In order to support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individuals involved. Identity management systems manage the digital identity life cycle of individuals that includes issuance, usage and revocation of digital identifiers.

Identity management systems have improved the management of identity information and user convenience; however they do not provide specific solutions to address protection of identity from threats such as identity theft and privacy violation. One major shortcoming of current approaches is the lack of strong verification techniques for issuance and usage of digital identifiers. Moreover current identity management systems do not consider biometric and history-based identifiers. Such identifiers are increasingly becoming an integral part of an individuals’ identity. Such types of identity data also need to be used with other digital identifiers and protected against misuse.

In this thesis we introduce a number of techniques that address the above problems. Our approach is based on the concept of privacy preserving multi-factor identity verification. The technique consists of verifying multiple identifier claims of an individual, without revealing extraneous identity information. A distinguishing feature of our approach is that we employ identity protection and verification techniques at all stages of the identity life cycle. We also enhance our approach with the use of biometric and history-based identifiers.

In open distributed systems, the verification of properties of subjects is a crucial task for authorization. Very often access to resources is based on policies that express (possibly complex) requirements in terms of what are referred to variously as identity properties, attributes, or characteristics of the subject. Example characteristics include whether the subject is (operating on behalf of) a user of a certain age or having a certain credit rating, or is an organization having certain accreditation, to name just a few. In a distributed system having no central authority on subject characteristics, evaluation of such policy requirements is a challenging task. In this paper we provide an approach according to which an entity, referred to as verifier, can evaluate a query concerning properties related to the identity of a subject, which may be required for the purpose of authorizing some action. The present contribution concerns the reuse of query results. We consider issues related to temporal validity (i.e., expiration and revocation of identity properties) as well as issues related to confidentiality when one entity reuses query results computed by another entity. We employ constraint logic programming as the foundation of our policy rules and query evaluation. This provides a very general, flexible basis, and enable our work to be applied more or less directly to several existing policy frameworks. The process of evaluation of a query against a subject identity is traced through a structure, referred to as identity proof tree, that carries all information proving that a policy requirement is met.

In this paper, we present for the first time efficient explicit formulas for arithmetic in the degree 0 divisor class group of a real hyperelliptic curve. Hereby, we consider real hyperelliptic curves of genus 2 given in affine coordinates for which the underlying finite field has characteristic > 3. These formulas are much faster than the optimized generic algorithms for real hyperelliptic curves and the cryptographic protocols in the real setting perform almost as well as those in the imaginary case. We provide the idea for the improvements and the correctness together with a comprehensive analysis of the number of field operations. Finally, we perform a direct comparison of cryptographic protocols using explicit formulas for real hyperelliptic curves with the corresponding protocols presented in the imaginary model.

This paper investigates whether information security related disclosures in financial reports can mitigate the impact of information security incidents.  First, stock price reactions from a number of information security related incidents from 1997 to 2006 are regressed on the number of disclosures along with control variables.  Two different types of disclosures are considered: the disclosure of internal control and procedures and the disclosure of information security risk factors.  Our analysis does not show significant relationship between the disclosures of internal controls and cumulative abnormal return (CAR).  However, our findings demonstrate that new information security risk factor disclosure can mitigate the effect of information security incidents in terms of CAR.  If those factors have been disclosed previously, the effect becomes smaller.  Although the match between disclosures and the incident does not have any impacts on stock price reactions, our result shows that for the matched companies, other business risk factors can adversely increase CAR.  Second, a clustering analysis is performed on the contents of information security risk disclosures and the media announcements of the incidents by using text mining techniques.  The clustering results demonstrate that the titles and contents of the disclosures point out possible impacts and subjects that might be affected.  The results also show that breached companies gradually increase the number of disclosures than non-breached firms.  For media announcements, site attacks and virus attacks are the two most popular incidents in our sample from the clustering analysis.  This paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.  By properly reflecting information security risk factors causing directly by information security incidents and indirectly by other companies, investors might discount the impacts of such events through expectation formulation.

