CICI: RDP: Enforcing Security and Privacy Policies to Protect Research Data

CICI：RDP：执行安全和隐私政策以保护研究数据

• 批准号: 2325369
• 负责人: Yuan Tian
• 金额: $ 92.45万
• 依托单位: University of California-Los Angeles
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2024-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2325369&HistoricalAwards=false
• 关键词: CICI; RDP; Enforcing; Security; Privacy

Advances in computer systems over the past decade have laid a solid foundation for data collection at a staggering scale. Data generated from end-user devices has tremendous value to the research community. For example, mobile and Internet-of-Things devices can participate in large-scale Internet-based measurement or monitoring of patient's health conditions. While ground-breaking discovered may occur, malicious attacks or unintentional data leaks threaten the research data. Such a threat is hard to predict and difficult to recover from once it happens. Preventative and defensive measures should be taken where data is generated in order to protect private, valuable data from the attackers. Currently, there are efforts that try to regulate data management, for example, a research application might have a privacy policy that describes how the user data is being collected and protected. However, there is a disconnect between these documented policies and the implementations of a research project. In this project, the investigators propose to interpret the documented policies and enforce them in research projects, in order to protect the privacy of research data. This work can significantly reduce researchers' overhead in implementing policy-compliant code and reduce the complexity of protecting research datasets.In this project, the investigators provide a solution that protects research data using policies mandated by different regulatory entities, such as an application store and an Institutional Review Board (IRB). The system utilizes Natural Language Processing (NLP) techniques to extract security and privacy requirements from unstructured regulatory documents and translates these requirements to code that can patch a program that does not comply with the policies. The solution covers the lifetime of research data protection, from data collection to data storage, and data processing. This research has two thrusts. First, the investigators will build novel NLP techniques to extract security and privacy policies from unstructured, sparsely-labeled documents such as IRB protocols, and privacy disclosure of research applications. Second, the investigators will enforce these extracted policies in code, through context-aware program analysis to discover inconsistencies between a researcher's implementation and the extracted policies, and instrument researcher?s code to enforce compliant program behavior. The results of this work will have a transformative impact on the development of the next generation research data protection techniques, and more defensive security and privacy practices.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

过去十年来计算机系统的进步为以惊人的规模收集数据奠定了坚实的基础。终端用户设备产生的数据对研究界具有巨大的价值。例如，移动和物联网设备可以参与基于互联网的大规模患者健康状况测量或监测。虽然可能会发生突破性的发现，但恶意攻击或无意的数据泄露会威胁到研究数据。这样的威胁很难预测，一旦发生就很难恢复。在生成数据的地方应该采取预防和防御措施，以保护私人、有价值的数据不受攻击者的攻击。目前，有一些努力试图规范数据管理，例如，研究应用程序可能具有描述如何收集和保护用户数据的隐私策略。然而，这些记录在案的政策与研究项目的实施之间存在着脱节。在这个项目中，研究人员建议解释文件中的政策并在研究项目中执行这些政策，以保护研究数据的隐私。这项工作可以显著减少研究人员在实施符合策略的代码时的开销，并降低保护研究数据集的复杂性。在这个项目中，调查人员提供了一个解决方案，使用不同监管实体(如应用程序商店和机构审查委员会(IRB))授权的策略来保护研究数据。该系统利用自然语言处理(NLP)技术从非结构化的法规文档中提取安全和隐私要求，并将这些要求转换为可以为不符合策略的程序打补丁的代码。该解决方案涵盖了研究数据保护的整个生命周期，从数据收集到数据存储，再到数据处理。这项研究有两个突破口。首先，研究人员将构建新的NLP技术，从非结构化、稀疏标签的文档(如IRB协议)和研究应用程序的隐私披露中提取安全和隐私策略。其次，调查人员将在代码中强制执行这些提取的策略，通过上下文感知程序分析来发现研究人员的实现和提取的策略之间的不一致，并工具研究人员？S代码来强制执行合规的程序行为。这项工作的结果将对下一代研究数据保护技术以及更多防御性安全和隐私实践的发展产生革命性影响。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Is Your Policy Compliant?: A Deep Learning-based Empirical Study of Privacy Policies' Compliance with GDPR

• DOI: 10.1145/3559613.3563195
• 发表时间: 2022-11
• 期刊: Proceedings of the 21st Workshop on Privacy in the Electronic Society
• 作者: Tamjid Al Rahat;Minjun Long;Yuan Tian

PLUE: Language Understanding Evaluation Benchmark for Privacy Policies in English

PLUE：英语隐私政策的语言理解评估基准

• 发表时间: 2023
• 期刊: The 61st Annual Meeting of the Association for Computational Linguistics (ACL
• 作者: Chi, J.;Ahmad, W.;Tian, Y.;Chang, K.
• 通讯作者: Chang, K.

CHKPLUG: Checking GDPR Compliance of WordPress Plugins via Cross-language Code Property Graph

• DOI: 10.14722/ndss.2023.24610
• 发表时间: 2023
• 期刊: Proceedings 2023 Network and Distributed System Security Symposium
• 作者: F. H. Shezan;Zihao Su;Ming-Zhi Kang;Nicholas Phair;Patrick William Thomas;Michelangelo van Dam;Yinzhi Cao;Yuan Tian

Cerberus : Query-driven Scalable Security Checking for OAuth Service Provider Implementations

• 发表时间: 2022
• 作者: Tamjid Al Rahat