Tuesday, November 27, 2012

CyLab Researchers Make Major Advances In Audit Technology For Privacy Protection



A team of researchers at Carnegie Mellon University led by Dr. Anupam Datta, Assistant Research Professor at CyLab and Electrical & Computer Engineering, has developed algorithms that can help protect individual privacy by checking that organizations such as hospitals and banks are disclosing personal information about their customers to third parties in compliance with privacy regulations. They have produced the first complete formal specification of disclosure clauses in two important US privacy laws -- the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Gramm-Leach-Bliley Act (GLBA).

They also built an algorithm that can help investigators detect violations of these laws and similar privacy policies. The research team included Henry DeYoung (a graduate student in the Computer Science Department) and three postdoctoral researchers in Dr. Datta's research group: Dr. Deepak Garg (now faculty at MPI-SWS), Dr. Limin Jia (now faculty at CMU CyLab), and Dr. Dilsun Kaynar (now faculty at CMU Computer Science Department).

Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in the financial sector) and to adhere to self-declared privacy policies in self-regulated sectors (e.g., the privacy policies of companies such as Google and Facebook in Web services). Enforcing these kinds of privacy policies in organizations is difficult because privacy laws and enterprise policies typically identify a complex set of conditions governing the disclosure of personal information. For example, the HIPAA Privacy Rule includes over 80 clauses that permit, deny, and even require the disclosure of personal health information, making it difficult to manually ensure that all disclosures are compliant with the law.

The research team at Carnegie Mellon University created a formal language for specifying a rich class of privacy policies. They then used this language to produce the first complete formal specification of disclosure clauses in two important US privacy laws -- the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Gramm-Leach-Bliley Act (GLBA). Recognizing that certain portions of complex privacy policies such as HIPAA are subjective and might require input from human auditors for compliance determination, the specification clearly separates out the subjective and the objective portions of a given policy.

The team then developed an algorithm that checks audit logs for compliance with privacy policies expressed in their language. The algorithm has two distinct characteristics. First, it automatically checks the objective portion of the privacy policy for compliance and outputs the subjective portion for inspection by human auditors. Second, recognizing that audit logs are often incomplete in practice (i.e., they may not contain sufficient information to determine whether a policy is violated or not), the algorithm proceeds iteratively: in each iteration it checks as much of the policy as it can over the current log and outputs a residual policy that can only be checked once the log is extended with additional information. Initial experiments with a prototype implementation checking compliance of simulated audit logs with the HIPAA Privacy Rule indicate that the algorithm is fast enough to be used in practice.
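As an added illustration (not the CMU team's code, specification or policy language), the following Python sketch shows the two behaviours described above over a small constructed log: objective clauses are decided automatically, subjective ones are routed to a human auditor, and clauses that cannot be decided on the current log are returned as a residual that is re-checked when the log is extended. The policy clauses, log fields and authorization records are hypothetical stand-ins, not HIPAA text.

```python
"""Toy iterative audit of an incomplete disclosure log (added illustration).

Each permitting clause of a policy is a predicate that evaluates, on the
current log, to TRUE, FALSE, UNKNOWN (the log lacks the information) or
SUBJECTIVE (needs a human auditor). A disclosure is compliant as soon as one
clause is TRUE; UNKNOWN clauses form the residual to re-check on a bigger log.
Simplified model, not CMU's algorithm or its policy language.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

TRUE, FALSE, UNKNOWN, SUBJECTIVE = "true", "false", "unknown", "subjective"


@dataclass(frozen=True)
class Disclosure:
    id: str
    sender: str
    recipient: str
    subject: str
    purpose: Optional[str]  # None: the purpose field is missing from this record


@dataclass
class Log:
    disclosures: List[Disclosure]
    # None models a source not yet ingested (e.g. the consent system): any
    # question about authorization is then UNKNOWN, not FALSE.
    authorizations: Optional[Set[Tuple[str, str]]] = None


Predicate = Callable[[Disclosure, Log], str]


def purpose_is(value: str) -> Predicate:
    def pred(d: Disclosure, log: Log) -> str:
        if d.purpose is None:
            return UNKNOWN
        return TRUE if d.purpose == value else FALSE
    return pred


def subject_authorized(d: Disclosure, log: Log) -> str:
    if log.authorizations is None:
        return UNKNOWN
    return TRUE if (d.subject, d.recipient) in log.authorizations else FALSE


def auditor_judgement(d: Disclosure, log: Log) -> str:
    return SUBJECTIVE  # never decided by the machine


def all_of(*preds: Predicate) -> Predicate:
    """Four-valued AND: one FALSE refutes; otherwise missing data dominates."""
    def pred(d: Disclosure, log: Log) -> str:
        results = [p(d, log) for p in preds]
        for value in (FALSE, UNKNOWN, SUBJECTIVE):
            if value in results:
                return value
        return TRUE
    return pred


# Hypothetical permitting clauses (constructed for this example; not HIPAA text).
POLICY: Dict[str, Predicate] = {
    "treatment": purpose_is("treatment"),
    "authorized": subject_authorized,
    "law_enforcement": all_of(purpose_is("law_enforcement"), auditor_judgement),
}


@dataclass
class Report:
    compliant: List[str] = field(default_factory=list)
    violations: List[str] = field(default_factory=list)
    residual: Dict[str, List[str]] = field(default_factory=dict)     # id -> clauses to re-check
    for_auditor: Dict[str, List[str]] = field(default_factory=dict)  # id -> clauses for a human


def check(policy: Dict[str, Predicate], log: Log,
          todo: Optional[Dict[str, List[str]]] = None) -> Report:
    """One iteration. `todo` is the previous residual (plus any new disclosures
    the caller adds); None means every disclosure against every clause."""
    if todo is None:
        todo = {d.id: list(policy) for d in log.disclosures}
    by_id = {d.id: d for d in log.disclosures}
    report = Report()
    for did, clauses in todo.items():
        results = {name: policy[name](by_id[did], log) for name in clauses}
        values = set(results.values())
        if TRUE in values:
            report.compliant.append(did)
        elif UNKNOWN in values:
            # Refuted clauses are dropped, so the residual only shrinks.
            report.residual[did] = [n for n, r in results.items() if r != FALSE]
        elif SUBJECTIVE in values:
            report.for_auditor[did] = [n for n, r in results.items() if r == SUBJECTIVE]
        else:
            report.violations.append(did)
    return report


def demo() -> Tuple[Report, Report]:
    # Constructed sample log: consent records not yet loaded, d5 lacks a purpose.
    first = Log([
        Disclosure("d1", "hospital", "clinic", "alice", "treatment"),
        Disclosure("d2", "hospital", "insurer", "bob", "billing"),
        Disclosure("d3", "hospital", "marketing_co", "carol", "marketing"),
        Disclosure("d4", "hospital", "police", "dave", "law_enforcement"),
        Disclosure("d5", "hospital", "insurer", "erin", None),
    ])
    r1 = check(POLICY, first)
    # Extended log: consent records arrive and d5's purpose is back-filled.
    extended = Log(
        [d if d.id != "d5" else Disclosure("d5", "hospital", "insurer", "erin", "billing")
         for d in first.disclosures],
        authorizations={("bob", "insurer"), ("erin", "insurer")},
    )
    r2 = check(POLICY, extended, todo=r1.residual)
    return r1, r2


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(f"iteration {i}: {r}")
```

On the first pass only the treatment disclosure is decided; the rest come back as a residual naming exactly the clauses still open. On the second pass, with the consent records loaded, two disclosures become compliant, one becomes a violation, and the law-enforcement disclosure is the only item handed to a human auditor, with its objective sub-conditions already settled.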

Additional information about this work can be found on the project web page: http://www.andrew.cmu.edu/user/danupam/privacy.html

Carnegie Mellon CyLab Awarded DHS Contract For Research Into Understanding And Disrupting The Economics Of Cybercrime



Carnegie Mellon University CyLab has been awarded a multi-million dollar contract for research into Understanding and Disrupting the Economics of Cybercrime. Nicolas Christin, CyLab Senior Systems Scientist and Associate Director of the Information Networking Institute (INI), is Principal Investigator (PI). His co-PIs are fellow CyLab researcher Alessandro Acquisti, along with Tyler Moore of Southern Methodist University, Ross Anderson of Cambridge University, and Ryan Williams of NFCTA. Richard Clayton of Cambridge University will also participate as instrumental senior personnel.

Based on the realization that focusing on a particular attack, or a specific set of attacks, is unlikely to provide the detailed level of understanding necessary to design meaningful intervention policies against cybercrime, the methodology developed by Christin and his colleagues holistically combines network measurements with behavioral and economic analysis. The project will consist of four research tasks: designing cybercrime indicators, designing data interchange formats and standards, modeling online-crime supply chains, and modeling attackers' behavioral psychology. The contract is one of thirty-four, totaling $40 million, that the U.S. Department of Homeland Security (DHS) Science and Technology Directorate (DHS S&T) has awarded to twenty-nine academic and research organizations. This funding is for research and development of cyber security solutions.

In January 2011, the DHS S&T Cyber Security Division (CSD) issued a Cyber Security R&D Broad Agency Announcement (BAA 11-02) that solicited proposals for 14 Technical Topic Areas (TTAs) aimed at improving security in federal networks and across the Internet while developing new and enhanced technologies for detecting, preventing and responding to cyber attacks on the nation's critical information infrastructure. BAA 11-02 elicited white paper responses from more than 1,000 offerors.

Following an extensive review and down-select process, more than 200 offerors were invited to submit full proposals for final review. Of those, new awards were made to the twenty-nine organizations that were announced on October 26, 2012.

"The work to be accomplished through these contracts will significantly advance cyber security and support the mission of the DHS Science and Technology Directorate's Cyber Security Division to create a safe, secure and resilient cyber environment," Dr. Douglas Maughan, director of DHS' S&T Cyber Security Division told Homeland Security Today. "Our goal," said Maughan, "is to transform the cyber-infrastructure to be resistant to attack so that critical national interests are protected from catastrophic damage and our society can confidently adopt new technological advances." (See Homeland Security Today, 10-26-12)


Monday, November 5, 2012

Glimpses into the 9th Annual CyLab Partners Conference

CyLab Researchers Nicolas Christin, Rahul Telang, Alessandro Acquisti
9th Annual Cylab Partners Conference (October 2012)

[NOTE: This CyBlog post is also cross-posted as a CyLab Chronicles on the main CyLab web site.]

The 9th Annual CyLab Partners Conference was held at the main campus of Carnegie Mellon University (Pittsburgh, Pa.), on October 2nd and 3rd, 2012.

The Partners Conference is an exclusive benefit of membership in the CyLab Partners program, and like the recruitment opportunities, reputational boost and Seminar webcasts, it is one of several benefits that are available to all Partners, whether at the $25,000 level, the $100,000 level or the $350,000 level.

For two days, representatives from CyLab's corporate Partners receive research updates from our work across a broad range of areas, e.g., Next Generation Internet, Trustworthy Computing, Mobility, Software Security, Usable Privacy and Security, Business Risks and Economic Implications, and more. Perhaps even more important is the time to interact one on one with faculty researchers during breaks and meals, and to interact with CyLab's graduate students at the poster session.

Annual Partners Conference content is archived on the CyLab Partners Portal (another exclusive benefit of membership), including videos of the research presentations, along with .pdfs of the slides for each presentation, as well as electronic files of the student posters, documenting current projects.

To entice you to consider taking advantage of the benefits of CyLab partnership, and to contribute to the general dialogue on the vital issues of cyber security and privacy, we have posted a CyLab Partners Conference video sampler and some other content to both the CyLab YouTube Channel and the CyLab iTunesU Store.

The sampler, 9th Annual Partners Conference Excerpts, includes two or three minute snippets from each of the following seven presentations:
  • Virgil Gligor - "On Foundations of Trust in Networks of Humans and Computers"
  • David Brumley - "Automatically Finding Exploitable Bugs in Off-The-Shelf Executables"
  • Mike Farb - "SafeSlinger: Applied Ad-Hoc Smartphone Trust Establishment"
  • Lorrie Cranor - "Measuring the Success of Web-based Spoofing Attacks on OS Password-Entry Dialogs"
  • Collin Jackson - "Web Security"
  • Rahul Telang - "Competition and Data Breaches"
  • Norman Sadeh - "Mobile Privacy"


Four full faculty researcher presentations have also been made available publicly: