Publications

Patiëntendata zijn onmisbaar voor het verkrijgen van nieuwe medische inzichten. Het vrijelijk delen en aan elkaar koppelen van dergelijke data is echter vaak praktisch onmogelijk en bovendien in strijd met de privacywetgeving. Het project LANCELOT ontwikkelt nu technologieën die het mogelijk maken wel oncologisch onderzoek te doen op basis van verschillende databronnen, maar dan met behoud van privacy.

With an increased dependence on digital systems and a rise in severe cyber security incidents and -threats, it’s increasingly hard - if not impossible - for businesses to keep up in the rat race between attackers and defenders. While cyber security has transformed into an essential prerequisite for businesses to function, the products and systems we need to protect become increasingly complex, dynamic, and exposed. A reactive approach to cyber security is no longer feasible, nor sufficient. Society requires cyber-resilient products and systems with the inherent ability to prevent, withstand, and recover from incidents. Inherent cyber resilience of products and systems benefits business continuity and lowering the overall life-cycle costs by reducing damages, product updates and recalls. Yet, industry parties involved in systems design and engineering are having difficulty crafting a convincing business case.

In this presentation, we will showcase TNO’s current research and vision on cyber resilient system design, touching upon topics including design & lifecycle management, software verification & validation and human-centric engineering. In addition, we will discuss and demonstrate the possibilities and limitations of TNO's “self-healing for cyber security (SH4CS)” software. Inspired by biological mechanisms in cells and the human immune system, this novel software aims to make products and systems autonomously cope with any type of operational (runtime) abnormalities.

Als gevolg van de digitalisering ontwikkelen, bouwen, onderhouden en exploiteren we systemen die steeds meer ICT-technologie bevatten en verbonden zijn. Veel van deze cybersystemen worden gedurende vele jaren ontwikkeld, met als bijgevolg dat deze systemen kwetsbaarheden kunnen bevatten. Om de cyberweerbaarheid van deze systemen te waarborgen is het essentieel om anders te ontwerpen en te ontwikkelen zodanig dat cybersecurity in alle fases van de levenscyclus wordt meegenomen.

Invited short talk as part of WP2 Session on "Design"

The importance of cybersecurity in our digitalising society is nowadays well-understood. In practice however, cybersecurity is too often an afterthought. Countermeasures are taken in reaction to vulnerability exposures and cyber incidents as they happen. A transition towards inherently cyber-resilient systems starts with early and systematic testing of these systems and the software that drives them. Software security testing is complementary to regular (functional) software testing and focuses specifically on discovering security risks and vulnerabilities.This memo summarises the field of software security testing, providing a comprehensive overview of the techniques and tools employed within this field of testing. It aims to make the connection between current practice and newer technologies. This is important as newer technologies can greatly improve the effectiveness and efficiency of current software security testing techniques. In particular, by applying smart automation they can reduce the human effort and required expertise for testing. This lowers the threshold and builds a business case for software security testing.In this document, the capabilities and characteristics of technologies are discussed on a qualitative level, based on desk research and experience available within TNO. No extensive experimental assessment was performed to verify all functionalities or acquire performance metrics.

Concerned about the security and reliability of the REST APIs? Go fuzz!

With the growing number of web services around us, the question of their quality and security is of continuous concern. Manual testing cannot keep up, so automated solutions are needed. TNO presents WuppieFuzz, an open source automated testing tool that makes use of fuzzing techniques and code coverage measurements to find bugs, errors and/or vulnerabilities in REST APIs.

Researchers in oncology require comprehensive patient data to reflect on cancer care and prevention. However, given the complexity of cancer, some research questions require patient data that is distributed over multiple registries, and it can be challenging to access or exchange such highly sensitive health data. To get around this problem, the Netherlands Comprehensive Cancer Organisation (IKNL) and the Netherlands Organisation for Applied Scientific Research (TNO) have collaboratively developed algorithms that enable survival analyses on distributed data with rigorous privacy guarantees.

Criminal transaction flows can be obfuscated by spreading transactions over multiple banks. Collaboration between banks is key to tackling this; however, data sharing between banks is often undesirable for privacy reasons or is restricted by legislation. In the MPC4AML project, research institute TNO and Dutch banks ABN AMRO and Rabobank are researching the feasibility of using Secure Multi-Party Computation (MPC) to detect money laundering.

While the importance of designing for user experience has long been acknowledged, there has been relatively little exploration of the actual processes involved in constructing usable and cybersecure systems. In many conventional projects, cybersecurity and usability are not considered primary goals, making them likely candidates for sacrifice in the rush to meet project deadlines. Unfortunately, designing systems with both cybersecurity and usability in mind is easier said than done and typically requires a change towards an organizational culture more conducive of human-centric designing. This position paper advocates for expanded research to explore the connection between culture and engineering practices, highlighting their impact on advancing a cyber-secure society. We explore ways in which the behavior of software development team members towards designing software and products that are both usable and cybersecure can be influenced through organizational culture. We conclude that initiating change within culture requires additional knowledge that future research must seek to provide. Three of these areas are discussed in the paper for immediate attention. The practical implication of this paper is that it encourages research in the field and provides some propositions to guide future empirical investigations.

