Since my employment at USC, I’ve led the effort of developing the IA curriculum and mapping our courses to the NSTISSI 4011, 4013, and 4014 standards. I have developed and taught 4 different graduate level IA courses and numerous directed reading courses. I’ve graduated 2 Ph.D. and 6 M.S. students. Currently I advise 5, and co-advise 2 Ph.D. students. Some of my research is in collaboration with other faculty members and graduate students. Following is a brief overview of my main research areas and links to the Web sites containing detailed information.
My main research interests are information assurance and privacy. More
specifically, I'm interested in the following areas: (1) the inference problem
in database management systems, (2) authorization model for Semantic Web data,
(3) privacy protection in self-organizing electronic communities, (4) legal and financial analysis of cyber incidents, and
(5) information confidentiality in emerging Web applications.
Database Inference Problem (http://www.cse.sc.edu/research/isl/dbInferPbm.shtml)
One of the main research areas in database
security research is the development of authorization models to protect data
confidentiality, integrity, and availability. While these models do protect
sensitive data from direct data accesses, indirect secrecy violations via
inference channels may still occur. The detection and removal of unauthorized
inference channels are necessary to provide secure database systems.
In my Ph.D. dissertation,
under the advisement of Drs. A. Brodsky and S. Jajodia, I developed an
integrated security architecture that guarantees data confidentiality by
extending a standard access control model with a Disclosure Inference Engine
(DIE). After each query request, DIE
generates all the information that can be disclosed by the query requestor,
using the requestor’s past and current queries (results) and the database
constraints. I introduced fundamental
notions of data-dependent and data-independent disclosures, and showed that the
problem of data-dependent data disclosure is decidable. Our results in relational databases
were extended to the inference problem in semi-structured
databases and inferences via linear constraints in numeric databases.
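The following is an added illustration, not code from this page or from the DIE architecture. It is a simplified Python sketch of history-based inference control in which an answer is released only if the requestor's past answers, the new answer, and the database constraints together derive no sensitive fact. The relation names, the rank-to-salary constraint, and all data are constructed assumptions.

```python
# Added illustration (constructed data, hypothetical names); not the DIE itself.
# Facts are ground tuples: ("rank", name, rank) or ("rank_salary", rank, salary).

def fd_rank_salary(facts):
    """Assumed database constraint: rank functionally determines salary."""
    ranks = [(f[1], f[2]) for f in facts if f[0] == "rank"]
    pay = {f[1]: f[2] for f in facts if f[0] == "rank_salary"}
    return {("salary", name, pay[rank]) for name, rank in ranks if rank in pay}

def closure(facts, constraints):
    """Apply every constraint until no new fact can be derived (fixpoint)."""
    known = set(facts)
    while True:
        new = set().union(*(c(known) for c in constraints)) - known
        if not new:
            return known
        known |= new

class InferenceGuard:
    """Releases an answer only if history + answer + constraints leak nothing."""
    def __init__(self, constraints, is_sensitive):
        self.constraints = constraints
        self.is_sensitive = is_sensitive
        self.history = {}  # one history per user, monitored independently

    def request(self, user, answer):
        past = self.history.setdefault(user, set())
        disclosed = closure(past | answer, self.constraints)
        leaked = {f for f in disclosed if self.is_sensitive(f)}
        if leaked:
            return False, leaked      # deny; history is left unchanged
        past |= answer
        return True, set()

# Constructed query answers
Q_RANKS = {("rank", "alice", "manager"), ("rank", "bob", "clerk")}
Q_CLERK_PAY = {("rank_salary", "clerk", 30000)}
Q_DIRECTOR_PAY = {("rank_salary", "director", 90000)}

def demo():
    guard = InferenceGuard([fd_rank_salary], lambda f: f[0] == "salary")
    return [
        guard.request("u1", Q_RANKS),
        guard.request("u1", Q_CLERK_PAY),
        guard.request("u1", Q_DIRECTOR_PAY),
        guard.request("u2", Q_CLERK_PAY),
    ]

if __name__ == "__main__":
    for allowed, leaked in demo():
        print("released" if allowed else f"denied, would disclose {leaked}")
```

In this sketch the same query form is released or denied depending on the values returned and on what the same user has already seen, and a second user with an empty history receives the answer that the first user was denied.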
Currently I am co-advising the PhD student T. Toland with Dr C. Eastman. His research addresses the effects of database updates on the inference problem. We study database updates from two perspectives:
Both aspects of inference detection require the usage of update logs and the maintenance of a history file for each user. Some of
Future extensions of the current results include the development of models addressing collaborative attackers. Currently each user is monitored independently and inferences are generated only on his/her history files. Also, I’m planning to evaluate the inference problem from the perspective of privacy and fairness. Disclosing seemingly unimportant or non-sensitive information may give an advantage to an adversary. In particular, it may play an important role in interactive negotiation and trust management.
Secure Semantic Web (http://www.cse.sc.edu/research/isl/SSW/index.shtml)
The focus of this project is to develop models and
technologies for XML and RDF access control, and for prevention of security
threats via illegal inferences in semantically enhanced semi-structured
information. XML and RDF data has been
increasingly used for storing and exchanging information, and representing
metadata. Further, semantic annotation
of Web data and the development of tools to interpret such annotations support
the intelligent integration of large amounts of data. This large-scale data integration may pose
significant security and privacy threats by data aggregation, inference
disclosure, and data mining. Our
research targets some of the above problems:
· Access control models for XML. For this, we address the problem of generating XML Views that satisfy the security policies, develop an access control language for XML, develop a method and a practical implementation to handle XML updates without violating document integrity or the security policy, and prevent indirect disclosure of XML data via ontology supported inferences. Two Ph.D. students, A. Stoica and V. Gowadia, and one M.S. student, D. Roy, are involved in this project.
· We are currently developing an access control model suitable for RDF. Our aim is to support flexible data granularity, satisfy context-based and semantic requirements, and provide protection against undesired inferences. Ph.D. student A. Jain is involved in this project.
· Developing a security framework for SMIL (Synchronized Multimedia Integration Language) formatted streaming data. SMIL, an XML-like language, supports operational semantics. We provide language based security that respects continuity and synchronization constructs of SMIL. This work is with Ph.D. student N. Kodali and Professor D. Wijesekera from George Mason University, Va.
Future extensions of the current results include
the formal development of security models and completion of our prototype
systems. In addition, we are planning to
study the security requirements of Web applications, like Web Services, and how
these requirements impact the authorization models for XML, RDF, and OWL. In particular, we are planning to address the
need to formally define the intended meaning of XML documents and use this
meaning (instead of the currently used syntactic constructs) to develop
authorization model for XML.
Finally, our future work also involves the study of offensive and defensive application of our methods, focusing on the security issues created by large-scale and focused data integration. A defensive approach aims to develop models and tools to protect against (or warn about) unauthorized data disclosure; an offensive approach addresses information gathering techniques and techniques to release erroneous data in a stealthy manner that leads an adversary to a desired, wrong conclusion.
Legal and Financial Analysis (http://www.cse.sc.edu/research/isl/SSW/themis.shtml)
Cyber attacks represent a serious financial and legal burden. Current inadequacies in national law and ambiguous interpretations of international treaties make it difficult to prosecute cyber attackers and/or provide an acceptable self-defense for legitimate counter attackers. With collaborative support from USC Ph.D. students R. McCraw and S. Saxena, GMU Ph.D. student Liesheng Peng, and Drs. J. B. Michael, Naval Postgraduate School, D. Wijesekera, George Mason University, and T. Wingfield, the Potomac Institute for Policy Studies, we develop legal and economic models that evaluate the effects of cyber attacks. Currently we are working on a system that evaluates the direct and cascading effects of cyber attacks, and uses this evaluation to perform reasoning about the severity of the attack and “lawful” response strategies. We are also studying the different economic models used by cyber insurance companies to estimate the insurance premium and the level of compensation.
Secure, Self-Organizing Communities (http://www.cse.sc.edu/research/isl/anonimSys.shtml)
In this project we propose a new approach to provide accountability in self-organizing Web communities, while guaranteeing a high level of privacy. We present a framework for electronic communities that support dynamic grouping and collaborations. The system is controlled by competition among communities. The security protocols we developed for the system build upon community-based trust and limit exposure of personal information on a trusted third party. We propose a two-layered privacy protection architecture that allows enforcement of internal (Web community) and external (real world) accountability. Enforcement of external accountability requires the release of mappings between real users and their virtual identities; enforcement of internal accountability requires the release of mappings among the virtual users. This work is in collaboration with Ph.D. student G. Ziegler and Dr. A. Lorincz at Eotvos Lorand University, Budapest.
Our research to improve the efficiency of Web crawlers is closely related to our anonymity project. A fleet of crawlers is observed as a self-organizing community with needs for sharing and security. Our current work focuses on the improvement of learning algorithms used by Web crawlers. Our future work addresses the security protocols needed for these communities. This work is in collaboration with Ph.D. student Zs. Palotai and Dr. A. Lorincz at Eotvos Lorand University, Budapest.
My Other Research Areas Include
In my future research I’m planning to study the following research areas. A brief overview of our current activities, results, and publications for each area can be reached by following the links.
· Network Security
· Secure telephone conferencing
· Agent-based Intrusion Detection
· Access Control Models
· Automated support for security policy integration
· Access control for GIS applications