
    Privacy-Aware Risk-Based Access Control Systems

    Modern organizations collect massive amounts of data, both internally (from their employees and processes) and externally (from customers, suppliers, partners). The increasing availability of these large datasets was made possible by growing storage and processing capability. Therefore, from a technical perspective, organizations are now in a position to exploit these diverse datasets to create new data-driven businesses or to optimize existing processes (real-time customization, predictive analytics, etc.). However, this kind of data often contains very sensitive information that, if leaked or misused, can lead to privacy violations. Privacy is becoming increasingly relevant for organizations and businesses, due to strong regulatory frameworks (e.g., the EU General Data Protection Regulation, GDPR; the Health Insurance Portability and Accountability Act, HIPAA) and the increasing awareness of citizens about personal data issues. Privacy breaches and failure to meet privacy requirements can have a tremendous impact on companies (e.g., reputation loss, noncompliance fines, legal actions). Privacy violation threats are not exclusively caused by external actors gaining access due to security gaps. Privacy breaches can also originate from internal actors, sometimes even trusted and authorized ones. As a consequence, most organizations prefer to strongly limit (even internally) the sharing and dissemination of data, thereby making most of the information unavailable to decision-makers and preventing the organization from fully exploiting the power of these new data sources. In order to unlock this potential while controlling the privacy risk, it is necessary to develop novel data sharing and access control mechanisms able to support risk-based decision making and weigh the advantages of information against privacy considerations.
To achieve this, access control decisions must be based on a (dynamically assessed) estimate of expected costs and benefits compared to the risk, and not (as in traditional access control systems) on a predefined policy that statically defines which accesses are allowed and denied. In risk-based access control, the risk corresponding to each access request is estimated: if the risk is lower than a given threshold (possibly related to the trustworthiness of the requester), access is granted; otherwise it is denied. The aim is to be more permissive than traditional access control systems, allowing for a better exploitation of data. Although existing risk-based access control models provide an important step towards better management and exploitation of data, they have a number of drawbacks that limit their effectiveness. In particular, most existing risk-based systems only support binary access decisions: the outcome is “allowed” or “denied”, whereas in real life we often have exceptions based on additional conditions (e.g., “I cannot provide this information unless you sign the following non-disclosure agreement.” or “I cannot disclose this data, because it contains personally identifiable information, but I can disclose an anonymized version of the data.”). In other words, the system should be able to propose risk mitigation measures that reduce the risk (e.g., disclosing a partial or anonymized version of the requested data) instead of denying risky access requests. Alternatively, it should be able to propose appropriate trust enhancement measures (e.g., stronger authentication); once these are accepted and fulfilled by the requester, more information can be shared. The aim of this thesis is to propose and validate a novel privacy-enhancing access control approach offering adaptive and fine-grained access control for sensitive datasets. This approach enhances access to data while also mitigating privacy threats originating from authorized internal actors.
More in detail:
1. We demonstrate the relevance and evaluate the impact of authorized actors’ threats. To this aim, we developed a privacy threat identification methodology, EPIC (Evaluating Privacy violation rIsk in Cyber security systems), and applied EPIC in a cybersecurity use case where very sensitive information is used.
2. We present the privacy-aware risk-based access control framework, which supports access control in dynamic contexts through trust enhancement mechanisms and privacy risk mitigation strategies. This allows us to strike a balance between the privacy risk and the trustworthiness of the data request. If the privacy risk is too large compared to the trust level, the framework can identify adaptive strategies that decrease the privacy risk (e.g., by removing/obfuscating part of the data through anonymization) and/or increase the trust level (e.g., by asking the requester for additional obligations).
3. We show how the privacy-aware risk-based approach can be integrated with existing access control models such as RBAC and ABAC, and that it can be realized using a declarative policy language with a number of advantages including usability, flexibility, and scalability.
4. We evaluate our approach using several industrially relevant use cases, elaborated to meet the requirements of the industrial partner (SAP) of this industrial doctorate.

    0391: Cardiac involvement in ankylosing spondylitis

    Background: Cardiac involvement in ankylosing spondylitis is common. Through this study we have tried to analyze the cardiovascular events among 50 patients with ankylosing spondylitis.
    Methods: A retrospective study including 50 patients with ankylosing spondylitis. All patients underwent a complete physical examination with heart and lung auscultation and an electrocardiogram (ECG). Transthoracic ultrasound was performed whenever the physical examination and/or ECG was abnormal.
    Results: The study included 47 men and 3 women (sex ratio 15.6). The average age of onset was 26±7 years. The mode of onset was axial in 95% of cases (low back pain and/or buttock pain). Extra-articular manifestations were present in 54% of cases. Cardiac involvement was present in 9 cases (18%). The reason for consultation was dyspnea in 2 patients; in the other cases, cardiac involvement was discovered incidentally. Aortic regurgitation was noted in 4 patients. Mitral insufficiency was found in 3 cases. Two patients had predominantly septal hypertrophic cardiomyopathy and one patient presented with pulmonary insufficiency. The average time to onset of cardiac involvement was 8±5 years. All patients were put under specific medical treatment for their heart condition, with good clinical outcome.
    Conclusion: Cardiac involvement in ankylosing spondylitis is seen more frequently in men, especially in long-standing cases. A close relationship between time to onset of aortic insufficiency and duration of disease progression was found. It would be responsible for one third of deaths among patients. It was significantly more frequent in HLA-B27 positive patients (especially complete atrioventricular block and aortic insufficiency).

