airavat security and privacy for mapreduce
play

Airavat: Security and Privacy for MapReduce Indrajit Roy, Srinath - PowerPoint PPT Presentation

May 09, 2023 •264 likes •792 views

Airavat: Security and Privacy for MapReduce Indrajit Roy, Srinath T.V. Setty, Ann Kilzer, Vitaly Shmatikov, Emmett Witchel The University of Texas at Austin Computing in the year 201X 2 Illusion of infinite resources Data Pay only for

  1. Airavat: Security and Privacy for MapReduce Indrajit Roy, Srinath T.V. Setty, Ann Kilzer, Vitaly Shmatikov, Emmett Witchel The University of Texas at Austin

  2. Computing in the year 201X 2  Illusion of infinite resources Data  Pay only for resources used  Quickly scale up or scale down …

  3. Programming model in year 201X 3  Frameworks available to ease cloud programming  MapReduce: Parallel processing on clusters of machines Output Map Reduce • Data mining • Genomic computation Data • Social networks

  4. Programming model in year 201X 4  Thousands of users upload their data  Healthcare, shopping transactions, census, click stream  Multiple third parties mine the data for better service  Example: Healthcare data  Incentive to contribute: Cheaper insurance policies, new drug research, inventory control in drugstores…  Fear: What if someone targets my personal data?  Insurance company can find my illness and increase premium

  5. Privacy in the year 201X ? 5 Information leak? Untrusted MapReduce program Output • Data mining • Genomic computation Health Data • Social networks

  6. Use de-identification? 6  Achieves ‘privacy’ by syntactic transformations  Scrubbing , k-anonymity …  Insecure against attackers with external information  Privacy fiascoes: AOL search logs, Netflix dataset Run untrusted code on the original data? How do we ensure privacy of the users?

  7. Audit the untrusted code? 7  Audit all MapReduce programs for correctness? Aim: Confine the code instead of auditing Hard to do! Enlightenment? Also, where is the source code?

  8. This talk: Airavat 8 Framework for privacy-preserving MapReduce computations with untrusted code. Untrusted Protected Program Data Airavat Airavat is the elephant of the clouds (Indian mythology).

  9. Airavat guarantee 9 Bounded information leak* about any individual data after performing a MapReduce computation. Untrusted Protected Program Data Airavat *Differential privacy

  10. Outline 10  Motivation  Overview  Enforcing privacy  Evaluation  Summary

  11. Background: MapReduce 11 map(k 1 ,v 1 )  list(k 2 ,v 2 ) reduce(k 2 , list(v 2 ))  list(v 2 ) Data 1 Data 2 Output Data 3 Data 4 Map phase Reduce phase

  12. MapReduce example 12 Map(input)  { if (input has iPad) print (iPad, 1) } Reduce(key, list(v))  { print (key + “,”+ SUM(v)) } Counts no. of iPads sold iPad Tablet PC (iPad, 2) iPad SUM Laptop Map phase Reduce phase

  13. Airavat model 13  Airavat framework runs on the cloud infrastructure  Cloud infrastructure: Hardware + VM  Airavat: Modified MapReduce + DFS + JVM + SELinux 1 Airavat framework Trusted Cloud infrastructure

  14. Airavat model 14  Data provider uploads her data on Airavat  Sets up certain privacy parameters 2 Data provider 1 Airavat framework Trusted Cloud infrastructure

  15. Airavat model 15  Computation provider writes data mining algorithm  Untrusted, possibly malicious Computation provider 2 3 Program Data provider Output 1 Airavat framework Trusted Cloud infrastructure

  16. Threat model 16  Airavat runs the computation, and still protects the privacy of the data providers Threat Computation provider 2 3 Program Data provider Output 1 Airavat framework Trusted Cloud infrastructure

  17. Roadmap 17  What is the programming model?  How do we enforce privacy?  What computations can be supported in Airavat?

