Some ideas for a Master thesis

If you are interested in the topics below, contact Nicola Zannone (email: n.zannone * (replace * with @) )
  1. Auditing for privacy compliance: Privacy is becoming an urgent issue in information systems because of the stringent requirements imposed by data protection regulations. Traditional access control mechanisms are not adequate to address these requirements. The underlying fundamental problem is that those approaches are preventive and thus are not able to deal with exceptions. The goal of the project is to develop a practical privacy framework that shifts the problem of preventing infringements into a problem of detecting infringements. The project requires investigating systematic log auditing techniques and the use of patterns and privacy metrics to detect and quantify infringements.

    Suggested reading:
    1. A. Adriansyah, B. van Dongen, and N. Zannone. Controlling Break-The-Glass Through Alignment. ASE SCIENCE Journal, 2(4):198-212, 2013.
    2. M. Alizadeh, M. de Leoni, N. Zannone. Constructing Probable Explanations of Nonconformity: A Data-aware and History-based Approach. In Proceedings of the IEEE Symposium on Computational Intelligence and Data Mining (IEEE CIDM'15), 2015. IEEE Computer Society Press.
    3. S. Banescu and N. Zannone. Measuring Privacy Compliance with Process Specifications. In Proceedings of the 7th International Workshop on Security Measurements and Metrics (MetriSec'11), IEEE Computer Society Press. 2011.

  2. Policy compliance over incomplete logs: Organizations that collect, use and share personal data have to ensure that data are processed according to security and privacy policies. Compliance is usually assessed by analyzing audit logs, which record user behavior, against policy specifications. However, the logs maintained by an organization may be incomplete (i.e., they may not contain all the information needed to determine whether policies have been violated or not) or unavailable. The goal of this project is to investigate methods and techniques aimed at assisting auditors in assessing policy compliance over incomplete logs.
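The following is an added example written for this page; it is not code from the original page or from the group behind these projects. It illustrates both topic 1 (a detective rather than preventive control: the log is checked after the fact against a purpose-based policy) and topic 2 (a three-valued verdict when the log lacks the field the decision hinges on, with the true violation rate only bounded). The policy, the pipe-separated log format and the sample log lines are all constructed for the example.

```python
"""Detective privacy auditing: check access-log lines against a purpose-based
policy, report infringements, and cope with events whose purpose is missing."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    data_type: str
    purposes: frozenset  # purposes for which this role may perform the action


# Constructed policy for a fictitious hospital; not taken from any real system.
POLICY = [
    Rule("physician", "read", "medical_record", frozenset({"treatment", "emergency"})),
    Rule("physician", "write", "medical_record", frozenset({"treatment"})),
    Rule("nurse", "read", "medical_record", frozenset({"treatment"})),
    Rule("billing", "read", "invoice", frozenset({"billing"})),
]


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    role: str
    action: str
    data_type: str
    purpose: Optional[str]  # None when the log did not record the purpose


def parse_log_line(line: str) -> Event:
    """Assumed log format: ts|user|role|action|data_type|purpose (empty purpose = missing)."""
    ts, user, role, action, data_type, purpose = line.strip().split("|")
    return Event(ts, user, role, action, data_type, purpose or None)


def judge(event: Event, policy=POLICY) -> str:
    """Three-valued verdict: 'compliant', 'violation', or 'unknown' when the log
    lacks the field the decision depends on."""
    matching = [r for r in policy
                if (r.role, r.action, r.data_type) == (event.role, event.action, event.data_type)]
    if not matching:
        return "violation"      # no rule permits this role/action/data type at all
    if event.purpose is None:
        return "unknown"        # a purpose is needed to decide and the log has none
    if any(event.purpose in r.purposes for r in matching):
        return "compliant"
    return "violation"          # the recorded purpose is not among the permitted ones


def audit(lines, policy=POLICY):
    """Return per-event verdicts, verdict counts and simple compliance metrics.
    With an incomplete log the true violation rate can only be bounded."""
    verdicts = [(e, judge(e, policy)) for e in map(parse_log_line, lines)]
    counts = {"compliant": 0, "violation": 0, "unknown": 0}
    for _, v in verdicts:
        counts[v] += 1
    n = len(verdicts)
    metrics = {
        "violation_rate_lower": counts["violation"] / n,                        # every unknown is compliant
        "violation_rate_upper": (counts["violation"] + counts["unknown"]) / n,  # every unknown is a violation
        "unknown_rate": counts["unknown"] / n,
    }
    return verdicts, counts, metrics


# Constructed sample log lines (not from a real system)
SAMPLE_LOG = [
    "2016-03-01T09:00|u1|physician|read|medical_record|treatment",
    "2016-03-01T09:05|u2|nurse|read|medical_record|research",
    "2016-03-01T09:10|u3|billing|read|medical_record|billing",
    "2016-03-01T09:15|u1|physician|read|medical_record|",
    "2016-03-01T09:20|u4|billing|read|invoice|billing",
    "2016-03-01T09:25|u1|physician|write|medical_record|emergency",
]

if __name__ == "__main__":
    verdicts, counts, metrics = audit(SAMPLE_LOG)
    for e, v in verdicts:
        print(f"{e.ts} {e.user:3} {e.role:9} {e.action:5} {e.data_type:14} purpose={e.purpose!s:9} -> {v}")
    print(counts, metrics)
```

The interval between the two violation rates is what an auditor can honestly report over an incomplete log; narrowing it means recovering the missing fields from other sources (or, as in topic 2, reasoning about which value they most probably had).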

  3. Collaborative Access Control: In recent years, collaboration has become an important aspect of information systems. With more and more users being connected through the Internet, the need for online collaborative environments has arisen. This has spurred the development of several collaborative systems such as web application platforms (e.g., Microsoft Sharepoint) and social networks (e.g., Facebook and Google+). Collaborative systems provide users with an environment in which they can work together to achieve a common goal. A main feature of collaborative systems is the possibility to share (possibly sensitive) information. Indeed, sharing information in a collaboration might be required to achieve a common goal. This information, however, might be sensitive and should be accessed exclusively by authorized users. Information is usually protected by means of access control. However, access control mechanisms usually assume that information is "owned" by a single user. This may not be the case in collaborative environments. Here, more than one user may retain some rights on the information; moreover, each user may regulate access to the information in a different capacity. The goal of this project is to investigate novel access control models for collaborative systems.

    Suggested reading:
    1. H. Hu, G. J. Ahn and J. Jorgensen. Multiparty Access Control for Online Social Networks: Model and Mechanisms. IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 7, pp. 1614-1627, 2013.
    2. R. Mahmudlu, J. den Hartog, N. Zannone. Data Governance & Transparency for Collaborative Systems. In DBSec, 2016.
    3. S. Damen, J. den Hartog, and N. Zannone. CollAC: Collaborative Access Control. In Proceedings of the 2014 International Conference on Collaboration Technologies and Systems (CTS 2014), 2014. IEEE.
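As an added example (not code from the original page or from the cited papers), here is a small multiparty access control model in which every user who holds rights on a shared item states their own policy and a combination strategy turns the individual votes into one decision. The controller kinds ("owner", "contributor", "stakeholder"), the strategies, the sensitivity threshold and the photo scenario are assumptions made for the example, not the model of Hu et al. or of CollAC.

```python
"""Multiparty access control for a co-owned item: every controller states a policy,
and a combination strategy turns their votes into one decision (assumed model)."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Controller:
    user: str
    kind: str                       # assumed kinds: "owner", "contributor", "stakeholder"
    allow: Callable[[dict], bool]   # the controller's own policy over the requester's attributes


@dataclass(frozen=True)
class SharedItem:
    name: str
    controllers: tuple
    sensitivity: float              # in (0, 1], declared by the owner (assumed)


def votes(item: SharedItem, requester: dict) -> Dict[str, bool]:
    """Evaluate each controller's policy independently."""
    return {c.user: c.allow(requester) for c in item.controllers}


def decide(item: SharedItem, requester: dict, strategy: str) -> dict:
    """Combine the votes; also report who denied, so the outcome is explainable."""
    v = votes(item, requester)
    permits, n = sum(v.values()), len(v)
    if strategy == "owner-overrides":
        owner = next(c for c in item.controllers if c.kind == "owner")
        granted = v[owner.user]
    elif strategy == "consensus":
        granted = permits == n
    elif strategy == "majority":
        granted = permits * 2 > n
    elif strategy == "sensitivity-threshold":
        # the more sensitive the item, the larger the share of permits required
        granted = permits > 0 and permits / n >= item.sensitivity
    else:
        raise ValueError(f"unknown strategy {strategy}")
    return {"granted": granted, "denied_by": sorted(u for u, ok in v.items() if not ok)}


# Constructed scenario: a photo uploaded by carol to alice's album in which bob is tagged
PHOTO = SharedItem(
    name="party.jpg",
    controllers=(
        Controller("alice", "owner",       lambda r: "friends" in r["groups"]),
        Controller("bob",   "stakeholder", lambda r: "family" in r["groups"]),
        Controller("carol", "contributor", lambda r: "colleagues" in r["groups"]),
    ),
    sensitivity=0.9,
)
DAVE = {"name": "dave", "groups": {"friends", "colleagues"}}

if __name__ == "__main__":
    for s in ("owner-overrides", "consensus", "majority", "sensitivity-threshold"):
        print(f"{s:22} -> {decide(PHOTO, DAVE, s)}")
```

The same request is granted or denied depending on the strategy, which is exactly the design question a collaborative access control model has to settle: whose policy counts, with what weight, and how the outcome is explained to the users whose policy was overridden.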

  4. Policy mining: Over the years several organizations have migrated to more practical solutions to regulate access to sensitive information, e.g. Role-Based Access Control (RBAC). This has spurred the design and development of techniques and methods to automatically extract access control policies from the current set of permissions assigned to users. In particular, several role mining techniques have been proposed to automatically extract RBAC policies. In recent years, Attribute-Based Access Control (ABAC) has been emerging as the new paradigm for the specification and enforcement of access control policies. However, the specification of ABAC policies is not trivial for end-users. The goal of this project is to design and develop novel techniques that assist end-users in mining ABAC policies from the current set of permissions assigned to users.
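The following is an added example (not code from the original page or from any published ABAC mining algorithm) showing the core idea of mining ABAC rules from an existing permission set: start from the most specific rule that grants one existing permission, then drop attribute conditions as long as the rule still grants nothing outside the permission set, and repeat until every permission is covered. The greedy "largest safe coverage" heuristic, the rule representation and the toy users, resources and permissions are all assumptions made for the example.

```python
"""Greedy ABAC policy mining (assumed, simplified algorithm): start from the most
specific rule that grants one existing permission and drop conditions while the
rule still grants nothing outside the current permission set."""
from itertools import product

# Constructed toy data: user attributes, resource attributes and the permissions
# currently assigned (the "access matrix" to mine from). Not from a real system.
USERS = {
    "alice": {"role": "physician", "dept": "cardio"},
    "bob":   {"role": "physician", "dept": "neuro"},
    "carol": {"role": "nurse",     "dept": "cardio"},
    "dave":  {"role": "billing",   "dept": "admin"},
}
RESOURCES = {
    "rec_c1": {"type": "record",  "dept": "cardio"},
    "rec_n1": {"type": "record",  "dept": "neuro"},
    "inv_1":  {"type": "invoice", "dept": "admin"},
}
OPS = ("read", "write")
PERMS = {
    ("alice", "rec_c1", "read"), ("alice", "rec_c1", "write"), ("alice", "rec_n1", "read"),
    ("bob", "rec_n1", "read"), ("bob", "rec_n1", "write"), ("bob", "rec_c1", "read"),
    ("carol", "rec_c1", "read"),
    ("dave", "inv_1", "read"),
}


# A rule is {"u": user-attribute conditions, "r": resource-attribute conditions,
#            "x": attributes that must be equal on user and resource, "op": operation}
def matches(rule, u, r, op):
    ua, ra = USERS[u], RESOURCES[r]
    return (op == rule["op"]
            and all(ua.get(k) == v for k, v in rule["u"].items())
            and all(ra.get(k) == v for k, v in rule["r"].items())
            and all(ua.get(a) == ra.get(a) for a in rule["x"]))


def covered(rule):
    """All (user, resource, op) triples the rule would grant."""
    return {t for t in product(USERS, RESOURCES, OPS) if matches(rule, *t)}


def most_specific_rule(u, r, op):
    cross = {a for a in USERS[u] if a in RESOURCES[r] and USERS[u][a] == RESOURCES[r][a]}
    return {"u": dict(USERS[u]), "r": dict(RESOURCES[r]), "x": cross, "op": op}


def without(rule, part, key):
    new = {"u": dict(rule["u"]), "r": dict(rule["r"]), "x": set(rule["x"]), "op": rule["op"]}
    if part == "x":
        new["x"].discard(key)
    else:
        del new[part][key]
    return new


def generalize(rule, perms):
    """Repeatedly drop the condition whose removal stays safe (grants only existing
    permissions) and yields the largest coverage; stop when no drop is safe."""
    while True:
        best = None
        for part in ("u", "r", "x"):
            for key in list(rule[part]):
                cand = without(rule, part, key)
                cov = covered(cand)
                if cov <= perms and (best is None or len(cov) > len(best[1])):
                    best = (cand, cov)
        if best is None:
            return rule
        rule = best[0]


def mine(perms):
    """Greedy set cover: one generalized rule per still-uncovered permission."""
    rules, uncovered = [], set(perms)
    while uncovered:
        u, r, op = min(uncovered)           # deterministic processing order
        rule = generalize(most_specific_rule(u, r, op), perms)
        rules.append(rule)
        uncovered -= covered(rule)
    return rules


if __name__ == "__main__":
    for rule in mine(PERMS):
        print(rule, "->", len(covered(rule)), "permissions")
```

On this toy data the miner produces three rules, among them "physicians may read any record" and "physicians may write resources of their own department", but also "anyone may read resources of their own department", because nothing in the permission set contradicts it. That is the central difficulty of the topic: the mined policy is only as good as the permissions it is mined from, and an end-user still has to judge whether a rule expresses intent or merely fits the data.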

  5. Policy administration in TBA: Tag-Based Authorization (TBA) is a hybrid access control model that combines the ease of use of extensional access control models with the expressivity of logic-based formalisms. In particular, it allows the users of a system to assign descriptive tags to the system's resources (i.e., subjects and objects); security experts then write logical authorization policies in terms of those tags. The main limitation of the TBA model is that it lacks support for policy administration. More precisely, it does not allow policy-writers to specify administrative policies that constrain the tags that users can assign, and to verify the compliance of assigned tags with these policies. The goal of this project is to enable policy administration in TBA.

    Suggested reading:
    1. S. Etalle, T. L. Hinrichs, A. J. Lee, D. Trivellato, and N. Zannone. Policy Administration in Tag-Based Authorization. In Proceedings of the 5th International Symposium on Foundations & Practice of Security (FPS 2012), 2012.
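As an added example (not code from the original page or from the FPS 2012 paper), the block below sketches what policy administration in TBA could look like: users assign tags to subjects and objects, the authorization policy is stated purely over tags, and an administrative policy says which tags an assigner must hold to assign a given tag and which tags may not co-occur on one entity. Replaying an assignment log against that administrative policy then verifies the compliance of the assigned tags. The form of the administrative rules, the bootstrap of an "hr" tag and the sample log are assumptions made for the example.

```python
"""Tag-Based Authorization with an administrative policy over tag assignment
(assumed model, written for this page): users tag subjects and objects, an
authorization policy is stated over tags, and administrative rules say who may
assign which tags and which tags may not co-occur."""
from collections import defaultdict

# Authorization policy over tags: (action, tags the subject needs, tags the object needs)
AUTH_POLICY = [
    ("read",  {"doctor"}, {"medical"}),
    ("read",  {"staff"},  {"public"}),
    ("write", {"doctor"}, {"medical"}),
]

# Administrative policy (constructed): to assign a tag the assigner must carry the
# listed tags, and a tag may not be put on an entity carrying a conflicting tag.
ADMIN_POLICY = {
    "doctor":  {"assigner_needs": {"hr"},     "conflicts_with": set()},
    "staff":   {"assigner_needs": {"hr"},     "conflicts_with": set()},
    "medical": {"assigner_needs": {"doctor"}, "conflicts_with": {"public"}},
    "public":  {"assigner_needs": {"staff"},  "conflicts_with": {"medical"}},
}


class TagStore:
    def __init__(self, bootstrap):
        # bootstrap tags are set by the security administrator out of band (assumed)
        self.tags = defaultdict(set, {e: set(t) for e, t in bootstrap.items()})

    def check_assignment(self, assigner, entity, tag):
        """Return None if the assignment complies with ADMIN_POLICY, else the reason."""
        rule = ADMIN_POLICY.get(tag)
        if rule is None:
            return f"tag {tag!r} is not administered"
        missing = rule["assigner_needs"] - self.tags[assigner]
        if missing:
            return f"{assigner} lacks {sorted(missing)} needed to assign {tag!r}"
        clash = rule["conflicts_with"] & self.tags[entity]
        if clash:
            return f"{tag!r} conflicts with {sorted(clash)} already on {entity}"
        return None

    def assign(self, assigner, entity, tag):
        """Apply the assignment only if it is compliant; return the reason otherwise."""
        reason = self.check_assignment(assigner, entity, tag)
        if reason is None:
            self.tags[entity].add(tag)
        return reason

    def authorized(self, action, subject, obj):
        """Plain TBA decision: some policy line is satisfied by the current tags."""
        return any(a == action and st <= self.tags[subject] and ot <= self.tags[obj]
                   for a, st, ot in AUTH_POLICY)


def verify_log(bootstrap, log):
    """Replay an assignment log of (assigner, entity, tag) against the administrative
    policy; non-compliant entries are reported and not applied."""
    store = TagStore(bootstrap)
    findings = []
    for assigner, entity, tag in log:
        reason = store.assign(assigner, entity, tag)
        if reason is not None:
            findings.append(((assigner, entity, tag), reason))
    return store, findings


# Constructed sample: one bootstrap HR account and a log of tag assignments
BOOTSTRAP = {"hr1": {"hr"}}
LOG = [
    ("hr1",   "alice", "doctor"),    # ok: HR may tag a subject as doctor
    ("hr1",   "bob",   "staff"),     # ok
    ("alice", "rec1",  "medical"),   # ok: a doctor marks a record as medical
    ("bob",   "rec2",  "medical"),   # non-compliant: bob is not a doctor
    ("bob",   "rec1",  "public"),    # non-compliant: conflicts with 'medical' on rec1
    ("bob",   "memo1", "public"),    # ok
]

if __name__ == "__main__":
    store, findings = verify_log(BOOTSTRAP, LOG)
    for entry, reason in findings:
        print("non-compliant", entry, "->", reason)
    print("alice read rec1:", store.authorized("read", "alice", "rec1"))
    print("bob   read rec1:", store.authorized("read", "bob", "rec1"))
```

Without the administrative layer, the fourth and fifth log entries would simply take effect and bob could read rec1 through the "public" line of the authorization policy; the administrative policy is what keeps the meaning of a tag under the control of the people entitled to define it.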

  6. Risk/benefit-based access control: Businesses have become more dynamic and, thus, organizations have to adapt quickly to changes in structure, business and environmental conditions. Organizations thus have to deal increasingly often with unexpected situations and exceptions. For instance, a physician may take actions that diverge from the procedures adopted by the hospital in order to face an emergency. Preventing such actions may be critical for the life of the patient. Traditional access control systems are too inflexible to be used in dynamic environments. Their inflexibility often forces users to bypass them and, in extreme cases, to switch off security measures. The objective of this project is to design and develop an access control mechanism that supports the system in making informed decisions on data access by performing real-time risk/benefit analysis.

  7. Anomaly detection, analysis and response: Anomaly detection systems are usually employed to monitor database activities in order to detect security incidents. These systems raise alerts when anomalous activities are detected. The alerts raised have to be analyzed in order to respond to security incidents in a timely manner. Their analysis, however, is time-consuming and costly. This problem is aggravated by the large number of alerts often raised by anomaly detection systems. The goal of this project is to devise novel methods and techniques for anomaly detection, analysis and response.

    Suggested reading:
    1. E. Costante, J. den Hartog, M. Petkovic, S. Etalle, M. Pechenizkiy. Hunting the Unknown - White-Box Database Leakage Detection. In DBSec 2014, pp. 243-259.
    2. S. Vavilis, A. Egner, M. Petkovic, N. Zannone. An anomaly analysis framework for database systems. Computers & Security, 53: 156-173, 2015.
    3. E. Costante, D. Fauri, S. Etalle, J. den Hartog, and N. Zannone. A Hybrid Framework for Data Loss Prevention and Detection. In Proceedings of the Workshop on Research for Insider Threats (WRIT 2016), 2016. IEEE.
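The block below is an added example (not code from the original page or from the cited DBSec/WRIT papers) that walks through the three steps named in the topic on database activity: a white-box detector that builds per-role profiles from query features and scores new queries with an explanation of which features contributed; an analysis step that merges alerts sharing the same user and explanation so an analyst handles one case per pattern; and a response step that ranks and prioritises the cases. The feature set (columns touched, rows returned, hour of day), the weights, the threshold and all query records are constructed for the example.

```python
"""White-box anomaly detection on database activity (assumed, simplified): build a
per-role profile from a training log of query features, score new queries with
human-readable explanations, then aggregate and rank the alerts for analysts."""
from collections import defaultdict

# Constructed query-feature records, as a monitor in front of the DBMS might extract
# them: role, columns touched, rows returned, hour of day. Not real data.
TRAINING = [
    {"user": "n1", "role": "nurse", "cols": {"patients.name", "patients.ward"}, "rows": 12, "hour": 9},
    {"user": "n2", "role": "nurse", "cols": {"patients.name", "patients.ward"}, "rows": 8, "hour": 14},
    {"user": "n1", "role": "nurse", "cols": {"patients.ward"}, "rows": 30, "hour": 16},
    {"user": "b1", "role": "billing", "cols": {"invoices.amount", "invoices.patient_id"}, "rows": 200, "hour": 10},
    {"user": "b1", "role": "billing", "cols": {"invoices.amount"}, "rows": 150, "hour": 11},
]


def build_profiles(log):
    """Per role: columns seen in normal use, largest result size and active hours."""
    prof = defaultdict(lambda: {"cols": set(), "max_rows": 0, "hours": set()})
    for q in log:
        p = prof[q["role"]]
        p["cols"] |= q["cols"]
        p["max_rows"] = max(p["max_rows"], q["rows"])
        p["hours"].add(q["hour"])
    return prof


def score(q, profiles):
    """Anomaly score in [0, 1] plus the reasons that contributed (white-box explanation)."""
    p = profiles.get(q["role"])
    if p is None:
        return 1.0, {"unknown_role": q["role"]}
    reasons, s = {}, 0.0
    unseen = q["cols"] - p["cols"]
    if unseen:
        s += 0.5 * len(unseen) / len(q["cols"])
        reasons["unseen_columns"] = sorted(unseen)
    if q["rows"] > p["max_rows"]:
        s += 0.3 * min(1.0, (q["rows"] - p["max_rows"]) / max(p["max_rows"], 1))
        reasons["oversized_result"] = (q["rows"], p["max_rows"])
    if q["hour"] not in p["hours"]:
        s += 0.2
        reasons["unusual_hour"] = q["hour"]
    return min(s, 1.0), reasons


def detect(log, profiles, threshold=0.3):
    """Raise an alert for every query scoring at or above the threshold."""
    alerts = []
    for q in log:
        s, reasons = score(q, profiles)
        if s >= threshold:
            alerts.append({"query": q, "score": s, "reasons": reasons})
    return alerts


def triage(alerts):
    """Analysis and response: merge alerts sharing user and explanation into one case,
    rank cases by highest score, and attach a priority for the response queue."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["query"]["user"], tuple(sorted(a["reasons"])))].append(a)
    cases = []
    for (user, reasons), g in groups.items():
        top = max(a["score"] for a in g)
        cases.append({"user": user, "reasons": list(reasons), "count": len(g), "max_score": top,
                      "priority": "high" if top >= 0.7 else "medium"})
    return sorted(cases, key=lambda c: (-c["max_score"], -c["count"]))


# Constructed queries to monitor (comments state the intended reading of each)
MONITORED = [
    {"user": "n1", "role": "nurse", "cols": {"patients.name"}, "rows": 10, "hour": 9},                   # normal
    {"user": "n2", "role": "nurse", "cols": {"patients.name", "patients.ssn"}, "rows": 900, "hour": 3},  # bulk read of an unseen column
    {"user": "n2", "role": "nurse", "cols": {"patients.name", "patients.ssn"}, "rows": 950, "hour": 3},  # same pattern again
    {"user": "b1", "role": "billing", "cols": {"invoices.amount"}, "rows": 600, "hour": 23},             # large result at an odd hour
]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for case in triage(detect(MONITORED, profiles)):
        print(case)
```

Three alerts collapse into two cases, and the analyst sees for each case which features drove the score rather than a bare number; that explanation is what makes the analysis step tractable when the detector raises alerts in volume.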