    Protecting the bytes of the past: Information security and digital-born cultural heritage

    Today, cultural heritage increasingly goes digital. A growing number of museums, libraries and archives provide online access to their material collections by digitizing them and sharing them through web portals. Simultaneously, new collections of digital-born objects, which never existed in analogue form, are being established. These digital objects, as the UNESCO Charter on Digital Heritage (2003) notes, are more ephemeral than artifacts from the pre-digital time, and thus require “purposeful production, maintenance and management to be retained”. The preservation and management of digital-born cultural objects is a challenging task for multiple reasons, ranging from the obsolescence of software and hardware to the lack of legislative support for these objects’ maintenance. In our paper, however, we focus on one specific challenge which has so far received limited recognition in academic scholarship – i.e. the particular susceptibility of digital-born heritage to adversarial attacks. While a number of studies (Stone, 2009; Brosché et al., 2016; Dougherty, 2019) discuss attacks against cultural heritage, in particular at the time of armed conflicts, their primary focus is on material cultural objects. Yet, as digital spaces are increasingly weaponized, digital collections also come under fire. Unlike material collections, whose digital copies can be restored in the case of their deliberate destruction online, digital-born objects are more susceptible to permanent erasure as part of adversarial campaigns against opponents’ symbols of identity and collective memory. Additionally, digital-born cultural objects can be manipulated, leading to the loss of authenticity and facilitating their instrumental use by adversarial actors.
Such instrumental uses are an increasingly common part of today’s political ecosystems, where both conventional and nonconventional actors weaponize cultural heritage to mobilize supporters and stigmatize opponents (see, for instance, de Saint-Laurent et al., 2017; Benazzo, 2017; Makhortykh, 2018). In our paper, we approach the challenges related to the preservation of digital-born heritage from the information security point of view. For this purpose, we critically review the existing literature on information security in the domain of digital heritage and couple it with a discussion of known instances of adversarial attacks against online museums and archives. Using the CIA model (i.e. confidentiality, integrity and availability), we classify the most common types of attacks against digital-born heritage collections and discuss the possible short- and long-term implications of these attacks. We conclude by proposing several strategies for countering adversarial attacks and safeguarding digital heritage which take into account the different technical and political contexts in which the attacks take place.

    When Digital Manuscripts Burn: Information Security and Digital Heritage in Eastern Europe

    In Eastern Europe, the growing digitalization of memory and heritage goes hand in hand with the instrumentalization of the past. Memory wars raging within and between post-socialist states are increasingly projected into digital spaces, where different historical narratives compete for users’ attention. Under these conditions, both conventional and non-conventional actors increasingly weaponize digital heritage to mobilize supporters and stigmatize opponents. To do so, these actors selectively use the contents of online archives and museums to promote or undermine specific interpretations of the past. Yet, as digital heritage turns into another weapon in ongoing political struggles, it also becomes a possible target of adversarial attacks aimed at manipulating or destroying it. In our paper, we discuss the ongoing digitalization of heritage in Eastern Europe from the information security point of view. For this purpose, we critically review the existing literature on information security in the domain of digital heritage and couple it with a discussion of known instances of adversarial attacks against online museums and collections in the Eastern European context. Using the CIA model (i.e. confidentiality, integrity and availability), we classify the most common types of attacks against digital heritage and discuss the possible short- and long-term implications of these attacks for collective memory practices in the region. We conclude by proposing several strategies for countering adversarial attacks and safeguarding digital heritage which take into account the specific technical and political aspects of digital remembrance in Eastern European countries.

    Protecting past and future choices: Identifying and evaluating functional vulnerabilities in recommender systems

    Today, our societies are challenged by the abundance of choices. To help consumers choose, companies increasingly use AI-based recommender systems (RSs), which learn from consumers’ behavior and suggest the items most likely to interest them. By doing so, RSs personalize companies’ offers and increase consumers’ engagement with brands as well. Despite their importance for the digital economy, the growing deployment of RSs raises multiple concerns related to consumers’ rights, for instance the threats of manipulation and discrimination. However, the majority of research has been devoted to investigating the causes and effects of “accidental” negative effects of RSs caused by data/system biases. By contrast, we emphasize the importance of studying how RS processes can be abused by third-party adversaries to serve malicious agendas. Specifically, we argue that it is crucial to ensure the functional integrity of RSs against these adversaries in order to protect consumers and provide efficient, trustworthy, and ethical services. For this purpose, we propose to develop a novel framework to identify and evaluate functional vulnerabilities in different RSs, based on the likelihood of malicious exploitation(s) of a given vulnerability (i.e., attacks on RSs), the consequential damage to RS integrity, and the repercussions on RS users (e.g., reputation damage, deception).

