11 research outputs found
Privacy-preserving recommendations in context-aware mobile environments
© Emerald Publishing Limited. Purpose - This paper aims to address privacy concerns that arise from the use of mobile recommender systems when processing contextual information relating to the user. Mobile recommender systems aim to solve the information overload problem by recommending products or services to users of Web services on mobile devices, such as smartphones or tablets, at any given point in time and in any possible location. They use recommendation methods, such as collaborative filtering or content-based filtering, and use a considerable amount of contextual information to provide relevant recommendations. However, because of privacy concerns, users are not willing to provide the required personal information that would allow their views to be recorded and make these systems usable. Design/methodology/approach - This work is focused on user privacy by providing a method for context privacy-preservation and privacy protection at the user interface level. Thus, a set of algorithms that are part of the method has been designed with privacy protection in mind, which is done by using realistic dummy parameter creation. To demonstrate the applicability of the method, a relevant context-aware data set has been used to run performance and usability tests. Findings - The proposed method has been experimentally evaluated using performance and usability evaluation tests, and it is shown that, with a small decrease in performance, user privacy can be protected. Originality/value - This is a novel research paper that proposes a method for protecting the privacy of mobile recommender system users when context parameters are used.
A Taxonomy for and Analysis of Anonymous Communications Networks
Any entity operating in cyberspace is susceptible to debilitating attacks. With cyber attacks intended to gather intelligence and disrupt communications rapidly replacing the threat of conventional and nuclear attacks, a new age of warfare is at hand. In 2003, the United States acknowledged that the speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult. Even President Obama's Cybersecurity Chief-elect recognizes the challenge of increasingly sophisticated cyber attacks. Now through April 2009, the White House is reviewing federal cyber initiatives to protect US citizen privacy rights. Indeed, the rising quantity and ubiquity of new surveillance technologies in cyberspace enables instant, undetectable, and unsolicited information collection about entities. Hence, anonymity and privacy are becoming increasingly important issues. Anonymization enables entities to protect their data and systems from a diverse set of cyber attacks and preserves privacy. This research provides a systematic analysis of anonymity degradation, preservation and elimination in cyberspace to enhance the security of information assets. This includes discovery/obfuscation of identities and actions of/from potential adversaries. First, novel taxonomies are developed for classifying and comparing well-established anonymous networking protocols. These expand the classical definition of anonymity and capture the peer-to-peer and mobile ad hoc anonymous protocol family relationships. Second, a unique synthesis of state-of-the-art anonymity metrics is provided. This significantly aids an entity's ability to reliably measure changing anonymity levels, thereby increasing their ability to defend against cyber attacks. Finally, a novel epistemic-based mathematical model is created to characterize how an adversary reasons with knowledge to degrade anonymity. This offers multiple anonymity property representations and well-defined logical proofs to ensure the accuracy and correctness of current and future anonymous network protocol design.
Preserving Privacy in Mobile Environments
Technology is improving day by day and so is the usage of mobile devices. Every activity that would involve manual and paper transactions can now be completed in seconds using your fingertips. On one hand, life has become fairly convenient with the help of mobile devices, whereas on the other hand the privacy of the data and the transactions occurring in the process has been under continuous threat. Mobile devices connect to a number of service providers for various reasons. These could include downloading data, online purchasing, or simply browsing information which may be irrelevant at a later point. Access to critical and sensitive information may be available at a number of places. In the case of a mobile device, the information may be available with the service provider. The service provider could be in the form of any web portal. In all such scenarios, passing the information or data from the service provider to the mobile device is a major challenge, as the data/information cannot be sent in plain text format. The confidentiality and integrity of the data need to be protected, and hence the service provider must convert the data into an encrypted format before passing it on to the mobile device, to prevent risks from sniffing and unauthorized disclosure of data. Preserving the location of the individual user of any mobile device has also been a concern for a number of researchers.