  18. Programming model 18 Split MapReduce into untrusted mapper + trusted reducer Limited set of stock reducers Untrusted MapReduce Trusted Mapper program for Reducer data mining Airavat No need to audit Data Data

  19. Programming model 19 Need to confine the mappers ! Guarantee: Protect the privacy of data providers Untrusted MapReduce Trusted Mapper program for Reducer data mining Airavat No need to audit Data Data

  20. Challenge 1: Untrusted mapper 20  Untrusted mapper code copies data, sends it over the network Peter Peter Chris Map Reduce Leaks using system Meg resources Data

  21. Challenge 2: Untrusted mapper 21  Output of the computation is also an information channel Peter Chris Output 1 million if Peter bought Vi*gra Map Reduce Meg Data

  22. Airavat mechanisms 22 Mandatory access control Differential privacy Prevent leaks through Prevent leaks through storage channels like network the output of the connections, files… computation Output Map Reduce Data

  23. Back to the roadmap 23  What is the programming model? Untrusted mapper + Trusted reducer  How do we enforce privacy?  Leaks through system resources  Leaks through the output  What computations can be supported in Airavat?

  24. Airavat confines the untrusted code Given by the Untrusted computation provider program MapReduce Add mandatory + DFS access control (MAC) Airavat SELinux Add MAC policy

  25. Airavat confines the untrusted code  We add mandatory access control to the MapReduce framework Untrusted  Label input, intermediate values, program output MapReduce  Malicious code cannot leak labeled + DFS data SELinux Data 1 Output Data 2 Data 3 Access MapReduce control label

  26. Airavat confines the untrusted code  SELinux policy to enforce MAC  Creates trusted and untrusted Untrusted domains program  Processes and files are labeled to MapReduce restrict interaction + DFS  Mappers reside in untrusted domain SELinux  Denied network access, limited file system interaction

  27. But access control is not enough 27  Labels can prevent the output from been read  When can we remove the labels? if (input belongs-to Peter) print (iPad, 1000000) Output leaks the presence Peter of Peter ! iPad Tablet PC (iPad, 2) (iPad, 1000002) iPad SUM Laptop Access control Map phase Reduce phase label

  28. But access control is not enough 28 Need mechanisms to enforce that the output does not violate an individual’s privacy.

  29. Background: Differential privacy 29 A mechanism is differentially private if every output is produced with similar probability whether any given input is included or not Cynthia Dwork. Differential Privacy . ICALP 2006

  30. Differential privacy (intuition) 30 A mechanism is differentially private if every output is produced with similar probability whether any given input is included or not A Output distribution B F(x) C Cynthia Dwork. Differential Privacy . ICALP 2006

  31. Differential privacy (intuition) 31 A mechanism is differentially private if every output is produced with similar probability whether any given input is included or not A A Similar output distributions B B F(x) F(x) C C D Bounded risk for D if she includes her data! Cynthia Dwork. Differential Privacy . ICALP 2006

  32. Achieving differential privacy 32  A simple differentially private mechanism Tell me f(x) x 1 … f(x)+noise x n  How much noise should one add?

  33. Achieving differential privacy 33  Function sensitivity (intuition): Maximum effect of any single input on the output  Aim: Need to conceal this effect to preserve privacy  Example: Computing the average height of the people in this room has low sensitivity  Any single person’s height does not affect the final average by too much  Calculating the maximum height has high sensitivity

  34. Achieving differential privacy 34  Function sensitivity (intuition): Maximum effect of any single input on the output  Aim: Need to conceal this effect to preserve privacy  Example: SUM over input elements drawn from [0, M] X 1 X 2 SUM Sensitivity = M X 3 Max. effect of any input element is M X 4

  35. Achieving differential privacy 35  A simple differentially private mechanism Tell me f(x) x 1 … f(x)+Lap( ∆ (f)) x n Intuition: Noise needed to mask the effect of a single input Lap = Laplace distribution ∆ (f) = sensitivity

  36. Back to the roadmap 36  What is the programming model? Untrusted mapper + Trusted reducer  How do we enforce privacy?  Leaks through system resources MAC  Leaks through the output  What computations can be supported in Airavat?

  37. Enforcing differential privacy 37  Mapper can be any piece of Java code (“black box”) but…  Range of mapper outputs must be declared in advance  Used to estimate “sensitivity” (how much does a single input influence the output?)  Determines how much noise is added to outputs to ensure differential privacy  Example: Consider mapper range [0, M]  SUM has the estimated sensitivity of M

  38. Enforcing differential privacy 38  Malicious mappers may output values outside the range  If a mapper produces a value outside the range, it is replaced by a value inside the range  User not notified… otherwise possible information leak Ensures that code is not Range more sensitive than declared enforcer Data 1 Mapper Data 2 Reducer Data 3 Mapper Range Data 4 Noise enforcer

