Xiao-ning JIANG,Cheng-qing YE,Xue-zeng PAN

2001-01-01

Journal of Computer Research and Development

Abstract:Electronic commerce is a main trend in Internet applications, which should be based on fair exchange. A new fair exchange protocol with off-line semi-trusted third party is proposed. It is also efficient in the sense that it only needs 4 messages in a transaction. In the meantime all messages are encrypted naturally, which makes it appealing over large open networks that have little or no physical security, such as Internet. It is based on publicly verifiable secret sharing (PVSS) theory.

Vijay Mookerjee,Dengpan Liu

2006-01-01

Abstract:The ever expanding realm of E-Commerce has seen the advent of three key phenomena---(i) the increasing urge to secure sensitive information stored at web sites, which have suffered great loss from attacking in the past few years, (ii) the need to deploy the optimum advertising strategy considering IT capacity constraints, and (iii) the adoption of personalization technology to deliver personalized service to each on-line customer. My dissertation consists of three essays, each of which separately addresses one of these three important aspects. Essay I is to analyze how managerial decisions, such as decisions on information security investment and decisions on security information sharing, get affected by the nature of information stored at different sites. Essay II is to examine the impact of limited information processing capacity at an electronic retailer's web site on the optimal effort in advertising, or any related activity that generates traffic to the site. Essay III is to address the problem of allocating personalization server resources for content delivery sites. In essay I, I found that the nature of sensitive information stored at two firms does affect certain characteristics of the system, e.g., system vulnerability and the amount of investment, when firms make security investment and knowledge sharing decisions. I also developed coordination schemes which can make firms achieve the social optimum level security investment. In essay II, I examined how the IT capacity constraints affect the advertising strategy in both monopoly and duopoly cases. In monopoly case, I show that when the capacity constraint is imposed, firms should advertise less in certain regions and sometimes, take exactly opposite decisions; and as a result, the steady state market share also reduces. In duopoly case, I show that when the capacity constraint is imposed, at the Nash Equilibrium, the heterogeneity of steady state market share reduces, i.e., IT capacity constraint will dilute the advantage of the firm which has higher advertising efficiency; the advertising rate also changes and the changing pattern is identified. In essay III, I presented the batching approach to allocate personalization service to arriving requests at content-delivery websites, and identified that requests selected for personalization within a batch should be scheduled in reverse order of their profile quality. When the arrival rate is relatively low and high, our approach leads to substantially improved profits as compared to two viable heuristics. When the request arrival rate is moderate, the maximum selection heuristic slightly outperforms our proposed batching approach. We also develop an experimental procedure to determine the optimal batch length based on data about visitors of a site. The optimal batch length is sensitive to the request arrival rate when the rate is close to or less than the server capacity. The batch length is relatively stable for high arrival rates (peak times), which is when our policy is most useful.

Matteo Dell’Amico

DOI: https://doi.org/10.1007/978-3-030-55196-4_7

2020-01-01

Abstract:How to decide whether to engage in transactions with strangers? Whether we’re offering a ride, renting a room or apartment, buying or selling items, or even lending money, we need a degree of trust that the others will behave as they should. Systems like Airbnb, Uber, Blablacar, eBay and others handle this by creating systems where people initially start as untrusted, and they gain reputation over time by behaving well. Unfortunately, these systems are proprietary and siloed, meaning that all information about transactions becomes property of the company managing the systems, and that there are two types of barriers to entry: first, whenever new users enter a new system they will need to restart from scratch as untrusted, without the possibility of exploiting the reputation they gained elsewhere; second, new applications have a similar cold-start problem: young systems, where nobody has reputation yet, are difficult to kickstart.We propose a solution based on a web of trust: a decentralized repository of data about past interactions between users, without any trusted third party. We think this approach can solve the aforementioned issue, establishing a notion of trust that can be used across applications while protecting user privacy. Several problems require consideration, such as scalability and robustness, as well as the trade-off between privacy and accountability.In this paper, we provide an overview of issues and solutions available in the literature, and we discuss the directions to take to pursue this project.

Li Kuang,Yingjie Xia,Caijun Sun,Jiaming Wu,Liangdi Bao

DOI: https://doi.org/10.19026/rjaset.5.4738

2013-01-01

Abstract:With wide adoption of Service Computing and Mobile Computing, people tend to invoke services with mobile devices, requiring accurate and real-time feedback from services at any time and any place. Among these services, some are private to limited users and require identity authorization before use; hence secure access control in wireless network should be provided. To address the challenge, in this study, we propose the architecture and protocols of a system of access to private services for mobile clients, which combines the technologies of trusted computing, Diffie-Hellman key agreement protocol, digital certificate, DES data encryption algorithm and twice verification. We further show the implementation of the proposed system, in which we have realized the authentication and authorization of mobile clients and then secure data transfer between mobile clients in the unsafe Internet and private services in the Intranet. © 2013 Maxwell Scientific Organization.

