
    A novel policy-driven reversible anonymisation scheme for XML-based services

    Author's version of an article in the journal: Information Systems. Also available from the publisher at: http://dx.doi.org/10.1016/j.is.2014.05.007

    This paper proposes a reversible anonymisation scheme for XML messages that supports fine-grained enforcement of XACML-based privacy policies. Reversible anonymisation means that information in XML messages is anonymised, but the information required to reverse the anonymisation is cryptographically protected within the messages. The policy can control access down to octet ranges of individual elements or attributes in XML messages. The reversible anonymisation protocol effectively implements a multi-level privacy and security approach, so that only authorised stakeholders can disclose confidential information up to the privacy or security level they are authorised for. The approach furthermore supports a shared-secret scheme, where several stakeholders must agree before confidential information is disclosed. Last, it supports time-limited access to private or confidential information. This enables improved control of access to private or confidential information in XML messages used by a service-oriented architecture. The solution provides horizontally scalable confidentiality protection for certain types of big data applications, such as XML databases, secure logging and data retention repositories.

    Privacy-enhanced network monitoring

    This PhD dissertation investigates two necessary means for building privacy-enhanced network monitoring systems: a policy-based privacy or confidentiality enforcement technology; and metrics measuring leakage of private or confidential information, used to verify and improve these policies. The privacy enforcement mechanism is based on fine-grained access control and reversible anonymisation of XML data to limit or control access to sensitive information from the monitoring systems. The metrics can be used to support a continuous improvement process, by quantifying leakages of private or confidential information, locating where they are, and proposing how these leakages can be mitigated. The planned actions can be enforced by applying a reversible anonymisation policy, or by removing the source of the information leakages. The metrics can subsequently verify that the planned privacy enforcement scheme works as intended. Any significant deviations from the expected information leakage can be used to trigger further improvement actions. The most significant results from the dissertation are: a privacy leakage metric based on the entropy standard deviation of given data (for example IDS alarms), which measures how much sensitive information is leaking and where these leakages occur; a proxy offering policy-based reversible anonymisation of information in XML-based web services, which supports multi-level security so that only authorised stakeholders can get access to sensitive information; and a methodology which combines privacy metrics with the reversible anonymisation scheme to support a continuous improvement process with reduced leakage of private or confidential information over time.

    This can be used to improve management of private or confidential information where managed security services have been outsourced to semi-trusted parties, for example outsourced managed security services monitoring health institutions or critical infrastructures. The solution is based on relevant standards to ensure backwards compatibility with existing intrusion detection systems and alarm databases.

    Searchable Privacy-Enabled Information and Event Management Solution.

    Master's thesis in Information and Communication Technology, Universitetet i Agder, 2015

    With network traffic proliferating over the last couple of decades, there is an increasing need to monitor security information in order to prevent and resolve network security threats. A Security Information and Event Management (SIEM) solution collects all the alerts that the various Intrusion Detection and Prevention Systems (IDS/IDP or IDPS) generate, as well as security logs from various other systems, into one database so that the security analyst (SA) can more easily get an overview of the threat activity. A privacy-enhanced anonymisation and deanonymisation protocol (Anonymiser/Reversible Anonymiser) has been used to prevent a first-line security analyst without proper clearance from getting access to personally identifiable information (PII) and/or other types of confidential information that are not allowed to leave the network perimeter. Examples include PII sampled from IP packets, critical address information and network architecture. This thesis proposes an architectural design for a new SIEM solution which utilises a reversible anonymiser (RA) to enable privacy-enhanced data collection and on-demand deanonymisation of anonymised alarms.

    An Architecture for Provenance Systems

    This document covers the logical and process architectures of provenance systems. The logical architecture identifies key roles and their interactions, whereas the process architecture discusses distribution and security. A fundamental aspect of our presentation is its technology-independent nature, which makes it reusable: the principles exposed in this document may be applied to different technologies.

    Cloud technology options towards Free Flow of Data

    This whitepaper collects the technology solutions that the projects in the Data Protection, Security and Privacy Cluster propose to address the challenges raised by the working areas of the Free Flow of Data initiative. The document describes the technologies, methodologies, models, and tools researched and developed by the clustered projects, mapped to the ten areas of work of the Free Flow of Data initiative. The aim is to facilitate the identification of state-of-the-art technology options for solving the data security and privacy challenges posed by the Free Flow of Data initiative in Europe. The document gives references to the Cluster, the individual projects and the technologies produced by them.

