Dima Alhadidi
Zayed University
Publications
Featured research published by Dima Alhadidi.
IEEE Transactions on Dependable and Secure Computing | 2014
Noman Mohammed; Dima Alhadidi; Benjamin C. M. Fung; Mourad Debbabi
Privacy-preserving data publishing addresses the problem of disclosing sensitive data when mining for useful information. Among the existing privacy models, ϵ-differential privacy provides one of the strongest privacy guarantees. In this paper, we address the problem of private data publishing, where different attributes for the same set of individuals are held by two parties. In particular, we present an algorithm for differentially private data release for vertically partitioned data between two parties in the semihonest adversary model. To achieve this, we first present a two-party protocol for the exponential mechanism. This protocol can be used as a subprotocol by any other algorithm that requires the exponential mechanism in a distributed setting. Furthermore, we propose a two-party algorithm that releases differentially private data in a secure way according to the definition of secure multiparty computation. Experimental results on real-life data suggest that the proposed algorithm can effectively preserve information for a data mining task.
Conference on Privacy, Security and Trust | 2006
Dima Alhadidi; Nadia Belblidia; Mourad Debbabi
This paper presents a brief description of the most used AOP approaches and analyzes them from a security point of view. AspectJ is then considered the most appropriate language to enforce security issues, but at the same time it is not complete. This paper shows that some security crosscutting concerns need more means than those that currently exist in AspectJ.

1 Motivations and Background

Application security has become one of the fastest growing fields in the IT market today. Security precautions built inside applications minimize the probability that hackers will be able to manipulate applications and access critical data. Aspect Oriented Programming (AOP) is a new paradigm that complements the Object Oriented Programming (OOP) paradigm by supporting a better separation for crosscutting concerns. Crosscutting concerns such as security are concerns that are tangled and scattered across more than one module. AOP languages such as AspectJ, HyperJ, and DJ have adopted the pointcut-advice model, the multi-dimensional separation of concerns model, and the adaptive programming model respectively. An analysis is done for these models from a security perspective. As a result of this analysis, AspectJ, which supports the pointcut-advice model, is considered the most appropriate language to enforce security in Java applications. AspectJ extends the Java programming language. AspectJ aspects contain new parts that do not exist in an ordinary Java class, such as join points, pointcuts, and advices. AspectJ is the right choice to enforce security, but it needs more means than those that currently exist to do this job successfully. This is the issue that we discuss extensively in this paper.

This paper contains two basic parts. The first part (Section 2) briefly discusses AOP approaches and analyzes them from a security point of view. The second part (Section 3) discusses what AspectJ lacks to enforce security issues successfully. Finally, a few remarks and a discussion of future research are sketched as a conclusion in Section 4.

This research is funded by NSERC (Natural Sciences and Engineering Research Council of Canada) DND (Department of National Defence) grant in collaboration with Bell Canada and DRDC (Defense Research and Development Canada) at Valcartier.

2 AOP Security Appropriateness

The most used AOP approaches are discussed in this section, followed by an appropriateness analysis of these approaches from a security perspective.

2.1 Pointcut-Advice Model

The fundamental concepts of the pointcut-advice approach are join points, pointcuts, and advices. A join point is a point in the control flow graph of an application. A pointcut is a constructor that designates a set of join points. Advices are pieces of code attached to pointcuts. An advice is executed when join points satisfying its pointcut are reached. AspectJ [5] is probably the best-known representative of the pointcut-advice model.

2.2 Multi-Dimensional Separation of Concerns

Multi-dimensional separation of concerns (MDSOC) [10] allows developers to partition overlapping concerns in software along multiple dimensions of composition and decomposition. MDSOC treats all concerns as first-class and co-equal, including components and aspects, allowing them to be encapsulated and composed at will. As a result, the approach is symmetric, as opposed to the pointcut-advice approach where aspects are composed (woven) into the base application. Hyperspaces are an approach to achieve MDSOC where multiple decompositions of the program are modeled as a set of units called hyperslices (concerns). HyperJ [10] supports hyperspaces in Java. In HyperJ, a set of hyperslices can be combined into a hypermodule using composition rules.

2.3 Adaptive Programming

Adaptive programming (AP), proposed by the Demeter group [2], used the ideas of AOP several years before the name aspect oriented programming was coined. Following the Demeter law, a programming style rule for loose coupling between the structure and behavior concerns, can result in a large number of methods scattered throughout the program. Adaptive programming with traversal strategies and adaptive visitors avoids this problem [9]. DJ [9] is a Java library for adaptive programming that allows traversal strategies to be constructed and interpreted dynamically at run time. DJ allows traversing a graph object according to the traversal strategy and allows specifying a visitor to be executed before or after specific nodes.

