Integration of an adaptive trust-based e-assessment system into virtual learning environments—The TeSLA project experience

E-assessment is a novel form to evaluate learners’ knowledge and skills in online education. Issues concerning security and privacy of learners’ data must be guaranteed. Such issues are discussed under the scope of the TeSLA project, a EU-funded project that aims at providing learners with an innovative environment that allows them to take assessments remotely, thus avoiding mandatory attendance constraints. In this letter, we outline the main concepts underlying TeSLA in terms of security and privacy of learners’ data. We also report some technical hands-on experience conducted by members of the consortium during the pilot phases of the project

which aims at covering those requirements by combining technologies such as biometrics, digital certificates, and trusted time stamping. 4Identification and authentication in TeSLA includes, but is not limited to, keystroke detection, 5,6 face recognition, 7 and voice recognition. 8Authorship and cheating are addressed by using solutions such as plagiarism detection. 9,10The combination of all such techniques is the proposed method of TeSLA to derive trust evidences associated with the learners.
The remaining sections of this letter are structured as follows.Section 2 presents generic background on the TeSLA architecture and a quick overview to the technological building blocks concerning security and privacy of learners.Section 3 reports a technical hands-on experience conducted by the consortium partners during the evaluation pilots of the project.Section 4 closes the letter with some conclusions about the ongoing results of the project.

BACKGROUND
Figure 1 depicts the TeSLA architecture, which is comprised of several components that belong to 2 different domains: (1)  educational components (hereafter denoted as university domain) and (2) e-assessment components (ie, the TeSLA domain).
Components that belong to the university domain must be present in the network of each university willing to make use of the TeSLA e-assessment framework, while components that belong to the TeSLA domain are completely independent of the university network.The 2 domains do not share data unless explicitly stated.The TeSLA domain contains the following components: (1) the TeSLA E-assessment Portal (TEP), which acts as a service broker that gathers and forward requests to the TeSLA components; (2) the TeSLA Portal that aims at gathering statistics regarding the e-assessment activities; and (3) instruments that analyze authorship and authentication properties (eg, biometric samples) and send some analysis results back to the client side.The university domain contains the following components: (1) a virtual learning environment (VLE), which can be provided by a classic learning management system such as Moodle 11 ; (2) a plugin integrated to the VLE that acts as a client-side interface with the TeSLA components; (3) various tools integrated to the VLE that send requests and data to the TeSLA components through the plugin.There are 3 categories of tools: the learner tool, the instructor tool, and external tools.The learner tool and instructor tool are, respectively, designed to take or setup an e-assessment.External tools are in charge of sampling the learner's biometric data and sending them to TeSLA instruments for evaluation, as part of the anti-cheating countermeasures; and (4) the TeSLA identity provider (TIP), which is in charge of generating pseudonymous for the learners, called TeSLA ID, to be used in the communication with the TeSLA components.

