A System for Registering Facts of Access to Protected Data in Digital Economy Systems

 
Article code: S123456780015725-8-1
DOI: 10.18254/S123456780015725-8
Publication type: Article
Publication status: Published
Authors
Affiliation: Federal Research Center “Computer Science and Control” of the Russian Academy of Sciences, Moscow, Russia
Address: Russian Federation, Moscow
Affiliation: Federal Research Center “Computer Science and Control” of the Russian Academy of Sciences, Moscow, Russia
Address: Russian Federation, Moscow
Affiliation: Federal Research Center “Computer Science and Control” of the Russian Academy of Sciences, Moscow, Russia
Address: Russian Federation, Moscow
Journal: Law & Digital Technologies
Issue: Volume 1, No. 1
Pages: 10-18
Abstract

The article considers an approach to building a system for registering facts of access to protected data. Information about an access fact contains the identification data of the subjects who performed the access, data about the information systems, and the time of access. The goal is to help investigate vulnerabilities and weak points in protection. In addition, such a system contains data on the employees responsible for a possible information leak, with all the legal and judicial consequences. The idea is to apply distributed ledger technology. The system makes it possible to identify users who attempted to obtain, or did obtain, valuable protected information. At present, the technical and theoretical basis for such solutions is ready. An analysis of the current situation in this area shows that all the leading players in this segment of the IT market, in parallel with developing mathematical models, also propose using methods of problem-oriented data mining. Considerable attention is paid to developing software and hardware-software means of ensuring the performance of the solutions under consideration.

Keywords: information security, protection of valuable information from compromise via indirect indicators, distributed ledger, data mining, high-performance computing
Funding source: The work is partially supported by Russian Foundation for Basic Research, projects 18-29-16145-mk and 18-07-03124-mk
Received: 01.07.2021
Publication date: 02.07.2021
Character count: 29995
  1. Introduction
In the coming Industry 4.0 era, data is of particular value. Personal digital identification, medical data, accounts with telecom operators' services, users' behavior profiles on the Internet, and the statuses and transactions of financial and bank accounts easily become objects of trade (TAdviser 2020). Regardless of commercial purposes, there will always be examples of dishonest use: from the deliberately malicious use of fake digital identification or blackmail to practically legal methods of determining credit scoring points for loan agreements, including fraudulent phone calls, e-mail spamming, phishing attacks and other challenges of the early stage of rapid digital economy growth.
The principal problem of these growing pains is that even after so-called data anonymization or obfuscation, the actual data owners can be recovered indirectly with relative ease. For a person, the indirect indicators can be biographical facts, the profile of their calls, contacts on social networks, mailing lists, recruitment, or preferences when visiting Internet resources. Even when a company name is absent, the profile of banking operations leaves well-informed people in no doubt as to which company it belongs to. With the current development of data aggregation and analysis technologies, it is becoming simpler to identify the owner of a particular digital profile, and the more data is subjected to machine analysis, the more easily and accurately the identification problem can be solved. Thus, sensitive information becomes more accessible and cheaper. In other words, even anonymized data have their own specifics, and an owner can be identified from these specifics with high probability. Privacy therefore has to be protected even when only valuable secondary information is collected. If we cannot resist the collection and analysis of data, then we have to make it more transparent who accesses it and when. This kind of problem has been considered in the literature (Grusho et al. 2019). So, if we register who retrieves data, and when, from various systems, even closed ones, then we can identify a potential infringer. In this way we could also gather an evidence base for an accusation if needed.
2. Example
Obviously, the treatment of most diseases requires collecting and using the experience gained by other doctors in various clinics. The problem of the combined use of medical databases has been discussed at many conferences and in numerous publications. Anonymization is used to protect personal data in the exchange of medical experience. However, as mentioned above, overcoming such protection with malicious intent is quite possible. The method of using functional dependencies in databases has long been known (Su and Özsoyoglu 1987). The method consists of multiple, specially crafted requests to the database. Moreover, in these requests the valuable information of interest to the potential adversary may be indicated only indirectly. At the same time, combining the results of the queries gives the adversary the chance to unambiguously determine the diagnosis of a particular patient and other valuable data. If the sequence and content of the requests made by the adversary are remembered, the adversary and their targets can be identified. Note that the databases of various clinics can be used under the guise of noble goals.
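The following added example (not code from the article) shows how remembered requests can expose the combination of queries described above. It assumes, hypothetically, that the register stores for each aggregate query the set of pseudonymous record ids it covered; the table, user names and the function `isolated_targets` are constructed for illustration.

```python
from itertools import combinations

# Constructed sample of an anonymized clinical table (all values are made up).
PATIENTS = [
    {"id": 1, "age": 34, "zip": "101", "dx": "asthma"},
    {"id": 2, "age": 41, "zip": "101", "dx": "diabetes"},
    {"id": 3, "age": 52, "zip": "101", "dx": "hepatitis"},
    {"id": 4, "age": 29, "zip": "202", "dx": "asthma"},
    {"id": 5, "age": 63, "zip": "202", "dx": "diabetes"},
    {"id": 6, "age": 47, "zip": "202", "dx": "asthma"},
]

def query_set(predicate):
    """Ids of the records that an aggregate query with this filter covers."""
    return frozenset(p["id"] for p in PATIENTS if predicate(p))

# Constructed register of remembered requests: (user, system, time, query set).
REGISTER = [
    ("u17", "clinic-A", 1, query_set(lambda p: p["zip"] == "101")),
    ("u42", "clinic-A", 2, query_set(lambda p: p["zip"] == "202")),
    ("u17", "clinic-A", 3, query_set(lambda p: p["zip"] == "101" and p["age"] != 52)),
    ("u42", "clinic-A", 4, query_set(lambda p: p["dx"] == "asthma")),
]

def isolated_targets(register, max_isolated=1):
    """Flag users whose remembered queries differ by at most max_isolated records.

    Subtracting the two aggregate results would then describe those few
    records, so the pair is reported with the user, the times and the targets.
    """
    by_user = {}
    for user, _system, time, covered in register:
        by_user.setdefault(user, []).append((time, covered))
    findings = []
    for user, entries in sorted(by_user.items()):
        entries.sort(key=lambda e: e[0])
        for (t1, q1), (t2, q2) in combinations(entries, 2):
            isolated = q1 ^ q2  # records covered by exactly one of the queries
            if 0 < len(isolated) <= max_isolated:
                findings.append((user, (t1, t2), sorted(isolated)))
    return findings

if __name__ == "__main__":
    for user, times, targets in isolated_targets(REGISTER):
        print(f"{user}: queries at t={times} isolate record(s) {targets}")
```

Neither of user `u17`'s queries names a patient, yet the pair isolates record 3; user `u42`'s queries overlap without isolating a single record and are not flagged at the default threshold.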
3. Technologies and proposals for technical solutions
Next, we will formulate the requirements for a tool to track attempts to obtain valuable information. We will also consider the existing technologies that allow such a system to be built (Piskovski et al. 2020). We will thus construct the design as a whole and thereby prove the following statement:
Modern technologies and methods make it possible to develop and implement a publicly available system that tracks who, where and when accessed data, regardless of where this data is processed and stored. The system allows you to reliably identify who is trying to obtain valuable information. At the same time, the system itself is protected from unauthorized access and data collection.
Since a system that collects queries and accesses itself becomes an attractive target for attack, we also have to protect this tool and its data. Since the system registers facts of data queries and accesses from different organizations, the most important aspect is to protect the integrity and ordering of such data. Moreover, the adversary is unknown a priori, so it is necessary to remember the requests of all users. Confidentiality is required to protect the analytics of the collected data. Thus, sensitive information stored in the system has to be closed, so that only authorized personnel can access it. An essential requirement concerns the amount of information stored and the growth rate of its volume. So, we should integrate distributed databases in order to carry out analysis concurrently for many users.
Summarizing all of the above, we can formulate the following principles:
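As an added illustration of the integrity and ordering requirement (not the authors' design, and not code from the article), the sketch below chains access facts with SHA-256 so that editing, reordering or dropping an entry is detectable. The record fields, sample values and function names are assumptions, and `trusted_head` stands for a head hash that another participating organization holds independently.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed predecessor of the first entry

# Constructed access facts: who, which system, when (all values are made up).
SAMPLE = [
    ("u17", "clinic-A", "2021-04-10T09:00:00Z"),
    ("u42", "clinic-B", "2021-04-10T09:05:00Z"),
    ("u17", "clinic-B", "2021-04-10T09:07:00Z"),
]

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash and the canonical record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(chain, subject, system, time):
    """Append one access fact and return the new head hash."""
    record = {"subject": subject, "system": system, "time": time}
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]

def build(facts):
    """Build a chain from (subject, system, time) tuples; return (chain, head)."""
    chain, head = [], GENESIS
    for fact in facts:
        head = append(chain, *fact)
    return chain, head

def first_invalid(chain, trusted_head=None):
    """Index of the first bad entry, or None if the chain is intact."""
    # trusted_head: head hash held by another participant; without it a
    # truncated or fully recomputed chain still verifies on its own.
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None

if __name__ == "__main__":
    chain, head = build(SAMPLE)
    chain[1]["record"]["subject"] = "u99"  # simulated tampering
    print("first invalid entry:", first_invalid(chain, head))
```

A chain that is truncated or rebuilt from scratch passes the local check, so detection in those cases depends on comparing against a head hash replicated outside the operator's control.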


1. Agrawal, Rakesh, Tomasz Imieliński, Arun Swami. 1993. Mining association rules between sets of items in large databases. Proceedings of the 1993 ACM SIGMOD international conference on Management of data, June 1993, N.-Y., 207 – 216. https://doi.org/10.1145/170035.170072

2. Agrawal, Rakesh, and Ramakrishnan Srikant. 1994. Fast Algorithms for Mining Association Rules. Proceedings of the 20th VLDB Conference Santiago, Chile, 1994, 487-499.

3. Baird, Leemon, Mance Harmon, and Paul Madsen. 2019. Hedera: A Public Hashgraph. Network & Governing Council. The trust layer of the internet. https://www.hedera.com/hh-whitepaper-v1.4-181017.pdf.

4. Becker, Georg. 2008. “Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis.” https://www.emsec.ruhr-uni-bochum.de/media/crypto/attachments/files/2011/04/becker_1.pdf.

5. Chen Tai-Yuan, Wei-Ning Huang, Po-Chun Kuo, Hao Chung, and Tzu-Wei Chao. 2018. A Highly Scalable, Decentralized DAG-Based Consensus Algorithm. https://eprint.iacr.org/2018/1112.pdf.

6. Churyumov, Anton. 2016. “Byteball: A Decentralized System for Storage and Transfer of Value.” https://obyte.org/Byteball.pdf.

7. Cohen, Paul. 2015. Big Mechanism (DARPA Big Mechanism Program). Physical Biology 12(4). https://doi.org/10.1088/1478-3975/12/4/045008

8. Department of Defense Trusted Computer System Evaluation Criteria, DoD. 1985. Accessed April 10, 2021. https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf

9. Directed Acyclic Graphs (DAGs). In Version Control by Example. https://ericsink.com/vcbe/html/directed_acyclic_graphs.html.

10. ENISA. n.d. “ISO/IEC Standard 15408 - Information technology -- Security techniques -- Evaluation criteria for IT security.” Accessed April 10, 2021. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/laws-regulation/rm-ra-standards/iso-iec-standard-15408

11. Finn, Victor et al. 2009. Automatic Generation of Hypotheses in Intelligent Systems, edited by Victor Finn. 2009. Moscow: Librokom.

12. Finn, Victor. 2011. J.S. Mill’s inductive methods in artificial intelligence systems. Scientific and Technical Information Processing 38(6): 385–402.

13. Finn, Victor. 2012. J.S. Mill’s inductive methods in artificial intelligence systems. Scientific and Technical Information Processing 39(5): 241–260.

14. Grusho, Alexander, Mikhail Zabezhailo, Alexander Zatsarinnyi, Victor Piskovskii, Sergey Borokhov. 2015. On the potential applications of data mining for information security provision of cloud-based environments. Automatic Documentation and Mathematical Linguistics 49(6): 193-201. https://doi.org/10.3103/S0005105515060023

15. Grusho, Alexander, Nikolay Grusho, Mikhail Zabezhailo and Elena Timonina. 2019. “Protection of valuable information in public information space.” Communications of the ECMS. Proceedings of the 33rd European Conference on Modelling and Simulation 33(1): 451–455.

16. Harris-Braun, Eric, Nicolas Luck, and Arthur Brock. 2018. “Holochain. Scalable agent-centric distributed computing,” DRAFT (ALPHA 1) - 2/15/2018. https://whitepaperdatabase.com/holo-chain-hot-whitepaper/

17. Hauge, Bjorn. 2018. SWIFTNet, VisaNet and Blockchain: The Future of Clearing. https://medium.com/datadriveninvestor/swiftnet-visanet-and-blockchain-the-future-of-clearing-f42de3ced34c.

18. IBM Cloud Services. n.d. Accessed April 10, 2021. http://www-935.ibm.com/services/us/en/it-services/cloud-services/

19. Lally, Adam, Sugato Bachi, Michael Barborak, David Buchanan, Jennifer Chu-Carroll, David Ferrucci, Michael Glass, Aditya Kalyanpur, Erik Mueller, William Murdock et al. 2014. WatsonPaths: Scenario-based Question Answering and Inference over Unstructured Information (IBM Research Report RC25489). www.patwardhans.net/papers/LallyEtAl14.pdf

20. Leemon, Baird. 2016. “The Swirlds Hashgraph Consensus Algorithm: Fair, Fast, Byzantine Fault Tolerance.” https://www.swirlds.com/downloads/SWIRLDS-TR-2016-01.pdf.

21. Pearl, Judea. 2000. Causality: Models, Reasoning, and Inference. Cambridge: Cambridge University Press.

22. Piskovski, Victor, Alexander Grusho, Mikhail Zabezhailo, Andrey Nikolaev, Vladimir Senchilo, and Elena Timonina. 2020. Security Architectures in Digital Economy Systems. International Journal of Open Information Technologies 8(9): 48-52.

23. Plotkin, Gordon. 1970. “A Note on Inductive Generalization.” In Machine Intelligence 5. 153-164. Edinburgh: Edinburgh University Press.

24. Plotkin, Gordon. 1971. “A Further Note on Inductive Generalization.” In Machine Intelligence 6. 101-124. Edinburgh: Edinburgh University Press.

25. Rudakov, Konstantin. 1986. Some universal restrictions for classification algorithms. Zh. Vychisl. Mat. Mat. Fiz. 26(11): 1719–1730.

26. SAS Institute. n.d. FORTUNE: 100 Best Companies to Work for. Accessed April 10, 2021. http://fortune.com/best-companies/sas-institute-4/

27. SAS Institute Inc. n.d. Patent applications. Accessed April 10, 2021. http://www.faqs.org/patents/assignee/sas-institute-inc/

28. SAS Institute Inc. 2013. Data Mining Using SAS Enterprise MinerTM: A Case Study Approach. http://support.sas.com/documentation/cdl/en/emcs/66392/PDF/default/emcs.pdf

29. SAS Institute Inc. 2015. SAS/STAT 14.1 User’s Guide: High-Performance Procedures. http://support.sas.com/documentation/cdl/en/stathpug/68163/PDF/default/stathpug.pdf

30. SAS Institute Inc. 2015. Base SAS. High-Performance Procedures. Accessed April 10, 2021. http://support.sas.com/documentation/cdl/en/prochp/68141/PDF/default/prochp.pdf

31. Sobti, Rajeev, and Ganesan Geetha. 2012. Cryptographic Hash Functions: A Review. International Journal of Computer Science Issues 9(2): 461-479. https://www.researchgate.net/publication/267422045_Cryptographic_Hash_Functions_A_Review.

32. Stathakopoulou,

33. Su, Tzong-An, and Gultekin Özsoyoglu. 1987. “Data Dependencies and Inference Control in Multilevel Relational Database Systems.” In Proceedings of the IEEE Symposium on Security and Privacy: 202-202.

34. TAdviser. 2020. Systems of BI and Big Data in Russia. Accessed April 10, 2021. https://www.tadviser.ru/index.php/BI.

35. VISA. Accessed April 10, 2021. https://usa.visa.com/partner-with-us/payment-technology/visa-b2b-connect.html.

36. Wikipedia. Merkle Tree. Accessed April 10, 2021. https://en.wikipedia.org/wiki/Merkle_tree.

37. Zabezhailo, Mikhail. 2014. Some capabilities of enumeration control in the DSM method. Scientific and Technical Information Processing 41(6): 335–361.

38. Zhu, Wei-Dong, Bob Foyle, Daniel Gagné, Vijay Gupta, Josemina Magdalen, Amarjeet Mundi, Tetsuya Nasukawa, Mark Paulis, Jane Singer and Martin Triska. 2014. IBM Watson Content Analytics: Discovering Actionable Insight from Your Content IBM Redbooks: IBM Corp. http://www.redbooks.ibm.com/abstracts/sg247877.html?Open

39. Zhuravlev, Yuri. 1977. Correct algebras on sets of incorrect (heuristic) algorithms. Kibernetika 4: 5–17.

40. Zhuravlev, Yuri. 1977. Correct algebras on sets of incorrect (heuristic) algorithms. Kibernetika 6: 21–27.

41. Zhuravlev, Yuri. 1978. Correct algebras on sets of incorrect (heuristic) algorithms. Kibernetika 2: 35–43.

42. Zhuravlev, Yuri, Vladimir Ryazanov, and Oleg Sen’ko. 2006. “Recognition.” Mathematical Methods. Software System. Practical Applications. Moscow: Fazis.
