Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Preserving Cross-Domain Data Dissemination (with adaptable service selection) Northrop Grumman TechFest June 2015 PI: Prof. Bharat Bhargava Purdue.

Published byErika Mathews Modified over 8 years ago

Similar presentations

Presentation on theme: "Privacy Preserving Cross-Domain Data Dissemination (with adaptable service selection) Northrop Grumman TechFest June 2015 PI: Prof. Bharat Bhargava Purdue."— Presentation transcript:

1 Privacy Preserving Cross-Domain Data Dissemination (with adaptable service selection) Northrop Grumman TechFest June 2015 PI: Prof. Bharat Bhargava Purdue University Technical Champions: Dr. Sunil Lingayat, Mr. Jason C. Kobes

2 End-to-End Security in Trusted and Untrusted SOA and Cloud 2 Browser Service request analyze request source based on W3C standards Insecure browser Secure browser Send active bundle to cloud for execution UNTRUSTED TRUSTED Active Bundle Service Domain Data access request Active Bundle Service X Data request Data Service X is authorized to access Encrypted search Filtered/lower quality data Filtered search results authentication CAC PIN Trust = X + Y Trust = X Low trustHigh trust execute active bundle in cloud

3 End-to-End Information Flow 1.Client sends request to the service using browser and shares data by means of Active Bundle (AB) 2.Service checks the request source (secure or insecure browser) –Based on W3C Crypto standards 3.Service executes AB in Cloud if created by an insecure browser 4.Service interacts with AB and requests data 5.AB behaves differently under different contexts –Full data dissemination based on service authorization/trust level –Context-based partial data dissemination based on insufficient authorization level –No data dissemination for unauthorized access/attacks 6.Cross-domain information exchange with trustworthy/untrustworthy subscribers –Data dissemination is done on a “need to know” basis by limiting the disclosure of decryption keys –Incremental disclosure of keys based on increase in the “need” 3

4 Active Bundle Active Bundle (AB) approach for secure data dissemination –Self-protecting data encapsulation mechanism –Provides secure cross-domain information exchange Sensitive data –Encrypted data items Metadata –Access control and operational policies Virtual Machine –Protection mechanism (self-integrity check) –Policy evaluation, enforcement and data dissemination 4

5 Example of Controlled Data Distortion Distorted data reveal less, protects privacy Examples: accurate datamore and more distorted data 5 250 N. Salisbury Street West Lafayette, IN 250 N. Salisbury Street West Lafayette, IN [home address] 765-123-4567 [home phone] Salisbury Street West Lafayette, IN 250 N. University Street West Lafayette, IN [office address] 765-987-6543 [office phone] somewhere in West Lafayette, IN P.O. Box 1234 West Lafayette, IN [P.O. box] 765-987-4321 [office fax]

6 P2P Secure Data Sharing in UAV Network 6 NORTHROP GRUMMAN PRIVATE / PROPRIETARY LEVEL I Each UAV creates active bundle with captured image data and trust-based dissemination policies When active bundle is sent to a UAV, image data is filtered (blurred) based on trust level Trust levels of UAVs change based on context, distance, communication bandwidth

7 P2P Secure Data Sharing in UAV Network 7 NORTHROP GRUMMAN PRIVATE / PROPRIETARY LEVEL I Original imageDissemination Policy: If 2.5 > trust ≥ 2.2 => blur level = 20 If 2.2 > trust ≥ 2.0 => blur level = 40 If 2.0 > trust => blur level = 80 trust = 2.4trust = 2.1trust = 1.5

8 P2P Secure Data Sharing in UAV Network 8 NORTHROP GRUMMAN PRIVATE / PROPRIETARY LEVEL I Original image Dissemination Policy: If context = emergency => contrast = 0.4 If 2.5 > trust ≥ 2.2 => contrast = 0.2 If 1.8 > trust => contrast = 0.1 trust = 2.0 context = emergency trust = 2.4 trust = 1.7

9 Example of Controlled Data Filtering of Electronic Healthcare Record (EHR) EHRs stored in a database and filtered for different data consumers using SQL queries run in the AB’s VM 9 a. Data consumer verified as doctor at the hospital can get all patient data b. Hospital Receptionist gets filtered data c. Insurance company gets only the minimal required data

10 UAV 2UAV 3 UAV 1 Command & Control Top Secret Secret ConfidentialUnclassified Time period Deployed personnel Target locations Intelligence reports Mission expenses Deployed weapons Casualties Press Release Time period Deployed personnel Target locations Intelligence reports Mission expenses Deployed weapons Casualties Press Release Mission expenses Press Release Target locations Intelligence reports Mission expenses Deployed weapons Press Release Infrared imagery Location coordinates Multispectral imagery Location coordinates 10 Cross-Domain Data Dissemination (disclosure based on classification level)

11 Context-based Data Dissemination (disclosure during emergency context) Pharmacy’s App Insurance’sApp Doctor’sApp Paramedic’sApp Laboratory’s App Medical Information System Active Bundle Patient ID Insurance ID Medical data Medical history Medical test prescription Prescription Treatment code Active Bundle Active Bundle Active Bundle Active Bundle Medical data Medical history E(Patient ID) E(Insurance ID) E(Medical test prescription) E(Prescription) E(Treatment code) Patient ID Medical data Medical history Medical test prescription Prescription E(Insurance ID) E(Treatment code) Patient ID Medical test prescription E(Medical data) E(Insurance ID) E(Medical history) E(Prescription) E(Treatment code) Patient ID Prescription E(Medical data) E(Insurance ID) E(Medical history) E(Medical test prescription) E(Treatment code) Patient ID Insurance ID Treatment code E(Medical data) E(Medical history) E(Medical test prescription) E(Prescription) 11 Emergency context Data access: GRANTED