    Trust and Risk-Based Access Control for Privacy Preserving Threat Detection Systems

    Intrusion and threat detection systems analyze large amounts of security-related data logs to detect potentially harmful patterns. However, log data often contain sensitive and personal information, and their access and processing should be minimized. Anonymization can provide the technical means to reduce the privacy risk, but it should be carefully applied and balanced with the utility requirements of the different phases of the process: a first exploratory analysis needs fewer details than an investigation of a suspect set of logs. As a result, a complex access control framework has to be put in place to address privacy and utility requirements simultaneously. In this paper we propose a trust- and risk-aware access control framework for threat detection systems, where each access request is evaluated by comparing the privacy risk and the trustworthiness of the request. When the risk is too large compared to the trust level, the framework can apply adaptive adjustment strategies to decrease the risk (e.g., by selectively obfuscating the data) or to increase the trust level required to perform a given task. We show how this model can provide meaningful results, and real-time performance, for an industrial threat detection solution.

    Risk-based privacy-aware access control for threat detection systems

    Threat detection systems collect and analyze a large amount of security data logs to detect potential attacks. Since log data from enterprise systems may contain sensitive and personal information, access should be limited to the data relevant to the task at hand, as mandated by data protection regulations. To this end, data need to be pre-processed (anonymized) to eliminate or obfuscate the sensitive information that is not strictly necessary for the task. Additional security/accountability measures may also be applied to reduce the privacy risk, such as logging access to the personal data or imposing deletion obligations. Anonymization reduces the privacy risk, but it should be carefully applied and balanced with the utility requirements of the different phases of the process: a preliminary analysis may require fewer details than an in-depth investigation of a suspect set of logs. We propose a risk-based privacy-aware access control framework for threat detection systems, where each access request is evaluated by comparing the privacy risk and the trustworthiness of the request. When the risk is too large compared to the trust level, the framework can apply adaptive adjustment strategies to decrease the risk (e.g., by selectively obfuscating the data) or to increase the trust level required to perform a given task (e.g., by imposing enforceable obligations on the user). We show how the framework can simultaneously address both the privacy and the utility requirements. The experimental results presented in the paper show that the framework leads to meaningful results, and real-time performance, within an industrial threat detection solution.

    Risk-Based Privacy-Aware Information Disclosure

    Risk-aware access control systems grant or deny access to resources based on the notion of risk. They have many advantages compared to classical approaches, allowing for more flexibility and ultimately supporting a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure which supports run-time risk assessment. In their framework, access control decisions are based on the disclosure risk associated with a data access request and, unlike existing models, adaptive anonymization operations are used as the risk mitigation method. The inclusion of on-the-fly anonymization allows access to data to be extended while still keeping privacy risk below the maximum tolerable level. Risk thresholds can be adapted to the trustworthiness of the requester’s role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted (highly trusted) group to public release (low trust value). The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approach.

    Balancing Trust and Risk in Access Control

    The increasing availability of large and diverse datasets (big data) calls for increased flexibility in access control so as to improve the exploitation of the data. Risk-aware access control systems offer a natural approach to the problem. We propose a novel access control framework that combines trust with risk and supports access control in dynamic contexts through trust enhancement mechanisms and risk mitigation strategies. This allows us to strike a balance between the risk associated with a data request and the trustworthiness of the requester. If the risk is too large compared to the trust level, the framework can identify adaptive strategies leading to a decrease of the risk (e.g., by removing/obfuscating part of the data through anonymization) or to an increase of the trust level (e.g., by asking the requester for additional obligations). We outline a modular architecture to realize our model, and we describe how these strategies can actually be realized in a realistic use case.

    News won't find me? Exploring inequalities in social media news use with tracking data

    Access to news and political information is not distributed equally among citizens, but depends on their individual resources and motivations. A rise in the availability of news content on social media over the past decade has been accompanied by the hope that people with lower socioeconomic status and less interest in political affairs would be “accidentally” exposed to news. In this presentation, based on a unique set of tracking data that combines the prevalence of news content in individual Facebook news feeds with users’ overall news use online and survey data, we explore whether social media news use is mitigating the divide in news use or whether the specificities of social media ecosystems rather accelerate the news gap. We specifically analyzed differences in social media news exposure and consumption related to political interest, education and income. We reconstruct pathways to news holistically, from (incidental) exposure on Facebook to the actual consumption of a news item and additional engagement with news after consumption. Our unique approach to data collection and analysis also allows us to differentiate between the consumption of, and additional engagement with, a news item accessed via a news website and an item found via social media. We find that a higher level of political interest is associated with a higher amount of news exposure on Facebook and a higher amount of news items consumed via social media sites, but not with a higher amount of news consumption via news websites. The hypothesized positive effects of education and income were not found. When a news item was accessed via social media, users engaged less often in news-related follow-up behavior than after consuming a news item referred via a news website. Overall, our results indicate that social media news use seems to occur particularly among those who are already interested in current affairs, and makes follow-up consumption less likely.