From Anita Borg Institute Wiki
Author's note: Below are the raw notes I took, unformatted and not checked, but I thought it would be more interesting to have them up quickly than have them be perfect!
Enhancing security and privacy in online social networks Sonia Jahid
- policies keep changing
  * e.g. you comment on a photo; the photo becomes public later, and so the comment does too
- We want a private and secure online social network, but normally we don't go through a 3rd party to talk to our friends
- shift the enforcement point, decentralize the network
- where should we store our data?
  * just me, but if I'm offline then no one can access my data
  * trusted parties (friends, organizations)
  * untrusted parties (not your true friends)
  * hybrid
- Look at access control for social networks
  * attribute-based encryption (EASiER)
  * architecture design - distributed hash
  - a distributed network is bad for newsfeeds, so how to make that efficient? ***
- What if we don't care so much about fb statuses?
  * there are other domains where we do, such as healthcare
  * this work can apply to more than one domain
Healthcare:
- health information exchange, "break the glass" policy
- want private audit, authentication, access control, anonymity
- health care network akin to a social network with actors as doctors, hospitals, clinics, patients
- revocable anonymity - log info to see who accessed data
- anonymous search
In case of emergency, break glass (policy):
- want to make sure that data gets to where it needs to go
- for example, what if Alice has an emergency in a strange city, how can the new hospital get access to her medical networks?
- can't always set up the policies in advance
- want Alice to be able to see who got her data
- master key for emergency access?
http://soniajahid.com
Question: familiar with diaspora*?
- difference here: they don't do cryptographic schemes for confidentiality
  * (at least at the point when she looked)
- can her ideas be merged into diaspora*? (which is now open source)
  * yes, potentially if they are interested
  * however, issues with research code, maybe not ready for heavy use
Question: ideas seem at odds: need to audit data and handle anonymity, for example
- auditing is done cryptographically, does not store actual info
Securing Online Reputation Systems Yuhong Liu
(out of order)
Trust exists with people who know each other
- is it possible to build up trust with people who don't know each other?
- yes, that's what online reputation systems are for (reddit, ebay, etc.)
- but ratings can easily be manipulated, e.g. IMDB: Resident Evil: Afterlife maintained a high score during the promo period of opening week, fell rapidly once it was over.
Single attacker:
- try to increase the cost of getting single userids
- investigate statistics and see those far away from the majority
- trust values
All of these can be worked around, can have problems
Defense: hybrid scheme
1. build a statistical model, detect change
  - objects have intrinsic quality, unlikely to change rapidly
  - colluding malicious users have similar rating behaviour, but this similarity does not exist among normal users
  - what if there are multiple users? attack packages?
  - different items have different rating profiles, will need to set up specific rating sts
  - cannot handle users that don't overlap
Question: what is the computational complexity?
- do trend detection early on, don't need to look at all the ratings, only the suspicious ones
- doing all would be hard
Question: What are you using?
- modified q-sum detector (accumulated sum)
Question: Is it really sensitive to time?
- q-sum detector can do big change or smaller shifts over time by
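Added worked example (mine, not the speaker's code) of the change-detection step in the hybrid scheme. It assumes the "q-sum detector (accumulated sum)" in the notes means the cumulative-sum (CUSUM) detector, and it uses a constructed rating stream shaped like the IMDB case above: high ratings during a promo period, then a drop. It also shows why only the ratings after an alarm need closer inspection, which is the point made in the complexity answer.

```python
"""Change-point detection on one item's rating stream with a two-sided CUSUM.

Added illustration, not code from the talk. Assumption: "q-sum" = CUSUM.
The ratings below are constructed, not real IMDB data.
"""
from statistics import mean

# Constructed rating stream: ten ratings during a promo period, then ten
# ratings after it ends (the opening-week pattern described in the notes).
PROMO_RATINGS = [9, 10, 9, 9, 10, 9, 10, 9, 9, 10]
LATER_RATINGS = [6, 5, 6, 5, 4, 5, 6, 5, 4, 5]
RATINGS = PROMO_RATINGS + LATER_RATINGS


def cusum(series, mu0, k=0.5, h=4.0):
    """Two-sided CUSUM of `series` against a reference level `mu0`.

    k is the allowance (half the shift size we want to be sensitive to),
    h the decision threshold. Returns (index, direction) of the first alarm,
    or None if the accumulated deviation never exceeds h. A single dissenting
    rating is absorbed (the sum is clipped at zero), while a persistent shift
    accumulates past h even when each step is small.
    """
    s_up = s_down = 0.0
    for i, x in enumerate(series):
        s_up = max(0.0, s_up + (x - mu0 - k))      # evidence of an upward shift
        s_down = max(0.0, s_down + (mu0 - x - k))  # evidence of a downward shift
        if s_up > h:
            return i, "up"
        if s_down > h:
            return i, "down"
    return None


def detect_rating_shift(ratings, baseline_n=10, k=0.5, h=4.0):
    """Estimate the item's level from its first `baseline_n` ratings, then run
    CUSUM on the rest. Returns (alarm index into `ratings`, direction) or None.
    Ratings from the alarm onward are the "suspicious ones" worth inspecting;
    everything before it was consistent with the item's intrinsic quality.
    """
    if len(ratings) <= baseline_n:
        return None
    mu0 = mean(ratings[:baseline_n])  # 9.4 for the constructed stream
    hit = cusum(ratings[baseline_n:], mu0, k, h)
    if hit is None:
        return None
    offset, direction = hit
    return baseline_n + offset, direction


if __name__ == "__main__":
    # Expected for the constructed stream: (11, 'down'), i.e. the second
    # post-promo rating already pushes the downward sum past h.
    print(detect_rating_shift(RATINGS))
```

Tuning note: k and h trade detection delay against false alarms, and the notes say different items have different rating profiles, so in practice both would be set per item class rather than fixed as here.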
On Detecting Deception Sadia Afroz
Deception: adversarial behaviour that disrupts regular behaviour of a system
Three cases:
- writing style
- website (phishing)
- blog comments
Writing style: linguistic choices that people make
- when people deliberately change their writing style, e.g. Amina Arraf (Gay Girl in Damascus): the real Amina was Thomas MacMaster
- Bill Keller wrote a critical article about Wikileaks; a supporter created a fake Bill Keller article that fooled a lot of people in the media
Approach: data collection -> feature extraction -> classification -> ...
short-term deception vs long-term deception: Hemingway-Faulkner imitation contest, Brennan-Greenstadt Corpus
- good at detecting short-term, not so good at long-term
- more than one persona: hard to maintain a writing style, can use authorship tools to find the long-term stuff
Phishing:
- detect website imitation
- can detect with high
Deception in blog comments:
- e.g. comment spam, looks similar to regular comments
- spammers post the same thing repeatedly
- use compression ratio (LZMA) -- spammers are highly compressible
- classifier: latent logistic regression
But spammers are smart, can buy tools to change ratings/comments on blogs
- create new accounts, use proxy, copy relevant words from other places on
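Added worked example (mine, not the speaker's code) of the compression-ratio feature from the blog-comment section. Assumptions: the ratio is computed per commenter over that commenter's concatenated comments, the compressor is LZMA as in the notes, and the 0.5 cutoff is a constructed threshold (the talk feeds the feature to a latent logistic regression classifier rather than thresholding it). The sample comments are constructed; the third commenter lightly varies a template, which is the "copy relevant words" evasion mentioned right above, and still compresses well.

```python
"""Compression-ratio feature for comment-spam detection.

Added illustration, not the speaker's code. Comments are constructed.
"""
import lzma

# Raw LZMA2 stream without a container header, so short inputs are not
# dominated by fixed overhead (the xz container alone adds ~60 bytes).
_FILTERS = [{"id": lzma.FILTER_LZMA2, "preset": 6}]


def compression_ratio(text):
    """Compressed size / raw size of the UTF-8 text (lower = more repetitive)."""
    raw = text.encode("utf-8")
    if not raw:
        return 1.0  # nothing to compress; treat as incompressible
    packed = lzma.compress(raw, format=lzma.FORMAT_RAW, filters=_FILTERS)
    return len(packed) / len(raw)


def ratios_by_author(comments):
    """comments: iterable of (author, text). Returns {author: ratio} computed
    over the concatenation of each author's comments, so an author who posts
    the same thing repeatedly gets a low ratio even if each post alone is short."""
    joined = {}
    for author, text in comments:
        joined.setdefault(author, []).append(text)
    return {a: compression_ratio("\n".join(ts)) for a, ts in joined.items()}


def flag_spammers(comments, threshold=0.5):
    """Authors whose comment history compresses below `threshold`.
    Constructed cutoff for illustration; a real system would learn it."""
    return sorted(a for a, r in ratios_by_author(comments).items() if r < threshold)


# Constructed sample: one ordinary commenter, one verbatim-repeat spammer, and
# one spammer who varies the template slightly per post.
SAMPLE_COMMENTS = [
    ("alice", "Interesting point about decentralised newsfeeds, though fan-out cost still worries me."),
    ("alice", "Did the speaker say whether revocation works offline, or only when a friend is reachable?"),
    ("alice", "The emergency master key idea seems risky if the escrow party is compromised."),
    ("alice", "Thanks for posting these notes so quickly, the healthcare section was the most useful."),
    ("alice", "Minor correction: I think the corpus name was spelled differently on the slide."),
    ("alice", "Would love a follow-up on how audit logs stay private yet remain verifiable."),
]
SAMPLE_COMMENTS += [("bot1", "Great post! Cheap watches at example-shop.test/offer, limited time only!!!")] * 8
SAMPLE_COMMENTS += [
    ("bot2", f"Great post! Cheap watches at example-shop.test/offer{i}, limited time only!!!")
    for i in range(8)
]


if __name__ == "__main__":
    for author, ratio in sorted(ratios_by_author(SAMPLE_COMMENTS).items()):
        print(f"{author:6s} ratio={ratio:.2f}")
    print("flagged:", flag_spammers(SAMPLE_COMMENTS))
```

The per-author grouping matters: a single spam comment is short and compresses no better than a normal one, so the feature only becomes informative once an account's history is pooled, which is also why the account-churning and proxying tactics noted above are aimed at it.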