Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/25/20142009 ISI-AIS Workshop1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with.

Published byAustin Barrett Modified over 10 years ago

Similar presentations

Presentation on theme: "1/25/20142009 ISI-AIS Workshop1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with."— Presentation transcript:

1 1/25/20142009 ISI-AIS Workshop1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with Qun Ni and Elisa Bertino (Purdue Univ.) Ravi Sandhu (Univ. Texas at San Antonio)

2 1/25/20142009 ISI-AIS Workshop2 Roadmap Motivation and Goal The TIUPAM Framework High-level structure Components Related Work

3 1/25/20142009 ISI-AIS Workshop3 Motivation Information is essential to decision making Datamining-like techniques can deal with the information volume issue But what if the underlying data is inaccurate, incorrect, inappropriate, misleading, or maliciously introduced? The problem is further complicated by the shifting from need to know to need to share E.g., one can obtain data from sources not within previously defined boundary (e.g., internal sourced information) with (reasonable) accountability

4 1/25/20142009 ISI-AIS Workshop4 Goal A systematic framework for information sharing Trustworthiness-centric Identity, Usage, Provenance, and Attack Management (TIUPAM) Four supporting components: Identity management Usage management Provenance management Attack management The framework is centered at the need of trustworthiness and risk management for decision makers

5 1/25/20142009 ISI-AIS Workshop5 Roadmap Motivation and Goal The TIUPAM Framework High-level structure Components Related Work

6 1/25/20142009 ISI-AIS Workshop6 Birds Eye View of TIUPAM Trustworthiness management Risk management Usage management (of authorized activities) Identity management (of people, organizations, and devices) Attack management (of unauthorized activities) Provenance management (of data, software, and requests) Note: 1 – trustworthiness risk in general

7 1/25/20142009 ISI-AIS Workshop7 trustworthiness and risk management attack management identity management provenance management usage management Architecture of TIUPAM

8 1/25/20142009 ISI-AIS Workshop8 Core questions Trustworthiness and risk management Data at hand reflects the current snapshot of the world, and may be (in)accurate, (in)correct, misleading, or even maliciously introduced The snapshots are dynamical as, for example, incorrect information may later be corrected Trustworthiness is a measure against the snapshot of ones up-to-date observation about information in question Risk is a measure against the potential consequences caused by the execution of decisions based on not- necessarily-trustworthy information.

9 1/25/20142009 ISI-AIS Workshop9 Core questions (cont.) For Identity Management: How can/should we evaluate the trustworthiness of digital identities and digital credentials of people, organizations and devices? The snapshots are derived, in one way or another, from the statements asserted by the relevant people, organizations, and devices A software vendor digitally signs the output of this algorithm (e.g., datamining) is the desired results A message digitally signed by an organization would make one tend to accept it as trustworthy However, there are threats like botnets, identity theft

10 1/25/20142009 ISI-AIS Workshop10 Core questions (cont.) For Usage Management: How can/should we deal with authorized activities in situations complicated by need to share and not necessarily having prior authorizations? What is the trustworthiness of a request (in delivering its promise of appropriately using data)? A subject is traditionally deemed as trustworthy (trusted) as long as it passes certain authentication. But what if the authentication credential has been compromised? An object is always trustworthy (trusted) as long as it is in the filesystem or database. But what if the object itself was malicious or incorrectly provided?

11 1/25/20142009 ISI-AIS Workshop11 Core questions (cont.) For Provenance Management: How can/should we evaluate the trustworthiness of data, software, and requests? Provenance of data allows to measure the trustworthiness of information Provenance of software helps evaluate the trustworthiness of programs output Provenance of requests enhances the assurance that they are invoked by the individual or process in question, rather than by malware

12 1/25/20142009 ISI-AIS Workshop12 Core questions (cont.) For Attack Management: How can/should we deal with attacks (e.g., maliciously introduce wrong or misleading information into the system) and unauthorized activities in situations complicated by need to share and not necessarily having prior authorizations? Help manage the trustworthiness of infrastructure- level services provided to the other components as well as their services in the framework (e.g., authentication services) PKI may be trusted, but not necessarily trustworthy

13 1/25/20142009 ISI-AIS Workshop13 Trustworthiness of information Trustworthiness of provenance Trustworthiness of identity Trustworthiness of usage Trustworthiness of request Trustworthiness of issuer Trustworthiness of owner Risk of (not) sharing Risk of (not) utilizing Incentives for (not) sharing Gain or loss Incentives for (not) utilizing Payoff of (not) sharing Payoff of (not) utilizing Attack model Functions as the Glue Q: How should we construct/approximate these functions?

