TC: Medium: Collaborative Research: User-Controllable Policy Learning

TC：媒介：协作研究：用户可控的策略学习

• 批准号: 0905403
• 负责人: Steven Bellovin
• 金额: $ 45万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-10-01 至 2013-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0905403&HistoricalAwards=false
• 关键词: TC; Medium; Collaborative; Research; User

As both corporate and consumer-oriented applications introduce new functionality and increased levels of customization and delegation, they inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies, rendering the human element an important, yet often overlooked source of vulnerability. This project aims to develop and evaluate a new family of user-controllable policy learning techniques capable of leveraging user feedback and presenting them with incremental, user-understandable suggestions on how to improve their security or privacy policies. In contrast to traditional machine learning techniques, which are generally configured as ?black boxes? that take over from the user, user-controllable policy learning aims to ensure that users continue to understand their policies and remain in control of policy changes. As a result, this family of policy learning techniques offers the prospect of empowering lay and expert users to more effectively configure a broad range of security and privacy policies. The techniques to be developed in this project will be evaluated and refined in the context of two strategically important domains, namely privacy policies in social networks and firewall policies. In the process, work to be conducted in this project is also expected to lead to a significantly deeper understanding of (1) the difficulties experienced by users as they try to specify and refine security and privacy policies, and (2) what it takes to overcome these difficulties. The latter includes developing models of the types of policy modifications users can relate to and exploit as well as an understanding of the tradeoffs between usability and the number of policy modifications users are presented with. It also includes understanding how the effectiveness of user-controllable policy learning is impacted by the expressiveness of underlying policy languages, modes of interaction with the user (e.g. graphical versus text-based), and the topologies across which policies are deployed,

随着企业和面向消费者的应用程序引入新功能以及定制和委托级别的提高，它们不可避免地会产生更复杂的安全和隐私策略。然而，研究一再表明，外行和专家用户都不擅长配置策略，使人为因素成为一个重要但往往被忽视的脆弱性来源。该项目旨在开发和评估一个新的家庭用户可控的政策学习技术，能够利用用户的反馈，并向他们提出增量，用户可以理解的建议，如何提高他们的安全或隐私政策。与传统的机器学习技术相比，这些技术通常被配置为？黑盒用户可控的策略学习旨在确保用户继续理解他们的策略并保持对策略变化的控制。因此，这一系列的策略学习技术提供了前景授权外行和专家用户更有效地配置广泛的安全和隐私策略。将在两个具有重要战略意义的领域，即社交网络中的隐私政策和防火墙政策的背景下，对本项目开发的技术进行评估和改进。在此过程中，本项目中开展的工作也有望使人们更深入地了解（1）用户在尝试指定和完善安全和隐私政策时遇到的困难，以及（2）克服这些困难的方法。后者包括开发用户可以涉及和利用的策略修改类型的模型，以及对可用性和策略修改用户数量之间的权衡的理解。它还包括理解用户可控策略学习的有效性如何受到底层策略语言的表达能力、与用户交互的模式（例如，图形与基于文本的）以及策略部署的拓扑结构的影响，