Data plays a key role in the digital society: it is part of modern business models and acts as a technology enabler. At the same time, data is a major target of many cyber-attacks, which calls for effective security solutions to protect it. It is crucial that such solutions are designed so that they do not hinder the legitimate usage and processing of data. TUCCR's research line on Data Security therefore focuses both on Security for Data and on the use of data, in particular Data for Security. While we concentrate on data-driven security challenges, our research contains explicit components of software and system security research.
Data breaches happen in various forms but are ultimately attributed mainly to improper protection of data. While traditional encryption technology can be used to protect data at rest and in transit, it requires a decryption step before the data can be processed, which exposes the data in the clear and makes it vulnerable to attacks. To close this gap, we investigate the construction of cryptographic protocols based on non-traditional encryption, such as homomorphic encryption, that allow data to be processed under encryption without the need to decrypt. Growing amounts of data and the increasing complexity of processing algorithms are complicating factors that largely lead to efficiency problems. We approach this by sacrificing some security for efficiency. Concretely, we explore allowing some quantifiable leakage (e.g. in terms of differential privacy) to gain efficiency. By studying the success of possible leakage-abuse attacks, we can quantify the loss in security and achieve application-specific, practical trade-offs between security and efficiency. Moreover, for proper data protection, we need to control who has or had access to data at a given point in time. Traditional access control mechanisms typically rely on complete trust in a single system or administrator, which constitutes a single point of failure. To mitigate this issue, we study decentralized access control approaches based on attribute-based encryption. Furthermore, we explore the use of distributed ledger technologies to protect data in such decentralized systems and to enable the secure sharing of data. All of the above builds on secure key management and communication channels, which we study in both the classical and the quantum world.
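The "processing under encryption" idea above, illustrated with a toy additively homomorphic Paillier scheme. This is an added example, not TUCCR's code and not a scheme the page specifies; the primes, the class and function names and the salary values are all constructed for the illustration. An aggregator that holds only the public key sums the ciphertexts, and only the data owner, who holds the private key, ever sees a plaintext.

```python
"""Additive homomorphic aggregation with a toy Paillier cryptosystem.

Constructed example: an aggregator sums encrypted values without ever
holding the decryption key. Parameters are deliberately tiny; a real
deployment uses a vetted library and a modulus of at least 2048 bits.
"""
from math import gcd
import secrets

# Constructed toy primes (the 10,000th and 100,000th primes); NOT secure.
TOY_P = 104_729
TOY_Q = 1_299_709


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


class PaillierPublicKey:
    """Everything the data owner and the aggregator need: n and g = n + 1."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.n2 = n * n
        self.g = n + 1

    def encrypt(self, m: int) -> int:
        if not 0 <= m < self.n:
            raise ValueError("plaintext must lie in [0, n)")
        # Fresh randomness r coprime to n makes encryption probabilistic,
        # so equal plaintexts yield different ciphertexts.
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def add(self, c1: int, c2: int) -> int:
        """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2): addition without decrypting."""
        return (c1 * c2) % self.n2

    def mul_const(self, c: int, k: int) -> int:
        """Enc(m)^k mod n^2 == Enc(k * m): scaling by a public constant."""
        return pow(c, k, self.n2)


class PaillierPrivateKey:
    """Held only by the data owner; lambda and mu are derived from p and q."""

    def __init__(self, p: int, q: int) -> None:
        self.public = PaillierPublicKey(p * q)
        self.lam = _lcm(p - 1, q - 1)
        n, n2 = self.public.n, self.public.n2
        self.mu = pow(self._l(pow(self.public.g, self.lam, n2)), -1, n)

    def _l(self, x: int) -> int:
        return (x - 1) // self.public.n

    def decrypt(self, c: int) -> int:
        n, n2 = self.public.n, self.public.n2
        return (self._l(pow(c, self.lam, n2)) * self.mu) % n


def aggregate_ciphertexts(pub: PaillierPublicKey, ciphertexts: list[int]) -> int:
    """Aggregator side: receives only the public key and ciphertexts."""
    acc = pub.encrypt(0)
    for c in ciphertexts:
        acc = pub.add(acc, c)
    return acc


def sum_under_encryption(private: PaillierPrivateKey, values: list[int]) -> int:
    """Data owner encrypts, the aggregator sums, the owner decrypts one result."""
    pub = private.public
    if sum(values) >= pub.n:
        # Edge case: Paillier plaintexts live in Z_n, so a total that exceeds
        # n would silently wrap around. Refuse rather than return a wrong sum.
        raise OverflowError("sum exceeds plaintext space; use a larger modulus")
    ciphertexts = [pub.encrypt(v) for v in values]
    encrypted_total = aggregate_ciphertexts(pub, ciphertexts)
    return private.decrypt(encrypted_total)


if __name__ == "__main__":
    key = PaillierPrivateKey(TOY_P, TOY_Q)
    salaries = [4200, 3900, 5100, 4750]  # constructed sample input
    print("sum computed under encryption:", sum_under_encryption(key, salaries))
```

The split into `aggregate_ciphertexts` (public key only) and `sum_under_encryption` (private key) mirrors the trust boundary the paragraph describes: the party doing the computation never needs the decryption step that traditional encryption would force. The overflow check matters in practice because Paillier arithmetic is modulo n, so a sum larger than the modulus decrypts to a wrong but plausible-looking value.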
Traditional security solutions target protection from known threats and are predominantly based on insights acquired through costly manual analysis, which is often too slow to cope with the rapid emergence of new threats. To overcome this, we aim at fully automated threat identification, analysis, and response. We research the use of artificial intelligence, such as machine learning-based threat classification and clustering, to automatically analyze known threats together with their mitigation strategies and to learn prediction models that allow new or unseen threats to be identified and mitigation approaches to be adapted. Moreover, to stay one step ahead of possible attackers, we explore automated security testing techniques, such as static and dynamic analysis, to learn models of vulnerable system and software components and their associated patches, which we use to discover and patch new vulnerabilities. We put a special focus on the threat of data leakage, for which we also build new (automated) attacks for data exfiltration and leakage exploitation that we use to learn models to detect and quantify data leakage. Besides the data-driven handling of threats and vulnerabilities, we also develop data-driven authentication mechanisms based on biometric data. Throughout all our research, we make extensive use of simulations and real-world experiments to validate the achieved results.