    Internet of Things data contextualisation for scalable information processing, security, and privacy

    The Internet of Things (IoT) interconnects billions of sensors and other devices (i.e., things) via the internet, enabling novel services and products that are becoming increasingly important for industry, government, education and society in general. It is estimated that by 2025, the number of IoT devices will exceed 50 billion, which is seven times the estimated human population at that time. With such a tremendous increase in the number of IoT devices, the data they generate is also increasing exponentially and needs to be analysed and secured more efficiently. This gives rise to what appears to be the most significant challenge for the IoT: novel, scalable solutions are required to analyse and secure the extraordinary amount of data generated by tens of billions of IoT devices. Currently, no solutions exist in the literature that provide scalable and secure IoT-scale data processing. In this thesis, a novel scalable approach is proposed for processing and securing IoT-scale data, which we refer to as contextualisation. The contextualisation solution aims to exclude irrelevant IoT data from processing and to address data analysis and security considerations via the use of contextual information. More specifically, contextualisation can effectively reduce the volume, velocity and variety of data that needs to be processed and secured in IoT applications. This contextualisation-based data reduction can subsequently provide IoT applications with the scalability needed for IoT-scale knowledge extraction and information security. IoT-scale applications, such as smart parking or smart healthcare systems, can benefit from the proposed method, which improves the scalability of data processing as well as the security and privacy of data.

    The main contributions of this thesis are: 1) an introduction to context and contextualisation for IoT applications; 2) a contextualisation methodology for IoT-based applications that is modelled around observation, orientation, decision and action loops; 3) a collection of contextualisation techniques and a corresponding software platform for IoT data processing (referred to as contextualisation-as-a-service or ConTaaS) that enables highly scalable data analysis, security and privacy solutions; and 4) an evaluation of ConTaaS in several IoT applications to demonstrate that our contextualisation techniques permit data analysis, security and privacy solutions to remain linear, even in situations where the number of IoT data points increases exponentially.

    Estimating Footfall From Passive Wi-Fi Signals: Case Study with Smart Street Sensor Project

    Measuring the distribution and dynamics of the population at a granular level, both spatially and temporally, is crucial for understanding the structure and function of the built environment. In this era of big data, there have been numerous attempts to undertake this using the preponderance of unstructured, passive and incidental digital data generated by day-to-day human activities. In attempts to collect, analyse and link these widely available datasets at a massive scale, it is easy to put the privacy of the study subjects at risk. This research looks at one such data source, Wi-Fi probe requests generated by mobile devices, in detail, and processes it into granular, long-term information on the number of people on the retail high streets of the United Kingdom (UK). Though this is not the first study to use this data source, the thesis specifically targets and tackles the uncertainties introduced in recent years by the implementation of features designed to protect the privacy of the users of Wi-Fi enabled mobile devices. This research starts with the design and implementation of multiple experiments to examine Wi-Fi probe requests in detail, then describes the development of a data collection methodology to collect multiple sets of probe requests at locations across London. The thesis also details the uses of these datasets, along with the massive dataset generated by the 'Smart Street Sensor' project, to devise novel data cleaning and processing methodologies which result in the generation of a high-quality dataset describing the volume of people on UK retail high streets at 5-minute granularity since August 2015 across approximately 1000 locations in 115 towns. This thesis also describes the compilation of a bespoke 'Medium data toolkit' for processing Wi-Fi probe requests (or indeed any other data of similar size and complexity).

    Finally, the thesis demonstrates the value and possible applications of such footfall information through a series of case studies. By successfully avoiding the use of any personally identifiable information, the research undertaken for this thesis also demonstrates that it is feasible to prioritise the privacy of users while still deriving detailed and meaningful insights from the data they generate.