Akash Bhardwaj

Abstract:the ideas, Trust, Risk, Privacy and Security, are broadly utilized in different investigations done by numerous controls, and they are frequently mistakenly allowed to nearly as equivalent words. The point is to clear up the ideas from the buyer perspective in internet business. The discoveries of our subjective examination recommend a few connections between the four ideas and fills in as building obstructs for further research. Electronic business has expanded significantly as of late, as a result of the transformation in data innovation. The administrations given by online business organizations could be influenced by a few factors, for example, protection, security, trusts and saw dangers. In this paper, we propose a fundamental hypothetical model that researches the connection between protection, security concerns, and saw dangers, and how it would identify with clients' dimension of trust in internet business. An overview that includes 100 members has been directed and broke down testing various theories concentrated on concentrate the qualities of each factor, and its impact on the apparent dangers related with startling circumstances. The aftereffects of this examination think about demonstrate that a positive relationship exists between the apparent dangers and a portion of the security properties, for example, control and notice. A positive relationship additionally exists between the apparent dangers and a portion of the security traits, for example, privately and uprightness. Further, the investigation exhibits a positive connection between saw dangers and clients' dimension of trust.

Computer Science,Business

Yuqing Kong,Yiping Ma,Yifan Wu

DOI: https://doi.org/10.48550/arXiv.1903.07379

2019-03-18

Computer Science and Game Theory

Abstract:In future, information may become one of the most important assets in economy. However, unlike common goods (e.g. clothing), information is troublesome in trading since the information commodities are \emph{vulnerable}, as they lose their values immediately after revelation, and possibly unverifiable, as they can be subjective. By authorizing a trusted center (e.g. Amazon) to help manage the information trade, traders are ``forced'' to give the trusted center the ability to become an information monopolist. To this end, we need a trust-free (i.e. without a trusted center and with only strategic traders) unverifiable information trade protocol such that it 1) motivates the sellers to provide high quality information, and the buyer to pay for the information with a fair price (truthful); 2) except the owner, the information is known only to its buyer if the trade is executed (secure). In an unverifiable information trade scenario (e.g. a medical company wants to buy experts' opinions on multiple difficult medical images with unknown pathological truth from several hospitals), we design a trust-free, truthful, and secure protocol, Smart Info-Dealer (SMind), for information trading, by borrowing three cutting-edge tools that include peer prediction, secure multi-party computation, and smart contract. With SMind, without a trusted center, a seller with high-quality information is able to sell her information securely at a fair price and those with low-quality information cannot earn extra money with poor information or steal information from other sellers. We believe SMind will help describe a free and secure information trade scenario in the future.

Wang Haoyu

DOI: https://doi.org/10.1109/iccis.2012.213

2012-01-01

Abstract:There has been increasing challenges in the effective structure of crucial information for effectual information security, personal privacy and data protection. Especially, when in an age of e-commerce, risks and threats from e-commerce transaction have been keeping rising up. Both new ways of cyber information security and security breach, which have affected people's life in some particular aspects, are stated and renewed all the time. Because of the specific characteristics of carrying out online transaction, data transition plays a very heavy role in personal information security, and also, it incurs security breaches.

Adish Singla,Eric Horvitz,Ece Kamar,Ryen White

DOI: https://doi.org/10.48550/arXiv.1404.5454

2014-04-22

Abstract:Online services such as web search and e-commerce applications typically rely on the collection of data about users, including details of their activities on the web. Such personal data is used to enhance the quality of service via personalization of content and to maximize revenues via better targeting of advertisements and deeper engagement of users on sites. To date, service providers have largely followed the approach of either requiring or requesting consent for opting-in to share their data. Users may be willing to share private information in return for better quality of service or for incentives, or in return for assurances about the nature and extend of the logging of data. We introduce \emph{stochastic privacy}, a new approach to privacy centering on a simple concept: A guarantee is provided to users about the upper-bound on the probability that their personal data will be used. Such a probability, which we refer to as \emph{privacy risk}, can be assessed by users as a preference or communicated as a policy by a service provider. Service providers can work to personalize and to optimize revenues in accordance with preferences about privacy risk. We present procedures, proofs, and an overall system for maximizing the quality of services, while respecting bounds on allowable or communicated privacy risk. We demonstrate the methodology with a case study and evaluation of the procedures applied to web search personalization. We show how we can achieve near-optimal utility of accessing information with provable guarantees on the probability of sharing data.

