Identification and Elimination of Attacks in Graph-based Process Models.

摘要

A process is a collection of steps, reading and writing data and annotations on data, carried out by either human or automated agents, to accomplish a specific goal. The agents in our process, through their interactions with the data and annotations via the steps, can carry out various privacy breaching attacks. By "privacy breach", we mean that an individual's personally identifiable information is disclosed to other individuals, without the former's consent. It is difficult to automatically identify these rogue agents and offending steps, which remain hidden among a large number of other non-malicious agents and steps. This dissertation presents a novel approach that automatically identifies the different ways in which an attack (mostly privacy breach related attack) can take place on a process. We first develop a graph-based language to model processes and possible attacks. Given a process and a possible attack modeled in this language, our approach determines if this attack can be successfully carried out on the process. If successful, our approach also finds out in how many different ways this same attack can be carried out on the process. We also identify collusion scenarios where multiple agents can collude to realize an attack. Attacks on complex processes which have collection-oriented data hierarchies (multiple data possessing parent-child relationship among them) and fine grained data dependencies, are also identified. Once an attack is found to be successful against a process, we automatically identify improvement opportunities in the process and carry them out, thereby eliminating ways in which the attack can succeed. The identification uses information about which steps in the process are most heavily attacked, and try to find improvement opportunities in them first, before moving onto the lesser attacked ones. We then evaluate the improved process to verify that our improvement is successful. This cycle of process improvement and evaluation iterates until all possible ways of attack are either thwarted or the remaining attack ways cannot be eliminated by the identified improvement opportunities.