Video Episodes:
6 Views
00:30:00 04/26/12
Christine Task, "A Practical Beginners' Guide to Differential Privacy"
[LESS INFO] 6 VIEWS | ADDED 00:30:00 04/26/12
Differential privacy is a very powerful approach to protecting individual privacy in data-mining; it's also an approach that hasn't seen much application outside academic circles. There's a reason for this: many people aren't quite certain how it works. Uncertainty poses a serious problem when considering the public release of sensitive data. Intuitively, differentially private data-mining applications protect individuals by injecting noise which "covers up" the impact any individual can have on the query results. In this talk, I will discuss the concrete details of how this is accomplished, exactly what it does and does not guarantee, common mistakes and misconceptions, and give a brief overview of useful differentially privatized data-mining techniques. This talk will be accessible to researchers from all domains; no previous background in statistics or probability theory is assumed. My goal in this presentation is to offer a short-cut to researchers who would like to apply differential privacy to their work and thus enable a broader adoption of this powerful tool.
2 Views
00:30:00 04/19/12
Steve Battista, "What firmware exists in your computer and how the fight for your systems will be below your operating system"
[LESS INFO] 2 VIEWS | ADDED 00:30:00 04/19/12
Many security professionals look to software on hardrives as the source of compromise. To detect compromises, they use systems to check the hashes of all files on disk, When a machine is compromised, they wipe the hardrive, and assume that the machine in clean. The battlefield between attackers and defenders is moving to the firmware level. This presentation will explore what firmware exists in your computer and how the fight for your systems will be below your operating system and what can be done about this.
5 Views
00:30:00 04/12/12
Traian Truta, ": K-Anonymity in Social Networks: A Clustering Approach"
[LESS INFO] 5 VIEWS | ADDED 00:30:00 04/12/12
The proliferation of social networks, where individuals share private information, has caused, in the last few years, a growth in the volume of sensitive data being stored in these networks. As users subscribe to more services and connect more with their friends, families, and colleagues, the desire to use this information from the networks has increased. Online social interaction has become very popular around the globe and most sociologists agree that this will not fade away. Social network sites gather confidential information from their users (for instance, the social network site PacientsLikeMe collects confidential health information) and, as a result, social network data has begun to be analyzed from a different, specific privacy perspective. Since the individual entities in social networks, besides the attribute values that characterize them, also have relationships with other entities, the risk of disclosure increases. In this talk we present a greedy algorithm for anonymizing a social network and a measure that quantifies the information loss in the anonymization process due to edge generalization.
9 Views
00:30:00 03/29/12
Nabeel Mohamed, "Privacy preserving attribute based group key management"
[LESS INFO] 9 VIEWS | ADDED 00:30:00 03/29/12
Group key management (GKM) is a fundamental building block in any secure group communication applications. In fact, successful management of group keys is critical to the security of any cryptosystem. In this talk, I will first give an overview of the traditional GKM approaches and their limitations to support current technological trends and large dynamic systems. Then I will present a new approach to GKM that is expressive and privacy preserving. The talk is based on our work appeared in ICDE 2010, CCS 2011 and CollaborateCom 2011.
5 Views
00:30:00 03/22/12
Randall Brooks, "Adding a Software Assurance Dimension to Supply Chain Practices"
[LESS INFO] 5 VIEWS | ADDED 00:30:00 03/22/12
There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations. This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist. Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process. SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM. Points of discussion common to both hardware and to software component acquisition will include: 1. Acquirer business risk 2. End customer mission criticality and mission assurance 3. Subcontract management 4. Supplier secure development assessment 5. Supplier management practices for their suppliers 6. Supplier business assessment 7. Product assessment Points of discussion peculiar to hardware component acquisition will include: 1. Quality vs. counterfeiting vs. malicious alteration 2. ASICS, FPGAs, and microprocessors 3. Information storage in volatile memory 4. Information storage in non-volatile memory and permanent disk storage Points of discussion peculiar to software component acquisition will include: 1. COTS, contracted software, open source, and freeware 2. Software pedigree and provenance 3. License management of open source
34 Views
02:30:00 03/08/12
Chenyun Dai, "Privacy-Preserving Assessment of Location Data Trustworthiness"
[LESS INFO] 34 VIEWS | ADDED 02:30:00 03/08/12
Assessing the trustworthiness of location data corresponding to individuals is essential in several applications, such as forensic science and epidemic control. To obtain accurate and trustworthy location data, analysts must often gather and correlate information from several independent sources, e.g., physical observation, witness testimony, surveillance footage, etc. However, such information may be fraudulent, its accuracy may be low, and its volume may be insufficient to ensure highly trustworthy data. On the other hand, recent advancements in mobile computing and positioning systems, e.g., GPS-enabled cell phones, highway sensors, etc., bring new and effective technological means to track the location of an individual. Nevertheless, collection and sharing of such data must be done in ways that do not violate an individual’s right to personal privacy. Previous research efforts acknowledged the importance of assessing location data trustworthiness, but they assume that data is available to the analyst in direct, unperturbed form. However, such an assumption is not realistic, due to the fact that repositories of personal location data must conform to privacy regulations. In this work, we study the challenging problem of refining trustworthiness of location data with the help of large repositories of anonymized information. We show how two important trustworthiness evaluation techniques, namely common pattern analysis and conflict/support analysis, can benefit from the use of anonymized location data. We have implemented a prototype of the proposed privacy-preserving trustworthiness evaluation techniques, and the experimental results demonstrate that using anonymized data can significantly help in improving the accuracy of location trustworthiness assessment.
