Assured Information Sharing

Prof. Bhavani Thuraisingham and Prof. Latifur Khan The University of Texas at Dallas Prof. Ravi Sandhu George Mason University August 2006 Information Operation Across Infospheres: Assured Information Sharing

Acknowledgements Students –UTDallas Dilsad Cavus (MS, Data mining and data sharing) Srinivasan Iyer (MS, Trust management) Ryan Layfield (PhD, Game theory) Mehdi (PhD, Worm detection) –GMU Min (PhD, Extended RBAC) Faculty and Staff –UTDallas Prof. Murat (Game theory) Dr. Mamoun Awad (Data mining and Data sharing) Project supplemented by Texas Enterprise Funds

Architecture Export Data/Policy Component Data/Policy for Agency A Data/Policy for Federation Export Data/Policy Component Data/Policy for Agency C Component Data/Policy for Agency B Export Data/Policy

Our Approach Integrate the Medicaid claims data and mine the data; next enforce policies and determine how much information has been lost by enforcing policies Examine RBAC and UCON in a coalition environment Apply game theory and probing techniques to extract information from non cooperative partners; conduct information operations and determine the actions of an untrustworthy partner. Defensive and offensive operations

Coalition for Assured Information Sharing A coalition is formed by related entities like Medical care facilities and Health insurance companies to share information within themselves and to selected outsiders in a secure manner. Each of these entities can specify policies for access control through the coalition. The coalition provides controlled access to information in the database after enforcing policies generated by the entity owning the database.

Example Consider a set of hospitals: {H1, H2, … Hn} and a set of Health Insurance agencies {I1, I2, … In}. Each of these hospitals and insurance companies can be an entity in a Coalition. The Coalition server provides a single point of access for databases owned by each of the member entities. Each of these entities provides a policy file to the company/individual hosting the Coalition server.

Example … continued Situation – 1 When registering a client, an insurance agency I5 might want to ensure that the applicant does not have an active insurance coverage from any other insurance agency. A web service agent from the insurance company I5 issues a request to the Coalition server to verify this. - Using the applicant’s SSN, the web service agent can query each of the other insurance agency databases to retrieve records of active insurance coverage for the client with the specified SSN.

Coalition Architecture

Architectural Elements – 1 Web Service Agent:  Formulates a request and sends the request to the Response Engine  Receives response from the Response Engine and uses it to provide the appropriate service.  The aim of the web service agent is to obtain as much information as possible.

Architectural Elements – 2 Response Engine: Policy Enforcement Point (PEP):  Enforces policies on requests sent by the Web Service.  Translates this request into an XACML request; sends it to the PDP. Policy Decision Point (PDP):  Makes decisions regarding the request made by the web service.  Conveys the XACML request to the PEP.

Architectural Elements – 3 Coalition ( Policy files + Database) Policy Files:  Policy Files are written in XACML policy language.  Policy Files specify rules for “Targets”. Each target is composed of 3 components: Subject, Resource and Action; each target is identified uniquely by its components taken together. The XACML request generated by the PEP contains the target. The PDP’s decision making capability lies in matching the target in the request file with the target in the policy file.  These policy files are supplied by the owner of the databases (Entities in the coalition). Databases:  The entities participating in the coalition provide access to their databases.

Screenshots - 1

Screenshots - 2

Screenshots - 3

Enforcing Honesty Everyone has a choice: –Tell the truth –Lie Distributed Behavior Enforcement –Non-trivial to implement –Difficult to guarantee –Examples: BitTorrent, P2P Networks, etc. Unless we can afford to have a neutral 3 rd party that everyone can agree on, we need some way of enforcing ‘good’ behavior

Punishment However, there is a third option: refuse to participate –Usually not researched –Drastic measure that only makes sense if we can influence behavior Our modeling suggests that, with proper use of refusal, we can ultimately enforce helpful behavior without a managing agent

Evolutionary Strategy Every 200 rounds, we create a new generation of agents, using the most successful strategies available The fitness f() of a given agent is a function of how well they have performed during interaction with other agents –More successful agents have a higher probability of being a part of the next generation    n i i i i select af af ap 0 )( )( )(

Our Work Our mathematical models suggest that, assuming we punish by cutting off communication, the equilibrium is to always tell the truth Therefore, using an evolutionary environment, we have placed our particular rationality amongst a heterogeneous pool of competing ideologies –Tit-For-Tat: A famous algorithm that simply mirrors the last move an opponent made –Random: An agent that selects it’s strategy with a 50/50 chance –Casual Liar: Like our agent, but lies with a 10% probability –Subtle Liar: Like our agent, but chooses to lie when it perceives the piece being traded is of significant value With equal parts given to each agent, which one will emerge victorious?

Results

Centralized Reputations in Decentralized P2P Networks Nathalie Tsybulnik, Kevin W. Hamlen, Bhavani Thuraisingham

Motivation P2P Systems offer few security guarantees Shared data has low confidentiality Shared data has low integrity Easy for malicious peers to propagate malicious code

Introducing Penny A P2P Network that addresses the following types of attacks: –Spread of corrupt or incorrect data –Attaching incorrect labels to data –Discovering which peers own particular data –Generating a list of all peers who own particular data

Penny P2P Network that supports shared data labeling of: –Confidentiality –Integrity Peers can share data without revealing which data object they own Security labels are global but do not require a centralized server

Penny (Cont’d) P2P Network uses reputation-based trust management system –Store/retrieve labels –Despite malicious peer existence Maintain efficiency of network operations O(log N)