12 Trust-based Data Dissemination (access based on trust level) 12 SERVICE MONITOR Shopping Service Name Email Credit card type Credit card Shipping preference Mailing address Seller Service Payment Shipping order request + 1 Active Bundle Active Bundle verify request + 2 Name Email Payment type E(Credit card) E(Shipping preference) E(Mailing address) Trust Request Trust level: 1 Trust Request Trust level: 5 Low trust level of Seller Data access: DENIED

13 Trusted vs. Untrusted Service Invocation 13 NORTHROP GRUMMAN PRIVATE / PROPRIETARY LEVEL I UAV on search and rescue mission for a fire hazard When invoked from secure browser, active bundle is sent to each involved service domain (Fire Control, Ambulance, Weather), so they access data they are authorized for.

14 Trusted vs. Untrusted Service Invocation (cont.) 14 NORTHROP GRUMMAN PRIVATE / PROPRIETARY LEVEL I When invoked from insecure browser, active bundle is sent to the cloud and each service (Fire Control, Ambulance, Weather), interacts with active bundle in the cloud for data access.

15 Dynamic Service Composition Reconfiguration An SOA service orchestration is composed of a series of services that interact with each other based on a service interaction graph Select services in each category for specific functionality, for e.g., category: Weather, services: Accuweather, Yahoo weather Dynamic service composition reconfiguration is based on changes in context and type, duration, extent of attacks and failures Goal: Given a set of service categories (each with a set of services), a set of security constraints, a set of target performance parameters; Create a service composition that complies with the given security constraints and has best performance Approach: Sort services in each category based on given performance parameters Select highest performing service from each category to form a composition Check composition against given security constraints and switch to alternate services if the constraints are not satisfied (acceptance test fails) 15

16 Technical Approach Overview Instrumentation Passive Passive Listener Active Listener Heartbeat & Inflow Listener Anomaly Detection Policies Interaction Authorization Algorithms Passive Monitoring Algorithms Service 1 Service 2 Active request response request (if authorized) Dynamic Service Composition Active Bundle State Listener Trust Management Active Bundle reconfiguration Service Monitor Service monitor intercepts all client-service/service-service interactions. The approach aims to provide a unified security architecture for SOA and cloud by integrating components for: Service trust management Interaction authorization between different services Anomaly detection based on service behavior Dynamic service composition Secure data dissemination using active bundles 16

Download ppt "Privacy Preserving Cross-Domain Data Dissemination (with adaptable service selection) Northrop Grumman TechFest June 2015 PI: Prof. Bharat Bhargava Purdue."

Similar presentations

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
NIST Big Data Public Working Group Security and Privacy Subgroup Presentation September 30, 2013 Arnab Roy, Fujitsu Akhil Manchanda, GE Nancy Landreville,

NIST Big Data Public Working Group Security and Privacy Subgroup Presentation September 30, 2013 Arnab Roy, Fujitsu Akhil Manchanda, GE Nancy Landreville,
Cryptography and Network Security

Cryptography and Network Security
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Context-based Detection of Privacy Violation Bharat Bhargava In collaboration with Mark Linderman (AFRL) and Chao Wang (UNCC) Purdue University

Context-based Detection of Privacy Violation Bharat Bhargava In collaboration with Mark Linderman (AFRL) and Chao Wang (UNCC) Purdue University
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Privacy and Identity Management in Cloud Rohit Ranchal, Bharat Bhargava, Pelin Angin, Noopur Singh, Lotfi Ben Othmane, Leszek Lilien Department of Computer.

Privacy and Identity Management in Cloud Rohit Ranchal, Bharat Bhargava, Pelin Angin, Noopur Singh, Lotfi Ben Othmane, Leszek Lilien Department of Computer.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Trust and Privacy in Authorization Bharat Bhargava Yuhui Zhong Leszek Lilien CERIAS Security Center CWSA Wireless Center Department of CS and ECE Purdue.

1 Trust and Privacy in Authorization Bharat Bhargava Yuhui Zhong Leszek Lilien CERIAS Security Center CWSA Wireless Center Department of CS and ECE Purdue.
A Primer on Healthcare Information Exchange John D. Halamka MD CIO, Harvard Medical School and Beth Israel Deaconess Medical Center.

A Primer on Healthcare Information Exchange John D. Halamka MD CIO, Harvard Medical School and Beth Israel Deaconess Medical Center.
Chapter 8 Web Security.

Chapter 8 Web Security.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.
RIVERA SÁNCHEZ-1 CSE 5810 User Authentication in Mobile Healthcare Applications Yaira K. Rivera Sánchez Computer Science & Engineering Department University.

RIVERA SÁNCHEZ-1 CSE 5810 User Authentication in Mobile Healthcare Applications Yaira K. Rivera Sánchez Computer Science & Engineering Department University.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Similar presentations

Ads by Google