CSC 495.002 – Lecture 7
AI for Privacy: Privacy Requirements
Dr. Özgür Kafalı
North Carolina State University
Department of Computer Science
Fall 2017
PREVIOUSLY ON SOCIAL NETWORKS
Web/Social Networks Privacy
- Inference
- Sharing and disclosure
- Violations and regret
- Targeted advertising
- K-anonymity
Dr. Özgür Kafalı AI for Privacy: Privacy Requirements Fall 2017 1 / 26
AI FOR PRIVACY MODULE
What You Will Learn
- Privacy requirements engineering
- Autonomous agents and reasoning
- Argumentation
- Negotiation
- Privacy norms
- Reasoning about privacy breaches
- Ontologies
- Semantic similarity
PRIVACY REQUIREMENTS PROBLEM
Requirements
- Software requirements: the software has to provide solutions that satisfy the needs of its stakeholders
  - Satisfy a capability needed by a user to achieve an objective
  - Provide functionality to comply with a contract, regulation, or standard
- Example requirements from an electronic health records (EHR) software:
  - The physician shall alter the current prescriptions of a patient or add new prescriptions after a routine visit
  - The system shall respond to a patient scheduling request within 30 seconds
PRIVACY REQUIREMENTS PROBLEM
Security and Privacy Requirements
- Typically non-functional requirements, though this might change depending on the domain
- Can be implied from functional requirements
- Requirement: The physician shall alter the current prescriptions of a patient or add new prescriptions after a routine visit
- What are the security and privacy implications of this requirement?
  - Patients' prescription lists should be encrypted
  - Patients' prescription lists should not be taken out of the hospital without being anonymized
  - Physicians should only access those patients that they are currently treating
PRIVACY REQUIREMENTS PROBLEM
Access Control Requirements
- Describe who can access what, using a role-based access control mechanism
- Can be implemented as part of the EHR software
- In an emergency, the access control mechanism has to be relaxed (a physician may need a record that the role rules would normally deny)
- Instead of a hard access rule, a norm prohibits physicians from accessing the EHR of patients other than their own
- You can also log each access for auditing
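The following is an added example, not code from the lecture, showing how the three ideas on this slide fit together, and how the implied requirement from the previous slide ("physicians should only access those patients that they are currently treating") is handled as a norm rather than as an access rule: role-based permissions decide each request, an emergency override relaxes them for clinical staff, every decision is logged, and a norm check over the log flags physicians who read patients they are not treating. All users, patients, role names and the policy details are constructed assumptions.

```python
"""Access control for an EHR as an added example (not from the lecture):
role-based permissions, an emergency override that relaxes them, an
access log, and a norm check over the log that flags physicians who
accessed patients they are not currently treating.

All users, patients, roles and policy details below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role-based access control: which actions each role may perform (assumed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_record", "alter_prescription"},
    "nurse": {"read_record"},
    "billing": {"read_billing"},
}
# Roles that may invoke the emergency (break-glass) override (assumed).
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass
class AccessEvent:
    actor: str
    role: str
    patient: str
    action: str
    emergency: bool
    granted: bool


@dataclass
class EHR:
    roles: Dict[str, str]              # user -> role
    treating: Dict[str, Set[str]]      # physician -> patients under their care
    log: List[AccessEvent] = field(default_factory=list)

    def access(self, actor: str, patient: str, action: str,
               emergency: bool = False) -> bool:
        """Decide an access request. Every decision, granted or not, is
        logged so that auditing can apply norms the access control cannot."""
        role = self.roles.get(actor, "unknown")
        granted = action in ROLE_PERMISSIONS.get(role, set())
        # Emergency override: clinical staff may read any record. The role
        # check is relaxed, but the event stays marked for later review.
        if emergency and role in CLINICAL_ROLES and action == "read_record":
            granted = True
        self.log.append(AccessEvent(actor, role, patient, action, emergency, granted))
        return granted

    def norm_violations(self) -> List[AccessEvent]:
        """Norm: a physician shall not access the EHR of a patient they are
        not currently treating, unless the access was declared an emergency.
        RBAC alone cannot express this, so it is checked over the log."""
        return [
            e for e in self.log
            if e.granted and e.role == "physician" and not e.emergency
            and e.patient not in self.treating.get(e.actor, set())
        ]

    def emergency_accesses(self) -> List[AccessEvent]:
        """Break-glass uses: not violations, but each one needs human review."""
        return [e for e in self.log if e.granted and e.emergency]


def build_demo() -> EHR:
    """Constructed users and care relationships."""
    return EHR(
        roles={"dr_ada": "physician", "dr_bob": "physician",
               "nurse_cy": "nurse", "bill_dee": "billing"},
        treating={"dr_ada": {"p1"}, "dr_bob": {"p2"}},
    )


def run_scenario() -> EHR:
    """Constructed sequence of requests against the demo EHR."""
    ehr = build_demo()
    ehr.access("dr_ada", "p1", "alter_prescription")             # routine visit, own patient
    ehr.access("dr_ada", "p2", "read_record")                    # RBAC permits, norm forbids
    ehr.access("nurse_cy", "p1", "alter_prescription")           # denied by RBAC
    ehr.access("nurse_cy", "p2", "read_record", emergency=True)  # break-glass read
    ehr.access("bill_dee", "p1", "read_record", emergency=True)  # billing is not clinical
    return ehr


if __name__ == "__main__":
    ehr = run_scenario()
    for e in ehr.norm_violations():
        print("norm violation:", e)
    for e in ehr.emergency_accesses():
        print("review emergency access:", e)
```

The point of the split is that the role check runs at request time and must be permissive enough for emergencies, while the "currently treating" norm is evaluated afterwards from the audit log, where a violation can be attributed to a named physician and an emergency access can be reviewed rather than blocked.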
PRIVACY REQUIREMENTS PROBLEM
Sample Requirements Taxonomy
Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. Requirements Engineering Conference (RE), pages 256–265, 2016
PRIVACY REQUIREMENTS PROBLEM
Phases of Requirements Engineering
- Requirements elicitation
- Requirements analysis
  - Classification
  - Prioritization
  - Negotiation
- Requirements specification
- Requirements validation
PRIVACY REQUIREMENTS PROBLEM
Sample Elicitation Process: VisiOn
Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. Requirements Engineering Conference (RE), pages 256–265, 2016
PRIVACY REQUIREMENTS PROBLEM
Sample Elicitation Process: i*
Liu et al. Security and privacy requirements analysis within a social setting. Requirements Engineering Conference (RE), pages 151–161, 2003
PRIVACY REQUIREMENTS PROBLEM
Attacker Analysis
Assumption: “All actors are guilty until proven innocent”
- Any actor (roles, positions, agents) can be a potential attacker
  - To the system
  - To other actors
- For example, in what ways can a physician misuse the system? What benefit would the physician gain from an information disclosure?
APPLICATION DOMAINS
Threat Modeling
- Enumerate the potential ways that your system might be attacked
- Threat models (e.g., attack trees) typically include only attack nodes
- But defense nodes that mitigate those attacks can also be included
APPLICATION DOMAINS
Misuse Cases
[Misuse case diagram for the EHR example]
- Physician use cases: Access EHR, Logout
- Adversary misuse cases: Guess password, Catch unattended
- Guess password threatens Access EHR; Catch unattended threatens Access EHR; Logout mitigates Catch unattended
APPLICATION DOMAINS
Misuse Case Maps
Karpati et al. Investigating security threats in architectural context: Experimental evaluations of misuse case maps. Journal of Systems and Software, 104(C):90–111, 2015
APPLICATION DOMAINS
Attack/Defense Trees
[Attack/defense tree for the EHR example; defenses in brackets under the attack they mitigate]
Access EHR
  Guess password [Strong password]
  Catch computer unattended [Logout; Do not use public computer]
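As an added example (not from the lecture), the tree on this slide encoded and evaluated in code. Attack nodes combine their children with OR (any child suffices) or AND (all are needed), and a countermeasure attached to a node defeats it when deployed; the node and countermeasure names follow the slide, while the AND/OR semantics and the subset search for minimal defense sets are this example's own assumptions.

```python
"""Attack/defense tree from the slide, evaluated in code (added example, not
from the lecture). Attack nodes combine their children with OR (any child
suffices) or AND (all children needed); a countermeasure attached to a node
defeats that node when deployed. The tree and countermeasure names follow
the slide; the AND/OR semantics and the search are this example's own.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import FrozenSet, List, Set


@dataclass
class AttackNode:
    name: str
    children: List["AttackNode"] = field(default_factory=list)
    conjunctive: bool = False          # True: AND of children; False: OR
    defenses: List[str] = field(default_factory=list)

    def succeeds(self, deployed: Set[str]) -> bool:
        """Can the attacker achieve this node given the deployed defenses?"""
        if any(d in deployed for d in self.defenses):
            return False               # a deployed countermeasure defeats this node
        if not self.children:
            return True                # undefended leaf: the attacker can do it
        results = [c.succeeds(deployed) for c in self.children]
        return all(results) if self.conjunctive else any(results)

    def all_defenses(self) -> Set[str]:
        out = set(self.defenses)
        for c in self.children:
            out |= c.all_defenses()
        return out


def minimal_defense_sets(root: AttackNode) -> List[FrozenSet[str]]:
    """Smallest sets of countermeasures under which the root attack fails.
    Exhaustive over subsets, which is fine for a handful of defenses."""
    candidates = sorted(root.all_defenses())
    found: List[FrozenSet[str]] = []
    for size in range(len(candidates) + 1):
        for combo in combinations(candidates, size):
            s = frozenset(combo)
            if any(f <= s for f in found):
                continue               # a smaller defense set already covers this
            if not root.succeeds(set(s)):
                found.append(s)
    return found


def build_ehr_tree() -> AttackNode:
    """The tree on the slide: Access EHR via password guessing or an
    unattended computer, with the countermeasures shown beneath each leaf."""
    guess = AttackNode("Guess password", defenses=["Strong password"])
    unattended = AttackNode("Catch computer unattended",
                            defenses=["Logout", "Do not use public computer"])
    return AttackNode("Access EHR", children=[guess, unattended])


if __name__ == "__main__":
    tree = build_ehr_tree()
    print("undefended:", tree.succeeds(set()))
    for s in minimal_defense_sets(tree):
        print("sufficient:", sorted(s))
```

Because the root is an OR node, no single countermeasure is enough: a strong password leaves the unattended-computer branch open and vice versa, which the minimal-set search makes explicit. Adding a second leaf under a conjunctive node (set `conjunctive=True`) shows the opposite effect, where defeating any one child defeats the whole branch.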
TECHNIQUES & STUDIES
Eddy: A Formal Language for Privacy Requirements
Breaux et al. Eddy, a Formal Language for Specifying and Analyzing Data Flow Specifications for Conflicting Privacy Requirements. Requirements Engineering, 19(3):281–307, 2014
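As an added toy illustration of the analysis problem named in the Eddy title, not Eddy's syntax or semantics and not the authors' code: a specification is a list of statements that permit or prohibit an actor performing an action (collect, use, transfer) on a datum for a purpose; datum and purpose terms sit in an is-a hierarchy, and a permission conflicts with a prohibition for the same actor and action when their datum and purpose overlap, because some concrete data flow is then both allowed and forbidden. The hierarchies, the statement shape and the sample specification are all constructed assumptions.

```python
"""Conflict detection between permitted and prohibited data flows, as an
added toy illustration of the analysis problem the Eddy paper addresses.
This is not Eddy's syntax or semantics. Datum and purpose terms live in an
is-a hierarchy; a permission conflicts with a prohibition for the same
actor and action when their datum and purpose overlap (one subsumes the
other). The hierarchies and statements are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# is-a hierarchies: child -> parent (constructed)
DATUM_PARENT: Dict[str, str] = {
    "prescription": "medical_record",
    "diagnosis": "medical_record",
    "medical_record": "patient_data",
    "billing_info": "patient_data",
}
PURPOSE_PARENT: Dict[str, str] = {
    "treatment": "healthcare",
    "research": "healthcare",
    "healthcare": "any_purpose",
    "marketing": "any_purpose",
}


def is_a(term: str, ancestor: str, parent: Dict[str, str]) -> bool:
    """True if `term` equals `ancestor` or lies below it in the hierarchy."""
    cur: Optional[str] = term
    while cur is not None:
        if cur == ancestor:
            return True
        cur = parent.get(cur)
    return False


def overlaps(a: str, b: str, parent: Dict[str, str]) -> bool:
    """Two terms overlap when one subsumes the other (they share instances)."""
    return is_a(a, b, parent) or is_a(b, a, parent)


@dataclass(frozen=True)
class Statement:
    modality: str    # "permit" or "prohibit"
    actor: str
    action: str      # "collect", "use" or "transfer"
    datum: str
    purpose: str


def conflicts(spec: List[Statement]) -> List[Tuple[Statement, Statement]]:
    """Pairs (permission, prohibition) that apply to a common data flow."""
    found: List[Tuple[Statement, Statement]] = []
    for p in spec:
        if p.modality != "permit":
            continue
        for q in spec:
            if (q.modality == "prohibit"
                    and p.actor == q.actor and p.action == q.action
                    and overlaps(p.datum, q.datum, DATUM_PARENT)
                    and overlaps(p.purpose, q.purpose, PURPOSE_PARENT)):
                found.append((p, q))
    return found


def sample_spec() -> List[Statement]:
    """Constructed EHR data-flow statements; two of the pairs conflict."""
    return [
        Statement("permit", "physician", "use", "medical_record", "treatment"),
        Statement("prohibit", "physician", "transfer", "patient_data", "marketing"),
        Statement("permit", "researcher", "use", "prescription", "research"),
        Statement("prohibit", "researcher", "use", "medical_record", "any_purpose"),
        Statement("permit", "billing", "transfer", "billing_info", "marketing"),
        Statement("prohibit", "billing", "transfer", "patient_data", "marketing"),
    ]


if __name__ == "__main__":
    for perm, proh in conflicts(sample_spec()):
        print("conflict:", perm, "vs", proh)
```

The hierarchy is what makes the check non-trivial: the researcher's permission names a prescription and the prohibition names the whole medical record, and a flat string comparison would miss that the two statements cover the same flows. The physician's "use for treatment" permission does not conflict with the "transfer for marketing" prohibition because the actions differ, which is the kind of distinction a formal specification lets a tool decide rather than a reviewer.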