On the `Semantics' of Differential Privacy: A Bayesian Formulation
Differential privacy is a definition of "privacy" for algorithms that
analyze and publish information about statistical databases. It is often
claimed that differential privacy provides guarantees against adversaries with
arbitrary side information. In this paper, we provide a precise formulation of
these guarantees in terms of the inferences drawn by a Bayesian adversary. We
show that this formulation is satisfied by both "vanilla" differential privacy
as well as a relaxation known as (epsilon,delta)-differential privacy. Our
formulation follows the ideas originally due to Dwork and McSherry [Dwork
2006]. This paper is, to our knowledge, the first place such a formulation
appears explicitly. The analysis of the relaxed definition is new to this
paper, and provides some concrete guidance for setting parameters when using
(epsilon,delta)-differential privacy.

Comment: Older version of this paper was titled: "A Note on Differential Privacy: Defining Resistance to Arbitrary Side Information
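As an added illustration (not code from the paper), the following Python computes the Bayesian quantity the abstract refers to for the Laplace mechanism on a counting query: whatever prior odds the adversary holds between two neighbouring databases D and D', observing the released value shifts the log-odds by at most epsilon, and the bound does not depend on the prior. The mechanism, the prior values, the counts and the output grid are constructed for this example; it covers only "vanilla" epsilon-DP, not the (epsilon,delta) relaxation.

```python
import math


def laplace_pdf(x, center, scale):
    """Density of the Laplace distribution with the given centre and scale at x."""
    return math.exp(-abs(x - center) / scale) / (2.0 * scale)


def likelihood(output, true_count, eps):
    """P[M(D) = output] for the Laplace mechanism on a counting query.

    A counting query has sensitivity 1, so adding Lap(1/eps) noise is eps-DP.
    """
    return laplace_pdf(output, true_count, 1.0 / eps)


def posterior_odds(prior_d, prior_dp, count_d, count_dp, output, eps):
    """Bayesian adversary: odds of D versus D' after observing the released value.

    prior_d / prior_dp is the adversary's side information about which database is
    real; the mechanism only contributes a likelihood ratio on top of it.
    """
    return (prior_d * likelihood(output, count_d, eps)) / (
        prior_dp * likelihood(output, count_dp, eps)
    )


def max_log_odds_shift(prior_d, prior_dp, count_d, count_dp, eps, outputs):
    """Largest change (in nats) from prior odds to posterior odds over candidate outputs.

    eps-DP promises this is at most eps whenever D and D' are neighbours, i.e. differ
    in one record, which for a counting query means |count_d - count_dp| <= 1.
    """
    prior = prior_d / prior_dp
    return max(
        abs(math.log(posterior_odds(prior_d, prior_dp, count_d, count_dp, o, eps) / prior))
        for o in outputs
    )


if __name__ == "__main__":
    eps = 0.5
    grid = [x / 2 for x in range(0, 41)]  # constructed released values 0.0, 0.5, ..., 20.0
    # Neighbouring databases (counts 10 and 11): the shift is eps for every prior.
    for prior in (0.5, 0.05, 0.95):
        print(max_log_odds_shift(prior, 1 - prior, 10, 11, eps, grid))  # 0.5
    # Databases differing in three records are not neighbours: the bound grows to 3*eps.
    print(max_log_odds_shift(0.5, 0.5, 10, 13, eps, grid))  # 1.5
```

The last line is the practical caveat: the guarantee is per neighbouring pair, and group privacy for k records costs k*eps, which is what makes parameter choice matter.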
Blindspot: Indistinguishable Anonymous Communications
Communication anonymity is a key requirement for individuals under targeted
surveillance. Practical anonymous communications also require
indistinguishability - an adversary should be unable to distinguish between
anonymised and non-anonymised traffic for a given user. We propose Blindspot, a
design for high-latency anonymous communications that offers
indistinguishability and unobservability under a (qualified) global active
adversary. Blindspot creates anonymous routes between sender-receiver pairs by
subliminally encoding messages within the pre-existing communication behaviour
of users within a social network, specifically their organic image sharing.
Channel bandwidth therefore depends on the intensity of image sharing along a
route. A major challenge we successfully
overcome is that routing must be accomplished in the face of significant
restrictions - channel bandwidth is stochastic. We show that conventional
social network routing strategies do not work. To solve this problem, we
propose a novel routing algorithm. We evaluate Blindspot using a real-world
dataset. We find that it delivers reasonable results for applications requiring
low-volume unobservable communication.

Comment: 13 Page
Cryptographically Secure Information Flow Control on Key-Value Stores
We present Clio, an information flow control (IFC) system that transparently
incorporates cryptography to enforce confidentiality and integrity policies on
untrusted storage. Clio insulates developers from explicitly manipulating keys
and cryptographic primitives by leveraging the policy language of the IFC
system to automatically use the appropriate keys and correct cryptographic
operations. We prove that Clio is secure with a novel proof technique that is
based on a proof style from cryptography together with standard programming
languages results. We present a prototype Clio implementation and a case study
that demonstrates Clio's practicality.

Comment: Full version of conference paper appearing in CCS 201
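An added sketch in Python of the label-to-key idea, not Clio's own code: a principal writes a value with a confidentiality label and an integrity label, and the library selects the encryption key and the MAC key from those labels, so the untrusted store only ever holds labels, ciphertext and a tag, and a principal without clearance for a label simply has no key for it. Everything here is constructed for the example: keys derived from a master secret, an HMAC-based toy stream cipher standing in for a real AEAD, the principal clearances and the stored values. Because HMAC is symmetric, a verifier here holds the same key as the writer, where a real system would use signatures so that verifying does not grant forging.

```python
import hashlib
import hmac
import os
import struct


class PolicyViolation(Exception):
    """Raised when a principal is not cleared for a label (it holds no key for it)."""


def derive_key(master, purpose, label):
    """Per-(purpose, label) key from a master secret; HMAC-SHA256 doubles as the KDF."""
    return hmac.new(master, f"{purpose}:{label}".encode(), hashlib.sha256).digest()


def xor_keystream(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encode(*parts):
    """Length-prefix each field so the blob parses back unambiguously."""
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def decode(blob, n):
    """Read n length-prefixed fields; return them plus the unparsed remainder."""
    parts = []
    for _ in range(n):
        (ln,), blob = struct.unpack(">H", blob[:2]), blob[2:]
        parts.append(blob[:ln])
        blob = blob[ln:]
    return parts + [blob]


class Principal:
    """A user holding keys only for the labels it is cleared for (constructed clearances)."""

    def __init__(self, name, master, reads, vouches):
        self.name = name
        self._enc = {lab: derive_key(master, "enc", lab) for lab in reads}
        self._mac = {lab: derive_key(master, "mac", lab) for lab in vouches}

    def _key(self, table, label):
        try:
            return table[label]
        except KeyError:
            raise PolicyViolation(f"{self.name} is not cleared for label {label!r}") from None

    def put(self, store, name, value, conf, integ):
        """Label-driven write: conf picks the encryption key, integ picks the MAC key."""
        nonce = os.urandom(16)
        header = encode(conf.encode(), integ.encode(), nonce)
        ct = xor_keystream(self._key(self._enc, conf), nonce, value)
        tag = hmac.new(self._key(self._mac, integ), header + ct, hashlib.sha256).digest()
        store[name] = header + ct + tag

    def get(self, store, name):
        """Label-driven read: verify under the integrity label, then decrypt under conf."""
        blob = store[name]
        conf, integ, nonce, rest = decode(blob, 3)
        ct, tag = rest[:-32], rest[-32:]
        expect = hmac.new(self._key(self._mac, integ.decode()), blob[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError(f"integrity check failed for {name!r} under label {integ.decode()!r}")
        return xor_keystream(self._key(self._enc, conf.decode()), nonce, ct)


MASTER = hashlib.sha256(b"constructed master secret for the example").digest()


def demo():
    """Writes, reads, a denied read and a tamper attempt against an untrusted store."""
    store = {}  # the untrusted key-value store: an adversary can read and overwrite it
    alice = Principal("alice", MASTER, reads={"alice", "public"}, vouches={"alice"})
    bob = Principal("bob", MASTER, reads={"public"}, vouches={"alice"})
    alice.put(store, "salary", b"120000", conf="alice", integ="alice")
    alice.put(store, "notice", b"hello", conf="public", integ="alice")
    results = {
        "plaintext_in_store": b"120000" in store["salary"],
        "alice_reads_salary": alice.get(store, "salary"),
        "bob_reads_notice": bob.get(store, "notice"),
    }
    try:
        bob.get(store, "salary")
        results["bob_reads_salary"] = "allowed"
    except PolicyViolation:
        results["bob_reads_salary"] = "denied"
    tampered = bytearray(store["notice"])
    tampered[-33] ^= 0x01  # flip the last ciphertext byte; the tag is the final 32 bytes
    store["notice"] = bytes(tampered)
    try:
        bob.get(store, "notice")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```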
Decoy Bandits Dueling on a Poset
We address the problem of dueling bandits defined on partially ordered sets,
or posets. In this setting, arms may not be comparable, and there may be
several (incomparable) optimal arms. We propose an algorithm, UnchainedBandits,
that efficiently finds the set of optimal arms of any poset even when pairs of
comparable arms cannot be distinguished from pairs of incomparable arms, with a
set of minimal assumptions. This algorithm relies on the concept of decoys,
which stems from social psychology. For the easier case where the
incomparability information may be accessible, we propose a second algorithm,
SlicingBandits, which takes advantage of this information and achieves a very
significant gain of performance compared to UnchainedBandits. We provide
theoretical guarantees and experimental evaluation for both algorithms
Set-related restrictions for semantic groupings
Semantic database models utilize several fundamental forms of groupings to increase their expressive power. In this paper we consider four of the most common of these constructs: basic set groupings, is-a related groupings, power set groupings, and Cartesian aggregation groupings. For each, we define a number of useful restrictions that control its structure and composition. This permits each grouping to capture more subtle distinctions of the concepts or situations in the application environment. The resulting set of restrictions forms a framework which increases the expressive power of semantic models and specifies various set-related integrity constraints
Intensity Process for a Pure Jump L\'evy Structural Model with Incomplete Information
In this paper we discuss a credit risk model with a pure jump L\'evy process
for the asset value and an unobservable random barrier. The default time is the
first time when the asset value falls below the barrier. Using the
indistinguishability of the intensity process and the likelihood process, we
prove the existence of the intensity process of the default time and find its
explicit representation in terms of the distance between the asset value and
its running minimal value. We apply the result to find the instantaneous credit
spread process and illustrate it with a numerical example.

Comment: 15 pages, 2 figure
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
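To make the tag-propagation idea concrete, here is an added toy stack machine in Python, constructed for this listing and not SAFE's hardware, operating system or proofs: every value carries a label from a two-point lattice, instructions join the labels of their operands, branching on a labelled value raises a pc label, and the single public sink refuses anything labelled high. A noninterference check then runs a program with two different secret inputs and compares the public outputs; the check is termination-insensitive, since it ignores whether the monitor stopped the run. The instruction set, the memory layout and the four programs are assumptions. The pc label here only ever rises, which is sound but more restrictive than a design that restores it at control-flow join points.

```python
from dataclasses import dataclass, field

# Two-point label lattice: L (public) may flow to H (secret), never the reverse.
LOW, HIGH = "L", "H"


def join(a, b):
    return HIGH if HIGH in (a, b) else LOW


def flows_to(src, dst):
    return src == LOW or dst == HIGH


class IFCViolation(Exception):
    """Raised when the monitor refuses an instruction (fail-stop)."""


@dataclass
class Machine:
    program: list                      # constructed instruction tuples, e.g. ("LOAD", "secret")
    memory: dict                       # name -> (value, label); labels float upwards
    track_pc: bool = True              # False disables the pc label, to show the implicit leak
    stack: list = field(default_factory=list)
    pc: int = 0
    pc_label: str = LOW                # label of the control-flow context
    output: list = field(default_factory=list)

    def step(self):
        op, *args = self.program[self.pc]
        self.pc += 1
        if op == "PUSH":               # literals inherit the context label
            self.stack.append((args[0], self.pc_label))
        elif op == "LOAD":
            v, lab = self.memory[args[0]]
            self.stack.append((v, join(lab, self.pc_label)))
        elif op == "STORE":
            v, lab = self.stack.pop()
            self.memory[args[0]] = (v, join(lab, self.pc_label))
        elif op == "ADD":              # result carries the join of both operand labels
            (b, lb), (a, la) = self.stack.pop(), self.stack.pop()
            self.stack.append((a + b, join(la, lb)))
        elif op == "JUMPZ":            # branching on a labelled value taints the pc label
            v, lab = self.stack.pop()
            if self.track_pc:
                self.pc_label = join(self.pc_label, lab)
            if v == 0:
                self.pc = args[0]
        elif op == "OUTPUT":           # the only public sink: value and context must be L
            v, lab = self.stack.pop()
            if not flows_to(join(lab, self.pc_label), LOW):
                raise IFCViolation(f"refusing to output {lab}-labelled value at pc {self.pc - 1}")
            self.output.append(v)
        elif op == "HALT":
            return False
        else:
            raise ValueError(f"unknown instruction {op}")
        return True


def execute(program, secret, track_pc=True):
    """Run with one secret input; return (public outputs, whether the monitor stopped it)."""
    m = Machine(program, {"secret": (secret, HIGH), "pub": (7, LOW)}, track_pc)
    try:
        while m.step():
            pass
    except IFCViolation:
        return m.output, True
    return m.output, False


def noninterferent(program, secrets, track_pc=True):
    """Termination-insensitive check: public outputs must not depend on the secret."""
    traces = {tuple(execute(program, s, track_pc)[0]) for s in secrets}
    return len(traces) == 1


# Constructed programs
BENIGN = [("LOAD", "pub"), ("PUSH", 1), ("ADD",), ("OUTPUT",), ("HALT",)]
LEAK_DIRECT = [("LOAD", "secret"), ("OUTPUT",), ("HALT",)]
LEAK_ARITH = [("LOAD", "secret"), ("PUSH", 0), ("ADD",), ("OUTPUT",), ("HALT",)]
# if secret != 0 then output 1: an implicit flow through control
LEAK_IMPLICIT = [("LOAD", "secret"), ("JUMPZ", 4), ("PUSH", 1), ("OUTPUT",), ("HALT",)]

if __name__ == "__main__":
    print(execute(BENIGN, 42))                                    # ([8], False)
    print(execute(LEAK_DIRECT, 42))                               # ([], True)
    print(execute(LEAK_ARITH, 42))                                # ([], True)
    print(noninterferent(LEAK_IMPLICIT, [0, 5]))                  # True
    print(noninterferent(LEAK_IMPLICIT, [0, 5], track_pc=False))  # False
```

The last two lines are the point of the pc label: with it switched off, the value 1 pushed inside the secret-dependent branch is public and the branch leaks one bit of the secret; with it on, the push inherits H from the context and the sink refuses it.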