DOI: 10.1145/3295453.3295455
research-article

Graph-Based Data-Collection Policies for the Internet of Things

Published: 04 December 2018

    Abstract

    Smart industrial control systems (e.g., smart grid, oil and gas systems, transportation systems) are connected to the internet, and have the capability to collect and transmit data; as such, they are part of the IoT. The data collected can be used to improve services; however, there are serious privacy risks. This concern is usually addressed by means of privacy policies, but it is often difficult to understand the scope and consequences of such policies. Better tools to visualise and analyse data collection policies are needed. Graph-based modelling tools have been used to analyse complex systems in other domains. In this paper, we apply this technique to IoT data-collection policy analysis and visualisation. We describe graphical representations of category-based data collection policies and show that a graph-based policy language is a powerful tool not only to specify and visualise the policy, but also to analyse policy properties. We illustrate the approach with a simple example in the context of a chemical plant with a truck monitoring system. We also consider policy administration: we propose a classification of queries to help administrators analyse policies, and we show how the queries can be answered using our technique.

    Cited By

    • (2023) Interactive Privacy Management: Toward Enhancing Privacy Awareness and Control in the Internet of Things. ACM Transactions on Internet of Things 4:3 (1-34). DOI: 10.1145/3600096. Online publication date: 7-Jun-2023
    • (2023) The Analysis of Security Properties for Dynamic Privacy-Policy in Data Collection and Access Control. Advances in Systems Engineering (175-182). DOI: 10.1007/978-3-031-40579-2_17. Online publication date: 4-Aug-2023
    • (2019) Privacy-Preserving Architecture for Cloud-IoT Platforms. 2019 IEEE International Conference on Web Services (ICWS) (11-19). DOI: 10.1109/ICWS.2019.00015. Online publication date: Jul-2019

    Published In

    ICSS '18: Proceedings of the 4th Annual Industrial Control System Security Workshop
    December 2018
    43 pages
    ISBN:9781450362207
    DOI:10.1145/3295453
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Category-Based Data Collection
    2. Internet of Things
    3. Policy Analysis
    4. Policy Visualisation
    5. Privacy Policy

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ICSS '18
