CICI: RDP: Enforcing Security and Privacy Policies to Protect Research Data

CICI：RDP：执行安全和隐私政策以保护研究数据

• 批准号: 1920462
• 负责人: Yuan Tian
• 金额: $ 92.45万
• 依托单位: University of Virginia Main Campus
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-08-01 至 2023-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1920462&HistoricalAwards=false
• 关键词: CICI; RDP; Enforcing; Security; Privacy

Advances in computer systems over the past decade have laid a solid foundation for data collection at a staggering scale. Data generated from end-user devices has tremendous value to the research community. For example, mobile and Internet-of-Things devices can participate in large-scale Internet-based measurement or monitoring of patient's health conditions. While ground-breaking discovered may occur, malicious attacks or unintentional data leaks threaten the research data. Such a threat is hard to predict and difficult to recover from once it happens. Preventative and defensive measures should be taken where data is generated in order to protect private, valuable data from the attackers. Currently, there are efforts that try to regulate data management, for example, a research application might have a privacy policy that describes how the user data is being collected and protected. However, there is a disconnect between these documented policies and the implementations of a research project. In this project, the investigators propose to interpret the documented policies and enforce them in research projects, in order to protect the privacy of research data. This work can significantly reduce researchers' overhead in implementing policy-compliant code and reduce the complexity of protecting research datasets.In this project, the investigators provide a solution that protects research data using policies mandated by different regulatory entities, such as an application store and an Institutional Review Board (IRB). The system utilizes Natural Language Processing (NLP) techniques to extract security and privacy requirements from unstructured regulatory documents and translates these requirements to code that can patch a program that does not comply with the policies. The solution covers the lifetime of research data protection, from data collection to data storage, and data processing. This research has two thrusts. First, the investigators will build novel NLP techniques to extract security and privacy policies from unstructured, sparsely-labeled documents such as IRB protocols, and privacy disclosure of research applications. Second, the investigators will enforce these extracted policies in code, through context-aware program analysis to discover inconsistencies between a researcher's implementation and the extracted policies, and instrument researcher?s code to enforce compliant program behavior. The results of this work will have a transformative impact on the development of the next generation research data protection techniques, and more defensive security and privacy practices.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在过去的十年中，计算机系统的进步为数据收集的稳固基础以惊人的规模奠定了基础。最终用户设备产生的数据对研究界具有巨大的价值。例如，移动设备和本互联网设备可以参与基于Internet的大规模测量或监测患者的健康状况。尽管可能发生了突破性的发现，但恶意攻击或无意数据泄漏威胁了研究数据。这种威胁很难预测，一旦发生，就难以恢复。为了保护私人，有价值的数据免受攻击者的影响，应采取预防和防御措施。当前，正在尝试调节数据管理的一些努力，例如，研究应用程序可能具有一项隐私政策，以描述用户数据的收集和保护。但是，这些已记录的政策与研究项目的实施之间存在脱节。在该项目中，调查人员建议解释已记录的政策并在研究项目中执行它们，以保护研究数据的隐私。这项工作可以大大减少研究人员在实施符合政策的代码方面的开销，并降低保护研究数据集的复杂性。在本项目中，研究人员提供了一种解决方案，该解决方案使用不同监管实体（例如应用程序商店和机构审查委员会（IRB））规定的政策来保护研究数据。该系统利用自然语言处理（NLP）技术从非结构化的监管文档中提取安全性和隐私要求，并将这些要求转换为可以修补不符合策略的程序的代码。该解决方案涵盖了从数据收集到数据存储和数据处理的研究数据保护的寿命。这项研究有两个推力。首先，研究人员将建立新颖的NLP技术，以从非结构化的，稀少的标记文件（例如IRB协议）以及研究应用程序的隐私披露中提取安全性和隐私政策。其次，调查人员将通过上下文感知程序分析在代码中执行这些提取的政策，以发现研究人员的实施与提取的策略之间的矛盾，以及仪器研究人员的代码以执行符合符合计划的计划行为。这项工作的结果将对下一代研究数据保护技术的发展以及更具防御性的安全性和隐私惯例产生变革性的影响。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的智力优点评估和更广泛的影响来获得支持的。

项目成果

Findings: PolicyQA: A Reading Comprehension Dataset for Privacy Policies

研究结果：PolicyQA：隐私政策的阅读理解数据集

• 发表时间: 2020
• 期刊: Conference on Empirical Methods in Natural Language Processing
• 作者: Ahmad, A.;Chi, J.;Tian, Y.;Chang, K.
• 通讯作者: Chang, K.

Malware Family Classification via Residual Prefetch Artifacts

通过残留预取工件进行恶意软件家族分类

• DOI: 10.1109/ccnc49033.2022.9700530
• 发表时间: 2022
• 期刊: Proc. 19th IEEE Consumer Communications and Networking Conference (CCNC’22
• 作者: Duby, Adam;Taylor, Teryl;Zhuang, Yanyan
• 通讯作者: Zhuang, Yanyan

Intent Classification and Slot Filling for Privacy Policies

• DOI: 10.18653/v1/2021.acl-long.340
• 发表时间: 2021-01
• 作者: Wasi Uddin Ahmad;Jianfeng Chi;Tu Le;Thomas B. Norton;Yuan Tian;Kai-Wei Chang

OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications

• DOI: 10.1109/ase.2019.00036
• 发表时间: 2019-11
• 期刊: 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)
• 作者: Tamjid Al Rahat;Yu Feng;Yuan Tian

Read Between the Lines: An Empirical Measurement of Sensitive Applications of Voice Personal Assistant Systems

• DOI: 10.1145/3366423.3380179
• 发表时间: 2020-04
• 期刊: Proceedings of The Web Conference 2020
• 作者: F. H. Shezan;Hang Hu;Jiamin Wang;Gang Wang;Yuan Tian