Artificial Intelligence

Stanley Y.W. Su,Chunbo Huang,Joachim Hammer,Yihua Huang,Haifei Li,Liu Wang,Youzhong Liu,Charnyote Pluempitiwiriyawej,Minsoo Lee,Herman Lam

DOI: https://doi.org/10.1007/s007780100051

2001-01-01

Abstract:. This paper describes the design and implementation of a replicable, Internet-based negotiation server for conducting bargaining-type negotiations between enterprises involved in e-commerce and e-business. Enterprises can be buyers and sellers of products/services or participants of a complex supply chain engaged in purchasing, planning, and scheduling. Multiple copies of our server can be installed to complement the services of Web servers. Each enterprise can install or select a trusted negotiation server to represent his/her interests. Web-based GUI tools are used during the build-time registration process to specify the requirements, constraints, and rules that represent negotiation policies and strategies, preference scoring of different data conditions, and aggregation methods for deriving a global cost-benefit score for the item(s) under negotiation. The registration information is used by the negotiation servers to automatically conduct bargaining type negotiations on behalf of their clients. In this paper, we present the architecture of our implementation as well as a framework for automated negotiations, and describe a number of communication primitives which are used in the underlying negotiation protocol. A constraint satisfaction processor (CSP) is used to evaluate a negotiation proposal or counterproposal against the registered requirements and constraints of a client company. In case of a constraint violation, an event is posted to trigger the execution of negotiation strategic rules, which either automatically relax the violated constraint, ask for human intervention, invoke an application, or perform other remedial operations. An Event-Trigger-Rule (ETR) server is used to manage events, triggers, and rules. Negotiation strategic rules can be added or modified at run-time. A cost-benefit analysis component is used to perform quantitative analysis of alternatives. The use of negotiation servers to conduct automated negotiation has been demonstrated in the context of an integrated supply chain scenario.

Jung-San Lee,Kun-Shian Lin

DOI: https://doi.org/10.1016/j.elerap.2012.09.005

IF: 6

2013-01-01

Electronic Commerce Research and Applications

Abstract:With the benefits of discount and convenience, the group-buying mechanism has become a popular commerce service. Nevertheless, there exist several drawbacks in current group-buying systems. First, the absence of security consideration may reveal the privacy of involved participants. Moreover, buyers must pay money to the initiator in advance. Without a trusted third party to monitor the purchase, the initiator may vanish after collecting the money. To mitigate the risk of the above weaknesses, we propose a new mechanism introducing a group-buying server to secure and monitor the transaction. Because the server acts as a mediator, it can help the buyer and vender to negotiate with each other through a secure channel. Mutual authentication between the buyer and vender is guaranteed under the BAN logic model. In particular, we employ the Bloom filter and XOR operation to reduce the size of the transaction table and the computational cost. Thus, the new method can be implemented in mobile devices.

business,computer science, information systems, interdisciplinary applications

Adam Hess,Jason Holt,Jared Jacobson,Kent E. Seamons

DOI: https://doi.org/10.1145/1015040.1015044

2004-08-01

ACM Transactions on Information and System Security

Abstract:The focus of access control in client/server environments is on protecting sensitive server resources by determining whether or not a client is authorized to access those resources. The set of resources is usually static, and an access control policy associated with each resource specifies who is authorized to access the resource. In this article, we turn the traditional client/server access control model on its head and address how to protect the sensitive content that clients disclose to and receive from servers. Since client content is often dynamically generated at run-time, the usual approach of associating a policy with the resource (content) a priori does not work. We propose a general-purpose access control model designed to detect whenever sensitive information is being transmitted, and determine whether the sender or receiver is authorized. The model identifies sensitive content, maps the sensitive content to an access control policy, and establishes the trustworthiness of the sender or receiver before the sensitive content is disclosed or received. We have implemented the model within TrustBuilder, an architecture for negotiating trust between strangers based on properties other than identity. The implementation targets open systems, where clients and servers do not have preexisting trust relationships. The implementation is the first example of content-triggered trust negotiation. It currently supports access control for sensitive content disclosed by web and email clients.

