4 research outputs found

    The ATEN Framework for Creating the Realistic Synthetic Electronic Health Record

    Realistic synthetic data are increasingly being recognized as solutions to lack of data or privacy concerns in healthcare and other domains, yet little effort has been expended in establishing a generic framework for characterizing, achieving and validating realism in Synthetic Data Generation (SDG). The objectives of this paper are to: (1) present a characterization of the concept of realism as it applies to synthetic data; and (2) present and demonstrate application of the generic ATEN Framework for achieving and validating realism for SDG. The characterization of realism is developed through insights obtained from analysis of the literature on SDG. The development of the generic methods for achieving and validating realism for synthetic data was achieved by using knowledge discovery in databases (KDD), data mining enhanced with concept analysis, and identification of characteristic and classification rules. Application of this framework is demonstrated by using the synthetic Electronic Healthcare Record (EHR) for the domain of midwifery. The knowledge discovery process improves and expedites the generation process; having a more complex and complete understanding of the knowledge required to create the synthetic data significantly reduces the number of generation iterations. The validation process shows similar efficiencies through using the knowledge discovered as the elements for assessing the generated synthetic data. Successful validation supports claims of success and resolves whether the synthetic data is a sufficient replacement for real data. The ATEN Framework supports the researcher in identifying the knowledge elements that need to be synthesized, as well as supporting claims of sufficient realism through the use of that knowledge in a structured approach to validation. When used for SDG, the ATEN Framework enables a complete analysis of source data for knowledge necessary for correct generation. The ATEN Framework assures the researcher that the synthetic data being created is realistic enough for the replacement of real data for a given use-case.

    Security testing methodology for robustness analysis of Web services by fault injection

    Advisor: Eliane Martins. Dissertation (master's), Universidade Estadual de Campinas, Instituto de Computação. Degree: Master in Computer Science.

    Abstract: Due to their distributed and open nature, Web Services give rise to new information security challenges. This technology, standardized by W3C and OASIS, is susceptible to both injection and denial-of-service (DoS) attacks. In this way, the attacker can collect and manipulate information in search of Web Services vulnerabilities. In this study we analyse the use of the WSInject fault injector in order to emulate attacks with security tests on Web Services. The motivation for using a fault injector, instead of vulnerability scanners, which are commonly used in practice for security testing, was to enable better coverage of attacks. In a preliminary study, using a non-commercial vulnerability scanner, it was possible to determine: (i) the Web Services to be tested, as well as their parameters and operations that would be most interesting to use during fault injection, as they presented the highest number of vulnerabilities; and (ii) a set of rules to analyze the results of security testing. These preliminary results served as a guide for the tests using the fault injector. The faults have been injected into real Web Services, some of which have security mechanisms implemented in compliance with the Web Services Security (WS-Security) standard, such as Security Tokens.

    Automated Realistic Test Input Generation and Cost Reduction in Service-centric System Testing

    Service-centric System Testing (ScST) is more challenging than testing traditional software due to the complexity of service technologies and the limitations that are imposed by the SOA environment. One of the most important problems in ScST is the problem of realistic test data generation. Realistic test data is often generated manually or using an existing source, thus it is hard to automate and laborious to generate. One of the limitations that makes ScST challenging is the cost associated with invoking services during the testing process. This thesis aims to provide solutions to the aforementioned problems, automated realistic input generation and cost reduction in ScST. To address automation in realistic test data generation, the concept of Service-centric Test Data Generation (ScTDG) is presented, in which existing services are used as realistic data sources. ScTDG minimises the need for tester input and dependence on existing data sources by automatically generating service compositions that can generate the required test data. In experimental analysis, our approach achieved between 93% and 100% success rates in generating realistic data while state-of-the-art automated test data generation achieved only between 2% and 34%. The thesis addresses cost concerns at the test data generation level by enabling data source selection in ScTDG. Source selection in ScTDG has many dimensions such as cost, reliability and availability. This thesis formulates this problem as an optimisation problem and presents a multi-objective characterisation of service selection in ScTDG, aiming to reduce the cost of test data generation. A cost-aware Pareto-optimal test suite minimisation approach addressing testing cost concerns during test execution is also presented. The approach adapts traditional multi-objective minimisation approaches to the ScST domain by formulating ScST concerns, such as invocation cost and test case reliability. In experimental analysis, the approach achieved reductions between 69% and 98.6% in monetary cost of service invocations during testing.