
Behavior Tracking and Ad Network

Dhaval Patel

One of the fastest-growing businesses on the Internet, a Wall Street Journal investigation has found, is the business of spying on web users. The Journal conducted a comprehensive study that assessed and analyzed a broad array of surveillance technologies that companies use to monitor Internet users. It revealed that tracking of consumers has grown both far more pervasive and far more intrusive than was realized by all but a handful of people in the vanguard of the industry. Recent studies have proposed several approaches to prevent businesses from spying on web users without disrupting main web functionality, such as serving advertisements.

Securing Health Data in mStroke: A System for Stroke Rehabilitation 

David Schwab, Dan Kolb, Eric Reinsmidt 

 

 

Bioinformatics analysis of human genes associated with diseases at higher rates in African Americans (DHRAAs)

Yi Jiang, Shahab Hassani

Health disparity refers to population-specific differences in the presence of disease, health outcomes, or access to health care that exist across racial and ethnic groups. According to a 2009 study by the Joint Center for Political and Economic Studies, eliminating health disparities for minorities would have reduced direct medical care expenditures by $229.4 billion between 2003 and 2006 [1]. The goal of this project is to identify the pathogenic potential of human genes in African American derived populations (AADPs) through large-scale computational searches. Revealing pathogenic genes and the factors that affect them among AADPs will help to reduce the cost of health care by guiding African Americans to take preventive measures that mitigate health disparity.

Fine-grained Reputation-based Routing in Wireless Ad Hoc Networks

Mobile Ad-hoc Networks (MANETs) are extremely helpful in supporting and forming an instant network when no fixed infrastructure is available. MANETs can support applications in a variety of areas like emergency assistance and inter-vehicle communications. Most developed wireless ad-hoc routing protocols are designed to discover and maintain an active path from source to destination with an assumption that every node is friendly. However, it is possible that the participating nodes may be selfish or malicious. A mechanism to evaluate reputation and trust for each node is essential for the reliability of a routing protocol in MANETs.

In this area, we are doing research in integrating reputation and trust management into routing protocols in MANETs. The reputation mechanism is based on constantly monitoring and updating both first-hand and second-hand information. Nodes within the network are able to monitor their immediate neighbors and obtain first-hand information based on the perceived behavior. Second-hand information is obtained from the sharing of this first-hand information with other network nodes. The nodes thus create the total reputation value by a combination of first-hand and second-hand information. The total reputation value is then available to neighboring nodes for routing decisions. Dynamic Source Routing Protocol (DSR) is selected to explore the possibility and benefits resulting from the integration of a reputation and trust management into a routing protocol. Reputation-based routing is designed to improve reliability in both route discovery and maintenance in MANETs.

Integrate Trust into Usage Control in File Sharing

Most access control models have formal access control rules to govern the authorization of a request from a principal. Trust evaluation helps to identify a principal, or the behaviors of a principal, in a pervasive and collaborative environment when complete information on the principal is not available. This paper integrates trust management into the usage control model to make file sharing decisions in an ever-changing environment. The attributes associated with a principal and the requested objects, the contexts associated with a request, and even the behaviors of a principal can change during collaborative file sharing. This mutability poses challenges for file protection when resource sharing must happen during collaboration. To address these challenges, we propose a framework that determines the trust value of a principal and integrates that trust into access control to make decisions on resource exchange. First, a trust value for a principal is evaluated based on both observed behaviors and peer recommendations. Second, the usage-based access control rules are checked to decide the authorization of a request. Our system is dynamic because an untrusted principal can be disenrolled and ongoing access can be revoked when it no longer meets the access control rules due to mutability. We apply our trust-based usage control framework to a file sharing application by simulation.

LDA-based Dark Web Analysis

Analysis of dark websites is important for developing effective strategies to combat terrorism and extremism, as more and more scattered terrorist cells use the ubiquity of the Internet to form communities in virtual space at fairly low cost. Terrorists or extremists can anonymously set up various web sites embedded in the large-scale public Internet, forming online social communities to exchange ideology, spread propaganda, recruit members and plan attacks. In this paper, we propose a method to discover and cluster latent topics by analyzing the contents of "Dark websites". The content and data from dark websites are gathered and extracted by crawlers and exported to documents. An LDA (Latent Dirichlet Allocation)-based hierarchical Bayesian algorithm is used to analyze the extracted documents so as to discover latent communities from the web sites of terrorists or extremists. Latent communities are subsets of terrorist or extremist networks, distributed over the social actor space. The connections within each discovered topic are dense, whereas the connections between topics are sparse. In contrast to traditional clustering technology, LDA-based analysis allows one document to be classified into different topics. Using the Expectation-Maximization algorithm, Bayesian inference is carried out to learn the distribution and classify documents into the corresponding latent topics. Our analyses help to gain more insight into the structure and communities of terrorists and extremists.

A Relationship-based Context-aware Flexible Authorization Framework for Mediation Systems 

Security is a critical concern for mediator-based data integration among heterogeneous data sources. We provide a modeling and architectural solution to the problem of mediation security that addresses security challenges including context-awareness, semantic heterogeneity, and multiple security policy specification. A generic, extensible modeling method for the security policies in mediation systems is developed. A series of authorization constraints is identified based on the relationships among the different security components in the mediation systems. Moreover, we enforce flexible access control in mediation systems while providing uniform access to heterogeneous data sources.