2.4 Appropriateness Analysis

All the above AOP approaches are candidates to separate crosscutting concerns in general. The multi-dimensional separation of concerns has a serious limitation from a security perspective: it is not possible to add functionality before, after, or around a field access. Access authentication to a given field in a given class is a simple security example that cannot be handled with HyperJ, which is a representative of the MDSOC model. The MDSOC approach works at the method granularity and consequently cannot operate within a method body. HyperJ does not support pulling apart code within method bodies. Picking out multiple concerns within method bodies is required in many situations to enforce security. Adaptive programming is concerned with the loose coupling between structure and behavior and focuses on certain kinds of concerns. For example, DJ is unable to replace a method with a more secure one. The pointcut-advice model is the most popular model. It offers a better granularity than the MDSOC approach and considers more general kinds of concerns than adaptive programming. Furthermore, the pointcut-advice model adapts extensively the pull approach. It allows tracking subtle points in the control flow of the application, for example points where methods are invoked and fields are set. Hence, we choose AspectJ as the candidate to enforce security issues in Java applications.

3 AspectJ Shortcomings

This section suggests some possible extensions to AspectJ, explained by examples, in order to handle security issues in applications successfully.

pointcut* displayState(): pcflow(execution(void SecurityElement+.draw())) && get(* SecurityElement+.*);
after set( ) (): {
Privacy Enhancing Technologies | 2012
Dima Alhadidi; Noman Mohammed; Benjamin C. M. Fung; Mourad Debbabi
Privacy-preserving data publishing addresses the problem of disclosing sensitive data when mining for useful information. Among the existing privacy models, ϵ-differential privacy provides one of the strongest privacy guarantees. In this paper, we address the problem of private data publishing where data is horizontally divided among two parties over the same set of attributes. In particular, we present the first generalization-based algorithm for differentially private data release for horizontally-partitioned data between two parties in the semi-honest adversary model. The generalization algorithm correctly releases differentially-private data and protects the privacy of each party according to the definition of secure multi-party computation. To achieve this, we first present a two-party protocol for the exponential mechanism. This protocol can be used as a subprotocol by any other algorithm that requires exponential mechanism in a distributed setting. Experimental results on real-life data suggest that the proposed algorithm can effectively preserve information for a data mining task.
Expert Systems With Applications | 2015
Andrei Soeanu; Mourad Debbabi; Dima Alhadidi; Makram Makkawi; Mohamad Allouche; Micheline Bélanger; Nicolas Léchevin
Elaboration of an approach for transportation risk assessment and contingency evaluation. Modeling risk prone transportation tasks as composed Markov Decision Process (MDP). Assessment of transportation tasks expressed as MDP via probabilistic model checking. Provision of decision making support via decision trees built from the model checking output. Evaluation of risk related properties expressed in probabilistic temporal logic.

Transportation and supply chain activities represent essential components in many endeavors covering both public and private domains. However, the underlying transport networks are complex and potentially fragile due to weather, natural disasters or other risk factors. Thus, assessing transportation related risk represents a key decision support capability along with the ability to evaluate contingency options for risk mitigation. In this paper, we address these issues by adopting probabilistic model checking to evaluate the risk and contingency options related to transportation tasks. In this pursuit, risk related properties are assessed for behavioral models capturing the transport system. Moreover, we show the usefulness of constructing decision trees that can provide insightful means of risk appraisal. The proposed approach can help decision makers evaluate contingency options and determine lower and upper cost bounds for risky transportation tasks such as those involved in humanitarian aid provision. The proposed approach is also illustrated with a case study.
Aspect-Oriented Software Development | 2009
Dima Alhadidi; Amine Boukhtouta; Nadia Belblidia; Mourad Debbabi; Prabir Bhattacharya
Some security concerns are sensitive to flow of information in a program execution. The dataflow pointcut has been proposed by Masuhara and Kawauchi in order to easily implement such security concerns in aspect-oriented programming (AOP) languages. The pointcut identifies join points based on the origins of values. This paper presents a formal framework for this pointcut based on the λ-calculus. Dataflow tags are propagated statically to track data dependencies between expressions. We introduce a static semantics for tag propagation and prove that it is consistent with respect to the dynamic semantics of the propagation. We instrument the static effect-based type system to propagate tags, match and inject advices. This static approach can be used to minimize the cost of dataflow pointcuts by reducing the runtime overhead since much of the dataflow information would be available statically and at the same time it can be used for verification. The proposed semantics for advice weaving is in the spirit of AspectJ where advices are injected before, after, or around the join points that are matched by their respective pointcuts. Inspired from the formal framework, the AspectJ compiler ajc is extended with the dataflow pointcut that tracks data dependencies inside methods.
Conference of the Centre for Advanced Studies on Collaborative Research | 2010
Mariam Nouh; Raha Ziarati; Djedjiga Mouheb; Dima Alhadidi; Mourad Debbabi; Lingyu Wang; Makan Pourzandi
Aspect-Oriented Modeling (AOM) is an emerging solution for handling crosscutting concerns at the software modeling level in order to reduce the complexity of software models and application code. In this paper, we present the implementation strategies of an aspect-oriented approach for weaving crosscutting concerns into UML models. The main advantages of the design and the implementation of our approach are the portability and the expressiveness thanks to the OMG standards: OCL and QVT languages. We instrument OCL to translate pointcuts into a language that can easily navigate a diagram and query its elements. We implement aspect weaving as a model-to-model transformation using QVT. Additionally, we provide semantics for matching and weaving in UML activity diagrams. Finally, we demonstrate the viability and the relevance of our propositions using a case study.
BMC Medical Genomics | 2017
Momin Al Aziz; Dima Alhadidi; Noman Mohammed
Background: Edit distance is a well established metric to quantify how dissimilar two strings are by counting the minimum number of operations required to transform one string into the other. It is utilized in the domain of human genomic sequence similarity as it captures the requirements and leads to a better diagnosis of diseases. However, in addition to the computational complexity due to the large genomic sequence length, the privacy of these sequences is highly important. As these genomic sequences are unique and can identify an individual, these cannot be shared in a plaintext.

