Csilla Farkas Department of Computer Science and Engineering University of South Carolina
-
Upload
damian-shepherd -
Category
Documents
-
view
219 -
download
0
description
Transcript of Csilla Farkas Department of Computer Science and Engineering University of South Carolina
Csilla Farkas
Department of Computer Science and EngineeringUniversity of South Carolina
Who is Impacted by Cyber Attacks?
Source: http://www.cagle.com/2010/05/internet-privacy/
What is Cyber Security?
Highly Technical
• People, processes, and technology
• Legislation and Regulation
• Risk management
Web Evolution• Past: Human usage – HTTP– Static Web pages (HTML)
• Current: Human and some automated usage – Interactive Web pages– Web Services (WSDL, SOAP, SAML)– Semantic Web (RDF, OWL, RuleML, Web databases)– XML technology (data exchange, data representation)
• Future: Semantic Web Services
ARE THE EXISTING SECURITY MECHANISMS SUFFICIENT TO
PROVIDE DATA AND APPLICATION SECURITY OF THE NEXT GENERATION WEB?
Limitation of Research
• Syntax-based• No association protection• Limited handling of updates • No data or application semantics • No inference control
Secure XML Views - Example
<medicalFiles> UC <countyRec> S <patient> S <name>John Smith </name> UC <phone>111-2222</phone> S </patient> <physician>Jim Dale </physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC <phone>333-4444</phone> S </patient> <physician>Joe White </physician> UC <milTag>MT78</milTag> TS </milBaseRec></medicalFiles>
medicalFiles
countyRec
patient
nameJohn Smith
milBaseRec
physicianJim Dale
physicianJoe White
nameHarry Green
milTagMT78
patient
phone111-2222
phone333-4444
View over UC data
Secure XML Views - Example cont.
<medicalFiles> <countyRec> <patient> <name>John Smith</name> </patient> <physician>Jim Dale</physician> </countyRec> <milBaseRec> <patient> <name>Harry Green</name> </patient> <physician>Joe White</physician> </milBaseRec></medicalFiles>
medicalFiles
countyRec
patient
nameJohn Smith
milBaseRec
physicianJim Dale
physicianJoe White
nameHarry Green
patient
View over UC data
Secure XML Views - Example cont.
medicalFiles
countyRec
patient
nameJohn Smith
milBaseRec
physicianJim Dale
physicianJoe White
nameHarry Green
patient
View over UC data
<medicalFiles> <tag01> <tag02> <name>John Smith</name> </tag02> <physician>Jim Dale</physician> </tag01> <tag03> <tag02> <name>Harry Green</name> </tag02> <physician>Joe White</physician> </tag03></medicalFiles>
Secure XML Views - Example cont.
<medicalFiles> UC <countyRec> S <patient> S <name>John Smith</name> UC </patient> <physician>Jim Dale</physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC </patient> <physician>Joe White</physician> UC </milBaseRec></medicalFiles>
medicalFiles
countyRec
patient
nameJohn Smith
milBaseRec
physicianJim Dale
physicianJoe White
nameHarry Green
patient
View over UC data
Secure XML Views - Example cont.
medicalFiles
nameJohn Smith
physicianJim Dale
physicianJoe White
nameHarry Green
View over UC data
<medicalFiles> <name>John Smith</name> <physician>Jim Dale</physician> <name>Harry Green</name> <physician>Joe White</physician></medicalFiles>
Secure XML Views - Solution
• Multi-Plane DTD Graph (MPG)• Minimal Semantic Conflict Graph
(association preservation)• Cover story• Transformation rules
<medicalFiles>
<milTag>
<phone>
<milBaseRec>
<countyRec>
<patient>
<physician> <name>
TopSecret
Secret
Unclassified
Multi-Plane DTD Graph
D,medicalFiles
D, countyRec D, milBaseRec
D, patient D, milTag
D, name D, phone
UC
UC
UC
S
S
S
TS
TSD, physician
MPG = DTD graphover multiple
security planes
Transformation - Example
name phone
physician
MSCG
MPG
<medicalFiles>
<milTag>
<phone>
<milBaseRec>
<countyRec><patient>
<physician> <name>
TS
UC
S
Security Space Secret
Transformation - Example
MPG
<medicalFiles>
<milTag>
<phone>
<milBaseRec>
<countyRec><patient>
<physician> <name>
TS
S
UC
<emrgRec>
SP
name
physician
MSCG
Transformation - Example
MPG
<medicalFiles>
<milTag>
<phone>
<milBaseRec>
<countyRec><patient>
<physician> <name>
TS
S
UC
<emrgRec>
SPMSCG
Transformation - Example
MPG
<medicalFiles>
<milTag>
<phone>
<milBaseRec>
<countyRec><patient>
<physician> <name>
TS
S
UC SP
<emrgRec>
medicalFiles
emergencyRec
namephysician
Data Structure
The Inference Problem
General Purpose Database:
Non-confidential data + Metadata Undesired Inferences
Semantic Web:
Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity
Undesired Inferences
Association Graph• Association similarity measure– Distance of each node from the association root– Difference of the distance of the nodes from the association
root– Complexity of the sub-trees originating at nodes
• Example:
Air show
address fort
XML document:Association Graph:
address fort
Public Public, AC
Correlated Inference
Object[]. waterSource :: Object basin :: waterSource place :: Object district :: place address :: place base :: Object fort :: base
address fortPublic
Water source base
Confidential
district basinPublic
?
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions
21
Correlated Inference (cont.)
address fortPublic
district basinPublic
Object[]. waterSource :: Object basin :: waterSource place :: Object district :: place address :: place base :: Object fort :: base
placebase
Water SourceWater source
Base
Place
Water source base
Confidential
Inference Removal
• Relational databases: limit access to data• Web inferences– Cannot redesign public data outside of protection domain– Cannot modify/refuse answer to already published web
page• Protection Options– Release misleading information– Remove information– Control access to metadata
Big Data Analytics: Are there new questions?
• Technologies• Big Data characteristics–Volume –Variety–Velocity – live database, fast growth
Past: The Inference Problem
Organizational Data
Confidential
Attacker
Public
Access Control
X
OntologyData Integration
andInferences
Web Data
Present: Big Data InferencesPrivate ?
OntologyData Integration
andInferences
Web DataSecure ?
Future: Research Challenges
• Security for raw data– Flexible access control– Data removal
• Security for metadata– Protection need of novel, new concept–Metadata guided attacks
• Cross-context attacks– Correlate data across multiple contexts
Semantic
Web
Technologies
Need for Visualization
Context 1
Context 3
Context 2
Questions?
National Center of Academic Excellence in Information Assurance Education
National Training Standards, Knowledge Units
OUTREACHEDUCATIONRESEARCH
CIAE Mission
CIAE Mission
OUTREACH
EDUCATIONIA courses
IA specializationApplied Computing
Graduate IA Certificate
RESEARCH
K-12 Cyber SecurityEducation
Higher EducationalInstitutes
Industry Partnership
OUTREACHEDUCATION
RESEARCHExternal funding
Peer-reviewed publicationsPh.D. graduates
CIAE Mission