Data sharing is increasingly important. Companies share data internally across business units to gain business insights, they share data externally with data analytics vendors, and they often share data simply to make money. Ensuring the anonymity of users in the data set is necessary. The process of approving or certifying anonymization, however, is costly, time consuming, and uncertain. Current approaches to anonymization are ad hoc at best. They require a custom strategy for each new data sharing scenario, and it is often unclear whether the data is really anonymized or not.
In this informative and lively session, corporate DPOs, vendors of analytics solutions, and privacy researchers share their experiences with data anonymization and the approval process. They provide case studies illustrating the pitfalls of "do it yourself" anonymization, and show how new ready-for-use anonymization can eliminate the delays and guesswork of data anonymization.
The workshop will be held May 25 in San Jose, CA.
For over 40 years, the holy grail of database anonymization has been a system that allows a wide variety of statistical queries with minimal answer distortion, places no limits on the number of queries, is easy to configure, and gives strong protection of individual user data. This keynote presents Diffix, a database anonymization system that promises to finally bring us within reach of that goal. Diffix adds noise to query responses, but "fixes" the noise to the response so that repeated instances of the same response produce the same noise. While this addresses the problem of averaging attacks, it opens the system to "difference attacks", which can reveal individual user data merely through the fact that two responses differ. Diffix proactively examines queries and responses to defend against difference attacks. This talk presents the design of Diffix, gives a demo of a commercial-quality implementation, and discusses shortcomings and next steps.
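The trade-off described in the abstract above, as an added toy illustration (not Diffix's algorithm or code): noise seeded from the response no longer averages out, but two queries whose answer sets differ by one user then return different values. The salt, noise width, table and all function names are assumptions made for this example.

```python
import hashlib
import random
import statistics

SALT = b"constructed-salt"  # assumption: secret held by the anonymizer
SD = 2.0                    # assumption: noise standard deviation

# Constructed toy table: user id -> has_condition (25 of 100 users match)
TABLE = {uid: uid % 4 == 0 for uid in range(1, 101)}


def answer_set(exclude=None, table=TABLE):
    """User ids counted by 'has_condition', optionally excluding one id."""
    return frozenset(u for u, hit in table.items() if hit and u != exclude)


def fresh_count(users, rng):
    """Independent noise on every call: repeated answers can be averaged."""
    return len(users) + rng.gauss(0, SD)


def sticky_count(users):
    """Noise seeded from the response itself: same users, same noise."""
    digest = hashlib.sha256(SALT + repr(sorted(users)).encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return len(users) + rng.gauss(0, SD)


def averaged_error(noisy, users, repeats=2000):
    """Absolute error of the mean of `repeats` answers to one query."""
    mean = statistics.fmean(noisy(users) for _ in range(repeats))
    return abs(mean - len(users))


def responses_differ(victim, table=TABLE):
    """Compare the sticky answers with and without `victim` excluded."""
    with_victim = sticky_count(answer_set(table=table))
    without_victim = sticky_count(answer_set(exclude=victim, table=table))
    return with_victim != without_victim


if __name__ == "__main__":
    rng = random.Random(1)
    users = answer_set()
    print("fresh noise, averaged error: ",
          averaged_error(lambda u: fresh_count(u, rng), users))
    print("sticky noise, averaged error:", averaged_error(sticky_count, users))
    print("differs for a matching user: ", responses_differ(8))
    print("differs for a non-matching user:", responses_differ(7))
```

The last two lines show why sticky noise alone is not sufficient and why the abstract says queries and responses are also examined.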
Our understanding of exploit documents as a vector to deliver targeted malware is limited to a handful of studies done in collaboration with the Tibetans, Uyghurs, and political dissidents in the Middle East. In this measurement study, we present a complementary methodology relying only on publicly available data to capture and analyze targeted attacks with both greater scale and depth. In particular, we detect exploit documents uploaded over one year to a large anti-virus aggregator (VirusTotal) and then mine the social engineering information they embed to infer their likely targets and contextual information of the attacks. We identify attacks against two ethnic groups (Tibet and Uyghur) as well as 12 countries spanning America, Asia, and Europe. We then analyze the exploit documents dynamically in sandboxes to correlate and compare the exploited vulnerabilities and malware families targeting different groups. Finally, we use machine learning to infer the role of the uploaders of these documents to VirusTotal (i.e., attacker, targeted victim, or third-party), which enables their classification based only on their metadata, without any dynamic analysis. We make our datasets available to the academic community.
Over the next six years their project "imPACT: Privacy, Accountability, Compliance, and Trust in Tomorrow's Internet" will receive almost 10 million euros, which will allow them to explore how to protect users against eavesdropping and fraud on the Internet without restricting trade, freedom of expression or access to information.
A recent WWW 2012 paper by Krishna Gummadi, Bimal Viswanath, and their coauthors was covered by GigaOM, a popular technology news blog, in an article titled "Who's to blame for Twitter spam? Obama, Gaga, and you."
Steven le Blond's work on security flaws in Skype and other peer-to-peer applications has been receiving global media attention: WSJ, Le Monde (French), die Zeit (German), Daily Mail, New Scientist, Slashdot, Wired, and the New Scientist "One Percent" blog.
We are pleased to announce that three new faculty will join MPI-SWS this fall.
Björn Brandenburg is joining us from the University of North Carolina at Chapel Hill (UNC), where he obtained his Ph.D. in computer science. Björn's research interests include multiprocessor real-time systems, real-time synchronization protocols, and operating systems. Björn is the lead designer and developer of LITMUS^RT, an extension of the Linux kernel for real-time scheduling and synchronization on multicore platforms.
Deepak Garg is joining us from the Cybersecurity Lab (CyLab) at Carnegie Mellon University, where he was a post-doctoral researcher. He obtained his Ph.D. from Carnegie Mellon's Computer Science Department. His research interests are in the areas of computer security and privacy, formal logic and programming languages. He is specifically interested in logic-based models of secure systems and formal analysis of security properties of systems.
Ruzica Piskac is joining us from EPFL, where she has completed her Ph.D. in computer science. The goal of her research is to make software development easier and software more reliable via automated reasoning techniques. She is specifically interested in decision procedures, their combinations and applications in program verification and software synthesis.