Trust negotiation is a promising approach for establishing trust in open systems, in which sensitive interactions may often occur between entities with no prior knowledge of each other. Although several trust negotiation systems have been proposed to date, none of them fully addresses the problem of privacy preservation. Today, privacy is one of the major concerns of users when exchanging information through the Web and thus we believe that trust negotiation systems must effectively address privacy issues in order to be widely applicable. For these reasons, in this paper, we investigate privacy in the context of trust negotiations. We propose a set of privacy-preserving features for inclusion in any trust negotiation system, such as the support for the P3P standard, as well as a number of innovative features, such as a novel format for encoding digital credentials specifically designed for preserving privacy. Further, we present a variety of interoperable strategies to carry on the negotiation with the aim of improving both privacy and efficiency.
Static analysis of declarative languages deals with the detection, at compile time, of program properties that can be used to better understand the program semantics and to improve the efficiency of program evaluation. In logical update languages, an interesting problem is the detection of conflicting updates, inserting and deleting the same fact, for transactions based on set-oriented updates and active rules. In this paper, we investigate this topic in the context of the U-Datalog language, a set-oriented update language for deductive databases [12], based on a deferred semantics. We first formally define relevant properties of U-Datalog programs, mainly related to update conflicts. Then, we prove that the defined properties are decidable and we propose an algorithm to detect such conditions. Finally, we show how the proposed techniques can be applied to other logical update languages. Our results are based on the concept of labeling and query-tree, first used in [30], [31], [32].
Knowledge management enhances the value of a corporation by identifying the assets and expertise as well as efficiently managing the resources. Security for knowledge management is critical as organizations have to protect their intellectual assets. Therefore, only authorized individuals must be permitted to execute various operations and functions in an organization. In this paper, secure knowledge management will be discussed, focusing on confidentiality, trust, and privacy. In particular, certain access-control techniques will be investigated, and trust management as well as privacy control for knowledge management will be explored.
The paper proposes an approach to content dissemination that exploits the structural properties of an Extensible Markup Language (XML) document object model in order to provide efficient dissemination while at the same time assuring content integrity and confidentiality. Our approach is based on the notion of encrypted postorder numbers that support the integrity and confidentiality requirements of XML content as well as facilitate efficient identification, extraction, and distribution of selected content portions. By using this notion, we develop a structure-based routing scheme that prevents information leaks in the XML data dissemination, and assures that content is delivered to users according to the access control policies, that is, policies specifying which users can receive which portions of the contents. Our proposed dissemination approach further enhances such structure-based, policy-based routing by combining it with multicast in order to achieve high efficiency in terms of bandwidth usage and speed of data delivery, thereby enhancing scalability. Our dissemination approach thus represents an efficient and secure mechanism for use in applications such as publish-subscribe systems for XML documents. The publish-subscribe model restricts the consumer and document source information to the routers with which they register. Our framework facilitates dissemination of contents with varying degrees of confidentiality and integrity requirements in a mix of trusted and untrusted networks, which is prevalent in current settings across enterprise networks and the web. Also, it does not require the routers to be aware of any security policy in the sense that the routers do not need to implement any policy related to access control.
We present Trust-X, a comprehensive XML-based framework for trust negotiations, specifically conceived for a peer-to-peer environment. Trust negotiation is a promising approach for establishing trust in open systems like the Internet, where sensitive interactions may often occur between entities at first contact, with no prior knowledge of each other. The framework we propose takes into account all aspects related to negotiations, from the specification of the profiles and policies of the involved parties to the selection of the best strategy to succeed in the negotiation. Trust-X presents a number of innovative features, such as the support for protection of sensitive policies, the use of trust tickets to speed up the negotiation, and the support of different strategies to carry on a negotiation. In this paper, besides presenting the language to encode security information, we present the system architecture and algorithms according to which negotiations take place.