Mobile devices have become an important tool in modern communication. Mobile and other handheld devices such as iPads and tablets have overtaken laptops and desktops, and hence there has been increasing research interest in this area in recent years. This includes improving the quality of communication and the overall end-to-end data security in day-to-day transactions. Mobile devices continuously connect to different service providers for day-to-day needs such as online purchases, online banking and endless surfing for information. In addition to this, devices could be connecting to the service providers to receive or send sensitive information. At the service provider end, the data would be stored with the provider, and the service provider would only hand over the data if it confirms that the person who requested it is authorized to receive the information. The exchange of data from one end of the network to the other is a major challenge due to malicious intruders mishandling the data. Hence the confidentiality and integrity of the data need to be protected, either by transforming the sensitive information into a non-readable format or by converting it into ciphertext.
Privacy has been an open problem for research as more and more information is getting leaked on a day-to-day basis. Through this thesis, I have tried to address a number of areas within the privacy realm where information and data access and sharing is a key concern, alongside the key aspect of location privacy. I have also tried to address the problems in the space of access control, wherein I have proposed policy-based languages and extensions for ensuring appropriate access control methodologies. The main goal and focus in this work has been to enforce the importance of location privacy in mobile environments and to propose solutions that resolve the problems of where and when to enforce location security. Another key goal of this work has been to create new access control and trust-based solutions to ensure the right level of access to the right receiver of information. Through my research, I have explored the various privacy-related attacks and suggested appropriate countermeasures for the same. In addition to proposing and showcasing solutions using policy languages for access control, I have also introduced geospatial access control solutions to ensure that the right user is accessing or requesting the right information from the right location. This helps the appropriate and right use of the information by the right resource. Through my thesis I have also given equal importance to the trust aspects of sharing information. I have created new trust assessment models to show how fused information can be handled and how trust can be imposed on the information provider and the information itself.
The main contribution of this thesis is to address the problems around protecting data and individuals' privacy and to propose solutions to mitigate these issues using new and novel techniques. They can be detailed as follows:
In privacy, there is always a privacy versus utility tradeoff, and in order to make use of utility, trust in the location is essential. Through this research I have developed i) novel attestation models and access control methodologies including Privacy Preferences Platform (P3P) extensions, ii) Extensible Access Control Markup Language (XACML) extensions and iii) geospatial access control through GeoXACML. iv) I have created new methodologies to enforce location privacy and shown where best to enforce privacy. v) I have also shown that global attestation is very crucial for privacy and needs accurate methods in place to attest a user's location information for access. vi) Fusing of location information is very crucial as there could be a number of similar or conflicting pieces of information produced about a common source, and it is very important to assess and evaluate the trust level in the information. I have proposed, developed and implemented a new trust assessment framework. This framework looks at the incoming information and passes it on to the rule engine in the framework to make some inferences, and then the trust assessment module computes the trust score based on a forward chaining or background chaining scheme. The framework is used to evaluate the trust on the fused information in a streaming setup. vii) I have created new solutions to look at the similarity profiles and create identity enforcement through profiling. I have shown methods of anonymisation for location privacy and identity privacy.
Leveraging Client Processing for Location Privacy in Mobile Local Search
Usage of mobile services is growing rapidly. Most Internet-based services targeted at PC-based browsers now have mobile counterparts. These mobile counterparts are often enhanced when they use the user's location as one of the inputs. Even some PC-based services such as point-of-interest search, mapping, airline tickets, and software download mirrors now use the user's location in order to enhance their services. Location-based services are exactly these: services that take the user's location as an input and enhance the experience based on it. With increased use of these services comes increased risk to location privacy. Location is considered an attribute that users hold as important to their privacy. Compromise of one's location, in other words loss of location privacy, can have several detrimental effects on the user, ranging from trivial annoyance to unreasonable persecution.
More and more companies in the Internet economy rely exclusively on the huge data sets they collect about users. The more detailed and accurate the data a company has about its users, the more valuable the company is considered. No wonder that these companies are often the same companies that offer these services for free. This gives them an opportunity to collect more accurate location information. The research community in the location privacy protection area has had to respond by modeling an adversary that could be the service provider itself. To further drive this point, we show that a well-equipped service provider can infer the user's location even if the location information is not directly available, by using other information it collects about the user.
