63 research outputs found

    An Interoperable Access Control System based on Self-Sovereign Identities

    The extreme growth of the World Wide Web in the last decade, together with recent scandals related to theft or abusive use of personal information, has left users unsatisfied with their digital identity providers and concerned about their online privacy. Self-Sovereign Identity (SSI) is a new identity management paradigm which gives control over personal information back to its rightful owner, the individual. However, adoption of SSI on the Web is complicated by the high overhead costs for service providers due to the lacking interoperability of the various emerging SSI solutions. In this work, we propose an Access Control System based on Self-Sovereign Identities with a semantically modelled Access Control Logic. Our system relies on the Web Access Control authorization rules used in the Solid project and extends them to additionally express requirements on Verifiable Credentials, i.e., digital credentials adhering to a standardized data model. Moreover, the system achieves interoperability across multiple DID Methods and types of Verifiable Credentials, allowing for incremental extensibility of the supported SSI technologies by design. A Proof-of-Concept prototype is implemented and its performance as well as multiple system design choices are evaluated: the end-to-end latency of the authorization process takes between 2-5 seconds depending on the DID Methods used and can theoretically be further optimized to 1.5-3 seconds. Evaluating the potential interoperability achieved by the system shows that multiple DID Methods and different types of Verifiable Credentials can be supported. Lastly, multiple approaches for modelling required Verifiable Credentials are compared, and the suitability of the SHACL language for describing the RDF graphs represented by the required Linked Data credentials is shown.

    Privacy Preservation and Analytical Utility of E-Learning Data Mashups in the Web of Data

    Virtual learning environments contain valuable data about students that can be correlated and analyzed to optimize learning. Modern learning environments based on data mashups that collect and integrate data from multiple sources are relevant for learning analytics systems because they provide insights into students' learning. However, data sets involved in mashups may contain personal information of a sensitive nature that raises legitimate privacy concerns. Typical privacy preservation methods are based on preemptive approaches that limit the data published in a mashup through access control and authentication schemes. Such limitations may reduce the analytical utility of the exposed data for gaining insights into students' learning. In order to reconcile utility and privacy preservation of published data, this research proposes a new data mashup protocol capable of merging and k-anonymizing data sets in cloud-based learning environments without jeopardizing the analytical utility of the information. The implementation of the protocol is based on linked data, so that data sets involved in the mashups are semantically described, thereby enabling their combination with relevant educational data sources. The k-anonymized data sets returned by the protocol still retain essential information for supporting general data exploration and statistical analysis tasks. The analytical and empirical evaluation shows that the proposed protocol prevents re-identification of individuals from their sensitive information.
    The Spanish National Research Agency (AEI) funded this research through the project CREPES (ref. PID2020-115844RB-I00) with ERDF funds.

    Data integration services for biomedical applications (Serviços de integração de dados para aplicações biomédicas)

    Doctoral programme in Informatics (MAP-i).
    In the last decades, the field of biomedical science has fostered unprecedented scientific advances. Research is stimulated by the constant evolution of information technology, delivering novel and diverse bioinformatics tools. Nevertheless, the proliferation of new and disconnected solutions has resulted in massive amounts of resources spread over heterogeneous and distributed platforms. Distinct data types and formats are generated and stored in miscellaneous repositories, posing data interoperability challenges and delaying discoveries. Data sharing and integrated access to these resources are key features for successful knowledge extraction. In this context, this thesis makes contributions towards accelerating the semantic integration, linkage and reuse of biomedical resources. The first contribution addresses the connection of distributed and heterogeneous registries. The proposed methodology creates a holistic view over the different registries, supporting semantic data representation, integrated access and querying. The second contribution addresses the integration of heterogeneous information across scientific research, aiming to enable adequate data-sharing services. The third contribution presents a modular architecture to support the extraction and integration of textual information, enabling the full exploitation of curated data. The last contribution lies in providing a platform to accelerate the deployment of enhanced semantic information systems. All the proposed solutions were deployed and validated in the scope of rare diseases.
    In recent decades, the field of biomedical sciences has delivered major scientific advances, stimulated by the constant evolution of information technologies. The creation of diverse tools in the area of bioinformatics and the lack of integration between new solutions has resulted in enormous amounts of data spread across different platforms. Data of different types and formats are generated and stored in various repositories, which causes interoperability problems and delays research. Information sharing and integrated access to these resources are fundamental characteristics for the successful extraction of scientific knowledge. To this end, this thesis provides contributions to accelerate the semantic integration, linkage and reuse of biomedical data. The first contribution addresses the interconnection of distributed and heterogeneous registries. The proposed methodology creates a holistic view over the different registries, supporting semantic data representation and integrated access. The second contribution addresses the integration of diverse data for scientific research, with the aim of supporting interoperable services for information sharing. The third contribution presents a modular architecture that supports the extraction and integration of textual information, enabling the exploration of these data. The last contribution consists of a web platform to accelerate the creation of semantic information systems. All the proposed solutions were validated in the scope of rare diseases.