23 Views
02:30:00 03/01/12
Nishanth Chandran, "Cryptographic protocols in the era of cloud computing"
[LESS INFO] 23 VIEWS | ADDED 02:30:00 03/01/12
With the advent of cloud computing, our view of cryptographic protocols has changed dramatically. In this talk, I will give an overview of some of the newer challenges that we face in cloud cryptography and outline some of the techniques used to solve these problems. In particular, a few questions that I will address are: 1) How can we store sensitive data in the cloud, in an encrypted manner, and yet allow controlled access to certain portions of this data? 2) How can we ensure reliability of data across cloud servers that may be connected by only a low-degree communication network, even when some of the servers may become corrupted? 3) How can users authenticate themselves to the cloud in a user-friendly way? This talk will assume no prior knowledge of cryptography and is based on works that appear at TCC 2012, ICALP 2010 and STOC 2010.
29 Views
02:30:00 02/23/12
Ben Calloni, "Vulnerability Path and Assessment"
[LESS INFO] 29 VIEWS | ADDED 02:30:00 02/23/12
US Government, Department of Defense, and Enterprise computer systems must be trusted to protect data with varying levels of sensitivity / security. Affordability requirements are driving the need to incorporate many diverse commercial software products of unknown quality and pedigree into said systems. While there exist many Static Code Analysis products, the depth, rigor, and coverage of these tools is incomplete and inconsistent. In addition, finding and eliminating computer flaws or weaknesses is not the same as determining true vulnerabilities. Further there is significant cost reduction that can occur if automated support for establishing the case for trust and assurance can be achieved. The collection of evolving standards known as the OMG Software Assurance (SwA) Ecosystem is supported and endorsed by AFRL, NIST, SEI, OSD/NII, and DHS Cyber Security Division among others. The SwA Ecosystem defines several standard protocols to enable interoperability for tools, services and security researchers in developing, exchanging and utilizing machine-readable content (e.g. vulnerability patterns, enumerations, rules) for security assurance of existing software based systems. This standard-based plug-and-play framework integrates software analysis and data mining tools and facilitates highly automated fact-oriented approach to assurance by providing traceability link between assurance claims and high-fidelity system facts as evidence to justify assurance claims. This presentation will focus on the work funded by AFRL and OSD/NII to addressing the Vulnerability Path Assessment piece of the Ecosystem.
30 Views
02:30:00 02/16/12
Simson Garfinkel, "Forensic Carving of Network Packets with bulk_extractor and tcpflow"
[LESS INFO] 30 VIEWS | ADDED 02:30:00 02/16/12
Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.
41 Views
02:30:00 02/09/12
Kelley Misata, "Digital Citizenship: A Target's View of Security and Life Online"
[LESS INFO] 41 VIEWS | ADDED 02:30:00 02/09/12
As technological advancements continue to expand the range of information access, issues of privacy and cyber security have risen to the forefront. Technology is only one part of a larger conversation. Looking through a different lens, consider the humans behind the machines. Technology can now be used with unprecedented ease and anonymity as a malicious vehicle to harass, defame and stalk. This presentation recounts the very personal and in-depth journey of a target of cyberstalking whose efforts to navigate within the system have been met with both successes and failures. Learn the profound impact this journey has had on life online as well as off, catalyzing a shift in perspective from fear to redefining responsible digital citizenship. The conversation will provide new insights into security issues, communication, and business management, as well as the limitations of the systems currently in place.
14 Views
02:30:00 02/02/12
George Vanecek, "Is it time to add Trust to the Future Internet/Web?"
[LESS INFO] 14 VIEWS | ADDED 02:30:00 02/02/12
The future web, and Internet, are undergoing a humanization of their technologies which increasingly make their services more personalized, individualized and transparent. This is jointly fueled by the inexpensive yet easily accessible huge computing and storage capacities in clouds, the adoption of personal, mobile smart devices used across consumer/enterprise interchangeably, and the emergence of personal agents and services attaining personalized perception of the real-world and its control on behalf of the users. In this human/machine convergences, trust is being recognized as potentially playing a huge role in addressing future human/machine security, commerce and social on-line issues. However, trust has been adopted only partially and independently by certain services and not made integral in the fabric of the Internet or the web. This talk explores the technical and social issues for the establishment of a ubiquitous trust network in the Future Internet. The talk reviews necessary technologies from the Semantic Web, Intercloud, and broader Identity methodologies, and provides a number of use cases for how the Future Internet would benefit from the trust network.
