacy-enhanced protocols and techniques for their management and exchange become then fundamental requirements. A number of useful privacy enhancing technologies (PETs) have been developed for dealing with privacy issues and previous works on privacy protection have focused on a wide variety of topics. Among them, for helping users in maintaining control over their personal information, access control solutions have been enriched with the ability of supporting privacy requirements, by regulating access to and release of users personal information. Despite the benefits of such solutions few proposals have addressed the problem of how to regulate use of personal information in secondary applications. Moreover, this large number of solutions is causing some confusion and seems increasing the effort for developers to build online services.
In this thesis, the notions of privacy and access control are fully integrated within a common framework, and a privacy-aware access control system supporting digital identities, anonymous interactions, and fine-grained context information is defined together with an evaluation infrastructure. The defined models and languages, which provide authorizations based on digital certificates, include support for obligations constraints and data handling policies that regulate secondary use and dissemination of private information exchanged among parties.
The proposed privacy-aware access control system is however of little values if location privacy is not protected. Location information in fact has achieved a level of accuracy that makes straightforward its adoption within an access control system to define restrictions based on physical position of users. By contrast, location information can cause loss of privacy on users whereabouts and can easily permit to re-identify the users by looking at information, such as the place in which users stay during the night. Special attention is then devoted to protection of location information with respect to privacy threats that can happen in today pervasive environment, where location information of users is available to external parties without restrictions. A further complicating factor is that while protecting location privacy, the quality of service of location-based applications plays an important role and should be preserved. In this thesis, we propose an obfuscation-based solution to location privacy protection that balances the need of privacy of users and the need of location information accuracy of location-based services. This solution is then validated in the context of our location-based access control (LBAC) system, which is responsible for the evaluation and management of an innovative access control language supporting a new class of location-aware conditions. This approach coupled with the privacy-aware access control system guarantees flexible and reliable access control evaluation and enforcement while protecting the privacy of the users.
In summary, the contribution of this thesis is twofold: first we develop a privacy-aware access control system for Web transactions; then we propose a LBAC system and a location privacy solution to be validated in the context of such a system. With respect to the development of a privacy-aware access control system, the original results are: the definition of an access control model, composed of attribute-based access control and release policies, which on the one side regulates access to service provider resources, and on the other side manages release of user data. Our model supports requests for certified and uncertified data, ontology definition, anonymous interactions, and zero-knowledge proofs; the definition of a data handling model and language for specification and enforcement of policies aimed at protecting secondary use of private information of users after their release to external parties; an architecture for the composition of access control, release, and data handling policies. With respect to the definition of a location privacy solution to be integrated in the context of our location-based access control model and language, the original results are: the definition of an infrastructure for the evaluation and enforcement of LBAC policies, which manages the uncertainty of location-based information; the definition of a location privacy solution based on obfuscation techniques balancing privacy need of users and accuracy need of location-based services; a privacy-aware LBAC system integrating our privacy-aware access control system, our location-based access control system, and our location privacy solution
Container-level security certification of services
The increasing success of Service-Oriented Architecture (SOA) paradigm has fostered the implementation of complex services, including business processes, via dynamic selection and composition of remote services providing single functionality. Run-time selection and composition of services require the deployment of high-level security standards for the SOA infrastructure, to increase the confidence of both service consumers and providers that the services satisfy their security requirements and behave as expected. In this context, certification can play a fundamental role and provide the evidence that a set of properties hold for a given service. Security certification of services can involve two different aspects: i) the evaluation of the container in which the service is deployed, in terms of compliance with web service security standards and policies; ii) the verification and validation of the service implementation. In this chapter, we focus on the first aspect and we propose an overview of container-level certification of services
Dependability certification of services : a model-based approach
The advances and success of the Service-Oriented Architecture (SOA) paradigm have produced a revolution in ICT, particularly, in the way in which software applications are implemented and distributed. Today, applications are increasingly provisioned and consumed as web services over the Internet, and business processes are implemented by dynamically composing loosely coupled applications provided by different suppliers. In this highly dynamic context, clients (e.g., business owners or users selecting a service) are concerned about the dependability of their services and business processes. In this paper, we define a certification scheme that allows to verify the dependability properties of services and business processes. Our certification scheme relies on discrete-time Markov chains and awards machine-readable dependability certificates to services, whose validity is continuously verified using run-time monitoring. Our solution can be integrated within existing SOAs, to extend the discovery and selection process with dependability requirements and certificates, and to support a dependability-aware service composition
- …
