TC: Medium: Collaborative Research: User-Controllable Policy Learning

TC：媒介：协作研究：用户可控的策略学习

• 批准号: 0905403
• 负责人: Steven Bellovin
• 金额: $ 45万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-10-01 至 2013-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0905403&HistoricalAwards=false
• 关键词: TC; Medium; Collaborative; Research; User

As both corporate and consumer-oriented applications introduce new functionality and increased levels of customization and delegation, they inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies, rendering the human element an important, yet often overlooked source of vulnerability. This project aims to develop and evaluate a new family of user-controllable policy learning techniques capable of leveraging user feedback and presenting them with incremental, user-understandable suggestions on how to improve their security or privacy policies. In contrast to traditional machine learning techniques, which are generally configured as ?black boxes? that take over from the user, user-controllable policy learning aims to ensure that users continue to understand their policies and remain in control of policy changes. As a result, this family of policy learning techniques offers the prospect of empowering lay and expert users to more effectively configure a broad range of security and privacy policies. The techniques to be developed in this project will be evaluated and refined in the context of two strategically important domains, namely privacy policies in social networks and firewall policies. In the process, work to be conducted in this project is also expected to lead to a significantly deeper understanding of (1) the difficulties experienced by users as they try to specify and refine security and privacy policies, and (2) what it takes to overcome these difficulties. The latter includes developing models of the types of policy modifications users can relate to and exploit as well as an understanding of the tradeoffs between usability and the number of policy modifications users are presented with. It also includes understanding how the effectiveness of user-controllable policy learning is impacted by the expressiveness of underlying policy languages, modes of interaction with the user (e.g. graphical versus text-based), and the topologies across which policies are deployed,

随着企业和面向消费者的应用程序都引入了新的功能以及更高级别的定制和委派，它们不可避免地会产生更复杂的安全和隐私策略。然而，研究一再表明，非专业用户和专家用户都不擅长配置策略，这使得人为因素成为一个重要的、但往往被忽视的脆弱性来源。该项目旨在开发和评估一系列新的用户可控的策略学习技术，这些技术能够利用用户反馈，并为他们提供关于如何改进其安全或隐私策略的增量、用户可理解的建议。与传统的机器学习技术不同，传统的机器学习技术通常被配置为？黑盒？用户可控策略学习取代了用户，旨在确保用户继续了解他们的策略并保持对策略更改的控制。因此，这一系列策略学习技术使非专业用户和专家用户能够更有效地配置广泛的安全和隐私策略。本项目中将要开发的技术将在两个具有重要战略意义的领域--社交网络中的隐私策略和防火墙策略--的背景下进行评估和改进。在这一过程中，预计该项目中将开展的工作还将大大加深对以下问题的理解：(1)用户在尝试指定和完善安全和隐私政策时所经历的困难，以及(2)克服这些困难需要采取的措施。后者包括开发用户可以涉及和利用的策略修改类型的模型，以及对可用性和向用户呈现的策略修改数量之间的权衡的理解。它还包括理解用户可控策略学习的有效性如何受到底层策略语言的表达能力、与用户的交互模式(例如，基于图形的与基于文本的)以及部署策略的拓扑的影响，