Maarten H. Everts

Designing Privacy-by-Design

The proposal for a new privacy regulation d.d. January 25th 2012 introduces sanctions of up to 2% of the annual turnover of enterprises. This elevates the importance of mitigation of privacy risks. This paper makes Privacy by Design more concrete, and positions it as the mechanism to mitigate these privacy risks. n nIn this vision paper, we describe how design patterns may be used to make the principle of Privacy by Design specific for relevant application domains. We identify a number of privacy design patterns as examples and we argue that the art is in finding the right level of abstraction to describe a privacy design pattern: the level where the data holder, data subject and privacy risks are described. n nWe give an extended definition of Privacy by Design and, taking Soloves model for privacy invasions as structuring principle, we describe a tool and method to use that tool to generate trust in systems by citizens.

Exploration of the Brain’s White Matter Structure through Visual Abstraction and Multi-Scale Local Fiber Tract Contraction

We present a visualization technique for brain fiber tracts from DTI data that provides insight into the structure of white matter through visual abstraction. We achieve this abstraction by analyzing the local similarity of tract segment directions at different scales using a stepwise increase of the search range. Next, locally similar tract segments are moved toward each other in an iterative process, resulting in a local contraction of tracts perpendicular to the local tract direction at a given scale. This not only leads to the abstraction of the global structure of the white matter as represented by the tracts, but also creates volumetric voids. This increase of empty space decreases the mutual occlusion of tracts and, consequently, results in a better understanding of the brains three-dimensional fiber tract structure. Our implementation supports an interactive and continuous transition between the original and the abstracted representations via various scale levels of similarity. We also support the selection of groups of tracts, which are highlighted and rendered with the abstracted visualization as context.

Illustrative Line Styles for Flow Visualization

We present a flexible illustrative line style model for the visualization of streamline data. Our model partitions view-oriented line strips into parallel bands whose basic visual properties can be controlled independently. We thus extend previous line stylization techniques specifically for visualization purposes by allowing the parametrization of these bands based on the local line data attributes. We demonstrate the effectiveness of our model by applying it to 3D flow field datasets.

UbiKiMa: ubiquitous authentication using a smartphone, migrating from passwords to strong cryptography

Passwords are the only ubiquitous form of authentication currently available on the web. Unfortunately, passwords are insecure. In this paper we therefore propose the use of strong cryptography, using the fact that users increasingly own a smartphone that can perform the required cryptographic operations on their behalf. This is not as trivial as it sounds. Services will not migrate to new forms of authentication if few users have the means to use it. Similarly, users will not acquire the means if there are few services that accept them. Moreover, enabling ones smartphone to seamlessly sign in at a website when browsing on an arbitrary PC is non-trivial. We propose a system, based on a smartphone app, that can be used to sign in with username and password to arbitrary websites using an arbitrary PC or laptop. We describe the protocol and implementation to achieve this without the need for typing usernames and passwords. Furthermore, we propose an authentication protocol based on public key cryptography, integrated in the same smartphone app. This allows websites to seamlessly migrate towards a much more secure authentication method on the web, independently of each other. A prototype of our system has been developed.

Private Sharing of IOCs and Sightings

Information sharing helps to better protect computer systems against digital threats and known attacks. However, since security information is usually considered sensitive, parties are hesitant to share all their information through public channels. Instead, they only exchange this information with parties with whom they already established trust relationships. We propose the use of two complementary techniques to allow parties to share information without the need to immediately reveal private information. We consider a cryptographic approach to hide the details of an indicator of compromise so that it can be shared with other parties. These other parties are still able to detect intrusions with these cryptographic indicators. Additionally, we apply another cryptographic construction to let parties report back their number of sightings to a central party. This central party can aggregate the messages from the various parties to learn the total number of sightings for each indicator, without learning the number of sightings from each individual party. An evaluation of our open-source proof-of-concept implementations shows that both techniques incur only little overhead, making the techniques prime candidates for practice.