Methods: In this paper, we propose two different approximation methods to securely compute the edit distance among genomic sequences. We use shingling, private set intersection methods, the banded alignment algorithm, and garbled circuits to implement these methods. We experimentally evaluate these methods and discuss both advantages and limitations.

Results: Experimental results show that our first approximation method is fast and achieves similar accuracy compared to existing techniques. However, for longer genomic sequences, both the existing techniques and our proposed first method are unable to achieve a good accuracy. On the other hand, our second approximation method is able to achieve higher accuracy on such datasets. However, the second method is relatively slower than the first proposed method.

Conclusion: The proposed algorithms are generally accurate, time-efficient and can be applied individually and jointly as they have complementary properties (runtime vs. accuracy) on different types of datasets.
International Database Engineering and Applications Symposium | 2016
Momin Al Aziz; Mohammad Zahidul Hasan; Noman Mohammed; Dima Alhadidi
Large scale biomedical research projects involve analysis of a huge amount of genomic data which is owned by different data owners. The collection and storing of genomic data is sometimes beyond the capability of a sole organization. Genomic data sharing is a feasible solution to overcome this problem. These scenarios can be generalized into the problem of aggregating data distributed among multiple databases and owned by different data owners. However, we should guarantee that an adversary cannot learn anything about the data or the individual contribution of each party towards the final output of the computation. In this paper, we propose a practical solution for secure sharing and computation of genomic data. We adopt the Paillier cryptosystem and the order preserving encryption to securely execute the count query and the ranked query. Experimental results demonstrate that the computation time is realistic enough to make our system adoptable in the real world.
Computer-Based Medical Systems | 2015
Noman Mohammed; Samira Barouti; Dima Alhadidi; Rui Chen
There has been a tremendous growth in health data collection since the development of Electronic Medical Record (EMR) systems. Such collected data is further shared and analyzed for diverse purposes. Despite many benefits, data collection and sharing have become a big concern as it threatens individual privacy. In this paper, we propose a secure and private data management framework that addresses both the security and privacy issues in the management of medical data in outsourced databases. The proposed framework ensures the security of data by using semantically-secure encryption schemes to keep data encrypted in outsourced databases. The framework also provides a differentially-private query interface that can support a number of SQL queries and complex data mining tasks. We experimentally evaluate the performance of the proposed framework, and the results show that the proposed framework is practical and has low overhead.
IEEE International Conference on Cloud Computing Technology and Science | 2013
Samira Barouti; Dima Alhadidi; Mourad Debbabi
Database outsourcing has gained importance in the past few years due to the emergence of cloud computing. In Database-as-a-Service (DaaS), which is a category of cloud computing services, the database owner outsources both databases and querying services to a cloud server and clients issue queries over the database to the cloud server. In this context, privacy is a primary challenge and it is necessary to fulfill the main privacy requirements of database owners and clients. This paper presents protocols for executing keyword search and aggregate SQL queries that preserve the privacy of both the client and the database owner. Client privacy is preserved such that the database owner and the cloud server cannot infer the constants contained in the query predicates. Database owner privacy is preserved such that the client cannot obtain any additional information beyond the query result. The primitives that are utilized in designing these protocols include symmetric private information retrieval and private integer comparison. We experimentally evaluate the performance of the proposed protocols and report on the experimental results.