12 Views
02:30:00 01/26/12
Frank Tompa, "A Flexible System for Access Control"
[LESS INFO] 12 VIEWS | ADDED 02:30:00 01/26/12
A variety of mechanisms have been used in access control systems to support enterprises' diverse security needs. For example, some enterprises might allow individual users to assign privileges on files that they own, whereas others might require that permissions be granted and revoked by security administrators only; some enterprises wish to operate under closed access policies (where permission is denied unless explicitly granted), whereas others prefer to allow access only if the number of positive authorizations exceeds the number of negative ones. We will explore two frameworks, namely creation time policies and conflict resolution policies, that together allow software vendors to support a wide variety of discretionary access control mechanisms using a single code base.
8 Views
02:30:00 01/19/12
Salmin Sultana, " Secure Provenance Transmission for Data Streams"
[LESS INFO] 8 VIEWS | ADDED 02:30:00 01/19/12
Many application domains, such as real-time financial analysis, e-healthcare systems, sensor networks, are characterized by continuous data streaming from multiple sources and through intermediate processing by multiple aggregators. Keeping track of data provenance in such highly dynamic context is an important requirement, since data provenance is a key factor in assessing data trustworthiness which is crucial for many applications. Provenance management for streaming data requires addressing several challenges, including the assurance of high processing throughput, low bandwidth consumption, storage efficiency and secure transmission. In this talk, I will discuss a novel approach to securely transmit provenance for streaming data (focusing on sensor network) by embedding provenance into the inter-packet timing domain while addressing the above mentioned issues. As provenance is hidden in another host-medium, our solution can be conceptualized as watermarking technique. However, unlike traditional watermarking approaches, we embed provenance over the inter-packet delays rather than in the sensor data themselves, hence avoiding the problem of data degradation due to watermarking. Provenance is extracted by the data receiver utilizing an optimal threshold-based mechanism which minimizes the probability of provenance decoding errors. The resiliency of the scheme against outside and inside attackers is established through an extensive security analysis. Experiments show that our technique can recover provenance upto a certain level against perturbations to inter-packet timing characteristics.
15 Views
02:30:00 01/12/12
Stephen Elliott, ""Introduction to Biometrics""
[LESS INFO] 15 VIEWS | ADDED 02:30:00 01/12/12
A discussion about biometrics, performance and error. Learn more about biometric technologies and challenges related to performance.
39 Views
02:30:00 12/01/11
Apu Kapadia, "Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones"
[LESS INFO] 39 VIEWS | ADDED 02:30:00 12/01/11
We introduce Soundcomber, a "sensory malware" for smartphones that uses the microphone to steal private information from phone conversations. Soundcomber is lightweight and stealthy. It uses targeted profiles to locally analyze portions of speech likely to contain information such as credit card numbers. It evades known defenses by transferring small amounts of private data to the malware server utilizing smartphone-specific covert channels. Additionally, we present a general defensive architecture that prevents such sensory malware attacks.
11 Views
02:30:00 11/17/11
Loukas Lazos, "Jam me if you can: Mitigating the Impact of Inside Jammers"
[LESS INFO] 11 VIEWS | ADDED 02:30:00 11/17/11
The open nature of the wireless medium leaves wireless communications exposed to interference caused by the concurrent operation of co-located wireless devices over the same frequency bands. While unintentional signal interference is managed at the physical and mac layers using an array of techniques (advanced signal processing, channel coding and error correction, spread spectrum communications, multiple access protocols, etc.), in a hostile environment, wireless communications remain vulnerable to intentional interference attacks typically referred to as jamming. Jamming can take the form of an external attack launched by "foreign" devices that are unaware of the network secrets (e.g., cryptographic credentials) or its protocols. Such external attacks are relatively easy to neutralize through a combination of cryptography-based measures and spreading techniques. In contrast, when jamming attacks are launched from compromised nodes, they are much more sophisticated in nature. These attacks exploit knowledge of network secrets (e.g., cryptographic keys and pseudo-random spreading codes) and its protocol semantics to maximize their detrimental impact by selectively and adaptively targeting critical data transmissions. In this talk, we discuss the feasibility and impact of selective jamming attacks in the presence of inside adversaries. The attacker's selectivity is considered at different granularities, namely on a per-channel basis and on a per-packet basis. We describe several mitigation methods that do not rely on the existence of shared secrets, but defeat selectivity via a combination of temporary packet hiding and uncoordinated frequency hopping.
03/05/09