In this paper we have addressed confidentiality and privacy for video surveillance databases. First we discussed our overall approach for suspicious event detection. Next we discussed an access control model and access control algorithms for confidentiality. Finally we discussed privacy-preserving video surveillance. Our goal is to build a comprehensive system that can detect suspicious events and ensure confidentiality as well as privacy.
Integrity has long been considered a fundamental requirement for secure computerized systems, and today's demand for data integrity is stronger than ever, as many organizations are increasing their reliance on data and information systems. A number of recently enacted data privacy regulations also require high integrity for personal data. In this paper, we discuss various issues concerning systematic control and management of data integrity, with a primary focus on access control. We first examine some previously proposed integrity models and define a set of integrity requirements. We then present an architecture for comprehensive integrity control systems, which is based on data validation and metadata management. We also provide an integrity control policy language that we believe is flexible and intuitive.
In this paper we discuss issues concerning the development of interactive virtual reality (VR) environments. We argue that integrating such environments with database technology has the potential, on the one hand, of providing much flexibility and, on the other hand, of resulting in enhanced interfaces for accessing contents from digital archives. The paper also describes a project dealing with the dissemination of cultural heritage contents. Within the project an integrated framework has been developed that enhances conventional VR environments with database interactions.
Privacy is considered critical for all organizations needing to manage individual-related information. As such, there is an increasing need for access control models which can adequately support the specification and enforcement of privacy policies. In this paper, we propose a model, referred to as Conditional Privacy-aware Role Based Access Control (P-RBAC), which supports expressive condition languages and flexible relations among permission assignments for more complex privacy policies. Efficient algorithms for detecting conflicts, redundancies, and indeterminism in a set of permission assignments are presented. In the paper we also extend Conditional P-RBAC to Universal P-RBAC by taking into account hierarchical relations among roles, data and purposes. In comparison with other approaches, such as P3P, EPAL, and XACML, our work achieves both expressiveness and efficiency.
Hierarchical access control (HAC) has been a fundamental problem in computer and network systems. Since Akl and Taylor proposed the first HAC scheme based on number theory in 1983, cryptographic key management techniques for HAC have appeared as a new and promising class of solutions to the HAC problem. Many cryptographic HAC schemes have been proposed in the past two decades. One feature common to these schemes is that they basically limit dynamic operations to the node level. In this paper, by introducing the innovative concept of an 'access polynomial' and representing a key value as the sum of two polynomials in a finite field, we propose a new key management scheme for dynamic access hierarchies. The newly proposed scheme supports full dynamics at both the node level and the user level in a uniform yet efficient manner. Furthermore, the new scheme allows the access hierarchy to be a random structure and can be flexibly adapted to many other access models such as 'transfer down' and 'depth-limited transfer'.
A zone-based anonymous positioning routing protocol for ad hoc networks, enabling anonymity of both source and destination, is proposed and analyzed. According to the proposed algorithm, a source sends data to an anonymity zone, where the destination node and a number of other nodes are located. The data is then flooded within the anonymity zone so that a tracer is not able to determine the actual destination node. Source anonymity is also enabled because the positioning routing algorithms require neither the source ID nor its position for correct routing. We develop anonymity protocols for both routeless and route-based data delivery algorithms. To evaluate anonymity, we propose a "measure of anonymity" and develop an analytical model to evaluate it. Using this model, we perform an extensive analysis of the anonymity protocols to determine the parameters that most affect the anonymity level.
We propose an approach based on description logics for the representation and retrieval of visual information. We first consider objects as having shapes which are described by means of semi-algebraic sets. We propose a model which consists of three layers: (1) the Shape Layer, which provides the geometric shapes of image objects; (2) the Object Layer, intended to contain objects of interest and their description; and (3) the Schema Layer, which contains the structured abstractions of objects, i.e., a general schema about the classes of objects represented in the Object Layer. We propose two abstract languages on the basis of description logics: one for describing knowledge of the object and schema layers, and the other, more expressive, for making queries. Queries can refer to the form dimension (i.e., information of the Shape Layer) or to the semantic dimension (i.e., information of the Object Layer). We show how this framework can be easily extended to accommodate a visual layer (e.g., color and texture).
The modern enterprise spans several functional units or administrative domains with diverse authorization requirements. Access control policies in an enterprise environment typically express these requirements as authorization constraints. While desirable for access control, constraints can lead to conflicts in the overall policy in a multidomain environment. The administration problem for enterprise-wide access control, therefore, includes not only authorization management for users and resources within a single domain but also conflict resolution among the heterogeneous access control policies of multiple domains, so as to allow secure interoperation within the enterprise. This work presents the design and implementation of X-GTRBAC Admin, an administration model that aims at enabling administration of role-based access control (RBAC) policies in the presence of constraints, with support for conflict resolution in a multidomain environment. A key feature of the model is that it allows decentralization of policy administration tasks through the abstraction of administrative domains, which not only simplifies authorization management but is also fundamental to the concept of decentralized conflict resolution presented here. The paper also illustrates the applicability of the outlined administrative concepts in a realistic enterprise environment using an implementation prototype that facilitates policy administration in large enterprises.
Constraints are a valuable tool for managing information. Feature constraints have been used for describing records in constraint programming (Aït-Kaci and Podelski, 1993; Smolka and Treinen, 1994) and record-like structures in computational linguistics (Kaplan and Bresnan, 1982; Shieber, 1986). In this paper, we consider how constraint-based technology can be used to query and reason about semistructured data. The constraint system FT≤ (Müller et al., 1997) provides information-ordering constraints interpreted over feature trees. Here, we show how a generalization of FT≤ combined with path constraints can be used to formally represent, state constraints on, and reason about semistructured data. The constraint languages we propose make it straightforward to capture, for example, what it means for a tree to be a subtree of or subsumed by another, or what it means for two paths to be divergent. We establish a logical semantics for our constraints by means of axiom schemes that present the first-order theory of our constraint system. We propose using these constraint systems for querying semistructured data.
Keywords: semistructured data; constraints; satisfiability; rule languages
The goal of service provider federations is to support a controlled method by which distributed organizations can provide services to qualified individuals and manage their identity attributes at an inter-organizational level. In order to make access control decisions, the history of activities should be accounted for; it is therefore necessary to record information on interactions among the federation entities. To achieve these goals we propose a comprehensive assertion language able to describe static and dynamic properties of the federation system. The assertions are a powerful means to describe the behavior of the entities interacting in the federation, and to define policies controlling access to services as well as privacy policies. We also propose a log-based approach for capturing the history of activities within the federation, implemented as a set of tables stored in databases at the various organizations in the federation. We illustrate how, by using different types of queries on such tables, security properties of the federation can be verified.
This paper proposes an infrastructure and related algorithms for the controlled and cooperative update of XML documents. Key components of the proposed system are a set of XML-based languages for specifying access-control policies and the path that the document must follow during its update. Such a path can be fully specified before the update process begins or can be dynamically modified by properly authorized subjects while the document is being transmitted. Our approach is fully distributed in that each party involved in the process can verify the correctness of the operations performed on the document up to that point without relying on a central authority. More importantly, the recovery procedure also does not need the participation of a central authority. Our approach is based on the use of special control information that is transmitted together with the document, and on a suite of protocols. We formally specify the structure of this control information and the protocols. We also analyze the security and complexity of the proposed protocols.
Digital Libraries (DLs) introduce several challenging requirements with respect to the formulation, specification, and enforcement of adequate data protection policies. Unlike conventional database environments, a DL environment is typically characterized by a dynamic user population, often making accesses from remote locations, and by an extraordinarily large amount of multimedia information, stored in a variety of formats. Moreover, in a DL environment, access policies are often specified based on user qualifications and characteristics rather than user identity (for example, a user can be given access to an R-rated video only if he/she is older than 18 years). Another crucial requirement is support for content-dependent authorizations on digital library objects (for example, all documents containing discussions on how to operate guns must be made available only to users who are 18 or older). Since traditional authorization models do not adequately meet the access control requirements typical of DLs, in this paper we propose a content-based authorization model suitable for a DL environment. Specifically, the most innovative features of our authorization model are: 1) flexible specification of authorizations (both positive and negative) based on the qualifications and characteristics of users, 2) both content-dependent and content-independent access control to digital library objects, and 3) varying granularity of authorization objects, ranging from sets of library objects to specific portions of objects.
Suppose that Alice, owner of a k-anonymous database, needs to determine whether her database, when adjoined with a tuple owned by Bob, is still k-anonymous. Suppose moreover that access to the database is strictly controlled, because for example data are used for experiments that need to be maintained confidential. Clearly, allowing Alice to directly read the contents of the tuple breaks the privacy of Bob; on the other hand, the confidentiality of the database managed by Alice is violated once Bob has access to the contents of the database. Thus the problem is to check whether the database adjoined with the tuple is still k-anonymous, without letting Alice and Bob know the contents of, respectively, the tuple and the database. In this paper, we propose two protocols solving this problem.
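The abstract above states the k-anonymity check that its two protocols perform without disclosing either party's data. The following added example (not from the paper, and not one of its privacy-preserving protocols) spells out the plain, non-private version of that check so the property being protected is concrete: a table is k-anonymous over a chosen set of quasi-identifier attributes when every combination of those attributes (every equivalence class) occurs in at least k rows, and adjoining Bob's tuple can only break the property by creating a class smaller than k. The quasi-identifier names, the sample rows and the value k = 2 are constructed for illustration.

```python
from collections import Counter

# Assumed quasi-identifier attributes for this constructed example; the
# remaining column ('diagnosis') is treated as the sensitive attribute.
QUASI_IDENTIFIERS = ("age_range", "zip_prefix")

# Constructed sample of Alice's already-generalised database (2-anonymous).
ALICE_DB = [
    {"age_range": "20-29", "zip_prefix": "471", "diagnosis": "flu"},
    {"age_range": "20-29", "zip_prefix": "471", "diagnosis": "cold"},
    {"age_range": "30-39", "zip_prefix": "479", "diagnosis": "asthma"},
    {"age_range": "30-39", "zip_prefix": "479", "diagnosis": "flu"},
    {"age_range": "30-39", "zip_prefix": "479", "diagnosis": "cold"},
]


def equivalence_class(row, qi=QUASI_IDENTIFIERS):
    """Project a row onto its quasi-identifier values."""
    return tuple(row[attr] for attr in qi)


def class_sizes(rows, qi=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(equivalence_class(r, qi) for r in rows)


def violating_classes(rows, k, qi=QUASI_IDENTIFIERS):
    """Return the equivalence classes that have fewer than k rows."""
    return {cls: n for cls, n in class_sizes(rows, qi).items() if n < k}


def is_k_anonymous(rows, k, qi=QUASI_IDENTIFIERS):
    """Full check: every equivalence class must contain at least k rows."""
    return not violating_classes(rows, k, qi)


def still_k_anonymous_after_insert(rows, new_row, k, qi=QUASI_IDENTIFIERS):
    """Incremental check for the abstract's question, assuming `rows` is
    already k-anonymous. Existing classes only grow, so the adjoined table
    stays k-anonymous exactly when the new row's class reaches size k.
    In the non-private setting this needs only the count for Bob's class;
    the paper's protocols obtain the same answer without revealing the
    tuple to Alice or the table to Bob."""
    return class_sizes(rows, qi)[equivalence_class(new_row, qi)] + 1 >= k


if __name__ == "__main__":
    # Constructed candidate tuples from Bob: one joins an existing class,
    # the other would form a singleton class and break 2-anonymity.
    bob_matches = {"age_range": "20-29", "zip_prefix": "471", "diagnosis": "hiv"}
    bob_new = {"age_range": "40-49", "zip_prefix": "460", "diagnosis": "flu"}
    for t in (bob_matches, bob_new):
        print(equivalence_class(t), still_k_anonymous_after_insert(ALICE_DB, t, 2))
```

The incremental function is the one the abstract's problem statement needs; the full check is kept alongside it so the two can be cross-validated on the adjoined table, and because the incremental shortcut is only sound when the starting table is already k-anonymous.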