
Publication


Featured research published by Rafael Accorsi.


Communications of The ACM | 2006

Personalization in privacy-aware highly dynamic systems

Stefan Sackmann; Jens Strüker; Rafael Accorsi

Enabling novel ways to personalize the relationship with customers without sacrificing their privacy.


Archive | 2013

Security and Trust Management

Rafael Accorsi; Silvio Ranise

Since location information is considered personal information, location privacy has emerged as one of the most important security concerns. In this paper, we enhance the ‘Share The Secret’ (STS) scheme, a privacy mechanism that segments location information into pieces (shares), distributes the shares to multiple untrustworthy location servers, and reconstructs the original location on authorized entities. We introduce certain policies based on the theory of optimal stopping in order to achieve time-optimized decisions for different levels of privacy. Moreover, we evaluate the performance of STS in terms of communication and computation load, and energy consumption. Experimental results quantify the benefits stemming from STS adoption.


ACM Symposium on Applied Computing | 2012

On the exploitation of process mining for security audits: the conformance checking case

Rafael Accorsi; Thomas Stocker

Process mining stands for a set of techniques to analyze business process models and logs. However, the extent to which it can be used for security auditing has not been investigated. Focusing on conformance checking and its support in ProM, this paper reports on a case-study in the financial sector applying this technology for the auditing of relevant security requirements. Although the vast majority of requirements could be verified, we notice a large manual effort to carry out the analysis. Moreover, we identify a class of security requirements that demands process discovery for analysis, and elaborate on ways in which process mining could be extended to better suit security analyses.


Web Intelligence | 2011

Automated Certification for Compliant Cloud-based Business Processes

Rafael Accorsi; Lutz Lowis; Yoshinori Sato

A key problem in the deployment of large-scale, reliable cloud computing concerns the difficulty to certify the compliance of business processes operating in the cloud. Standard audit procedures such as SAS-70 and SAS-117 are hard to conduct for cloud-based processes. The paper proposes a novel approach to certify the compliance of business processes with regulatory requirements. The approach translates process models into their corresponding Petri net representations and checks them against requirements also expressed in this formalism. Being based on Petri nets, the approach provides well-founded evidence on adherence and, in case of noncompliance, indicates the possible vulnerabilities.


IEEE Transactions on Services Computing | 2011

Vulnerability Analysis in SOA-Based Business Processes

Lutz Lowis; Rafael Accorsi

Business processes and services can more flexibly be combined when based upon standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types, yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is the, to the best of our knowledge, most comprehensive compilation of vulnerability information sources to date. We present the method to search for vulnerability types in SOA-based business processes and services. Also, we show how patterns can be derived from these types, so that tools can be employed. An additional contribution is a case study, in which we apply the new method to an SOA-based business process scenario.


Information Security Conference | 2006

On the Relationship of Privacy and Secure Remote Logging in Dynamic Systems

Rafael Accorsi

We investigate a mechanism for secure remote logging to improve privacy guarantees in dynamic systems. Using an extended threat model for privacy, we first describe outer and inner privacy: outer privacy denotes the traditional attacker model for privacy where identity management systems control the collection of personal, observable information; inner privacy denotes the threat posed by an attacker who attempts to get hold of private log data by tampering with a device. While privacy-enhancing technologies should take outer and inner privacy into account, there is, to our knowledge, no approach for inner privacy, in particular for dynamic systems. To this end, we develop protocols to address inner privacy based on secure logging. Our approach accounts for the capacity limitations of resource-poor devices in dynamic systems, as it allows for the remote storage of log data, while fulfilling its security guarantees. Furthermore, our approach can be smoothly integrated into identity management systems to combine outer and inner privacy.


IDMAN | 2008

Automated Privacy Audits to Complement the Notion of Control for Identity Management

Rafael Accorsi

Identity management systems are indispensable in modern networked computing, as they equip data providers with key techniques to avoid the imminent privacy threats intrinsic to such environments. Their rationale is to convey data providers with a sense of control over the disclosure and usage of personal data to varying degree, so that they can take an active role in protecting their privacy. However, we purport the thesis that a holistic sense of control includes not only the regulation of disclosure, as identity management techniques currently do, but must equivalently comprise the supervision of compliance, i.e. credible evidence that data consumers behave according to the policies previously agreed upon. Despite its relevance, supervision has so far not been possible. We introduce the concept of privacy evidence and present the necessary technical building blocks to realise it in dynamic systems.


2009 Fifth International Conference on IT Security Incident Management and IT Forensics | 2009

Safe-Keeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges

Rafael Accorsi

While log data are being increasingly used as digital evidence in court, the extent to which existing secure logging protocols used to collect log data fulfill the legal requirements for admissible evidence remains largely unclear. This paper elucidates a subset of the necessary secure requirements for digital evidence and extensively surveys the state of the art secure logging protocols, thereby demonstrating that none of the current protocols completely fulfills the elucidated requirements for admissible evidence. In analyzing the shortcomings of logging protocols, the paper also elaborates on the related research challenges.


Business Process Management | 2012

Automatic information flow analysis of business process models

Rafael Accorsi; Andreas Lehmann

We present an automated and efficient approach for the verification of information flow control for business process models. Building on the concept of Place-based Non-Interference, the novelty is that Petri net reachability is employed to detect places in which information leaks occur. We show that the approach is sound and complete, and present its implementation, the Anica tool. Anica employs state of the art model-checking algorithms to test reachability. An extensive evaluation comprising over 550 industrial process models is carried out and shows that information flow analysis of process models can be done in milliseconds.


ACM Symposium on Applied Computing | 2011

Strong non-leak guarantees for workflow models

Rafael Accorsi; Claus Wonnemann

Despite the correct deployment of access control mechanisms, information leaks can persist and undermine the compliance of workflows to regulations and policies. This paper proposes InDico, a framework for the automated detection of information leaks in workflow models based on static information flow analysis. InDico identifies leaks induced by the structure of the workflow, i.e. its control flow. To this end, it translates workflow models, e.g. in BPEL or BPMN, into Petri nets and conducts the static information flow analysis. Examples demonstrate the applicability and the kinds of information leaks InDico currently detects.

Collaboration


Dive into Rafael Accorsi's collaboration.

Top Co-Authors


Lutz Lowis

University of Freiburg