Money laundering is a serious financial crime where criminals aim to conceal the illegal source of their money via a series of transactions. Although banks have an obligation to monitor transactions, it is difficult to track these illicit money flows since they typically span over multiple banks, which cannot share this information due to privacy concerns. We present secure risk propagation, a novel efficient algorithm for money laundering detection across banks without violating privacy concerns. In this algorithm, each account is assigned a risk score, which is then propagated through the transaction network. In this article we present two results. Firstly, using data from a large Dutch bank, we show that it is possible to detect unusual activity using this model, with cash ratio as the risk score. With a recall of 20%, the precision improves from 15% to 40% by propagating the risk scores, reducing the number of false positives significantly. Secondly, we present a privacy-preserving solution for securely performing risk propagation over a joint, inter-bank transaction network. To achieve this, we use Secure Multi-Party Computation (MPC) techniques, which are particularly well-suited for the risk propagation algorithm due to its structural simplicity. We also show that the running time of this secure variant scales linearly in the amount of accounts and transactions. For 200, 000 transactions, two iterations of the secure algorithm between three virtual parties, run within three hours on a consumer-grade server.

The performance of the AFL++ CmpLog feature varies considerably for specific programs under test (PUTs). In this paper it is demonstrated that the main cause of the poor performance is low seed entropy, and a lack of deduplication of magic bytes candidates. An improvement is proposed by mapping comparisons to input bytes, in order to track which comparisons are controlled by what input bytes. This mapping is then used to fuzz only the comparison values that are magic byte candidates for that input part. Second, a caching mechanism is introduced to reduce the number of redundant executions. The evaluation of the improved versions shows a significant coverage gain compared to the original AFL++ implementation of CmpLog for all PUTs, without breaking functionality. The proposed solution in this paper provides a solid basis for a redesign of CmpLog.

Background

Analysing distributed medical data is challenging because of data sensitivity and various regulations to access and combine data. Some privacy-preserving methods are known for analyzing horizontally-partitioned data, where different organisations have similar data on disjoint sets of people. Technically more challenging is the case of vertically-partitioned data, dealing with data on overlapping sets of people. We use an emerging technology based on cryptographic techniques called secure multi-party computation (MPC), and apply it to perform privacy-preserving survival analysis on vertically-distributed data by means of the Cox proportional hazards (CPH) model. Both MPC and CPH are explained.

Results

Our secure solution is implemented in a setting with three different machines, each presenting a different data holder, which can communicate through the internet. The MPyC platform is used for implementing this privacy-preserving solution to obtain the CPH model. We test the accuracy and computation time of our methods on three standard benchmark survival datasets. We identify future work to make our solution more efficient.

Conclusions

Our secure solution is comparable with the standard, non-secure solver in terms of accuracy and convergence speed. The computation time is considerably larger, although the theoretical complexity is still cubic in the number of covariates and quadratic in the number of subjects. We conclude that this is a promising way of performing parametric survival analysis on vertically-distributed medical data, while realising high level of security and privacy.

Background

Recent developments in machine learning have shown its potential impact for clinical use such as risk prediction, prognosis, and treatment selection. However, relevant data are often scattered across different stakeholders and their use is regulated, e.g. by GDPR or HIPAA.

As a concrete use-case, hospital Erasmus MC and health insurance company Achmea have data on individuals in the city of Rotterdam, which would in theory enable them to train a regression model in order to identify high-impact lifestyle factors for heart failure. However, privacy and confidentiality concerns make it unfeasible to exchange these data.

Methods

This article describes a solution where vertically-partitioned synthetic data of Achmea and of Erasmus MC are combined using Secure Multi-Party Computation. First, a secure inner join protocol takes place to securely determine the identifiers of the patients that are represented in both datasets. Then, a secure Lasso Regression model is trained on the securely combined data. The involved parties thus obtain the prediction model but no further information on the input data of the other parties.

Results

We implement our secure solution and describe its performance and scalability: we can train a prediction model on two datasets with 5000 records each and a total of 30 features in less than one hour, with a minimal difference from the results of standard (non-secure) methods.

Conclusions

This article shows that it is possible to combine datasets and train a Lasso regression model on this combination in a secure way. Such a solution thus further expands the potential of privacy-preserving data analysis in the medical domain.

We propose a study on the use of post-quantum cryptographic primitives for the Tor network in order to make it safe in a quantum world. With this aim, the underlying keying material has first been analysed. We observe that breaking the security of the algorithms/protocols that use long- and medium-term keys (usually RSA keys) have the highest impact in security. Therefore, we investigate the cost of quantum-safe variants. Six different post-quantum cryptographic algorithms that ensure level 1 NIST security are evaluated. We further target the Tor circuit creation operation and evaluate the overhead of the post-quantum variant. This comparative study is performed through a reference implementation based on SweetOnions that simulates Tor with slight simplifications. We show that a quantum-safe Tor circuit creation is possible and suggest two versions - one that can be used in a purely quantum-safe setting, and one that can be used in a hybrid setting.