Enhancing Information and Data Security: A Never Ending Quest
Published: June 04, 2008 in Knowledge@SMU
As information technology (IT) continues to reach into every corner of our lives, the digital age also raises serious concerns about information and data security, and the urgent need for more research in these areas. Since January 2005, according to the Privacy Rights Clearinghouse, in the US alone there have been security breaches involving over 218 million records containing sensitive personal information. In such cases, people whose personal records are compromised are at risk of identity theft and financial fraud. Governments that want to fully exploit IT are aware of the need to put personal data protection laws in place, particularly in relation to the finance and biomedical sectors. However, the drive to secure digitised information spreads across several fronts in the IT world.
Singapore Management University’s School of Information Systems (SIS) is spearheading research to capitalise on the innovative use of technology to improve data and information security. According to information systems professor Li YingJiu, “Security is instituted not only to protect information. It is also a business enabler. One important part of retaining customers’ trust and loyalty is ensuring the security of confidential and sensitive client information which will instil confidence and lay the foundation for new ways of doing business.”
Five Areas
Putting the issues in perspective, Li emphasised that there is no single system which addresses all information security needs. Specifically, there are five areas that have to be addressed in information security: encryption of information during storage and transmission; implementation of an authentication system at log-in; intrusion detection to spot an attack on the system; inference control applications to filter out queries that can extract sensitive personal information; and digital rights management where data is seeded with watermarks or fingerprints.
Towards this end, the information security and trust laboratory at SIS focuses on research to apply state-of-the-art technologies and solutions to secure IT infrastructure, protect information belonging to businesses and individuals, and build trust among all parties. Working in-house as well as in collaboration with other tertiary institutions, the SIS team -- led by information systems professor and associate dean Robert Deng -- is involved in research spanning a diverse range of information security projects.
Multi-recipient Mail Encryption
Li explained that various technology solutions are available for encryption of confidential and sensitive data during storage. The same information, he added, is also at risk when being transmitted between email destinations. Existing solutions are not efficient in handling encrypted carbon-copied emails or in protecting the privacy of multi-recipient emails. Therefore, SIS’ researchers were prompted to develop a new approach that gets around the limitations of existing email encryption technology.
Multi-recipient encryption of email is challenging because current practice, for example, requires concatenation of multiple email cipher texts which are encrypted with different recipients’ public keys. The result is that each recipient will only read what is decrypted on his computer without knowing the results from decryption by other email parties. This defeats the idea of trying to put multi-recipients on the same page, so to speak.
“Our prototype solution, known as multiplex encryption, is compatible with current email architecture, but manual changes must be made to the server and users are required to be in the same email domain,” explained Li. “SIS professor Xuhua Ding and his team will carry out further research on the feasibility of a new encryption paradigm without requiring third party involvement, as is currently the case in using partially trusted servers,” he added.
Two-server Authentication
Authentication at log-in is crucial to keep out unauthorised users. According to Li, a long-established security practice is the use of password-based authentication where the information is stored in a central database. However, it is not unknown for hackers to illegally obtain passwords on a server, with serious legal and financial repercussions for an organisation.
Touching on the background to this research, he said that multi-server password systems have been proposed to avoid the vulnerability inherent in single-server architecture. Such systems are, however, difficult to operate as users have to communicate simultaneously with multiple servers, or the protocols are quite expensive, he explained.
Li highlighted the success of SIS researchers in developing a prototype solution that splits a password and stores it in a novel way on two servers, thus depriving hackers of access to the full password in an attack. Elaborating on its features, Li said that only the front-end server engages with users while a control server with the remaining part of the password stays in the background. The solution can be applied to strengthen existing single-server password systems while securing the system against what is known as offline dictionary attacks mounted by Trojan horse viruses planted by hackers on either of the two servers.
Intrusion Detection
While authentication helps to keep out unauthorised users, hackers will continue to mount insidious attacks aimed at exploiting weaknesses of computer programmes. According to Debin Gao, also an SIS professor at SMU, reports on computer programme vulnerabilities have grown from 1090 in 2000 to 7239 in 2007.
One such weakness, for example, may permit an attacker to inject code that causes the computer to run the attacker’s programme. According to Gao, “Automatically detecting such intrusions and analysing the vulnerabilities are, therefore, critical in securing a computer system which is the job of intrusion detection systems (IDS).” The IDS evaluates a suspected intrusion once it has taken place and raises the alarm. It is also on alert for attacks that can originate from within the system.
One approach of IDS software is to detect anomalies by comparing the results from monitoring with established models that characterise the normal behaviour and interactions of the programmes. An alarm is raised when deviation is detected.
Gao explained: “Getting true readings from the analyses is a challenge, partly because of the tremendous resources called up by a computer and the network with corresponding system responses, all of which have to be monitored and evaluated. Moreover, it is made more difficult with the added sophistication of malicious injected codes which can mimic the original software, even returning the correct response while carrying out the attacks.” This can result in the system not detecting an attack, known as ‘false negative’, or raising the alarm when there is actually no attack, known as ‘false positive’.
Ideally the IDS should be proactive rather than reactive, the latter being more the case with present systems. Gao expanded on the team’s response to this shortcoming: “Hence, our researchers have been working on a new approach known as ‘Behavioural Distance for Intrusion Detection’. Rather than monitoring and comparing the readings against an established model to detect any anomalies, comparison is made against a similar live application running in parallel on another operating system, for example Windows and Linux platforms, injecting the notion of ‘behavioural distance’”. Their research results show that the new approach offers strong defence against hard-to-detect mimicry attacks.
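The comparison described above can be sketched as a weighted edit distance between the system-call traces of two replicas serving the same request. This is an added example, not the SIS researchers' code or their distance measure: the call names, the cost table, the gap cost and the alarm threshold are all constructed assumptions.

```python
# Added illustration: simplified behavioural distance between two replicas.
# Cost of aligning a Linux call with a Windows call (0 = same behaviour).
# The table, costs and threshold below are assumptions, not measured values.
EQUIV = {
    ("open", "NtCreateFile"): 0.0,
    ("read", "NtReadFile"): 0.0,
    ("write", "NtWriteFile"): 0.0,
    ("close", "NtClose"): 0.0,
}
MISMATCH = 1.0    # aligning two unrelated calls
GAP = 0.6         # a call on one replica with no counterpart on the other
THRESHOLD = 0.2   # normalised distance above which an alarm is raised


def behavioural_distance(linux_trace, windows_trace):
    """Weighted edit distance between two traces, normalised by length."""
    n, m = len(linux_trace), len(windows_trace)
    d = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        d[i][0] = i * GAP
    for j in range(1, m + 1):
        d[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            pair = (linux_trace[i - 1], windows_trace[j - 1])
            d[i][j] = min(
                d[i - 1][j - 1] + EQUIV.get(pair, MISMATCH),  # align the calls
                d[i - 1][j] + GAP,                            # extra Linux call
                d[i][j - 1] + GAP,                            # extra Windows call
            )
    return d[n][m] / max(n, m, 1)


def is_anomalous(linux_trace, windows_trace):
    return behavioural_distance(linux_trace, windows_trace) > THRESHOLD


# Constructed sample traces for one file-serving request.
WINDOWS_NORMAL = ["NtCreateFile", "NtReadFile", "NtClose", "NtWriteFile"]
LINUX_NORMAL = ["open", "read", "close", "write"]
LINUX_CHUNKED = ["open", "read", "read", "close", "write"]  # benign variation
LINUX_INJECTED = ["open", "read", "close", "execve", "socket", "send", "write"]
```

The benign variation stays under the threshold because a single unmatched call is cheap, while the three calls with no counterpart on the other replica push the injected trace over it.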
Inference Control
Vigilance against intruders or even authorised users abusing privileges to access sensitive information is another aspect of information security. Li said the focus in this case is mainly related to databases, in particular massive data sets as in national census information.
“Statistical inference control software is needed for privacy protection of sensitive data and access control while striking a balance arising from the increasing need for accurate statistical data,” he added.
On the basics of inference control, Li said that one way access to confidential information is controlled is by the software refusing to respond to queries for sensitive data. “Users can still get around access control by combining requests for non-sensitive information from which results on sensitive values can be inferred,” he stressed. “Such inferences will not be captured by traditional access control as the queries are seemingly innocent.”
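One way an inference-control layer can catch such combinations is to audit each SUM query against everything already answered and refuse it if any single record's value would become solvable. This is an added example, not the SIS researchers' software: the `SumAuditor` class, the salary figures and the record ids are constructed assumptions.

```python
from fractions import Fraction


def rref(rows):
    """Reduced row echelon form over the rationals (exact arithmetic)."""
    m = [[Fraction(x) for x in r] for r in rows]
    lead = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(lead, len(m)) if m[r][col] != 0), None)
        if pivot is None:
            continue
        m[lead], m[pivot] = m[pivot], m[lead]
        m[lead] = [x / m[lead][col] for x in m[lead]]
        for r in range(len(m)):
            if r != lead and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[lead])]
        lead += 1
        if lead == len(m):
            break
    return m


class SumAuditor:
    """Hypothetical auditor for SUM queries over one sensitive column."""

    def __init__(self, values):
        self.values = values   # sensitive column, indexed by record id
        self.answered = []     # 0/1 membership vectors of answered queries

    def exposed(self, vectors):
        """Record ids whose value is uniquely determined by these sums."""
        # A record is solvable exactly when its unit vector is in the row
        # space, which shows up as an RREF row with a single nonzero entry.
        return [row.index(1) for row in rref(vectors)
                if sum(1 for x in row if x != 0) == 1]

    def sum_query(self, ids):
        vec = [1 if i in ids else 0 for i in range(len(self.values))]
        if self.exposed(self.answered + [vec]):
            return None        # refuse: an individual value could be inferred
        self.answered.append(vec)
        return sum(self.values[i] for i in ids)


# Constructed sample data: salaries of five employees (record ids 0..4).
SALARIES = [5200, 4800, 6100, 7000, 5500]
```

With this data, a sum over records {0, 1, 2} is answered, but a later sum over {0, 1} is refused because the difference between the two answers is exactly record 2's salary.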
Taking into account that databases today are no longer viewed in two dimensions but can be cross referenced in multi-dimensions, a higher degree of artificial intelligence has to be built into the inference control software, not only for greater efficiency but also to cope with correlation of added parameters to avoid disclosing sensitive information. Li explained, “Our researchers have been working on inference control for data cubes which will provide the basis for such next generation software.”
Digital Rights Management (DRM)
Concerns about owner rights of digitised information, which can be easily copied by others, led to the evolution of digital rights management where watermarks or fingerprints were seeded into the product. In its research, SIS took a page from well established technology related to watermarking of multimedia documents and customised it for relational databases, said Li. “Our research aims to develop a new database watermarking scheme that can be used for publicly verifiable ownership protection. Our approach has some unique properties.”
According to Li, these include a publicly verifiable key which allows watermark detection and ownership proof to be effectively performed publicly by anyone as many times as necessary. Secondly, this approach introduces no errors to the underlying data, which is a challenge for other DRM software. Li added that this system can, therefore, be used for watermarking any type of data including integer numeric, real numeric, character and Boolean, without fear of any error constraints. It also allows for incremental updating of the database without affecting the watermark. Li added: “Our scheme is robust. It is difficult to invalidate watermark detection and ownership proof through typical database and other attacks.”
He said that users appreciated the watermarking technique because of its practical application in the real world in protecting ownership of published or distributed databases. SMU’s research in information security, Li concluded, will contribute towards further securing computer systems and the Internet, as well as protecting the integrity of digital products and ownership rights.







