Alisa Pankova

Jelizaveta Vakarjuk, Alisa Pankova

European Digital Identity (EUDI) Wallet aims to provide end users with a way to get attested credentials from issuers, and present them to different relying parties. An important property mentioned in the regulatory frameworks is the possibility to revoke a previously issued credential. While it is possible to issue a short-lived credential, in some cases it may be inconvenient, and a separate revocation service which allows to revoke a credential at any time may be necessary. In this work, we propose a full end-to-end description of a generic credential revocation system, which technically relies on a single server and secure transmission channels between parties. We prove security of the proposed revocation functionality in the universal composability model, and estimate its efficiency based on a proof-of-concept implementation.

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

The applicability of process mining techniques hinges on the availability of event logs capturing the execution of a business process. In some use cases, particularly those involving customer-facing processes, these event logs may contain private information. Data protection regulations restrict the use of such event logs for analysis purposes. One way of circumventing these restrictions is to anonymize the event log to the extent that no individual can be singled out using the anonymized log. This article addresses the problem of anonymizing an event log in order to guarantee that, upon release of the anonymized log, the probability that an attacker may single out any individual represented in the original log does not increase by more than a threshold. The article proposes a differentially private release mechanism, which samples the cases in the log and adds noise to the timestamps to the extent required to achieve the above privacy guarantee. The article reports on an empirical comparison of the proposed approach against the state-of-the-art approaches using 14 real-life event logs in terms of data utility loss and computational efficiency.

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

The applicability of process mining techniques hinges on the availability of event logs capturing the execution of a business process. In some use cases, particularly those involving customer-facing processes, these event logs may contain private information. Data protection regulations restrict the use of such event logs for analysis purposes. One way of circumventing these restrictions is to anonymize the event log to the extent that no individual can be singled out using the anonymized log. This paper addresses the problem of anonymizing an event log in order to guarantee that, upon disclosure of the anonymized log, the probability that an attacker may single out any individual represented in the original log, does not increase by more than a threshold. The paper proposes a differentially private disclosure mechanism, which oversamples the cases in the log and adds noise to the timestamps to the extent required to achieve the above privacy guarantee. The paper reports on an empirical evaluation of the proposed approach using 14 real-life event logs in terms of data utility loss and computational efficiency.

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

Process mining techniques enable organizations to analyze business process execution traces in order to identify opportunities for improving their operational performance. Oftentimes, such execution traces contain private information. For example, the execution traces of a healthcare process are likely to be privacy-sensitive. In such cases, organizations need to deploy Privacy-Enhancing Technologies (PETs) to strike a balance between the benefits they get from analyzing these data and the requirements imposed onto them by privacy regulations, particularly that of minimizing re-identification risks when data are disclosed to a process analyst. Among many available PETs, differential privacy stands out for its ability to prevent predicate singling out attacks and its composable privacy guarantees. A drawback of differential privacy is the lack of interpretability of the main privacy parameter it relies upon, namely epsilon. This leads to the recurrent question of how much epsilon is enough? This article proposes a method to determine the epsilon value to be used when disclosing the output of a process mining technique in terms of two business-relevant metrics, namely absolute percentage error metrics capturing the loss of accuracy (a.k.a. utility loss) resulting from adding noise to the disclosed data, and guessing advantage, which captures the increase in the probability that an adversary may guess information about an individual as a result of a disclosure. The article specifically studies the problem of protecting the disclosure of the so-called Directly-Follows Graph (DFGs), which is a process mining artifact produced by most process mining tools. The article reports on an empirical evaluation of the utility-risk trade-offs that the proposed approach achieves on a collection of 13 real-life event logs.

Joosep Jääger, Alisa Pankova

Logic Programming (LP) is a subcategory of declarative programming that is considered to be relatively simple for non-programmers. LP developers focus on describing facts and rules of a logical derivation, and do not need to think about the algorithms actually implementing the derivation. Secure multiparty computation (MPC) is a cryptographic technology that allows to perform computation on private data without actually seeing the data. In this paper, we bring together the notions of MPC and LP, allowing users to write privacy-preserving applications in logic programming language.

Gamal Elkoumy, Stephan A. Fahrenkrog-Petersen, Marlon Dumas et al.

Process mining is a family of techniques for analysing business processes based on event logs extracted from information systems. Mainstream process mining tools are designed for intra-organizational settings, insofar as they assume that an event log is available for processing as a whole. The use of such tools for inter-organizational process analysis is hampered by the fact that such processes involve independent parties who are unwilling to, or sometimes legally prevented from, sharing detailed event logs with each other. In this setting, this paper proposes an approach for constructing and querying a common type of artifact used for process mining, namely the frequency and time-annotated Directly-Follows Graph (DFG), over multiple event logs belonging to different parties, in such a way that the parties do not share the event logs with each other. The proposal leverages an existing platform for secure multi-party computation, namely Sharemind. Since a direct implementation of DFG construction in Sharemind suffers from scalability issues, the paper proposes to rely on vectorization of event logs and to employ a divide-and-conquer scheme for parallel processing of sub-logs. The paper reports on an experimental evaluation that tests the scalability of the approach on real-life logs.

Peeter Laud, Alisa Pankova

There are numerous methods of achieving $ε$-differential privacy (DP). The question is what is the appropriate value of $ε$, since there is no common agreement on a "sufficiently small" $ε$, and its goodness depends on the query as well as the data. In this paper, we show how to compute $ε$ that corresponds to $δ$, defined as the adversary's advantage in probability of guessing some specific property of the output. The attacker's goal can be stated as Boolean expression over guessing particular attributes, possibly within some precision. The attributes combined in this way should be independent. We assume that both the input and the output distributions have corresponding probability density functions, or probability mass functions.

Aivo Toots, Reedik Tuuling, Maksym Yerokhin et al.

Pleak is a tool to capture and analyze privacy-enhanced business process models to characterize and quantify to what extent the outputs of a process leak information about its inputs. Pleak incorporates an extensible set of analysis plugins, which enable users to inspect potential leakages at multiple levels of detail.

Peeter Laud, Alisa Pankova, Martin Pettai

We introduce derivative sensitivity, an analogue to local sensitivity for continuous functions. We use this notion in an analysis that determines the amount of noise to be added to the result of a database query in order to obtain a certain level of differential privacy, and demonstrate that derivative sensitivity allows us to employ powerful mechanisms from calculus to perform the analysis for a variety of queries. We have implemented the analyzer and evaluated its efficiency and precision. We also show the flexibility of derivative sensitivity in specifying the quantitative privacy notion of the database, as desired by the data owner. Instead of only using the `number of changed rows' metric, our metrics can depend on the locations and amounts of changes in a much more nuanced manner. This will help to make sure that the distance is not larger than the data owner desires (which would undermine privacy), thereby encouraging the adoption of differentially private data analysis mechanisms.