There is no dearth of proposals of protocols and algorithms that protect location privacy. A lot of these earlier proposals require a trusted third party to act as an intermediary between the service provider and the user. These protocols use anonymization and/or obfuscation techniques to protect the user's identity and/or location. This requirement of trusted third parties comes with its own complications and risks and makes these proposals impractical in real-life scenarios. Thus it is preferable that protocols do not require a trusted third party.
We look at existing proposals in the area of private information retrieval. We present a brief survey of several proposals in the literature and implement two representative algorithms. We run experiments using different sizes of databases to ascertain their practicability and performance features. We show that private information retrieval based protocols still have a long way to go before they become practical enough for local search applications.
We propose location privacy preserving mechanisms that take advantage of the processing power of modern mobile devices and provide configurable levels of location privacy. We propose these techniques in both the single query scenario and the multiple query scenario. In the single query scenario, the user issues a query to the server and obtains the answer. In the multiple query scenario, the user keeps sending queries as she moves about in the area of interest. We show that the multiple query scenario increases the accuracy of the adversary's determination of the user's location, and hence improvements are needed to cope with this situation. So, we propose an extension of the single query scenario that addresses this riskier multiple query scenario, still maintaining practicability and acceptable performance when implemented on a modern mobile device. Later we propose a technique that is inspired by differential privacy in statistical databases. All three mechanisms proposed by us are implemented on realistic hardware or simulators, run against simulated but real-life data, and their characteristics ascertained to show that they are practical and ready for adaptation.
This dissertation studies the privacy issues of location-based services in mobile environments and proposes a set of new techniques that eliminate the need for a trusted third party by implementing efficient algorithms on modern mobile hardware.
Privacy Preserving Cryptographic Protocols for Secure Heterogeneous Networks
The dissertation thesis deals with privacy-preserving cryptographic protocols for secure communication and information systems forming heterogeneous networks. The thesis focuses on the possibilities of using non-conventional cryptographic primitives that provide enhanced security features, such as the protection of user privacy in communication systems. In the dissertation, the performance of cryptographic and mathematical primitives on various devices that participate in the security of heterogeneous networks is evaluated. The main objectives of the thesis focus on the design of advanced privacy-preserving cryptographic protocols. Three protocols are designed in total, which use pairing-based group signatures to ensure user privacy. These proposals ensure the protection of user privacy together with the authentication, integrity and non-repudiation of transmitted messages during communication. The protocols employ optimization techniques such as batch verification to increase their performance and become more practical in heterogeneous networks.
Low-latency mix networks for anonymous communication
Every modern online application relies on the network layer to transfer information, which exposes the metadata associated with digital communication. These distinctive characteristics encapsulate information as meaningful as the content of the communication itself and allow eavesdroppers to uniquely identify users and their activities. Hence, by exposing IP addresses and by analyzing patterns of the network traffic, a malicious entity can deanonymize most online communications. While content confidentiality has made significant progress over the years, existing solutions for anonymous communication which protect the network metadata still have severe limitations, including centralization, limited security, poor scalability, and high latency. As the importance of online privacy increases, the need to build low-latency communication systems with strong security guarantees becomes pressing. Therefore, in this thesis, we address the problem of building multi-purpose anonymous networks that protect communication privacy. To this end, we design a novel mix network, Loopix, which guarantees communication unlinkability and supports applications with various latency and bandwidth constraints. Loopix offers better security properties than any existing solution for anonymous communications while at the same time being scalable and low-latency. Furthermore, we also explore the problem of active attacks and malicious infrastructure nodes, and propose Miranda, a mechanism that efficiently mitigates them. In the second part of this thesis, we show that mix networks may be used as a building block in the design of a private notification system, which enables fast and low-cost online notifications. Moreover, its privacy properties benefit from an increasing number of users, meaning that the system can scale to millions of clients at a lower cost than any alternative solution.
