TC: Medium: Collaborative Research: User-Controllable Policy Learning

TC：媒介：协作研究：用户可控的策略学习

• 批准号: 0905403
• 负责人: Steven Bellovin
• 金额: $ 45万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-10-01 至 2013-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0905403&HistoricalAwards=false
• 关键词: TC; Medium; Collaborative; Research; User; TC; Medium; Collaborative; Research; User

As both corporate and consumer-oriented applications introduce new functionality and increased levels of customization and delegation, they inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies, rendering the human element an important, yet often overlooked source of vulnerability. This project aims to develop and evaluate a new family of user-controllable policy learning techniques capable of leveraging user feedback and presenting them with incremental, user-understandable suggestions on how to improve their security or privacy policies. In contrast to traditional machine learning techniques, which are generally configured as ?black boxes? that take over from the user, user-controllable policy learning aims to ensure that users continue to understand their policies and remain in control of policy changes. As a result, this family of policy learning techniques offers the prospect of empowering lay and expert users to more effectively configure a broad range of security and privacy policies. The techniques to be developed in this project will be evaluated and refined in the context of two strategically important domains, namely privacy policies in social networks and firewall policies. In the process, work to be conducted in this project is also expected to lead to a significantly deeper understanding of (1) the difficulties experienced by users as they try to specify and refine security and privacy policies, and (2) what it takes to overcome these difficulties. The latter includes developing models of the types of policy modifications users can relate to and exploit as well as an understanding of the tradeoffs between usability and the number of policy modifications users are presented with. It also includes understanding how the effectiveness of user-controllable policy learning is impacted by the expressiveness of underlying policy languages, modes of interaction with the user (e.g. graphical versus text-based), and the topologies across which policies are deployed,

随着公司和面向消费者的应用程序都引入了新的功能，并提高了自定义和授权水平，它们不可避免地会产生更复杂的安全性和隐私政策。然而，研究反复表明，外行和专家用户都不擅长配置政策，从而使人类因素成为重要但经常被忽视的脆弱性来源。该项目旨在开发和评估一个可利用用户反馈并向他们提出有关如何改善其安全性或隐私政策的逐步，用户可靠的建议，并向他们介绍新的可控制策略学习技术的新家族。与传统的机器学习技术相反，通常将它们配置为“黑匣子”？从用户接管的情况下，可控制用户的策略学习旨在确保用户继续了解其政策并保持控制策略更改。结果，这种政策学习家族提供了授权外行和专家用户更有效地配置广泛的安全性和隐私政策的前景。该项目中要开发的技术将在两个具有战略上重要的领域的背景下进行评估和完善，即社交网络和防火墙政策中的隐私政策。在此过程中，预计在该项目中要进行的工作还会使（1）用户试图指定和完善安全性和隐私政策时遇到的困难，以及（2）克服这些困难所需的事情。后者包括开发用户可以与和利用的策略修改类型的模型，以及对可用性与用户所呈现的策略修改数量之间的权衡的理解。它还包括了解用户控制策略学习的有效性如何受到潜在策略语言的表现力，与用户的互动方式（例如，基于图形的文本）的互动方式以及部署，部署，策略的拓扑。