14 1/25/20142009 ISI-AIS Workshop14 Roadmap Motivation and Goal The TIUPAM Framework High-level structure Components Related Work

15 1/25/20142009 ISI-AIS Workshop15 Component I In order to fulfill the envisioned trustworthiness and risk management, what kinds of Identity Management systems we want?

16 1/25/20142009 ISI-AIS Workshop16 Desired Properties Extensibility: Can accommodate or integrate emerging new identity systems. Heterogeneous or not, large-scale or small-scale Automated trustworthiness: for higher-layer applications Compromise containment: User-end is relatively easy to deal with when compared with server-end compromise Accountability: Who should be responsible for a transaction (or how good forensics we can hope for)?

17 1/25/20142009 ISI-AIS Workshop17 Component II How can we achieve the Usage Management we envisioned? Possible solution: Observation: The dynamic characteristics of usage control are well suited to the problem of trustworthiness-centric information sharing Extending Usage Control (UCON) to Usage Management?

18 1/25/20142009 ISI-AIS Workshop18 From ABAC to UCON Attribute-based access control or ABAC: access is determined by subject and object attributes Attributes can be roles, groups, clearances, sensitivity, title, rank, cost, status etcetera UCON differentiators: Mutable attributes: Obligations: Conditions: 3 phase enforcement: pre, ongoing, post.

19 1/25/20142009 ISI-AIS Workshop19 UCON Differentiators Mutable attributes: attributes can change due to access, allows consumable rights. Only three ATM withdrawals in a day Obligations: in addition to authorization. Click accept button on license agreement Conditions: system wide conditions. Threat level: red, orange, yellow, blue, green 3 phase enforcement: pre, ongoing, post. Change in threat level can kill ongoing access (ongoing condition) When phone card runs out of money the call is killed (ongoing authorization) After access is completed the minutes used are billed to the account (post obligation)

20 1/25/20142009 ISI-AIS Workshop20 UCON Model unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes UCON is Attribute-Based Access Control on Steroids

21 1/25/20142009 ISI-AIS Workshop21 UCON Limitations Future obligations Access exception is made but should be explained Example: Physician is allowed access in emergency situation but has future obligation to write an explanatory note within 3 weeks System obligations Obligation is on the system not on the user Example: data must be deleted after use Handle trustworthiness and risk

22 1/25/20142009 ISI-AIS Workshop22 Component III Need Secure Provenance Management systems Security aspect is not well understood [Braun-Shinnar-Seltzer HotSec08] highlighted the difficulties in managing access control to provenance information We look at a broader picture: How to use provenance for trustworthiness and risk management? How to secure provenance information itself?

23 1/25/20142009 ISI-AIS Workshop23 Provenance Why-provenance: why is a certain piece of information here? Source-provenance: what is the source of a certain piece of information? How-provenance: how does a certain piece of information get here?

24 1/25/20142009 ISI-AIS Workshop24 Secure Provenance Management What would secure provenance management systems --- say, as an analogy to secure DBMS --- look like? Functional requirements Security requirements How should we design and implement them? Facets of secure provenance management

25 1/25/20142009 ISI-AIS Workshop25 Functional Requirements Secure provenance management system should cover the entire lifecycle of information (in this context) as well as their associated provenance processing compliance generationdissemination

26 1/25/20142009 ISI-AIS Workshop26 Functional Requirements Information generation: first time enter the system Information processing: new information items may be derived (e.g., datamining output) Dissemination: data and information can be disseminated in the presence of malicious attacks Compliance: who could read/write/modify and who have read/written/modified which data items

27 1/25/20142009 ISI-AIS Workshop27 logical structure, physical storage etc. core of secure provenance management systems enforcing accountability enforcing advanced access control enforcing integrity enforcing privacy protection Secure information dissemination management information trustworthiness management information compliance management service (of the core secure provenance management systems) to applications applications Security Requirements

28 1/25/20142009 ISI-AIS Workshop28 Security Requirements Information trustworthiness management For a source, what is the trustworthiness of an information item that has to be entered into the system? For an intermediate node, what is the trustworthiness of both the source and the prior intermediate nodes so that, e.g., a decision may be made whether to re-disseminate the processed information? For an information consumer, how to evaluate the trustworthiness of an incoming information item? For an administrator, who has greater influence in the information network?

29 1/25/20142009 ISI-AIS Workshop29 Security Requirements Secure information dissemination management What if there are malicious insiders/attackers in the dissemination system? How can we enforce re-dissemination control? Is the dissemination process privacy-preserving?

30 1/25/20142009 ISI-AIS Workshop30 Security Requirements Information compliance management Who has read/written/modified and could read/write/modify a certain data item? This might help detect malicious insider who leaked a certain confidential information. Who has read/written/modified and could read/write/modify a certain provenance item? This might help detect malicious insider who leaked a certain confidential information. This could help detect the party who leaked, for example, who has participated in which operation/process?