Recent work on graphical models for relational data has demonstrated significant improvements in classification and inference when models represent the dependen-  cies among instances. Despite its use in conventional statistical models, the as-  sumption of instance independence is contradicted by most relational datasets. For example, in citation data there are dependencies among the topics of a paper’s references, and in genomic data there are dependencies among the functions of interacting proteins. In this chapter we present relational dependency networks (RDNs), a graphical model that is capable of expressing and reasoning with such dependencies in a relational setting. We discuss RDNs in the context of relational Bayes networks and relational Markov networks and outline the relative strengths of RDNs—namely, the ability to represent cyclic dependencies, simple methods for parameter estimation, and efficient structure learning techniques. The strengths of RDNs are due to the use of pseudolikelihood learning techniques, which estimate an efficient approximation of the full joint distribution. We present learned RDNs for a number of real-world datasets and evaluate the models in a prediction context,  showing that RDNs identify and exploit cyclic relational dependencies to achieve significant performance gains over conventional conditional models.

We describe an application of relational knowledge discov-  ery to a key regulatory mission of the National Associa-  tion of Securities Dealers (NASD). NASD is the world’s largest private-sector securities regulator, with responsibil-  ity for preventing and discovering misconduct among secu-  rities brokers. Our goal was to help focus NASD’s limited regulatory resources on the brokers who are most likely to engage in securities violations. Using statistical relational learning algorithms, we developed models that rank brokers with respect to the probability that they would commit a serious violation of securities regulations in the near future.  Our models incorporate organizational relationships among brokers (e.g., past coworker), which domain experts consider important but have not been easily used before now. The learned models were sub jected to an extensive evaluation using more than 18 months of data unseen by the model developers and comprising over two person weeks of effort by NASD staff. Model predictions were found to correlate highly with the sub jective evaluations of experienced NASD examiners. Furthermore, in all performance measures, our models performed as well as or better than the handcrafted rules that are currently in use at NASD.

A common technique used by routing protocols for ad hoc wireless networks is to establish the routing paths on-demand, as opposed to continually maintaining a complete routing table. Since in an ad hoc network nodes not in direct range communicate via intermediate nodes, a significant concern is the ability to route in the presence of Byzantine failures which include nodes that drop, fabricate, modify,  or mis-route packets in an attempt to disrupt the routing service.  We propose the first on-demand routing protocol for ad hoc wireless networks that provides resilience to Byzantine failures caused by individual or colluding nodes. The protocol relies on an adaptive probing technique that detects a malicious link after log n faults have occurred, where n is the length of the path. Problematic links are avoided by using a weight-based mechanism that multiplicatively increases their weights and by using an on-demand route discovery protocol that finds a least weight path to the destination. Our protocol bounds the amount of damage that an attacker or a group of colluding attackers can cause to the network.

An alarming trend in malware attacks is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental lim-  itation of traditional host-based anti-malware systems is that they run inside the very hosts they are protecting (“in the box”), making them vulnerable to counter-detection and subversion by malware.  To address this limitation, recent solutions based on virtual ma-  chine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (“out of the box”). However,  they gain tamper resistance at the cost of losing the native, seman-  tic view of the host which is enjoyed by the “in the box” approach,  thus leading to a technical challenge known as the semantic gap.  In this paper, we present the design, implementation, and evalua-  tion of VMwatcher – an “out-of-the-box” approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to systematically reconstruct internal seman-  tic views (e.g., files, processes, and kernel modules) of a VM from the outside in a non-intrusive manner. Specifically, the new tech-  nique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. With the semantic gap bridged, we identify two unique malware detection capabilities: (1)  view comparison-based malware detection and its demonstration in rootkit detection and (2) “out-of-the-box” deployment of host-  based anti-malware software with improved detection accuracy and tamper-resistance. We have implemented a proof-of-concept pro-  totype on both Linux and Windows platforms and our experimen-  tal results with real-world malware, including elusiverootkits, demonstrate its practicality and effectiveness.