This paper introduces an interactive video system and its architecture where several systems cooperate to manage the services of interactive video. Each system is specialized according to the data it handles and the functionality it performs. A system can be a database (for billing purposes) or just a video store system (to store the video data) lacking the typical features of a database or an information retrieval system to support indexing and querying of video data. Because quality of service is an important requirement for the whole management system, a specific system is introduced in the architecture. This system monitors the bandwidth of the network, the buffer size and the frame size and rate. The resulting architecture of the interactive video system consists of several systems cooperating through an active-rules-based workflow system to integrate their functionalities while preserving autonomy, extensibility and data integrity where necessary.
The launch of e-passports raises concerns about how travellers can replace them if they’re lost or stolen.
A growing number of domains are adopting semantic models as a centralized gateway to heterogeneous data sources, or directly for modeling and managing relevant information. In such contexts, it is crucial to grant access to the semantic model and its data only to the authorized users. In this paper, we present a fine-grained access control model specifically tailored to semantic models. One of the relevant features of the model is the granularity of the resources that can be protected. Access control can be enforced at the level of both the model’s concepts and the concepts’ instances by means of a query rewriting strategy. The proposed model has been implemented adopting the XACML standard and the SeRQL query language; services exposed by the implementation can be used to transparently integrate authorization into existing systems.
Countering threats to an organization’s internal databases from database applications is an important area of research. In this paper, we propose a novel framework based on anomaly detection techniques, to detect malicious behaviour of database application programs. Specifically, we create a fingerprint of an application program based on SQL queries submitted by it to a database. We then use association rule mining techniques on this fingerprint to extract useful rules. These rules succinctly represent the normal behaviour of the database application. We then apply an anomaly detection algorithm to detect queries that do not conform to these rules. We further demonstrate how this model can be used to detect SQL Injection attacks on databases. We show the validity and usefulness of our approach on synthetically generated datasets and SQL Injected queries. Experimental results show that our techniques are effective in addressing various types of SQL Injection threat scenarios.
This paper deals with the development of interactive Virtual Reality (VR) environments. We argue that the integration of such environments with Database (DB) technology has the potential of providing on one side much flexibility and, on the other hand, of resulting in enhanced interfaces for accessing contents from digital archives. The paper discusses the main issues related to such integration. It also describes two projects related to the use of advanced tools for the dissemination of Cultural Heritage (CH) content. Within these projects an integrated framework has been developed that enhances conventional VR environments with DB interactions.
XACML is being increasingly adopted in large enterprise systems for specifying access control policies. However, the efficient analysis and integration of multiple policies in such large distributed systems still remains a difficult task. In this paper, we propose an annotation technique which is a simple extension to XACML, and may greatly benefit the policy analysis process. We also discuss an important consistency problem during XACML policy translation and point out a few possible research directions.
Various mechanisms for authentication and access control have been developed over time. Operating systems and DBMS implement such mechanisms and support quite rich access control models. A major limitation, however, of such mechanisms is that they are not extensible; thus whenever an application domain requires more sophisticated access controls or authentication, the applications must include logics for such controls. Such an approach leads to increased costs in application development and maintenance. For these reasons, models and mechanisms apt to separate those functions have emerged, also fostered by XML and Web services. At the same time, the need to drive the behaviour of security through clearly stated and machine-processable policies has fostered the development of various policy models and policy management mechanisms. A policy-based approach enhances flexibility, and reduces the application development costs. Changes to the access control or authentication requirements simply entail modifying the policies, without requiring changes to the applications. It is thus clear that an important approach to the problem of security is represented by the development of policy-based security services providing all functions for security management relevant to applications. Such an approach is particularly promising for applications organized according to the Service Oriented (SOA) paradigm. In this paper we discuss basic concepts of such an approach to security and we present a reference architectural framework. We discuss three relevant classes of security services, namely digital identity management services, authentication services, access control services, and outline research directions for each such class.
Content services, such as content filtering and transcoding, adapt contents to meet system requirements, display capacities, or user preferences. Data security in such a framework is an important problem, and crucial for many web applications. In this paper, we propose an approach that addresses data integrity and confidentiality in content adaptation and caching by intermediaries. Our approach permits multiple intermediaries to simultaneously perform content services on different portions of the data. Our protocol supports decentralized proxy and key management and flexible delegation of services. Our experimental results show that our approach is efficient and minimizes the amount of data transmitted across the network.