    Modelling the prevalence, healthcare costs and number of deaths in chronic obstructive pulmonary disease in England and Scotland

    Introduction: Chronic obstructive pulmonary disease (COPD) has emerged as a major policy focus for health systems throughout Western Europe. This reflects the increased prevalence, associated healthcare utilisation and costs of COPD, and the potential to substantially improve outcomes through achieving reductions in smoking. The aim of this PhD was to develop projections for the prevalence, healthcare costs and number of deaths in people with COPD in England and Scotland over a 20-year horizon (i.e. from 2011 to 2030).

    Methods: I undertook a phased programme of work, which began with a systematic review of the published and unpublished literature to identify models that were suitable for estimating and/or projecting the prevalence and disease and economic burden of COPD. This involved searching Medline, Embase, CAB Abstracts, World Health Organization (WHO) Library and Information Services and WHO Regional Indexes, and Google over the time period 1980-2013. The models were then critically appraised for their quality of reporting. From these, I selected the Dutch Model developed by Erasmus University for generating projections. Suitable data sources from both England and Scotland were identified, sourced and carefully processed in order to run the modelling exercises. Rates of incidence and prevalence were calculated using English and Scottish healthcare datasets, and population data were obtained from the Office for National Statistics (ONS) and the General Register Office for Scotland (GROS). Relative risks for all-cause mortality among people with COPD were calculated from the Clinical Practice Research Datalink, and mortality data were obtained from the ONS and GROS. The Model was thus adjusted to apply to England and Scotland. I then travelled to the Netherlands to work with the developers of the Dutch Model and ran a baseline model and an array of sensitivity analyses with modified inputs to the Model. Finally, my Rotterdam colleagues calculated uncertainty intervals for some of the estimates using probabilistic analysis.

    Results: Using the probabilistic means and uncertainty intervals, in England, the modelled prevalence of diagnosed COPD among males of all ages in 2011 was 1.8% (95% uncertainty interval 1.8-1.9), increasing to 2.0% (1.7-2.1) by 2030. In females in England, the baseline estimate was 1.8% (1.7-1.8) in 2011, increasing to 2.4% (2.0-2.6) in 2030. In Scotland, the modelled prevalence among males was 1.9% (1.8-1.9) in 2011 and was projected to stay the same at 1.9% (1.7-2.2) by 2030. In females in Scotland, the estimated prevalence was 2.2% (2.1-2.3) in 2011 and was projected to increase to 2.5% (2.1-2.7) in 2030. Using the Model, I estimated that overall in 2011 there were a total of 952,000 (941,000-966,000) people with diagnosed COPD in England and 106,000 (103,000-110,000) in Scotland, and that these numbers would increase to 1,325,000 (1,117,000-1,408,000) in England and 125,000 (113,000-136,000) in Scotland in 2030, respectively. The greatest increase in COPD was projected to be in females over 65 years of age in both countries. The total annual direct healthcare costs of COPD in England were projected to increase from £1.60 (95% uncertainty interval 1.18-2.5) billion in 2011 to £2.35 (1.85-3.08) billion in 2030. In Scotland, costs were projected to increase from £170 (128-268) million in 2011 to £210 (165-274) million in 2030. These costs were calculated in terms of 2011 costs without the application of any economic trends (i.e. no annual increase applied for inflation). The number of deaths among people with COPD in England was estimated to be 99,000 (93,000-129,000) in 2011, increasing to 129,000 (126,000-133,000) in 2030. In Scotland there were estimated to be 10,000 (9,000-12,000) deaths in 2011, increasing to 14,000 (13,000-15,000) in 2030. The Dutch Model demonstrated a 39% increase in the number of people with COPD in England and a 17% increase in Scotland between 2011 and 2030. It provided an estimate of a 30% increase in deaths among people with COPD in England and of a 43% increase in Scotland. Overall, there was a projected 46% increase in the direct healthcare costs required to care for people with COPD in England and a 23% increase in Scotland between 2011 and 2030. These differences are largely due to higher COPD-related excess mortality in Scotland and to differences in the data used to populate the model in the two countries.

    Conclusions: There are likely to be substantial increases in the number of people with COPD, associated morbidity, direct healthcare costs and mortality in both England and Scotland over the next two decades. These increases in numbers will predominantly occur in females over 65 years of age and are likely to have substantial societal impact in terms of organising the health and social care for this frail population.