Data mining technology has given us new capabilities to identify correlations in large data sets. This introduces risks when the data is to be made public, but the correlations are private. We introduce a method for selectively removing individual values from a database to prevent the discovery of a set of rules, while preserving the data for other applications. The efficacy and complexity of this method are discussed. We also present an experiment showing an example of this methodology.

Secure Multi-Party Computation enables parties with private data to collaboratively compute a global function of their private data, without revealing that data. The increase in sensitive data on networked computers, along with improved ability to integrate and utilize that data, make the time ripe for practical secure multi-party computation. This paper surveys approaches to secure multi-party computation, and gives a method whereby an efficient protocol for two parties using an untrusted third party can be used to construct an efficient peer-to-peer secure multi-party protocol.

Privacy preserving mining of distributed data has numerous applications. Each application poses different constraints: What is meant by privacy, what are the desired results, how is the data distributed, what are the constraints on collaboration and cooperative computing, etc. We suggest that the solution to this is a toolkit of components that can be combined for specific privacy-preserving data mining applications. This paper presents some components of such a toolkit, and shows how they can be used to solve several privacy-preserving data mining problems.

The problem of sharing manufacturing, inventory, or capacity to improve performance is applicable in many decentralized operational contexts. However, the solution of such problems commonly requires an intermediary or a broker to manage information security concerns of individual participants. Our goal is to examine use of cryptographic techniques to attain the same result without the use of a broker. To illustrate this approach, we focus on a problem faced by independent trucking companies that have separate pick-up and delivery tasks and wish to identify potential efficiency-enhancing task swaps while limiting the information they must reveal to identify these swaps. We present an algorithm that finds opportunities to swap loads without revealing any information except the loads swapped, along with proofs of the security of the protocol. We also show that it is incentive compatible for each company to correctly follow the protocol as well as provide their true data. We apply this algorithm to an empirical data set from a large transportation company and present results that suggest significant opportunities to improve efficiency through Pareto improving swaps. This paper thus uses cryptographic arguments in an operations management problem context to show how an algorithm can be proven incentive compatible as well as demonstrate the potential value of its use on an empirical data set.

Recent work has shown that conventional operating system audit trails are insufficient to detect low-level network attacks. Because audit trails are typically based upon system calls or application sources, operations in the network protocol stack go unaudited. Earlier work has determined the audit data needed to detect low-level network attacks. We describe an implementation of an audit system which collects this data and analyze the issues that guided the implementation. Finally, we report the performance impact on the system and the rate of audit data accumulation in a test network.

hen collecting requirements for software, designers may learn of needs for specific forms of protection to be present. These needs may be translated into requirements for encryption or authentication, but what about the non-obvious aspects of security - including privacy, auditability and assurance - that are usually overlooked in the requirements capture process? When we overlook these issues, we get software that doesn’t deserve our trust. In this paper, I discuss some of the aspects of security that are regularly overlooked by designers and suggest some standard questions that should be addressed in every design

Eugene Spafford discusses the books that have been most influential in shaping his attitudes about security and privacy.

On the evening of 2 November 1988, someone “infected” the Internet with a worm program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus infecting those systems. This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days. It was the first major network-wide attack on computer systems, and thus was a matter of considerable interest. We provide a brief chronology of both the spread and eradication of the program, a presentation about how the program worked, and details of the aftermath. That is followed by discussion of some observations of what has happened in the years since that incident. The discussion supports the title-that the community has failed to learn from the past.

Host-based intrusion detection systems attempt to identify attacks by discovering program behaviors that deviate from expected patterns. While the idea of performing behavior validation on-the-fly and terminating errant tasks as soon as a violation is detected is appealing, existing systems exhibit serious shortcomings in terms of accuracy and/or efficiency. To gain acceptance, a number of technical advances are needed. In this paper we focus on automated, conservative, intrusion detection techniques, i.e. techniques which do not require human intervention and do not suffer from false positives. We present a static analysis algorithm for constructing a flow- and context-sensitive model of a program that allows for efficient online validation. Context-sensitivity is essential to reduce the number of impossible control-flow paths accepted by the intrusion detection system because such paths provide opportunities for attackers to evade detection. An important consideration for on-the-fly intrusion detection is to reduce the performance overhead caused by monitoring. Compared to the existing approaches, our inlined automaton model (IAM) presents a good tradeoff between accuracy and performance. On a 32K line program, the monitoring overhead is negligible. While the space requirements of a naive IAM implementation can be quite high, compaction techniques can be employed to substantially reduce that footprint.

In memory of James P. Anderson

A low-cost, two-step location update/paging scheme in a macrocell/microcell network is proposed and investigated. To reduce operating cost, the location update is operated only in the macrocell tier. A callee will be paged in the macrocell tier first. If the paging delay in the macrocell tier is too high due to large queuing delay, the callee will then be paged in the microcell tier. Original searching method is used in the microcell tier paging. The operation for the scheme is simple, since the macrocell/microcell cellular network has the advantage that a mobile user in such a cellular network can receive a signal from both a macrocell and a microcell. The analytical results show that, along with the low location update/paging cost, the two-step paging scheme also achieves low paging delay.