assured information sharing. prof. bhavani thuraisingham and prof. latifur khan the university of...

Assured Information Sharing

Prof. Bhavani Thuraisingham and Prof. Latifur Khan

The University of Texas at Dallas

Prof. Ravi Sandhu

George Mason University

August 2006

Information Operation Across Infospheres:

Assured Information Sharing

Acknowledgements• Students

–UTDallas• Dilsad Cavus (MS, Data mining and data sharing)

• Srinivasan Iyer (MS, Trust management)• Ryan Layfield (PhD, Game theory)• Mehdi (PhD, Worm detection)

–GMU• Min (PhD, Extended RBAC)

• Faculty and Staff–UTDallas

• Prof. Murat (Game theory)• Dr. Mamoun Awad (Data mining and Data sharing)

• Project supplemented by Texas Enterprise Funds

Architecture

ExportData/Policy

ComponentData/Policy for Agency A

Data/Policy for Federation

ExportData/Policy

ComponentData/Policy for Agency C

ComponentData/Policy for Agency B

ExportData/Policy

Our Approach• Integrate the Medicaid claims data and mine the

data; next enforce policies and determine how much information has been lost by enforcing policies

• Examine RBAC and UCON in a coalition environment

• Apply game theory and probing techniques to extract information from non cooperative partners; conduct information operations and determine the actions of an untrustworthy partner.

• Defensive and offensive operations

Coalition for Assured Information Sharing

• A coalition is formed by related entities like Medical care facilities

and Health insurance companies to share information within

themselves and to selected outsiders in a secure manner.

• Each of these entities can specify policies for access control through

the coalition.

• The coalition provides controlled access to information in the

database after enforcing policies generated by the entity owning the

database.

Example

• Consider a set of hospitals: {H1, H2, … Hn} and a set of Health

Insurance agencies {I1, I2, … In}. Each of these hospitals and

insurance companies can be an entity in a Coalition.

• The Coalition server provides a single point of access for databases

owned by each of the member entities.

• Each of these entities provides a policy file to the

company/individual hosting the Coalition server.

Example … continued

Situation – 1

• When registering a client, an insurance agency I5 might want to ensure that the applicant does

not have an active insurance coverage from any other insurance agency.

• A web service agent from the insurance company I5 issues a request to the Coalition server to

verify this.

- Using the applicant’s SSN, the web service agent can query each of the other insurance agency

databases to retrieve records of active insurance coverage for the client with the specified SSN.

Coalition

Architecture

Architectural Elements – 1

Web Service Agent:

Formulates a request and sends the request to the Response Engine

Receives response from the Response Engine and uses it to provide the appropriate service.

The aim of the web service agent is to obtain as much information as possible.

Architectural Elements – 2

Response Engine:

Policy Enforcement Point (PEP):

Enforces policies on requests sent by the Web Service.

Translates this request into an XACML request; sends it to the PDP.

Policy Decision Point (PDP):

Makes decisions regarding the request made by the web service.

Conveys the XACML request to the PEP.

Architectural Elements – 3

Coalition ( Policy files + Database)

Policy Files:

Policy Files are written in XACML policy language.

Policy Files specify rules for “Targets”. Each target is composed of 3 components: Subject,

Resource and Action; each target is identified uniquely by its components taken together. The

XACML request generated by the PEP contains the target. The PDP’s decision making capability lies

in matching the target in the request file with the target in the policy file.

These policy files are supplied by the owner of the databases (Entities in the coalition).

Databases:

The entities participating in the coalition provide access to their databases.

Screenshots - 1

Screenshots - 2

Screenshots - 3

Enforcing Honesty

• Everyone has a choice:– Tell the truth– Lie

• Distributed Behavior Enforcement– Non-trivial to implement– Difficult to guarantee– Examples: BitTorrent, P2P Networks, etc.

• Unless we can afford to have a neutral 3rd party that everyone can agree on, we need some way of enforcing ‘good’ behavior

Punishment

• However, there is a third option: refuse to participate– Usually not researched– Drastic measure that only makes sense if we

can influence behavior

• Our modeling suggests that, with proper use of refusal, we can ultimately enforce helpful behavior without a managing agent

Evolutionary Strategy

• Every 200 rounds, we create a new generation of agents, using the most successful strategies available

• The fitness f() of a given agent is a function of how well they have performed during interaction with other agents– More successful agents have a higher probability of

being a part of the next generation

n

ii

ii

select

af

afap

0

)(

)()(

Our Work

• Our mathematical models suggest that, assuming we punish by cutting off communication, the equilibrium is to always tell the truth

• Therefore, using an evolutionary environment, we have placed our particular rationality amongst a heterogeneous pool of competing ideologies– Tit-For-Tat: A famous algorithm that simply mirrors the last

move an opponent made– Random: An agent that selects it’s strategy with a 50/50 chance– Casual Liar: Like our agent, but lies with a 10% probability– Subtle Liar: Like our agent, but chooses to lie when it perceives

the piece being traded is of significant value• With equal parts given to each agent, which one will

emerge victorious?

Results

Centralized Reputations in Decentralized P2P Networks

Nathalie Tsybulnik, Kevin W. Hamlen, Bhavani Thuraisingham

Motivation

• P2P Systems offer few security guarantees

• Shared data has low confidentiality

• Shared data has low integrity

• Easy for malicious peers to propagate malicious code

Introducing Penny

• A P2P Network that addresses the following types of attacks:– Spread of corrupt or incorrect data– Attaching incorrect labels to data– Discovering which peers own particular data– Generating a list of all peers who own

particular data

Penny

• P2P Network that supports shared data labeling of:– Confidentiality – Integrity

• Peers can share data without revealing which data object they own

• Security labels are global but do not require a centralized server

Penny (Cont’d)

• P2P Network uses reputation-based trust management system – Store/retrieve labels – Despite malicious peer existence

• Maintain efficiency of network operations

• O(log N)