Winnie Cheng,Jun Li,Keith Moore,Alan H. Karp

2007-01-01

Abstract:Mobile companions such as smartphones and PDAs are very personal and carry a lot of sensitive data about their owners. With new services aimed at providing more targeted information retrieval through increased interactions with these devices, privacy concerns of individuals must be addressed. Existing solutions give users little control over release of this information. MUPPET is a privacy-aware information brokerage framework that incorporates a number of novel techniques to give users control over the release of their data. First, it introduces Operation-focused Access Control, a purpose-based access control model that supports flexible and fine-grain policies using typed operation labels. Second, our system allows RewardDriven Information Exchange. It provides a protocol for explicit communication of justifications and rewards and tunable privacy policies based on ongoing evaluation of the information exchange. Third, MUPPET includes a Purpose Detection Engine with an intuitive user interface for purpose management and supports explicit as well as implicit purpose activations based on context or authorizations. To validate our design, the MUPPET prototype has been integrated with a coupon personalization application for two different service providers in an experimental retail kiosk setting.

Giovanni Russello,Clark Thomborson

2012-01-01

Abstract:Single sign-on (SSO) protocols allow one person to use the same login credentials for several organizations. Enterprises face increasing competitive pressure to position themselves with regard to SSO, yet the ramifications of a move to SSO are not fully understood. In this paper we discuss OpenID, a relatively new SSO protocol that is gaining traction on the web. We apply enterprise application modelling techniques to OpenID in order to obtain well-founded decision aids for enterprises: we show how published modelling approaches can be used to analyse risks in OpenID, and show that these can identify security problems with common OpenID practice. Finally, we propose analysis principles that condense important general insights of authentication modelling. [2] A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, “MockDroid: trading privacy for application functionality on smartphones,” in Proceedings of the 12th Workshop on Mobile Computing Systems and Applications, ser. HotMobile ’11. New York, NY, USA: ACM, 2011, pp. 49–54. [Online]. Available: http://dx.doi.org.ezproxy.auckland.ac. nz/10.1145/2184489.2184500 Abstract. MockDroid is a modified version of the Android operating system which allows a user to ‘mock’ an application’s access to a resource. This resource is subsequently reported as empty or unavailable whenever the application requests access. This approach allows users to revoke access to particular resources at run-time, encouraging users to consider the trade-off between functionality and the disclosure of personal MockDroid is a modified version of the Android operating system which allows a user to ‘mock’ an application’s access to a resource. This resource is subsequently reported as empty or unavailable whenever the application requests access. This approach allows users to revoke access to particular resources at run-time, encouraging users to consider the trade-off between functionality and the disclosure of personal information whilst they use an application. Existing applications continue to work on MockDroid, possibly with reduced functionality, since existing applications are already written to tolerate resource failure, such as network unavailability or lack of a GPS signal. We demonstrate the practicality of our approach by successfully running a random sample of twentythree popular applications from the Android Market. [3] T. Bletsch, X. Jiang, and V. Freeh, “Mitigating code-reuse attacks with control-flow locking,” in Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC ’11. New York, NY, USA: ACM, 2011, pp. 353–362. [Online]. Available: http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/2076732.2076783 Abstract. Code-reuse attacks are software exploits in which an attacker directs control flow through existing code with Code-reuse attacks are software exploits in which an attacker directs control flow through existing code with

Stephen E. Fienberg

DOI: https://doi.org/10.1214/088342306000000240

2006-09-11

Abstract:The growing expanse of e-commerce and the widespread availability of online databases raise many fears regarding loss of privacy and many statistical challenges. Even with encryption and other nominal forms of protection for individual databases, we still need to protect against the violation of privacy through linkages across multiple databases. These issues parallel those that have arisen and received some attention in the context of homeland security. Following the events of September 11, 2001, there has been heightened attention in the United States and elsewhere to the use of multiple government and private databases for the identification of possible perpetrators of future attacks, as well as an unprecedented expansion of federal government data mining activities, many involving databases containing personal information. We present an overview of some proposals that have surfaced for the search of multiple databases which supposedly do not compromise possible pledges of confidentiality to the individuals whose data are included. We also explore their link to the related literature on privacy-preserving data mining. In particular, we focus on the matching problem across databases and the concept of ``selective revelation'' and their confidentiality implications.