    An ontology based approach in health information systems: Blood test ontology example

    The health domain is a complex and distributed research area, where different institutions and people receive and provide services at the same time. Therefore, the health data about a patient is completely distributed among doctors, clinics, hospitals, pharmacies and insurance companies. Sharing and reusing distributed, well-structured and semantically rich clinical data with the appropriate permissions from anywhere is one of the major areas that information systems research has focused on in the healthcare domain in recent years. The semantic web provides a technological infrastructure for the healthcare domain by representing the meaning of data and reasoning new information from existing knowledge. Blood, as the life fluid, gives clinicians hints about a patient's general health status through analysis of its constituents. The results of blood tests contain a lot of information that can be used by different clinics. In the diagnostic phase, repeatedly analyzing blood for the same tests delays the start of the treatment process and increases the cost. The Blood Test Ontology is developed to semantically model the blood tests performed in the health field and to define information related to blood and blood tests as well as the relationships between them. The ontology in this work is developed with the aim of being used as a knowledge base in a health information system that should provide querying, sharing and reuse of patients' personalized blood test results. The Blood Test Ontology is supported by medical information standards so that it can interoperate with other medical ontologies developed in the health domain.

    Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis

    The issue of whether and, if so, to what extent patients should have control over the sharing or withholding of their health information represents one of the foremost policy challenges related to electronic health information exchange. It is widely acknowledged that patients' health information should flow where and when it is needed to support the provision of appropriate and high-quality care. Equally significant, however, is the notion that patients want their needs and preferences to be considered in the determination of what information is shared with other parties, for what purposes, and under what conditions. Some patients may prefer to withhold or sequester certain elements of health information, often when it is deemed by them (or on their behalf) to be sensitive, whereas others may feel strongly that all of their health information should be shared under any circumstance. This discussion raises the issue of data segmentation, which we define for the purposes of this paper as the process of sequestering from capture, access or view certain data elements that are perceived by a legal entity, institution, organization, or individual as being undesirable to share. This whitepaper explores key components of data segmentation, circumstances for its use, associated benefits and challenges, various applied approaches, and the current legal environment shaping these endeavors.

    An Approach for Managing Access to Personal Information Using Ontology-Based Chains

    The importance of electronic healthcare has caused numerous changes in both substantive and procedural aspects of healthcare processes. These changes have produced new challenges to patient privacy and information secrecy. Traditional privacy policies cannot respond to the rapidly increased privacy needs of patients in electronic healthcare. Technically enforceable privacy policies are needed in order to protect patient privacy in modern healthcare, with its cross-organisational information sharing and decision making. This thesis proposes a personal information flow model that specifies a limited number of acts on this type of information. Ontology-classified chains of these acts can be used instead of the "intended/business purposes" used in privacy access control to seamlessly imbue current healthcare applications and their supporting infrastructure with security and privacy functionality. In this thesis, we first introduce an integrated basic architecture, design principles, and implementation techniques for privacy-preserving data mining systems. We then discuss the key methods of privacy-preserving data mining systems, which include four main methods: Role-Based Access Control (RBAC), Hippocratic database, the Chain method and eXtensible Access Control Markup Language (XACML). We found that the traditional methods suffer from two main problems: the complexity of privacy policy design and the lack of context flexibility that is needed while working in critical situations such as those found in hospitals. We present and compare strategies for realising these methods. Theoretical analysis and experimental evaluation show that our new method can generate accurate data mining models and safe data access management while protecting the privacy of the data being mined. 
    The experiments were comparative: they first show the ease of the design, and then follow real scenarios to show the context flexibility of our investigated method in preserving the privacy of personal information.

