I co-direct the ALPS lab (Albany Lab for Privacy Security) at the Department of Computer Science at the University of Albany.

My research interests revolve around information security, privacy, and trust in modern information systems. I am interested in developing theories and mechanisms for protecting information in complex systems such as online social networks and for enabling data sharing while preserving user privacy. In addition to the theories in the security domain, I am inspired by the work in formal methods, knowledge representation and reasoning, data mining, and information system design among others.

More specific areas of interest include, but not limited to:

  • Access Control Policies and Mechanisms: Modeling, Testing, and Verification
  • Privacy in Online Social Networks
  • Privacy in Sharing/Publishing Social Network Data and Location Data

Privacy Control in Online Social Networks

Online social networks (OSNs), such as Facebook, operate using various information resources related to their users, which are potentially privacy-sensitive. Protecting information in such an environment is challenging due to interconnected nature of information objects and users, and the fact that both users and the system should be able to specify authorization policies for data access. I study specification, enforcement, and analysis of privacy control policies in OSNs.

OSNAC

Anonymizing Social Network Datasets

Study of social networks is growing in different domains such as academia, business, and even government, in order to identify interesting patterns at either the node or network levels. In many social network datasets, the exact identity of the involved people does not matter to the purpose of the study. Yet such datasets may carry sensitive information, and hence adequate measures should be in place to ensure protection against reidentification. Recent work in the literature has shown that structural patterns can assist in reidentification attacks on naively-anonymized social networks. Consequently, there have been proposals to anonymize networks in terms of structure to avoid such attacks. However, such methods usually introduce a large amount of distortion to the social network datasets, thus, raising serious questions about their utility for useful social network analysis. My research focuses on improving anonymization methods in terms of utility without sacrificing the privacy guarantees.

Structural-Preserving Anonymization

Anonymizing Location-Rich Data

Many systems collect and leverage location information and movement traces today, ranging from search engines that retrieve results relevant to your location to OSNs for sharing for explicitly sharing your location such as Foursquare. However, your whereabouts can reveal a lot about you. An adversary may reidentify you in a location-rich dataset based on your location even if data is anonymized. Also, you may be tracked once your identity is exposed to an adversary. I have explored preserving user privacy in two areas: anonymizing location-based queries that are submitted to Location-Based Services (LBSs), and anonymizing datasets collected by geosocial networking systems (GSNSs). I propose safe notions of anonymity for LBSs unlike many approaches in the literature. I also propose notions of anonymity in geosocial networks based on not only a user’s location but also the location of her friends.

Anonymizing Geosocial Networks Anonymous LBS

Access Control and Secure Interoperation in Modern Information Environments

Modern information environments introduce challenging requirements for security and privacy. With a group of my colleagues, we have explored security issues in multi-agent systems and have proposed an access control model to secure interactions among agents. I have also studied secure interoperation in multi-domain environments, and proposed a secure interoperation framework that guarantees enforcing time and separation of duty access constraints across domains. I have also studied modelling and enforcing privacy policies in corporate access control policies.

RiBAC