Statistics Theory

David Gefen

DOI: https://doi.org/10.1016/s0305-0483(00)00021-9

IF: 8.673

2000-12-01

Omega

Abstract:Familiarity is a precondition for trust, claims Luhmann [28: Luhmann N. Trust and power. Chichester UK: Wiley, 1979. (translation from German)], and trust is a prerequisite of social behavior, especially regarding important decisions. This study examines this intriguing idea in the context of the E-commerce involved in inquiring about and purchasing books on the Internet. Survey data from 217 potential users support and extend this hypothesis. The data show that both familiarity with an Internet vendor and its processes and trust in the vendor influenced the respondents’ intentions to inquire about books, and their intentions to purchase them. Additionally, the data show that while familiarity indeed builds trust, it is primarily people’s disposition to trust that affected their trust in the vendor. Implications for research and practice are discussed.

management,operations research & management science

Anne James,Waleed Bul’ajoul,Yahaya Isah Shehu,Yinsheng Li,Godwin Attah Obande

DOI: https://doi.org/10.1049/pbse001e_ch6

2018-01-01

Abstract:The advantages of economic growth and increasing ease of operation afforded by e-business and e-commerce developments are unfortunately matched by growth in cyberattacks. This chapter outlines the common attacks faced by e-business and describes the defenses that can be used against them. It also reviews the development of newer security defense methods. These are (1) biometrics for authentication, (2) parallel processing to increase power and speed of defenses, (3) data mining and machine learning to identify attacks, (4) peer-to-peer security using blockchains, (5) enterprise security modeling and security as a service, and (6) user education and engagement. The review finds overall that one of the most prevalent dangers is social engineering in the form of phishing attacks. Recommended counteractions include education and training, and the development of new machine learning and data sharing approaches so that attacks can be quickly discovered and mitigated.

Liam Wagner

DOI: https://doi.org/10.48550/arXiv.cs/0404004

2004-04-02

Cryptography and Security

Abstract:In secure communications networks there are a great number of user behavioural problems, which need to be dealt with. Curious players pose a very real and serious threat to the integrity of such a network. By traversing a network a Curious player could uncover secret information, which that user has no need to know, by simply posing as a loyalty check. Loyalty checks are done simply to gauge the integrity of the network with respect to players who act in a malicious manner. We wish to propose a method, which can deal with Curious players trying to obtain "Need to Know" information using a combined Fault-tolerant, Cryptographic and Game Theoretic Approach.

Alex Berke,Nicolas Lee,Patrick Chwalek

DOI: https://doi.org/10.48550/arXiv.2108.07354

2021-08-02

Computers and Society

Abstract:The past decade has seen tremendous shifts in how people live, work, and buy goods, with an increased reliance on e-commerce and deliveries. Purchase histories generated through e-commerce can be highly personal, revealing identifying information about individuals and households. Constructing profiles from these data allows for the targeting of individuals and communities through practices such as targeted marketing and information campaigns. Furthermore, when purchase profiles are connected with delivery addresses, these data can measure the demographics of a local community and allow for individualized targeting to reach beyond the digital realm to the physical one. Events that accelerated shifts towards e-commerce, such as an infectious disease epidemic, have also widened equity gaps. This work is about alternative e-commerce delivery network models that address both rising privacy and wealth inequality concerns. This includes strategies that mask and add noise to purchase histories, and allow people to "buy privacy" through charitable contributions.

Brian Y. Lim,Daqing Zhang,Manli Zhu,Song Zheng,Mounir Mokhtari

DOI: https://doi.org/10.1007/978-3-540-73549-6_18

2007-01-01

Abstract:Many physical spaces such as homes, museums, airports and shopping malls are being augmented with computers, sensors, wireless hotspots to provide digital content and services. However, often specialized hardware and software are needed to access the services available in a particular space. This paper proposes a lightweight service framework which can aggregate services offered by heterogeneous devices and sources in a smart space and allow the users of currently available mobile clients, such as, smart phones, PDAs and Ultra-Mobile PCs, to spontaneously discover and access services in heterogeneous spaces. By leveraging a captive and service portal mechanism, the desirable services can be discovered and presented automatically to the mobile client of the user, while the mobile devices do not need to install any additional software or hardware. In this paper, we present the system requirements for spontaneous interaction, the service framework design and implementation details.

Yan Li,Ming Zhao,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1109/icebe.2008.80

2008-01-01

Abstract:As e-commerce always suffers from the uncertainty, cheats and attacks, concepts of trust and risk are brought in to enhance on-line business. Several models or frameworks for dealing with uncertainty and threats in cyberspace have been proposed in the literature, but few explicitly consider trust and risk as two separate factors that influence different aspects of on-line interactions independently. This paper presents a novel framework which considers trust and risk as two key dimensions to strengthen interactions in e-commerce. Moreover, a novel method of trust evaluation is proposed to represent confidence in the success of a transaction. And a new method of risk assessment is also presented to indicate impacts on assets and resources. Finally, simulation results also indicate that our framework is able to enhance interactions in e-commerce more powerfully, efficiently and rationally.