Security and privacy features in the TeSLA framework
The security of the architectural components, as well as the intellectual property rights of TeSLA via software licenses, is ensured by using standard technologies like public key infrastructure (PKI) and X509 certificates. 12The communication exchanges between all the components of the architecture use the Transport Layer Security (TLS) protocol. 13Mutual authentication is enforced over the whole architecture, hence ensuring confidentiality and integrity of every data exchange.The underlying PKI infrastructure allows TLS deployment and management of certificates and authorities (cf. 14and citations thereof, for further details about the TeSLA PKI infrastructure).Taking an e-assignment in this architecture first requires to log in on the VLE that contains the client-side plugin.The learner can require the e-assignment using the learner tool available on the VLE as a third-party tool.The learner tool sends a request through the plugin to the TEP.The incoming request does not contain the name of the learner, but only the TeSLA ID, that the plugin requests from the TIP.Then, the TEP fetches the e-assignment in its database and sends it back to the VLE, where the learner will take the assignment while external tools and sample biometric data that will be regularly sent to instruments, for example, for anti-cheating analysis.
The learner's identity verification performed in the TeSLA e-assessment system relies on specific data of the learners (such as the biometric samples), collected from their environment via some external tools embedded in the VLE.The communications between the institution and the TeSLA components rely on exchanges between the VLE and the TEP.On the VLE side, an embedded plugin is in charge of establishing the authenticated connection with the TEP.Since the external tools, written in JavaScript, are also embedded in the VLE, they must be able to establish secure connections with the TEP in order to transmit sensitive data.Security risks associated with the JavaScript code of the external tools is handled using authentication tokens. 15ince the JavaScript code is always available on the client side, this may allow learners to obtain control elements used by the external tool to authenticate to the TEP.The plugin retrieves the token from the TEP and transmits it to the external tool.When the plugin has successfully authenticated to the TEP, the latter generates and signs a token that will be transmitted by the plugin to the external tool, which will only have to send the token back to the TEP for validity checking.The corresponding architecture is displayed in Figure 2.
In terms of data protection, the constraints associated to the collection of learners' data makes possible the use of pseudonymity with regard to the components located in the TeSLA domain.Since it is mandatory to store the association between learners' identifiers and their real identity, only partial anonymity, that is, pseudonymity, can be provided to learners during exchanges with the TeSLA components.In this regard, pseudonymity is ensured with the randomized TeSLA identifier (ie, the aforementioned TeSLA ID), which becomes the learner's identity within the TeSLA domain.This way, no TeSLA component shall ever access to the learner's true identity.The TeSLA ID is generated by the TIP component as a random number computed according to version 4 of the UUID standard. 16The matching between the learner's identity and the TeSLA ID is stored in the TIP database.The TIP database is placed at the university side and is not accessible from TeSLA.The TIP database shall be shared with all the VLEs.All the interactions between the university domain and the TeSLA domain will involve the plugin on the one hand, and the TEP on the other hand.This is sufficient to make sure that any request sent to the TEP through the plugin is first redirected to the TIP to retrieve the learner's TeSLA ID and use it in place of the learner's identity.
An additional enhancement of the TeSLA architecture toward improved privacy features relies on the use of anonymous certification.As described in, 17,18 anonymous certification allows to perform a privacy-friendly access control, in order to certify that users are allowed to access a resource because they own some attributes required by the verifier.Anonymous certification can be naturally integrated to the VLE.Indeed, one of the functions of the VLE is to let the learners access material for courses they registered at.To ensure this function, the VLE does not need to identify the learner, but only requires the proof that the learner is authorized.Such authorization can be performed by defining the following attributes: (1) the university where the learner is enrolled and (2) the courses at which the learner registered.These attributes are sufficient to let the learners access to the VLE pages they are entitled to visit without relying on authentication (even using a pseudonym or an anonymized identifier), hence enhancing the learners' privacy.Indeed, the system is unable to profile the learners and keep track of meta information such as at which hours the learners are awake, or at what time and at which frequency they accessed the course material.It is also possible to enhance the privacy of e-assignments' post processing.When an e-assignment is completed by a learner, it must first be sent to a number of external anti-cheating instruments that perform a number of verifications, such as whether the assignment contains plagiarism.To ensure the authenticity of these requests, one solution would be to transmit the e-assessment along with the learner's TeSLA ID.The requests can be anonymized and authorized using anonymous certification, without any need for identification, with the same set of attributes previously described.The unlinkability properties of the approach guarantee that 2 different instruments will not be able to deduce that the request was emitted from the same learner.This greatly limits the possibility for the instruments to correlate data, hence a significant improvement to the learners' privacy.