    Security Management Framework for the Internet of Things

    The increase in the design and development of wireless communication technologies offers multiple opportunities for the management and control of cyber-physical systems with connections between smart and autonomous devices, which provide the delivery of simplified data through the use of cloud computing. Given this relationship with the Internet of Things (IoT), the concept of pervasive computing was established, which allows any object to communicate with services, sensors, people, and objects without human intervention. However, the rapid growth of connectivity with smart applications through autonomous systems connected to the internet has exposed numerous vulnerabilities in IoT systems to malicious users. This dissertation developed a novel ontology-based cybersecurity framework to improve security in IoT systems, using ontological analysis to adapt appropriate security services to threats. The composition of this proposal explores two approaches: (1) design time, which offers a dynamic method to build security services through the application of a model-driven methodology that considers existing business processes; and (2) execution time, which involves monitoring the IoT environment, classifying vulnerabilities and threats, and acting in the environment to ensure the correct adaptation of existing services. The validation approach was used to demonstrate the feasibility of implementing the proposed cybersecurity framework. It implies the evaluation of the ontology to offer a qualitative evaluation based on the analysis of several criteria, and also a proof of concept implemented and tested using specific industrial scenarios. 
    This dissertation has been verified by adopting a methodology that follows the acceptance in the research community through technical validation in the application of the concept in an industrial setting.
    The increase in the design and development of wireless communication technologies offers multiple opportunities for the management and control of cyber-physical systems with connections between smart and autonomous devices, which provide the delivery of simplified data through the use of cloud computing. Given this relationship with the Internet of Things (IoT), the concept of pervasive computing was established, which allows any object to communicate with services, sensors, people and objects without human intervention. However, the rapid growth of connectivity with smart applications through autonomous systems connected to the internet has exposed countless vulnerabilities of IoT systems to malicious users. This dissertation developed a new ontology-based cybersecurity framework to improve security in IoT systems, using ontological analysis to adapt appropriate security services addressed to the threats. The composition of this proposal explores two approaches: (1) design time, which offers a dynamic method to build security services through the application of a model-driven methodology, considering existing business processes; and (2) execution time, which involves monitoring the IoT environment, classifying vulnerabilities and threats, and acting in the environment to ensure the correct adaptation of existing services. Two validation approaches were used to demonstrate the feasibility of implementing the proposed cybersecurity framework. 
    This implies the evaluation of the ontology to offer a qualitative evaluation based on the analysis of several criteria, and also a proof of concept implemented and tested using specific scenarios. This dissertation was validated by adopting a methodology that follows validation in the scientific community through technical validation in the application of our concept in an industrial scenario.

    Informed e-Consent Framework for Privacy Preservation in South African Health Information Systems

    The South African Constitution advocates the protection of personal information. Everyone has the right to privacy. This includes the protection of special information that relates to an individual's biometrics, health, religion, or sex life, to name a few. This special information may be processed if it is necessary in law; if it is being processed for historical purposes; or if it has already been disseminated in public by the data subject. If the aforementioned conditions are not met, the processing of special information is prohibited, unless the data subject has provided consent. Given that health information is regarded as special information, consent must be obtained from the data subject before it is processed. If the special information is accessed by unauthorised parties it may influence decisions about the data subject's employment, access to credit, and education, and may even cause reputational or personal harm. This research proposes an e-consent management approach which preserves the privacy of health information. Privacy laws and guidelines such as, but not limited to, the Protection of Personal Information Act and the General Data Protection Regulation are used to develop a privacy-preserving e-consent model, architectural design and prototype.
    Dissertation (MSc (Computer Science)), University of Pretoria, 2020. Council for Scientific and Industrial Research (CSIR). Computer Science. MSc (Computer Science). Unrestricted.

    Context-Aware Service Creation On The Semantic Web

    With the increase in the computational power of mobile devices, their new capabilities and the addition of new context sensors, it is possible to obtain more information from mobile users and to offer new ways and tools to facilitate the content creation process. All this information can be exploited by service creators to provide mobile services with a higher degree of personalization that translates into better experiences. Currently on the web, many data sources containing UGC (user-generated content) provide access to it through classical web mechanisms (built on a small set of standards), that is, custom web APIs that promote the fragmentation of the Web. To address this issue, Tim Berners-Lee proposed the Linked Data principles to provide guidelines for the use of standard web technologies, thus allowing the publication of structured data on the Web that can be accessed using standard database mechanisms. The increase of Linked Data published on the web increases the opportunities for mobile services to take advantage of it as a huge source of data, information and knowledge, whether user-generated or not. This dissertation proposes a framework for creating mobile services that exploit context information, the content generated by their users, and the data, information and knowledge present on the Web of Data. In addition, we present the cases of different mobile services created to take advantage of these elements and in which the proposed framework has been implemented (at least partially). Each of these services belongs to a different domain and each of them highlights the advantages provided to its end user.