Policy auditing over incomplete logs: Theory, implementation and applications - in Proc. ACM CCS, 2011
We present the design, implementation and evaluation of an algorithm that checks audit logs for compliance with privacy and security policies. The algorithm, which we name reduce, addresses two fundamental challenges in compliance checking that arise in practice. First, in order to be applicable to realistic policies, reduce operates on policies expressed in a first-order logic that allows restricted quantification over infinite domains. We build on ideas from logic programming to identify the restricted form of quantified formulas. The logic can, in particular, express all 84 disclosure-related clauses of the HIPAA Privacy Rule, which involve quantification over the infinite set of messages containing personal information. Second, since audit logs are inherently incomplete (they may not contain sufficient information to determine whether a policy is violated or not), reduce proceeds iteratively: in each iteration, it provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness, termination, time and space complexity results for reduce. We implement reduce and optimize the base implementation using two heuristics for database indexing that are guided by the syntactic structure of policies. The implementation is used to check simulated audit logs for compliance with the HIPAA Privacy Rule. Our experimental results demonstrate that the algorithm is fast enough to be used in practice.
Normative systems represented as hybrid knowledge bases, 2011
Normative systems have been advocated as an effective tool to regulate interaction in multi-agent systems. Logic programming rules intuitively correspond to conditional norms, and their semantics is based on the closed world assumption, which allows default negation, often used in norms. However, there are cases where the closed world assumption is clearly not adequate, and others that require reasoning about unknown individuals, which is not possible in logic programming. On the other hand, description logics are based on the open world assumption and support reasoning about unknown individuals, but do not support default negation. In this paper, we demonstrate the need for the aforementioned features (closed and open world assumptions, and reasoning about unknown individuals) in order to model human laws, with examples from the Portuguese Penal Code. We advocate the use of hybrid knowledge bases combining rules and ontologies, which provide the joint expressivity of logic programming and description logics. We define a normative scenario as the pair of a set of facts and a set of norms, and give it a formal semantics by translation into an MKNF knowledge base. We describe the implementation of the language, which computes the relevant consequences of given facts and norms, and use it to establish the resulting sentence in a penal scenario.
Understanding and Protecting Privacy: Formal Semantics and Principled Audit Mechanisms
Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. Certain information handling practices of organizations that monitor individuals’ activities on the Web, data aggregation companies that compile massive databases of personal information, cell phone companies that collect and use location data about individuals, online social networks and search engines—while enabling useful services—have aroused much indignation and protest in the name of privacy. Similarly, as healthcare organizations are embracing electronic health record systems and patient portals to enable patients, employees, and business affiliates more efficient access to personal health information, there is trepidation that the privacy of patients may not be adequately protected if information handling practices are not carefully designed and enforced. Given this state of affairs, it is very important to arrive at a general understanding of (a) why certain information handling practices arouse moral indignation, what practices or policies are appropriate in a given setting, and (b) how to represent and enforce such
Towards an automated assistant for clinical investigations - the Second ACM SIGHIT International Health Informatics Symposium, 2012
Before a drug can be made available to the general public, its effectiveness has to be experimentally evaluated. Experiments that involve human subjects are called Clinical Investigations (CIs). Since human subjects are involved, procedures for CIs are elaborated so that data required for validating the drug can be collected while ensuring the safety of subjects. Moreover, CIs are heavily regulated by public agencies, such as the Food and Drug Administration (FDA). Violations of regulations or deviations from procedures should be avoided as they may incur heavy penalties and more importantly may compromise the health of subjects. However, CIs are prone to human error, since CIs are carried out by the study team, which might be overloaded with other tasks, such as hospital and/or pharmacy duties, other trials, etc. In order to avoid discrepancies, we propose developing an automated assistant for helping all the parties to correctly carry out CIs as well as to detect and prevent discrepancies as early as possible. This way the proposed automated assistant would minimize error, and therefore increase the safety of the involved subjects. This paper takes the first steps towards that direction. In particular, we propose a model for collaborative systems with explicit time, called Timed Local State Transition Systems (TLSTS), and argue that it can be used for specifying procedures and regulations for CIs, which mention time explicitly. Finally we show how to implement a TLSTS specification using Maude, an existing computational tool based on rewriting.
On XACML’s adequacy to specify and to enforce HIPAA - In USENIX Workshop on Health Security and Privacy, 2012
In the medical sphere, personal and medical information is collected, stored, and transmitted for various purposes, such as continuity of care, rapid formulation of diagnoses, and billing. Many of these operations must comply with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA). To this end, we need a specification language that can precisely capture the requirements of HIPAA. We also need an enforcement engine that can enforce the privacy policies specified in the language. In the current work, we evaluate eXtensible Access Control Markup Language (XACML) as a candidate specification language for HIPAA privacy rules. We evaluate XACML based on the set of features required to sufficiently express HIPAA, proposed by a prior work. We also discuss which of the features necessary for expressing HIPAA are missing in XACML. We then present high level designs of how to enhance XACML’s enforcement engine to support the missing features.
