The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive



Towards a Fine-Grained Access Control Model and Mechanisms for Semantic Databases

Elisa Bertino, Stefano Franzoni, Pietro Mazzoleni, Stefano Valtolina

A growing number of domains are adopting semantic models as a centralized gateway to heterogeneous data sources, or directly for modeling and managing relevant information. In such contexts, it is crucial to grant access to the semantic model and its data only to the authorized users. In this paper, we present a fine-grained access control model specifically tailored to semantic models. One of the relevant features of the model is the granularity of the resources that can be protected. Access control can be enforced at the level of both the model’s concepts and the concepts’ instances by means of a query rewriting strategy. The proposed model has been implemented adopting the XACML standard and the SeRQL query language; services exposed by the implementation can be used to transparently integrate authorization into existing systems.

Added 2008-05-02

Profiling Database Application to Detect SQL Injection Attacks

Elisa Bertino, Ashish Kamra, James P. Early

Countering threats to an organization’s internal databases from database applications is an important area of research. In this paper, we propose a novel framework based on anomaly detection techniques, to detect malicious behaviour of database application programs. Specifically, we create a fingerprint of an application program based on SQL queries submitted by it to a database. We then use association rule mining techniques on this fingerprint to extract useful rules. These rules succinctly represent the normal behaviour of the database application. We then apply an anomaly detection algorithm to detect queries that do not conform to these rules. We further demonstrate how this model can be used to detect SQL Injection attacks on databases. We show the validity and usefulness of our approach on synthetically generated datasets and SQL Injected queries. Experimental results show that our techniques are effective in addressing various types of SQL Injection threat scenarios.

Added 2008-05-02

Integration of virtual reality and database systems for cultural heritage dissemination

Elisa Bertino, Stefano Franzoni, Pietro Mazzoleni, Stefano Valtolina, Piero Mussio

This paper deals with the development of interactive Virtual Reality (VR) environments. We argue that the integration of such environments with Database (DB) technology has the potential of providing on one side much flexibility and, on the other hand, of resulting in enhanced interfaces for accessing contents from digital archives. The paper discusses the main issues related to such integration. It also describes two projects related to the use of advanced tools for the dissemination of Cultural Heritage (CH) content. Within these projects an integrated framework has been developed that enhances conventional VR environments with DB interactions.

Added 2008-05-02

Guest Editorial: Introduction to the Special Section

Elisa Bertino, Susan D. Urban
Added 2008-05-02

XACML Function Annotations

Elisa Bertino, Rao, Lin

XACML is being increasingly adopted in large enterprise systems for specifying access control policies. However, the efficient analysis and integration of multiple policies in such large distributed systems still remains a difficult task. In this paper, we propose an annotation technique which is a simple extension to XACML, and may greatly benefit the policy analysis process. We also discuss an important consistency problem during XACML policy translation and point out a few possible research directions.

Added 2008-05-02

A Service-Oriented Approach to Security--Concepts and Issues

Elisa Bertino, Martino

Various mechanisms for authentication and access control have been developed over time. Operating systems and DBMS implement such mechanisms and support quite rich access control models. A major limitation, however, of such mechanisms is that they are not extensible; thus whenever an application domain requires more sophisticated access controls or authentication, the applications must include logics for such controls. Such an approach leads to increased costs in application development and maintenance. For these reasons, models and mechanisms apt to separate those functions have emerged, also fostered by XML and Web services. At the same time, the need to drive the behaviour of security through clearly stated and machine-processable policies has fostered the development of various policy models and policy management mechanisms. A policy-based approach enhances flexibility, and reduces the application development costs. Changes to the access control or authentication requirements simply entail modifying the policies, without requiring changes to the applications. It is thus clear that an important approach to the problem of security is represented by the development of policy-based security services providing all functions for security management relevant to applications. Such an approach is particularly promising for applications organized according to the Service Oriented (SOA) paradigm. In this paper we discuss basic concepts of such an approach to security and we present a reference architectural framework. We discuss three relevant classes of security services, namely digital identity management services, authentication services, access control services, and outline research directions for each such class.

Added 2008-05-02

A Policy-Based Authorization Framework for Web Services: Integrating X-GTRBAC and WS-Policy

Elisa Bertino, Rafae Bhatti, Daniel Sanz, Arif Ghafoor
Added 2008-05-02

Efficient and Secure Content Processing and Distribution by Cooperative Intermediaries

Elisa Bertino, Yunhua Koglin, Danfeng Yao

Content services, such as content filtering and transcoding, adapt contents to meet system requirements, display capacities, or user preferences. Data security in such a framework is an important problem, and crucial for many web applications. In this paper, we propose an approach that addresses data integrity and confidentiality in content adaptation and caching by intermediaries. Our approach permits multiple intermediaries to simultaneously perform content services on different portions of the data. Our protocol supports decentralized proxy and key managements and flexible delegation of services. Our experimental results show that our approach is efficient and minimizes the amount of data transmitted across the network.