31 1/25/20142009 ISI-AIS Workshop31 Security Requirements Securing data provenance Enforcing advanced access control: provenance of data item if often a Directed Acyclic Graph (DAG). Traditional access control models and their straightforward adaptations are not sufficient [Braun-Shinnar-Seltzer HotSec08]. Enforcing integrity. Enforcing accountability. Enforcing privacy protection.

32 1/25/20142009 ISI-AIS Workshop32 policy usage accountability usage privacy source privacy source accountability processing privacy dissemination privacy processing accountability dissemination accountability privacy accountability Facets of Secure Provenance Management

33 1/25/20142009 ISI-AIS Workshop33 Attack Management Attacks attempting to manipulate the trustworthiness of information, including compromise of provenance information Can be done by attack Attacks attempting to manipulate the trustworthiness of usage By attacking trustworthiness of information provenance (e.g., malicious information spreads to many users) or trustworthiness of request (e.g., compromising credential)

34 1/25/20142009 ISI-AIS Workshop34 Component IV If attacks are not controllable, can we manage them? Attacks attempting to manipulate the trustworthiness of information, including compromise of provenance information Attacks attempting to manipulate the trustworthiness of usage By attacking trustworthiness of information provenance (e.g., malicious information spreading to many users) or trustworthiness of request (e.g., compromising credential)

35 1/25/20142009 ISI-AIS Workshop35 Attack Management Any security statement is with respect to a specific adversarial model If we want to measure security, trustworthiness, and assurance, we must state the (holistic) model explicitly Cryptography has made very progress in this aspect, but we need holistic model

36 1/25/20142009 ISI-AIS Workshop36 Related Work This is an ambitious project The framework itself likely will be refined We are investigating mechanisms for fitting into the framework as well [Braun-Shinnar-Seltzer HotSec08] presented an excellent discussion on the challenge of access control of provenance data

37 1/25/20142009 ISI-AIS Workshop37 Thanks, and Questions?

Download ppt "1/25/20142009 ISI-AIS Workshop1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),

Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with Qun Ni and Elisa Bertino (Purdue.

1 TIUPAM: A Framework for Trustworthiness-centric Information Sharing Shouhuai Xu Univ. Texas at San Antonio Joint work with Qun Ni and Elisa Bertino (Purdue.
QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.

INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security.

Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security.
Usage Control: UCON Ravi Sandhu. © Ravi Sandhu2 Problem Statement Traditional access control models are not adequate for todays distributed, network-

Usage Control: UCON Ravi Sandhu. © Ravi Sandhu2 Problem Statement Traditional access control models are not adequate for todays distributed, network-
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.

A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
© 2006 Ravi Sandhu www.list.gmu.edu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,

© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
Audit Trail and Node Authentication Audit Trail and Node Authentication Robert Horn Agfa Healthcare.

Audit Trail and Node Authentication Audit Trail and Node Authentication Robert Horn Agfa Healthcare.
Retrieve ECG for Display Profile Retrieve ECG for Display Profile John Donnelly IHE-Cardiology Planning Committee.

Retrieve ECG for Display Profile Retrieve ECG for Display Profile John Donnelly IHE-Cardiology Planning Committee.
Document Digital Signature (DSG) Document Digital Signature (DSG) Gila Pyke / Lori Reed-Fourquet Smart Systems for Health Agency / Identrus IHE ITI Technical.

Document Digital Signature (DSG) Document Digital Signature (DSG) Gila Pyke / Lori Reed-Fourquet Smart Systems for Health Agency / Identrus IHE ITI Technical.
7th xbrl workshop1 CENTRAL BANK OF CYPRUS IMPLEMENTATION OF COREP & XBRL VII European Banking Supervisors XBRL Workshop Munich, 9 May 2007.

7th xbrl workshop1 CENTRAL BANK OF CYPRUS IMPLEMENTATION OF COREP & XBRL VII European Banking Supervisors XBRL Workshop Munich, 9 May 2007.
RDFTL: An Event-Condition- Action Language for RDF George Papamarkos Alexandra Poulovassilis Peter T. Wood School of Computer Science and Information Systems.

RDFTL: An Event-Condition- Action Language for RDF George Papamarkos Alexandra Poulovassilis Peter T. Wood School of Computer Science and Information Systems.
Supporting further and higher education Grid Security: Present and Future Alan Robiette, JISC Development Group.

Supporting further and higher education Grid Security: Present and Future Alan Robiette, JISC Development Group.
The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.

The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Similar presentations

Ads by Google