Privacy through Accountability: A Computer Science Perspective
Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in financial sector) and to adhere to self-declared privacy policies in self-regulated sectors (e.g., privacy policies of companies such as Google and Facebook in Web services). This article provides an overview of a body of work on formalizing and enforcing privacy policies. We formalize privacy policies that prescribe and proscribe flows of personal information as well as those that place restrictions on the purposes for which a governed entity may use personal information. Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled accountability mechanisms that seek to encourage policy-compliant behavior by detecting policy violations, assigning blame, and punishing violators. We apply these techniques to several U.S. privacy laws and organizational privacy policies, in particular, producing the first complete logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule.
A Learning-theoretic Basis for Privacy Protection, 2011
Audit mechanisms are essential for privacy protection in permissive access control regimes, such as in hospitals where denying legitimate access requests can adversely affect patient care. Recognizing this need, we develop a principled approach to audits. Our first contribution is a game-theoretic model that captures the interaction between the defender (e.g., hospital auditors) and the adversary (e.g., hospital employees). The model takes pragmatic considerations into account, in particular, the periodic nature of audits, a budget that constrains the number of actions that the defender can inspect, and a loss function that captures the economic impact of detected and missed violations on the organization. We assume that the adversary is worst-case as is standard in other areas of computer security. We also formulate a desirable property of the audit mechanism in this model based on the concept of regret in learning theory. Our second contribution is an efficient audit mechanism that provably minimizes regret for the defender. This mechanism learns from experience to guide the defender’s auditing efforts. The regret bound is significantly better than prior results in the learning literature. The stronger bound is important from a practical standpoint because it implies that the recommendations from the mechanism will converge faster to the best fixed auditing strategy for the defender.
A Rewriting Framework for Activities Subject to Regulations
Activities such as clinical investigations or financial processes are subject to regulations to ensure quality of results and avoid negative consequences. Regulations may be imposed by multiple governmental agencies as well as by institutional policies and protocols. Due to the complexity of both regulations and activities there is great potential for violation due to human error, misunderstanding, or even intent. Executable formal models of regulations, protocols, and activities can form the foundation for automated assistants to aid planning, monitoring, and compliance checking. We propose a model based on multiset rewriting where time is discrete and is specified by timestamps attached to facts. Actions, as well as initial, goal and critical states may be constrained by means of relative time constraints. Moreover, actions may have non-deterministic effects, i.e., they may have different outcomes whenever applied. We demonstrate how specifications in our model can be straightforwardly mapped to the rewriting logic language Maude, and how one can use existing techniques to improve performance. Finally, we also determine the complexity of the plan compliance problem, that is, finding a plan that leads from an initial state to a desired goal state without reaching any undesired critical state. We consider all actions
Checking System Compliance by Slicing and Monitoring Logs, 2013
It is a growing concern of companies and end users whether the agents of an IT system, i.e., its processes and users, comply with security policies, which, e.g., stipulate how sensitive data must and must not be used by the agents. We present a scalable solution for compliance checking based on monitoring the agents’ behavior, where policies are specified in an expressive temporal logic and the system actions are logged. In particular, our solution utilizes the MapReduce framework to parallelize the process of monitoring the logged actions. We also provide the theoretical underpinnings of our solution as a theoretical framework for slicing logs, i.e., the reorganization of the logged actions into parts that can be analyzed independently of each other. We present orthogonal methods for generating such slices and provide means to combine these methods. Finally, we report on a real-world case study, which demonstrates the feasibility and the scalability of our monitoring solution.
Bootstrapping Privacy Compliance in Big Data Systems
With the rapid increase in cloud services collecting and using user data to offer personalized experiences, ensuring that these services comply with their privacy policies has become a business imperative for building user trust. However, most compliance efforts in industry today rely on manual review processes and audits designed to safeguard user data, and therefore are resource intensive and lack coverage. In this paper, we present our experience building and operating a system to automate privacy policy compliance checking in Bing. Central to the design of the system are (a) LEGALEASE—a language that allows specification of privacy policies that impose restrictions on how user data is handled; and (b) GROK—a data inventory for Map-Reduce-like big data systems that tracks how user data flows among programs. GROK maps code-level schema elements to datatypes in LEGALEASE, in essence, annotating existing programs with information flow types with minimal human input. Compliance checking is thus reduced to information flow analysis of big data systems. The system, bootstrapped by a small team, checks compliance daily of millions of lines of ever-changing source code written by several thousand developers.