  39. Enforcing sensitivity 39  All mapper invocations must be independent  Mapper may not store an input and use it later when processing another input  Otherwise, range-based sensitivity estimates may be incorrect  We modify JVM to enforce mapper independence  Each object is assigned an invocation number  JVM instrumentation prevents reuse of objects from previous invocation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Flow Analysis Using MapReduce Strengths and Limitations Markus De Shon Sr. Security Engineer

Flow Analysis Using MapReduce Strengths and Limitations Markus De Shon Sr. Security Engineer

Flow Analysis Using MapReduce Strengths and Limitations Markus De Shon Sr. Security Engineer Agenda MapReduce What is it? Case Study Entropy Timeseries Scaling MapReduces Other thoughts, Conclusions MapReduce: What is it? A parallel

380 views • 12 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for:

MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for:

MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for: parallelizable problems large datasets cluster/grid computing Background Google project Implemented many special-purpose computations

373 views • 26 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy & Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt // http://yxiao.info i i f Outline Outline What is Location Privacy Basic Techniques Private Information Retrieval Probabilistic

415 views • 24 slides
The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach

The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach

The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach Marc Langheinrich ETH Zurich APPEL Subgroup Chair P3P Working Group Outline P3P December 2000 Update Platform for Privacy Preferences ! What

914 views • 55 slides
Large-Scale Data Engineering Data warehousing with MapReduce event.cwi.nl/lsde2015 Todays

Large-Scale Data Engineering Data warehousing with MapReduce event.cwi.nl/lsde2015 Todays

Large-Scale Data Engineering Data warehousing with MapReduce event.cwi.nl/lsde2015 Todays agenda How we got here: the historical perspective MapReduce algorithms for processing relational data Evolving roles of relational databases

816 views • 54 slides
Flow Networks A new perspective of complex systems Contents 1 Flow Networks 2 Common Patterns

Flow Networks A new perspective of complex systems Contents 1 Flow Networks 2 Common Patterns

LOGO School of Systems Beijing Normal University Jiang Zhang @ Ali forum of complexity science 2014 Flow Networks A new perspective of complex systems Contents 1 Flow Networks 2 Common Patterns 3 Constructal Law? School of Systems

420 views • 25 slides
R ecently, we ran a marketing work- To our surprise, the participants were shop with an

R ecently, we ran a marketing work- To our surprise, the participants were shop with an

DEEP insight This document is an authorized copy for personal use of Mr. Skiera, 25/03/2017 MARKETING IN A DIGITAL AGE Using Big Search Data to Map Your Market By BERND SKIERA and DANIEL M. RINGEL R ecently, we ran a marketing work- To our

563 views • 7 slides
Recommending Crowdsourced Trips on wOndary Linus W. Dietz and Achim Weimert Technical

Recommending Crowdsourced Trips on wOndary Linus W. Dietz and Achim Weimert Technical

Recommending Crowdsourced Trips on wOndary Linus W. Dietz and Achim Weimert Technical University of Munich, Germany wOndary, London, UK RecTour Workshop, Vancouver, Canada October 7, 2018 A Platform for Travel Planning

201 views • 8 slides
Elastic and Secure Energy Forecasting in Cloud Environments Andr Martin * , Andrey Brito # and

Elastic and Secure Energy Forecasting in Cloud Environments Andr Martin * , Andrey Brito # and

Elastic and Secure Energy Forecasting in Cloud Environments Andr Martin * , Andrey Brito # and Christof Fetzer * andre.martin@tu-dresden.de, andrey@dsc.ufcg.edu.br, christof.fetzer@tu-dresden.de * SE Group - Technische Universitt Dresden -

561 views • 11 slides
Price Optimization in Fashion E-Commerce AI for fashion supply chain The fifth international

Price Optimization in Fashion E-Commerce AI for fashion supply chain The fifth international

Price Optimization in Fashion E-Commerce AI for fashion supply chain The fifth international workshop on fashion and KDD 23 August 2020, San Diego, California - USA Sajan Kedia, Samyak Jain, Abhishek Sharma Problem Statement - Biggest

839 views • 16 slides
Getting Started with Azure IoT Edge Machine Intelligence Modern Infrastructure http://mi2.live

Getting Started with Azure IoT Edge Machine Intelligence Modern Infrastructure http://mi2.live

Getting Started with Azure IoT Edge Machine Intelligence Modern Infrastructure http://mi2.live What is MI2? MI2 Webinars focus on the convergence of machine intelligence and modern infrastructure . Every alternate week, I deliver informative

718 views • 18 slides

More recommend