On traffic analysis in anonymous communication networks
In this dissertation, we address issues related to traffic analysis attacks and the engineering of anonymous communication networks.
Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this dissertation, we first focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that, for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We theoretically analyze the effectiveness of a mix network under flow correlation attacks.
We extend the flow correlation attack to perform flow separation: the flow separation attack separates flow aggregates into either smaller aggregates or individual flows. We apply blind source separation techniques from statistical signal processing to separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining flow separation and the frequency spectrum matching method, a passive attacker can get the traffic map of the mix network. We use a non-trivial network to show that the combined attack works.
The second part of the dissertation focuses on engineering anonymous communication networks. Measures for anonymity in systems must be on one hand simple and concise, and on the other hand reflect the realities of real systems. We propose a new measure for the anonymity degree, which takes into account possible heterogeneity. We model the effectiveness of single mixes or of mix networks in terms of information leakage and measure it in terms of covert channel capacity. The relationship between the anonymity degree and information leakage is described, and an example is shown.
TOWARDS RELIABLE CIRCUMVENTION OF INTERNET CENSORSHIP
The Internet plays a crucial role in today's social and political movements by facilitating the free circulation of speech, information, and ideas; democracy and human rights throughout the world critically depend on preserving and bolstering the Internet's openness. Consequently, repressive regimes, totalitarian governments, and corrupt corporations regulate, monitor, and restrict access to the Internet, which is broadly known as Internet censorship. Most countries are improving their Internet infrastructure and, as a result, can implement more advanced censoring techniques. Advances in the application of machine learning techniques to network traffic analysis have also enabled more sophisticated Internet censorship. In this thesis, we take a close look at the main pillars of Internet censorship and introduce new defenses and attacks in the Internet censorship literature.
Internet censorship techniques investigate users' communications and can decide to interrupt a connection to prevent a user from communicating with a specific entity. Traffic analysis is one of the main techniques used to infer information from Internet communications. One of the major challenges to traffic analysis mechanisms is scaling the techniques to today's exploding volumes of network traffic, i.e., they impose high storage, communication, and computation overheads. We aim at addressing this scalability issue by introducing a new direction for traffic analysis, which we call compressive traffic analysis. Moreover, we show that, unfortunately, traffic analysis attacks can be conducted on anonymity systems with drastically higher accuracies than before by leveraging emerging learning mechanisms. We particularly design a system, called DeepCorr, that outperforms the state of the art by significant margins in correlating network connections. DeepCorr leverages an advanced deep learning architecture to learn a flow correlation function tailored to complex networks. Also, to be able to analyze the weakness of such approaches, we show that an adversary can defeat deep neural network based traffic analysis techniques by applying statistically undetectable adversarial perturbations to the patterns of live network traffic.
We also design techniques to circumvent Internet censorship. Decoy routing is an emerging approach for censorship circumvention in which circumvention is implemented with help from a number of volunteer Internet autonomous systems, called decoy ASes. We propose a new architecture for decoy routing that, by design, is significantly more resistant to rerouting attacks than all previous designs. Unlike previous designs, our new architecture operates decoy routers only on the downstream traffic of the censored users; therefore we call it downstream-only decoy routing. As we demonstrate through Internet-scale BGP simulations, downstream-only decoy routing offers significantly stronger resistance to rerouting attacks, which is intuitively because a (censoring) ISP has much less control over the downstream BGP routes of its traffic. Then, we propose to use game-theoretic approaches to model the arms races between the censors and the censorship circumvention tools. This allows us to analyze the effect of different parameters or censoring behaviors on the performance of censorship circumvention tools. We apply our methods to two fundamental problems in Internet censorship.
Finally, to bring our ideas to practice, we designed a new censorship circumvention tool called \name. \name aims at increasing the collateral damage of censorship by employing a "mass" of normal Internet users, from both censored and uncensored areas, to serve as circumvention proxies.