DEPLOYMENT USE CASE DURING THE PILOTS OF THE PROJECT
As a EU-funded innovation action, the TeSLA project is a conducting large-scale pilots to evaluate the technological building blocks presented in the previous section.The evaluations are being performed taking into account quality assurance in education, privacy, and ethical issues, as well as educational and technological requirements throughout Europe.The pilots are used formatively to evaluate e-assessment scenarios among the institutional partners of the project.The pilots are conducted in order to asses constructed response tests, e-Portfolios, and peer review collaborative learning. 19The response to an activity can be of various kinds (ie, the learner has to select, create, or perform the activity) but they all comprise technological actions such as text typing or code programming.The assessor (ie, a university teacher) uses the identification, authentication, and authorship mechanism of TeSLA as a posteriori auditing tool, during the validation of results.Most of the pilots assume the following scenarios.Learners and assessors use a VLE based on, for example, Moodle. 11The piloting activity uses the TeSLA plugin to access the TeSLA domain (cf.Section 2 and on-line video-captures at the website of TeSLA for further details 1 ).The TIP converts the identities of the learners into the pseudonyms when learners start working on their assessments upon TeSLA-enabled VLEs.The data of the learners are captured during the execution of the activities, and redirected to the TeSLA instruments through the TEP.The TEP may also interrogate the related instruments to analyze and process learners' data (eg, their biometric models) while verifying their identities.Finally, the TEP may also receive requests from, for example, the auditing tools executed by the assessors, to verify that learners did not cheat during the execution of their activities.
Figure 3 shows a practical hands-on deployment and testing of the TeSLA system at the Technical University of Sofia (TUS).The TUS is a face-to-face university providing blended education supported by electronic platforms for distant learning.The VLE of TUS is based on Moodle. 11The deployment decision for the TeSLA system in the institutional VLE was presupposed by the existing infrastructure of their electronic platforms.VLEs in TUS are distributed between separate faculty servers.The installation of the TeSLA system was performed on top of the Moodle services of TUS.The deployment of TeSLA is conducted using the Docker containers 20 provided by the TeSLA Technical Consortium.The remainder elements of the infrastructure and instruments are obtained and installed via the TeSLA framework by web-based wizards (see Figure 3A and available media at the project websites, 1 for on-line video-captures).The TeSLA framework offers a web portal for the monitoring and automation of the installation processes and the provision of the TeSLA system as a series of cloud services.Locally, the network infrastructure of TUS for the evaluation of the TeSLA system involves 150 Mbit/s guaranteed connection.The amount used for the maintenance of students logged into the TeSLA system is 80 Mbit/s.By implementing compression of some activities, such as the enrollment activities (ie, to build the biometric models of learners, as shown in Figure 3C) required about 8 Mbit/s per student.Pilots are being conducted by groups of 10 students working in parallel, which required about 80 Mbit/s.
The deployment is performed over a series of virtual hosts running at the TeSLA server of TUS, using Docker Swarm. 20The result of the infrastructure deployment is the initialization of all the TeSLA components discussed in Section 2, for example, TEP and TIP components, together with their databases.The instrument deployment presents the biometric and authorship instruments for learner authentication.Some other modules, such as the certification authority (CA) associated with the PKI of the TeSLA framework, are initialized as well (cf.Figure 3B).The cloud structure of the deployment consists of the TEP, TIP, CA, and the biometric instruments.Both PKI and TeSLA ID deployments, based on, [14][15][16] allow protecting learners' identity.Protection of the Docker containers and virtual Docker images follow well established recommendations. 21igure 3D shows the visualization of sample audit tool results.
Data management is complemented with a series of remote database servers over on-demand cloud computing platforms for TeSLA at Amazon Web Services.Dedicated databases at TUS handle the anonymized learner data from all the assessment activities.The TeSLA plug-in has been tested over different operating systems including Windows-based operating systems (eg, Windows-7 and Windows-10, Professional, Home, Education editions) and GNU/Linux operating systems (eg, CentOS).In terms of web browsers, tests included browsers such as Firefox, Chrome, Internet Explorer, and Edge.Fault redundancy of the platform is ensured against physical (hardware, electrical supply failures, environmental factors) and virtual infrastructure (human and program errors) risks by: (1) support of alternative servers at another location; (2) server resources are enhanced with duplicate processor technologies, operating memory, and RAID massive for enhancing the disk capacity; (3) electric supply failure is mitigated with UPS devices of a market leader company; (4) external device backups of all virtual machines at periods of 72 hours in a month are maintained for eliminating human and program errors.
The system reached relatively stable exploitation status.It provided for monitoring and data gathering from enrollment and assessment activities from the pilots.TUS designed some test-bed scenarios suiting their existing distributed platforms for online distance education.To avoid collisions and problems with their existing learning environments, TUS implemented a parallel replica.The data from the different faculty servers were duplicated, and the test infrastructure was connected to TUS e-learning framework to test connectivity and student data transfers.This was achieved by a server Linux-based (KVM) virtualization.The results showed fault redundancy of educational process and compliance with the existing working infrastructure in TUS.Further formative evaluation results of the pilots at TUS are available online, at the website of TeSLA. 1

CONCLUSION
In this letter, we have presented TeSLA, an e-assessment system that provides to educational institutions an adaptive way for assuring online assessment.It supports both continuous and final evaluation in either full online or blended environments.
The system has been implemented and deployed taking into account challenging issues such as security, trust, and privacy of learners.We have reported how the TeSLA project consortium has handled the deployment of the TeSLA platform during the evaluation phases of the project.More precisely, we have reported some technical hands-on experience conducted by partners of the consortium, during the preparation of the pilots of the project, including close collaboration with technical leads from the involved institutions.

FIGURE 1
FIGURE 1 Representation of the TeSLA framework

FIGURE 3
FIGURE 3 Practical hands-on deployment (based on available online media).(A) TeSLA deployment portal.(B) System initialization.(C) Enrollment of learners.(D) Visualization of sample audit tool results

Plugin 2. TLS communication with mutual authentication TeSLA e- Assessment Portal (TEP) 1. Emission of authentication tokens External tool 3. JavaScript code with authentication token 4. TLS authentication to TEP using the token FIGURE 2
Authentication of external tools