In this paper, we investigate the applicability of simulation and emulation for denial of service (DoS) attack experimentation. As a case study, we consider low-rate TCP-targeted DoS attacks. We design con-  structs and tools for emulation testbeds to achieve a level of control com-  parable to simulation tools. Through a careful sensitivity analysis, we ex-  pose difficulties in obtaining meaningful measurements from the DETER and Emulab testbeds with default system settings, and find dramatic differ-  ences between simulation and emulation results for DoS experiments. Our results also reveal that software routers such as Click provide a flexible ex-  perimental platform, but require understanding and manipulation of the underlying network device drivers. We compare simulation and testbed re-  sults to a simple analytical model for predicting the average size of the con-  gestion window of a TCP flow under a low-rate TCP-targeted attack, as a function of the DoS attack frequency. We find that the analytical model and ns-2 simulations closely match in typical scenarios. Our results also illus-  trate that TCP-targeted attacks can be effective even when the attack fre-  quency is not tuned to the retransmission timeout. The router type, router buffer size, attack pulse length, attack packet size, and attacker location have a significant impact on the effectiveness and stealthiness of the attack.

Separation of Duty (SoD) is widely considered to be a fundamental principle in computer security. A Static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensi-  tive task, the cooperation of at least a certain number of users is re-  quired. In Role-Based Access Control (RBAC), Statically Mutually Exclusive Role (SMER) constraints are used to enforce SSoD poli-  cies. In this paper, we pose and answer fundamental questions re-  lated to the use of SMER constraints to enforce SSoD policies. We show that directly enforcing SSoD policies is intractable (coNP-  complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient. Also, we show that verifying whether a given set of SMER constraints enforces an SSoD policy is intractable (coNP-complete) and discuss why this intractability result should not lead us to conclude that SMER constraints are not an appropriate mechanism for enforcing SSoD policies. We show also how to generate SMER constraints that are as accurate as pos-  sible for enforcing an SSoD policy.

When releasing microdata for research purposes, one needs to preserve the privacy of respondents while maximizing data utility. An approach that has been studied extensively in recent years is to use anonymization techniques such as gen-  eralization and suppression to ensure that the released data table satisfies the k-anonymity property. A major thread of research in this area aims at developing more flexible generalization schemes and more efficient searching algorithms to find better anonymizations (i.e., those that have less information loss).  This paper presents three new generalization schemes that are more flexible than existing schemes. This flexibility can lead to better anonymizations. We present a taxonomy of generalization schemes and discuss their relationship. We present enumeration algorithms and pruning techniques for finding optimal generalizations in the new schemes. Through exper-  iments on real census data, we show that more-flexible generalization schemes produce higher-quality anonymizations and the bottom-up works better for small k values and small number of quasi-identifier attributes than the top-down approach.

The k-anonymity privacy requirement for publishing mi-  crodata requires that each equivalence class (i.e., a set of records that are indistinguishable from each other with re-  spect to certain “identifying” attributes) contains at least k records. Recently, several authors have recognized that k-anonymity cannot prevent attribute disclosure. The no-  tion of

Existing mandatory access control systems for operat-  ing systems are difficult to use. We identify several prin-  ciples for designing usable access control systems and in-  troduce the Usable Mandatory Integrity Protection (UMIP)  model that adds usable mandatory access control to oper-  ating systems. The UMIP model is designed to preserve system integrity in the face of network-based attacks. The usability goals for UMIP are twofold. First, configuring a UMIP system should not be more difficult than installing and configuring an operating system. Second, existing ap-  plications and common usage practices can still be used under UMIP. UMIP has several novel features to achieve these goals. For example, it introduces several concepts for expressing partial trust in programs. Furthermore, it leverages information in the existing discretionary access control mechanism to derive file labels for mandatory in-  tegrity protection. We also discuss our implementation of the UMIP model for Linux using the Linux Security Mod-  ules framework, and show that it is simple to configure, has low overhead, and effectively defends against a number of network-based attacks.