SecCMP: A Secure Chip-Multiprocessor Architecture 

Security is considered an important issue in processor design. Most existing mechanisms address security and integrity issues caused by untrusted main memory in single-core systems. We are working on a secure Chip-Multiprocessor architecture (SecCMP) to handle security-related problems such as key protection and core authentication in multi-core systems. A threshold secret sharing scheme is employed to protect critical keys because secret sharing is a distributed security scheme that matches the nature of multi-core systems. A critical secret is divided and distributed among multiple cores instead of being kept as a single copy that is sensitive to exposure. The proposed SecCMP not only enhances the security and fault tolerance of key protection but also supports core authentication. It is designed to be an efficient and secure architecture for CMPs. We use an application to demonstrate secure, remote access to and sharing of critical information supported by SecCMP. Integrated with identity-based cryptography, SecCMP provides a secure and reliable way to generate and distribute encryption keys between a local host and a remote site when prior distribution of keys is not available.

 

Readings

Web and Browser Security

1. Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. 2010. A solution for the automated detection of clickjacking attacks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10). ACM, New York, NY, USA, 135-144. 

2. Know your enemy: web application threats: http://honeynet.org/book/export/html/1

3. Kapil Singh, Alexander Moshchuk, Helen J. Wang, and Wenke Lee, On the Incoherencies in Web Browser Access Control Policies, 2010. 

4. Thomas Wadlow, Vlad Gorelik, Security in the Browser, ACM Queue, 2009. 

5. Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens. 2012. FlowFox: a web browser with flexible and precise information flow control. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 748-759.

6. Eric Yawei Chen, Jason Bau, Charles Reis, Adam Barth, and Collin Jackson. 2011. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 227-238. 

7. Shuo Tang, Haohui Mai, Samuel T. King, Trust and Protection in the Illinois Browser Operating System, In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI), October 2010. 

8. Mike Ter Louw, Karthik Thotta Ganesh, and V. N. Venkatakrishnan. 2010. AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In Proceedings of the 19th USENIX conference on Security (USENIX Security'10). USENIX Association, Berkeley, CA, USA, 24-24.

9. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites, IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010). 

10. Daniel Bates, Adam Barth, and Collin Jackson. 2010. Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th international conference on World wide web (WWW '10). ACM, New York, NY, USA, 91-100.

11. Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. 2009. The multi-principal OS construction of the gazelle web browser. In Proceedings of the 18th conference on USENIX security symposium (SSYM'09). USENIX Association, Berkeley, CA, USA, 417-432.

Cloud Security

1. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, and Luigi Lo Iacono. 2011. All your clouds are belong to us: security analysis of cloud management interfaces. In Proceedings of the 3rd ACM workshop on Cloud computing security workshop (CCSW '11). ACM, New York, NY, USA, 3-14.

2. Pearson, S., "Taking account of privacy when designing cloud computing services," Software Engineering Challenges of Cloud Computing, 2009. CLOUD '09. ICSE Workshop on , vol., no., pp.44,52, 23-23 May 2009. 

3. Cong Wang; Qian Wang; Kui Ren; Wenjing Lou, "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," INFOCOM, 2010 Proceedings IEEE , vol., no., pp.1,9, 14-19 March 2010. 

4. Ko, R.K.L.; Jagadpramana, P.; Mowbray, M.; Pearson, S.; Kirchberg, M.; Qianhui Liang; Bu Sung Lee, "TrustCloud: A Framework for Accountability and Trust in Cloud Computing," Services (SERVICES), 2011 IEEE World Congress on , vol., no., pp.584,588, 4-9 July 2011. 

5. Dimitrios Zissis and Dimitrios Lekkas. 2012. Addressing cloud computing security issues. Future Gener. Comput. Syst. 28, 3 (March 2012), 583-592. 

6. Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi, Jessica Staddon, Ryusuke Masuoka, and Jesus Molina. 2009. Controlling data in the cloud: outsourcing computation without outsourcing control. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 85-90. 

7. Qian Wang, Cong Wang, Jin Li, Kui Ren, and Wenjing Lou. 2009. Enabling public verifiability and data dynamics for storage security in cloud computing. In Proceedings of the 14th European conference on Research in computer security (ESORICS'09), Michael Backes and Peng Ning (Eds.). Springer-Verlag, Berlin, Heidelberg, 355-370. 

8. Luis M. Vaquero, Luis Rodero-Merino, and Daniel Moran. Locking the sky: a survey on IaaS cloud security. Computing 91, 1 (January 2011), 93-118. 

9. Kaufman, L.M., "Data Security in the World of Cloud Computing," Security & Privacy, IEEE , vol.7, no.4, pp.61,64, July-Aug. 2009. 

10. Balachandra Reddy Kandukuri, Ramakrishna Paturi V., and Atanu Rakshit. 2009. Cloud Security Issues. In Proceedings of the 2009 IEEE International Conference on Services Computing (SCC '09). IEEE Computer Society, Washington, DC, USA, 517-520. 

11. Ramgovind, S.; Eloff, M.M.; Smith, E., "The management of security in Cloud computing," Information Security for South Africa (ISSA), 2010 , vol., no., pp.1,7, 2-4 Aug. 2010. 

12. Yanpei Chen, Vern Paxson and Randy H. Katz, What’s New About Cloud Computing Security?, Technical Report, UC Berkeley, 2010. 

13. Abdul Nasir Khan, M.L. Mat Kiah, Samee U. Khan, Sajjad A. Madani, Towards secure mobile cloud computing: A survey, Future Generation Computer Systems, Volume 29, Issue 5, July 2013, Pages 1278-1299, ISSN 0167-739X, http://dx.doi.org/10.1016/j.future.2012.08.003. 
