CSC 495.002 – Lecture 7
AI for Privacy: Privacy Requirements
Dr. Ozgur Kafalı
North Carolina State University, Department of Computer Science
Fall 2017 (2017-11-15)
PREVIOUSLY ON SOCIAL NETWORKS
Web/Social Networks Privacy
- Inference
- Sharing and disclosure
- Violations and regret
- Targeted advertising
- K-anonymity
Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 1 / 26
AI FOR PRIVACY MODULE
What You Will Learn
- Privacy requirements engineering
- Autonomous agents and reasoning
- Argumentation
- Negotiation
- Privacy norms
- Reasoning about privacy breaches
- Ontologies
- Semantic similarity
PRIVACY REQUIREMENTS PROBLEM
Requirements
Software requirements: software has to provide solutions to establish the needs of its stakeholders
- Satisfy a capability needed by a user to achieve an objective
- Functionality to comply with a contract, regulation, or standard
Example requirements from an electronic health records (EHR) software:
- The physician shall alter the current prescriptions of a patient or add new prescriptions after a routine visit
- The system shall respond to a patient scheduling request within 30 seconds
Security and Privacy Requirements
- Typically non-functional requirements, though this might change depending on the domain
- Can be implied from functional requirements
Requirement: The physician shall alter the current prescriptions of a patient or add new prescriptions after a routine visit
What are the security and privacy implications of this requirement?
- Patients’ prescription list should be encrypted
- Patients’ prescription list should not be taken out of the hospital without being anonymized
- Physicians should only access those patients that they are currently treating
Access Control Requirements
- Describe who can access what using a role-based access control mechanism
- Can be implemented as part of the EHR software
- In an emergency, relax the access control mechanism
- Instead, a norm prohibits physicians from accessing the EHR of other patients
- You can also log each access for auditing
Sample Requirements Taxonomy
Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. Requirements Engineering Conference (RE), pages 256–265, 2016
Phases of Requirements Engineering
- Requirements elicitation
- Requirements analysis
  - Classification
  - Prioritization
  - Negotiation
- Requirements specification
- Requirements validation
Sample Elicitation Process: VisiOn
Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. Requirements Engineering Conference (RE), pages 256–265, 2016
Sample Elicitation Process: i*
Liu et al. Security and privacy requirements analysis within a social setting. Requirements Engineering Conference (RE), pages 151–161, 2003
Attacker Analysis
Assumption: “All actors are guilty until proven innocent”
- Any actor (roles, positions, agents) can be a potential attacker
  - To the system
  - To other actors
- For example, in what ways can a physician misuse the system?
- What benefit would the physician gain from an information disclosure?
APPLICATION DOMAINS
Threat Modeling
Enumerate potential ways that your system might be attacked
Typically include only attack nodes
But defense nodes that mitigate such attacks can also be included
Misuse Cases
[Misuse case diagram: the actor Physician performs the use cases Access EHR and Logout; the actor Adversary performs the misuse cases Guess password and Catch unattended. Guess password and Catch unattended both threaten Access EHR; Logout mitigates Catch unattended.]
Misuse Case Maps
Karpati et al. Investigating security threats in architectural context: Experimental evaluations of misuse case maps. Journal of Systems and Software, 104(C):90–111, 2015
Attack/Defense Trees
[Attack/defense tree; attack nodes are listed under the goal, with the defense that mitigates each one indented beneath it]
Access EHR
  Guess password
    defense: Strong password
  Catch computer unattended
    defense: Logout
    defense: Do not use public computer
Exercise: Healthcare Threat Model
http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requirements
Exercise: Internet of Things Threat Model
http://www.devolo.com/en/Products/devolo-Home-Control-Key-Fob-Switch/
TECHNIQUES & STUDIES
Eddy: A Formal Language for Privacy Requirements
Breaux et al. Eddy, a Formal Language for Specifying and Analyzing Data Flow Specifications for Conflicting Privacy Requirements. Requirements Engineering, 19(3):281–307, 2014
Example: Facebook and Zynga
Data Flow between Parties
Objectives
- Develop a privacy requirements specification
  - To align multi-party expectations
  - Across multi-tier applications
  - And to formally check conflicts among requirements
- High-level design document to be used by
  - Software developers
  - Privacy law experts
  - End users
Conflicts
permission(X) ∧ prohibition(X) → conflict(X)
Methodology
Coded Policy
Specification in Eddy Syntax
Conflict Analysis: Between Facebook and Zynga
PROHIBIT TRANSFER user-data
  FROM facebook TO ad-network
  FOR anything
PERMIT TRANSFER aggregate-information, anonymous-information
  FROM anyone TO anyone

PROHIBIT TRANSFER user-data
  FROM facebook TO third-party
  FOR merger, acquisition
PERMIT TRANSFER information
  FOR merger, acquisition
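As an added example (not from the slides or from the Eddy paper's own tooling), a small Python checker that applies the rule from the Conflicts slide, permission(X) ∧ prohibition(X) → conflict(X), to the two Facebook/Zynga statement pairs above. The is-a hierarchies for roles, data and purposes, the placement of aggregate and anonymous information under user-data, and the defaults for omitted FROM/TO/FOR clauses are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

# Constructed "is-a" hierarchies (child -> parent); a root subsumes everything below it.
# Putting aggregate/anonymous information under user-data is this example's assumption.
ROLES = {"facebook": "anyone", "zynga": "anyone", "third-party": "anyone", "ad-network": "third-party"}
DATA = {"user-data": "information", "aggregate-information": "user-data", "anonymous-information": "user-data"}
PURPOSES = {"merger": "anything", "acquisition": "anything"}

def subsumes(onto, general, specific):
    """True if `general` is `specific` itself or one of its ancestors in `onto`."""
    while specific is not None:
        if specific == general:
            return True
        specific = onto.get(specific)
    return False

def overlap(onto, xs, ys):
    """Two term lists share an interpretation if some pair is related by subsumption."""
    return any(subsumes(onto, x, y) or subsumes(onto, y, x) for x, y in product(xs, ys))

@dataclass(frozen=True)
class Statement:
    modality: str                   # "PERMIT" or "PROHIBIT"
    action: str                     # COLLECT, USE or TRANSFER
    datum: tuple
    source: str = "anyone"          # omitted FROM/TO clauses default to the root role
    target: str = "anyone"
    purpose: tuple = ("anything",)  # an omitted FOR clause defaults to the root purpose

def conflicts(spec):
    """permission(X) ∧ prohibition(X) → conflict(X): every PERMIT/PROHIBIT pair on the
    same action whose datum, source, target and purpose all overlap."""
    permits = [s for s in spec if s.modality == "PERMIT"]
    prohibits = [s for s in spec if s.modality == "PROHIBIT"]
    return [(p, q) for p in permits for q in prohibits
            if p.action == q.action
            and overlap(DATA, p.datum, q.datum)
            and overlap(ROLES, [p.source], [q.source])
            and overlap(ROLES, [p.target], [q.target])
            and overlap(PURPOSES, p.purpose, q.purpose)]

# The two Facebook/Zynga statement pairs from the slide, encoded as Statements.
AD_NETWORK_PAIR = [
    Statement("PROHIBIT", "TRANSFER", ("user-data",), "facebook", "ad-network"),
    Statement("PERMIT", "TRANSFER", ("aggregate-information", "anonymous-information"))]
MERGER_PAIR = [
    Statement("PROHIBIT", "TRANSFER", ("user-data",), "facebook", "third-party", ("merger", "acquisition")),
    Statement("PERMIT", "TRANSFER", ("information",), purpose=("merger", "acquisition"))]
```

Each pair yields exactly one conflict under these hierarchies; narrowing the permit's target to a role that neither subsumes nor is subsumed by ad-network (for example zynga) makes the conflict disappear, which is the kind of refinement the analysis is meant to prompt.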
Conflict Analysis: Within AOL
PROHIBIT USE personally-identifiable-information
  FROM registration-environment
  FOR targeted-ads
PERMIT COLLECT personally-identifiable-information
  FROM anyone
  FOR improving-targeted-ads