Added 2008-05-02

User Tasks and Access Control Over Web Services

Jacques Thomas, Federica Paci, Elisa Bertino, Patrick Eugster

Web services are a successful technology for enterprise information management, where they are used to expose legacy applications on the corporate intranet or in business-to-business scenarios. The technologies used to expose applications as web services have matured, stabilized, and are defined as W3C standards. Now, the technology used to build applications based on web services, a process known as orchestration, is also maturing around the Web Services Business Process Execution Language (WS-BPEL). WS-BPEL falls short on one feature though: as it is focused on orchestration of fully automatic web-services, WS-BPEL does not provide means for specifying human interactions, even less their access-control requirements. Human interactions are nonetheless needed for flexible business processes. This lacking feature of WS-BPEL has been highlighted in a white paper issued jointly by IBM and SAP, which “describes scenarios where users are involved in business processes, and defines appropriate extensions to WS-BPEL to address these.” These extensions, called BPEL4People, are well explained, but their implementation isn’t. In this paper, we propose a language for specifying these extensions, as well as an architecture to support them. The salient advantage of our architecture is that it allows for the reuse of existing BPEL engines. In addition, our language allows for specifying these extensions within the main BPEL script, hence preserving a global view of the process. We illustrate our extensions by revisiting the classic loan approval BPEL example.

Added 2008-05-02

Dissemination of Cultural Heritage Content through Virtual Reality and Multimedia Techniques: A Case Study

Elisa Bertino, S. Valtolina, P. Mazzoleni, S. Franzoni

This paper presents the case study of an interactive digital narrative and real-time visualization of an Italian theatre during the 19th century. This case study illustrates how to integrate the traditional concepts of cultural heritage with Virtual Reality (VR) technologies. In this way virtual reconstructions of cultural sites are lifted up to an exciting new edutainment level. Novel multimedia interaction devices and digital narrative representations combined with environment historical and architectural certified, offer to the users real-time immersive visualization where to live experiences of the past. Starting from the studies of several projects strengthening the great benefits connected at the use of the VR technologies in the cultural fields, the paper illustrates the motivations that have triggered a collaboration between the department of Computer Science [1] and the department of Performing Arts of the University of Milano [2] in order to develop this educational and entertaining system.

Added 2008-05-02

Information Driven Evaluation of Data Hiding Algorithms

Elisa Bertino, Igor Nai Fovino

Privacy is one of the most important properties an information system must satisfy. A relatively new trend shows that classical access control techniques are not sufficient to guarantee privacy when data mining techniques are used. Privacy Preserving Data Mining (PPDM) algorithms have been recently introduced with the aim of modifying the database in such a way to prevent the discovery of sensible information. Due to the large amount of possible techniques that can be used to achieve this goal, it is necessary to provide some standard evaluation metrics to determine the best algorithms for a specific application or context. Currently, however, there is no common set of parameters that can be used for this purpose. This paper explores the problem of PPDM algorithm evaluation, starting from the key goal of preserving data quality. To achieve such goal, we propose a formal definition of data quality specifically tailored for use in the context of PPDM algorithms, a set of evaluation parameters and an evaluation algorithm. The resulting evaluation core process is then presented as a part of a more general three step evaluation framework, taking also into account other aspects of the algorithm evaluation such as efficiency, scalability and level of privacy.

Added 2008-05-02

Technique for Optimal Adaptation of Time-Dependent Workflows with Security Constraints

Elisa Bertino, Arjmand Samuel, Arif Ghafoor, Basit Shafiq

Distributed workflow based systems are widely used in various application domains including e-commerce, digital government, healthcare, manufacturing and many others. Workflows in these application domains are not restricted to the administrative boundaries of a single organization [1]. The tasks in a workflow need to be performed in a certain order and often times are subject to temporal constraints and dependencies [1, 2]. A key requirement for such workflow applications is to provide the right data to the right person at the right time. This requirement motivates for dynamic adaptations of workflows for dealing with changing environmental conditions and exceptions.

Added 2008-05-02

Security in SOA and Web Services

Elisa Bertino, L. Martino

Security is today a relevant requirement for any distributed application, and in particular for those enabled by the Web such as e-health, e-commerce, and e-learning. It is thus crucial that the use of Web services, stand-alone or composed, provide strong security guarantees. Web services security encompasses several requirements that can be described along the well known security dimensions, that is: integrity, whereby a message must remain unaltered during transmission; confidentiality, whereby the contents of a message cannot be viewed while in transit, except by authorized services; availability, whereby a message is promptly delivered to the intended recipient, thus ensuring that legitimate users receive the services they are entitled to. Moreover, each Web service must protect its own resources against unauthorized access. This in turn requires suitable means for: identification, whereby the recipient of a message must be able to identify the sender; authentication, whereby the recipient of a message needs to verify the claimed identity of the sender; authorization, whereby the recipient of a message needs to apply access control policies to determine whether the sender has the right to use the required resources.

Added 2008-05-02

VNsnap: Taking Snapshots of Virtual Networked Environments with Minimal Downtime

CERIAS TR 2008-11
Ardalan Kangarlou, Dongyan Xu, Patrick Eugster
Download: PDF
Added 2008-05-01

MPGS: An Interactive Tool for the Specification and Generation of Multimedia Presentations

Elisa Bertino, Elena Ferrari, Marco Stolf

Multimedia presentations are composed of objects belonging to different data types such as video, audio, text, and image. An important aspect is that, quite often, the user defining a presentation needs to express sophisticated temporal and spatial constraints among the objects composing the presentation. In this paper, we present a system (called MPGS—Multimedia Presentation Generator System) which supports the specification of constraints among multimedia objects and the generation of multimedia presentations according to the specified constraints. The constraint model provided by MPGS is very flexible and powerful in terms of the kinds of object constraints it can represent. A large number of innovative features are supported including: asynchronous and simultaneous spatial constraints; components of interest and priority levels; motion functions. Obviously, the flexibility provided to the users requires the development of nontrivial techniques to check constraint consistency and to generate a presentation satisfying the specified constraints. In this paper, we illustrate the solutions we have devised in the framework of MPGS.

Added 2008-04-28