Revocable Privacy: Principles, Use Cases, and Technologies

Security and privacy often seem to be at odds with one another. In this paper, we revisit the design principle of revocable privacy which guides the creation of systems that offer anonymity for people who do not violate a predefined rule, but can still have consequences for people who do violate the rule. We first improve the definition of revocable privacy by considering different types of sensors for users’ actions and different types of consequences of violating the rules (for example blocking). Second, we explore some use cases that can benefit from a revocable privacy approach. For each of these, we derive the underlying abstract rule that users should follow. Finally, we describe existing techniques that can implement some of these abstract rules. These descriptions not only illustrate what can already be accomplished using revocable privacy, they also reveal directions for future research.

Publicly Verifiable Private Aggregation of Time-Series Data

Aggregation of time-series data offers the possibility to learn certain statistics over data periodically uploaded by different sources. In case of privacy sensitive data, it is desired to hide every data providers individual values from the other participants (including the data aggregator). Existing privacy preserving time-series data aggregation schemes focus on the sum as aggregation means, since it is the most essential statistics used in many applications such as smart metering, participatory sensing, or appointment scheduling. However, all existing schemes have an important drawback: they do not provide verifiable outputs, thus users have to trust the data aggregator that it does not output fake values. We propose a publicly verifiable data aggregation scheme for privacy preserving time-series data summation. We prove its security and verifiability under the XDH assumption and a widely used, strong variant of the Co-CDH assumption. Moreover, our scheme offers low computation complexity on the users side, which is essential in many applications.

DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting

We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a hosts network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines, an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as using known browser user agent values. We compare our solution with DUMONT [24], the current state-of-the-art IDS which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that DECANTeR outperforms DUMONT in terms of detection rate, false positive rate, and even evasion-resistance. Finally, DECANTeR detects 96.8% of information stealers in our dataset, which shows its potential to detect data exfiltration.

Vote to Link: Recovering from Misbehaving Anonymous Users

Service providers are often reluctant to support anonymous access, because this makes it hard to deal with misbehaving users. Anonymous blacklisting and reputation systems can help prevent misbehaving users from causing more damage. However, by the time the user is blocked or has lost reputation, most of the damage has already been done. To help the service provider to recover from abuse by malicious anonymous users, we propose the vote-to-link system. In the vote-to-link system, moderators (rather than a single trusted third party) can cast votes on a users action if they deem it to be bad. After enough moderators have voted on the action, the service provider can use these votes to link all the actions by the same user within a limited time frame and thus recover from these actions. All the users actions in other time frames, however, remain unlinkable. To protect the voting moderators from retaliation, we also propose a (less efficient) variant that allows moderators to vote anonymously. We implemented and evaluated both variants to show that they are practical. In particular, we believe this system is suitable to combat malicious Wikipedia editing.

Reliably determining data leakage in the presence of strong attackers

We address the problem of determining what data has been leaked from a system after its recovery from a successful attack. This is a forensic process which is relevant to give a better understanding of the impact of a data breach, but more importantly it is becoming mandatory according to the recent developments of data breach notification laws. Existing work in this domain has discussed methods to create digital evidence that could be used to determine data leakage, however most of them fail to secure the evidence against malicious adversaries or use strong assumptions such as trusted hardware. In some limited cases, data can be processed in the encrypted domain which, although being computationally expensive, can ensure that nothing leaks to an attacker, thereby making the leakage determination trivial. Otherwise, victims are left with the only option of considering all data to be leaked. In contrast, our work presents an approach capable of determining the data leakage using a distributed log that securely records all accesses to the data without relying on trusted hardware, and which is not all-or-nothing. We demonstrate our approach to guarantee secure and reliable evidence against even strongest adversaries capable of taking complete control over a machine. For the concrete application of client-server authentication, we show the preciseness of our approach, that it is feasible in practice, and that it can be integrated with existing services.