csc 495.002 lecture 7 ai for privacy: privacy requirements · 2017. 11. 15. · privacy...

CSC 495.002 – Lecture 7AI for Privacy: Privacy Requirements

Dr. Ozgur Kafalı

North Carolina State UniversityDepartment of Computer Science

Fall 2017

PREVIOUSLY ON SOCIAL NETWORKS

Web/Social Networks Privacy

InferenceSharing and disclosureViolations and regretTargeted advertisingK-anonymity

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 1 / 26

AI FOR PRIVACY MODULE

What You Will Learn

Privacy requirements engineeringAutonomous agents and reasoning

ArgumentationNegotiation

Privacy normsReasoning about privacy breaches

OntologiesSemantic similarity


PRIVACY REQUIREMENTS PROBLEM

Requirements

Software requirements: Software has to provide solutions toestablish the needs of its stakeholders

Satisfy a capability needed by a user to achieve an objectiveFunctionality to comply with a contract, regulation, or standard

Example requirements from an electronic health records (EHR)software:The physician shall alter the current prescriptions of a patient oradd new prescriptions after a routine visitThe system shall respond to a patient scheduling request within30 seconds



Security and Privacy Requirements

Typically non-functional requirements, though might changedepending on the domainCan be implied from functional requirementsRequirement: The physician shall alter the current prescriptions ofa patient or add new prescriptions after a routine visit

What are the security and privacy implications of this requirement?Patients’ prescription list should be encryptedPatients’ prescription list should not be taken out of the hospitalwithout being anonymizedPhysicians should only access those patients that they arecurrently treating



Access Control Requirements

Describe who can access what using a role-based access controlmechanismCan be implemented as part of the EHR softwareIn an emergency, relax the access control mechanismInstead, a norm prohibits physicians from accessing EHR of otherpatientsYou can also log each access for auditing



Sample Requirements Taxonomy

Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. RequirementsEngineering Conference (RE), pages 256–265, 2016



Phases of Requirements Engineering

Requirements elicitationRequirements analysis

ClassificationPrioritizationNegotiation

Requirements specificationRequirements validation



Sample Elicitation Process: VisiOn

Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. RequirementsEngineering Conference (RE), pages 256–265, 2016



Sample Elicitation Process: i*

Liu et al. Security and privacy requirements analysis within a social setting. Requirements Engineering Conference (RE), pages151–161, 2003



Attacker Analysis

Assumption: “All actors are guilty until proven innocent”

Any actor (roles, positions, agents) can be a potential attackerTo the systemTo other actors

For example, in what ways a physician can misuse the system?What benefit will the physician gain from an informationdisclosure?


APPLICATION DOMAINS

Threat Modeling

Enumerate potential ways that your system might be attacked

Typically include only attack nodes

But, defense nodes can also be included that mitigate suchattacks


APPLICATION DOMAINS

Misuse Cases

Physician

AccessEHR

Logout

Guesspassword

Catchunattended

Adversary

threatens

threatens

mitigates


APPLICATION DOMAINS

Misuse Case Maps

Karpati et al. Investigating security threats in architectural context: Experimental evaluations of misuse case maps. Journal ofSystems and Software, 104(C):90–111, 2015


APPLICATION DOMAINS

Attack/Defense Trees

AccessEHR

Guesspassword

Catchcomputer

unattended

Strongpassword Logout

Do not usepublic

computer


APPLICATION DOMAINS

Exercise: Healthcare Threat Model

http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requirements


http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requirements

APPLICATION DOMAINS

Exercise: Internet of Things Threat Model

http://www.devolo.com/en/Products/devolo-Home-Control-Key-Fob-Switch/


TECHNIQUES & STUDIES

Eddy: A Formal Language for Privacy Requirements

Breaux et al. Eddy, a Formal Language for Specifying and Analyzing Data Flow Specifications for Conflicting PrivacyRequirements. Requirements Engineering, 19(3):281–307, 2014


http://www.devolo.com/en/Products/devolo-Home-Control-Key-Fob-Switch/


Example: Facebook and Zynga



Data Flow between Parties



Objectives

Develop a privacy requirements specificationTo align multi-party expectationsAcross multi-tier applicationsAnd, to formally check conflicts among requirements

High-level design document to be used bySoftware developersPrivacy law expertsEnd users



Conflicts

permission(X) ∧ prohibition(X) → conflict(X)



Methodology



Coded Policy



Specification in Eddy Syntax



Conflict Analysis: Between Facebook and Zynga

PROHIBIT TRANSFER user-dataFROM facebook TO ad-networkFOR anythingPERMIT TRANSFER aggregate-information,anonymous-informationFROM anyone TO anyone

PROHIBIT TRANSFER user-dataFROM facebook TO third-partyFOR merger, acquisitionPERMIT TRANSFER informationFOR merger, acquisition



Conflict Analysis: Within AOL

PROHIBIT USE personally-identifiable-informationFROM registration-environmentFOR targeted-ads

PERMIT COLLECT personally-identifiable-informationFROM anyoneFOR improving-targeted-ads


csc 495.002 lecture 7 ai for privacy: privacy requirements · 2017. 11. 15. · privacy...

Documents