Advances in information technology, and its use in research, are increasing both the need for anonymized data and the risks of poor anonymization. In this thesis, we point out some questions raised by current anonymization techniques, such as a) support for additional adversary models and the difficulty of measuring the privacy provided, b) flexibility of algorithms-generalizations with respect to a utility cost metric, and c) working with complex data. To address these issues, a) we propose a human-understandable privacy notion, δ-presence; b) we increase flexibility by introducing a new family of algorithms, clustering-based anonymity algorithms, and two new types of generalizations, natural domain generalizations and generalizations with probability distributions. We also point out weaknesses such as metric-utility anomalies; c) we extend the definitions of current anonymization techniques to multirelational and spatio-temporal settings by presenting multirelational k-anonymity and trajectory anonymity.
Data sharing with multiple parties over a third-party distribution framework requires that both data integrity and confidentiality be assured. One of the most widely used data organization structures is the tree structure. When such structures encode sensitive information (such as in XML documents), it is crucial that integrity and confidentiality be assured not only for the content, but also for the structure. Digital signature schemes are commonly used to authenticate the integrity of the data. The most widely used such technique for tree structures is the Merkle hash technique, which however is known to be "not hiding", thus leading to leakage of information. Most existing techniques for the integrity of hierarchical data structures are based on the Merkle hash technique and thus suffer from the problem of information leakage. We describe the types of leakages and inference attacks that can be carried out on the Merkle hash technique, in the context of integrity assurance. Assurance of integrity and confidentiality (no leakages) of tree-structured data is an important problem in the context of secure data publishing and content distribution systems.
In this paper, we propose an integrity assurance scheme for tree data structures, which assures both confidentiality and integrity and is also efficient, especially in third-party distribution environments. Our integrity assurance technique, which we refer to as the "structural integrity assurance scheme", is based on the structure of the tree as defined by tree traversals (pre-order, post-order, in-order) and is defined using a randomized notion of such traversal numbers. Techniques for computing randomized traversal numbers are also described in the paper. In addition to formally defining the technique, we prove that it protects against violations of content and structural integrity and against information leakages. We also show through complexity and performance analysis that the structural integrity assurance scheme is efficient; with respect to the Merkle hash technique, it incurs comparable cost for signing trees and lower cost for user-side integrity verification. Further, we extend the proposed technique in order to assure integrity of weighted trees and dynamic updates. We also show how the proposed structural integrity assurance technique can be applied in order to precisely detect integrity violations as well as to efficiently recover data. Such techniques have applications in digital forensics and efficient data transmission.
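The "not hiding" property of the plain Merkle hash technique, illustrated with an added example that is not from the paper: a receiver authorized for one leaf must be given the sibling leaf's hash to recompute the signed root, and when the sibling's content comes from a small domain, that hash alone confirms a guess. The tree, field values and candidate domain are constructed here, and the mitigation shown (a per-node random salt, i.e. a hash commitment) is a generic fix, not the paper's randomized traversal-number scheme.

```python
import hashlib
import secrets
from typing import List, Optional

def node_hash(content: bytes, child_hashes: List[bytes]) -> bytes:
    """Plain Merkle hash of a tree node: H(content || hash of each child).
    Deterministic in the content, which is exactly why it is not hiding."""
    m = hashlib.sha256()
    m.update(len(content).to_bytes(4, "big") + content)  # length-prefixed content
    for ch in child_hashes:
        m.update(ch)
    return m.digest()

def salted_node_hash(salt: bytes, content: bytes, child_hashes: List[bytes]) -> bytes:
    """Hiding variant (added here, not the paper's scheme): a fresh random salt is
    hashed in with the content, so the hash cannot be checked without the salt."""
    return node_hash(salt + content, child_hashes)

def guess_sibling(sibling_hash: bytes, candidates: List[str]) -> Optional[str]:
    """What a receiver holding a sibling's plain Merkle hash can learn when the
    sibling's content comes from a small domain: test each candidate value."""
    for c in candidates:
        if node_hash(c.encode(), []) == sibling_hash:
            return c
    return None

# Constructed sample tree: a record node with two leaf children.
RECORD = b"record-42"
STATUS = b"denied"          # leaf the receiver is NOT authorized to see
NOTE = b"follow-up call"    # leaf the receiver IS authorized to see
CANDIDATES = ["approved", "denied", "pending"]  # small domain of status values

def plain_leakage_demo() -> Optional[str]:
    # Owner signs the root hash; receiver gets NOTE plus the status leaf's hash
    # so it can recompute the root and verify the signature on it.
    status_hash = node_hash(STATUS, [])
    note_hash = node_hash(NOTE, [])
    root = node_hash(RECORD, [status_hash, note_hash])
    # Integrity verification succeeds for the receiver ...
    assert node_hash(RECORD, [status_hash, node_hash(NOTE, [])]) == root
    # ... but the sibling hash also confirms the hidden status value.
    return guess_sibling(status_hash, CANDIDATES)  # -> "denied"

def salted_leakage_demo() -> Optional[str]:
    salt = secrets.token_bytes(16)  # held by the owner, released only with the content
    status_hash = salted_node_hash(salt, STATUS, [])
    return guess_sibling(status_hash, CANDIDATES)  # -> None: guessing no longer works
```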
We present algorithms to reliably generate biometric identifiers from a user’s biometric image which in turn is used for identity verification possibly in conjunction with cryptographic keys. The biometric identifier generation algorithms employ image hashing functions using singular value decomposition and support vector classification techniques. Our algorithms capture generic biometric features that ensure unique and repeatable biometric identifiers. We provide an empirical evaluation of our techniques using 2569 images of 488 different individuals for three types of biometric images; namely fingerprint, iris and face. Based on the biometric type and the classification models, as a result of the empirical evaluation we can generate biometric identifiers ranging from 64 bits up to 214 bits. We provide an example use of the biometric identifiers in privacy preserving multi-factor identity verification based on zero knowledge proofs. Therefore several identity verification factors, including various traditional identity attributes, can be used in conjunction with one or more biometrics of the individual to provide strong identity verification. We also ensure security and privacy of the biometric data. More specifically, we analyze several attack scenarios. We assure privacy of the biometric using the one-way hashing property, in that no information about the original biometric image is revealed from the biometric identifier.
Users increasingly use their mobile devices for electronic transactions and to store related information, such as digital receipts. However, such information can be the target of several attacks. There are some security issues related to M-commerce: the loss or theft of mobile devices results in an exposure of transaction information; transaction receipts that are sent over Wi-Fi or 3G networks can be easily intercepted; transaction receipts can also be captured via Bluetooth connections without the user's consent; and mobile viruses, worms and Trojan horses can access the transaction information stored on mobile devices if this information is not protected by passwords or PINs. Therefore, assuring the privacy and security of transaction information, as well as of any sensitive information stored on mobile devices, is crucial. In this paper, we propose a privacy-preserving approach to manage electronic transaction receipts on mobile devices. The approach is based on the notion of transaction receipts issued by service providers upon a successful transaction and combines Pedersen commitment and Zero Knowledge Proof of Knowledge (ZKPK) techniques and Oblivious Commitment-Based Envelope (OCBE) protocols. We have developed a version of such a protocol for Near Field Communication (NFC) enabled cellular phones.
Kernel rootkits, malicious software designed to compromise a running operating system kernel, are difficult to profile due to the variety and complexity of their attacks as well as the privilege level at which they run. However, an accurate profile of a kernel rootkit can be greatly helpful in developing cost-effective rootkit defense solutions. In this paper we present PoKeR, a kernel rootkit profiler capable of producing multi-aspect rootkit profiles which include the extraction of kernel rootkit code, the revelation of rootkit hooking behavior, the determination of targeted kernel objects (both static and dynamic), as well as the assessment of user-level impacts. The evaluation results with a number of real-world rootkits show that PoKeR is able to accurately profile a variety of rootkits ranging from traditional ones with system call hooking to more advanced ones with direct kernel object manipulation. The obtained profiles lead to unique insights into the rootkits’ characteristics.
The increased use of fingerprint recognition systems has brought the issue of fingerprint sensor interoperability to the forefront. Fingerprint sensor interoperability refers to the process of matching fingerprints collected from different sensors. Variability in the fingerprint image is introduced due to the differences in acquisition technology and interaction with the sensor. The effect of sensor interoperability on the performance of minutiae-based matchers is examined in this dissertation. Fingerprints from 190 participants were collected on nine different fingerprint sensors, which included optical, capacitive, and thermal acquisition technologies and touch and swipe interaction types. The NBIS and VeriFinger 5.0 feature extractors and matchers were used. Along with fingerprints, characteristics like moisture content, oiliness, elasticity and temperature of the skin were also measured. A statistical analysis framework for testing interoperability was formulated for this dissertation, which included parametric and non-parametric tests. The statistical analysis framework tested similarity of minutiae count, image quality and similarity of performance between native and interoperable datasets. False non-match rate (FNMR) was used as the performance metric in this dissertation. Interoperability performance analysis was conducted on each sensor dataset and also by grouping datasets based on the acquisition technology and interaction type of the acquisition sensor. Similarity of minutiae count and image quality scores between two datasets was not an indicator of similarity of FNMR for their interoperable datasets. An interoperable FNMR of 1.47% at a fixed FMR of 0.1% was observed for the optical touch and capacitive touch groupings. The impact of removing low-quality fingerprint images on the interoperable FNMR was also examined.
Although the absolute value of FNMR reduced for all the datasets, fewer interoperable datasets were found to be statistically similar to the native datasets. An image transformation method was also proposed to compensate for the differences in the fingerprint images between two datasets, and experiments conducted using this method showed significant reduction in interoperable FNMR using the transformed dataset.
This paper reports the correlations between skin characteristics, such as moisture, oiliness, elasticity, and temperature of the skin, and fingerprint image quality across three sensing technologies. Fingerprint images from the index finger of the dominant hand of 190 individuals were collected on nine different fingerprint sensors. The sensors included four capacitance sensors, four optical sensors and one thermal fingerprint sensor. Skin characteristics, including temperature, moisture, oiliness and elasticity, were measured prior to the initial interaction with each of the individual sensors. The analysis of the full dataset indicated that the sensing technology and interaction type (swipe or touch) were moderately and weakly correlated, respectively, with image quality scores. Correlation analysis between image quality scores and the skin characteristics was also performed on subsets of the data, divided by sensing technology. The results did not identify any significant correlations. This indicates that further work is necessary to determine the type of relationship between the variables, and how they impact image quality and matching performance.
Suppose Alice owns a k-anonymous database and needs to determine whether her database, when a tuple owned by Bob is inserted into it, is still k-anonymous. Also, suppose that access to the database is strictly controlled, because for example the data are used for certain experiments that need to be kept confidential. Clearly, allowing Alice to directly read the contents of the tuple breaks the privacy of Bob (e.g., a patient's medical record); on the other hand, the confidentiality of the database managed by Alice is violated once Bob has access to the contents of the database. Thus, the problem is to check whether the database with the tuple inserted is still k-anonymous, without letting Alice and Bob know the contents of the tuple and the database, respectively. In this paper, we propose two protocols solving this problem on suppression-based and generalization-based k-anonymous and confidential databases. The protocols rely on well-known cryptographic assumptions, and we provide theoretical analyses to prove their soundness and experimental results to illustrate their efficiency.
In electronic subscription and pay TV systems, data can be organized and encrypted using symmetric key algorithms according to predefined time periods and user privileges, then broadcast to users. This requires an efficient way to manage the encryption keys. In this scenario, time-bound key management schemes for a hierarchy were proposed by Tzeng and Chien in 2002 and 2005, respectively. Both schemes are insecure against collusion attacks. In this paper, we propose a new key assignment scheme for access control which is both efficient and secure. Elliptic curve cryptography is deployed in this scheme. We also provide analysis of the scheme with respect to security and efficiency issues.
This research report provides a historical perspective on key developments in cyber critical infrastructure protection efforts to secure the bulk-power grid system. It is important to understand the past so that future efforts can benefit from the knowledge gained from past experiences. The research examines 21 key developments that occurred from 1997 to 2008. The developments are sorted into three groups: DHS (representing the public sector), NERC (representing the private sector), and FERC (regulatory function). The developments within each group are then analyzed to identify which prior developments contributed to later developments. The main underlying theme in each group is also examined to identify potential issues that hinder cyber critical infrastructure protection efforts. The results of this research show that some progress has been made by the combined efforts of NERC and FERC. The DHS has produced plans but has been unable to effectively implement those plans. The three main issues that were identified are the impact of economics, major power outages, and the ineffective partnership efforts between the DHS and the private entities within the electricity sector. These issues will need to be solved in the future so that cyber critical infrastructure protection for the bulk-power grid system can proceed.