Capturing policies for fine-grained access control on mobile devices
PRAJIT KUMAR DAS, ANUPAM JOSHI, TIM FININ
UMBC ebiquity lab
Motivation
We present MITHRIL, a framework for capturing user access control policies that are fine-grained, context-sensitive and represented using Semantic Web technologies, and for managing access control decisions for user data on mobile devices.
Android image source courtesy: Aha-Soft
Related Work
• Policy Engineering: Requires substantial technical knowledge, understanding of access control issues (Feltus’08)
• Most people are ‘Privacy Pragmatists’ (Kumaraguru’05)
• Convergence of Enterprise usage and personal usage due to BYOD adoption (Kodeswaran, Chakraborty et al.’13)
• Users unsure of policy (Benisch, Sadeh’11)
• Privacy profiles used for user preferences (Liu et al.’14)
Image courtesy: Android App Market
Contributions
MITHRIL has three key contributions
• Policy representation
  • Expressing policy rules: extensible & expressive semantic model
  • RDF/OWL allows easy reuse/integration with concepts from DBpedia, Linked Data, schema.org, etc.
• User-preferred & specific policy capture
• Policy enforcement
System overview: Observer mode
System overview: Enforcer mode
Rule representation
• Semantic Web Rule Language
  • antecedent => consequent
• Attribute-Based Access Control model
  • Context pieces as attributes
Rule representation
When at work Professors do not share their location in FB
A1: RequesterInfo = Facebook &
A2: UserActivity = Work &
A3: UserLocation = Office &
A4: UserTime = Working hours on Week day &
A5: ProtectedResource = Location
->
C1: Prohibit
Image courtesy: www.phdcomics.com
Rule learning
This is Prof. Smith. He likes to check in to FB during lunch.
Generic Rule: Professors do not share their location on FB
During lunch Professor Smith shares location
Rule Learning – User Feedback Capture
When out to lunch Professor Smith shares location with students if he has lunch scheduled with them and he is in town
Violation Metric
This is Prof. Smith.
Good policy
The system either knows all his policies or it does not!
Violation Metric
Bad policy
The system either knows all his policies or it does not!
False violation: Use cases
• Rule requires
  • Deletion
  • Antecedent generalization
    • Delete conditions
  • Antecedent specialization
    • Add conditions
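Added example (not from the slides or from the MITHRIL code base): a small Python model of the A1-A5 rule above, the two antecedent refinement operations, and the VM = TV / (FV + TV) formula given in the editor's notes. Assumptions: TV and FV are read as true and false violations confirmed or rejected by user feedback, the most specific matching rule wins, unmatched requests default to Allow, and all function names and the lunch and Maps contexts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    antecedent: tuple  # sorted ((attribute, value), ...) pairs; all must hold
    consequent: str    # "Prohibit" or "Allow"

    def matches(self, ctx):
        return all(ctx.get(attr) == val for attr, val in self.antecedent)

def rule(consequent, **conds):
    return Rule(tuple(sorted(conds.items())), consequent)

def specialize(r, **add):
    """Antecedent specialization: add conditions, so the rule fires less often."""
    return Rule(tuple(sorted({**dict(r.antecedent), **add}.items())), r.consequent)

def generalize(r, *drop):
    """Antecedent generalization: delete conditions, so the rule fires more often."""
    return Rule(tuple(c for c in r.antecedent if c[0] not in drop), r.consequent)

def decide(rules, ctx, default="Allow"):
    # Assumption: most specific matching rule wins; no match falls back to default.
    hits = [r for r in rules if r.matches(ctx)]
    return max(hits, key=lambda r: len(r.antecedent)).consequent if hits else default

def violation_metric(rules, feedback):
    """VM = TV / (FV + TV), counted over requests the policy prohibits.

    feedback holds (context, user_confirms) pairs: True means the user agrees
    the request was a violation (TV), False means the rule misfired (FV).
    Returns None when the policy flagged nothing.
    """
    tv = fv = 0
    for ctx, user_confirms in feedback:
        if decide(rules, ctx) == "Prohibit":
            tv, fv = (tv + 1, fv) if user_confirms else (tv, fv + 1)
    return tv / (fv + tv) if fv + tv else None

# Generic rule from the slides: professors do not share their location on FB.
GENERIC = rule("Prohibit", RequesterInfo="Facebook", ProtectedResource="Location")
# The A1-A5 rule is the generic rule specialized with three more context conditions.
PAGE_RULE = specialize(GENERIC, UserActivity="Work", UserLocation="Office",
                       UserTime="Working hours on Week day")

# Constructed sample contexts and user feedback (not data from the study).
WORK = {"RequesterInfo": "Facebook", "ProtectedResource": "Location",
        "UserActivity": "Work", "UserLocation": "Office",
        "UserTime": "Working hours on Week day"}
LUNCH = {**WORK, "UserActivity": "Lunch", "UserLocation": "Restaurant",
         "UserTime": "Lunch hour on Week day"}
MAPS = {**LUNCH, "RequesterInfo": "Maps"}
FEEDBACK = [(WORK, True), (LUNCH, False), (MAPS, False)]

if __name__ == "__main__":
    for name, policy in (("generic", [GENERIC]), ("A1-A5", [PAGE_RULE])):
        print(name, "VM =", violation_metric(policy, FEEDBACK))
```

With the generic rule, Prof. Smith's lunch check-in is flagged and rejected by the user as a false violation; specializing the antecedent removes that misfire and raises VM.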
Experimental Results
Consistent feedback
Emulating XPrivacy
Source: http://www.xprivacy.eu/
License: GNU General Public License version 3
Future Work
• More experiments validating violation metric
• Finer granularity capture of policy violation
• Possible predictive model for policy generation
• Using machine learning to generate policies
• Inducing policy using logic programming
Conclusion
We presented MITHRIL
• Framework for capturing ABAC access control policies
• User-preferred & specific policy capture
• Fine-grained, context-sensitive
• Uses Semantic Web technologies
• Policy enforcement

Editor's Notes

  1. “Most people are ‘Privacy Pragmatists’ who, while concerned about privacy, will sometimes trade it off for other benefits.” Since the late 1970s Dr. Alan Westin has conducted over 30 privacy surveys. For each of his surveys, Westin has created one or more Privacy Indexes to summarize his results and to show trends in privacy concerns. One such survey conducted in 2003 concluded that people would trade off privacy when they get other benefits. As per the Westin/Harris Privacy Segmentation Model, the basic privacy groups are:
     * fundamentalist: very high privacy concern. Passionate about what they [see] as business threats to their consumer privacy, and [favor] active government regulation of business and information practices.
     * pragmatist: middle group with balanced privacy attitudes. Ask what benefits they get as consumers in sharing their personal information to balance against risks to their privacy interests, and they usually favor a mixture of government and private solutions.
     * unconcerned: little to no concern about consumer privacy issues.
  2. Why should we care? Apps collect user data: emails, messages, documents, sensor data (highly personal data). Can’t app permissions handle privacy and security of data? App permissions are “take it or leave it”. If a user is okay with sharing location in a public place but not in a private place, there is no way to control that. Use a Privacy and Security module to implement context-dependent rules.
  5. A key idea is expressing policy rules in an extensible and expressive semantic model, and RDF/OWL is a good standard to support this. Using RDF/OWL allows easy reuse/integration with concepts from common semantic models, including DBpedia, Linked Data, schema.org, etc. An access-control policy representation technique using an ontology to model high-level semantic context on a mobile device. A framework for policy capture and using our VM metric to determine transitional state for MITHRIL. Access control decision handling and policy enforcement.
  6. Graduate students have a policy P for lunch hour: if location is not school, don’t share lunch location with people from school. Dan is a graduate student at UMBC. Dan frequently has lunches with professors and students from school. He modifies the policy rule that applies to lunch hours to: lunch location shareable if in presence of people from school. Thus we learn the specific policy P′ of Dan (who belongs to Graduate Student Group).
  7. We use an ontology to provide users with contextual options for choosing the conditions of a rule. The user feedback app uses a feedback algorithm for rule refinement. Choices are to generalize or specialize rules.
  8. VM = TV / (FV + TV). Transitional marker.
  11. The plan is to extend XPrivacy to be able to handle rules defined by us and have an API mechanism to allow such an execution. Mention that the solutions do not have contextual policies which you will bring in. Extend system to incorporate rule firing API. Ensure contextual rule firing. Ensure energy-efficient rule firing.
  12. Norman Sadeh and his group from CMU have done substantial work with capturing user preferences. They captured location preferences of the user and used various learning techniques to boost their results. They observed that once some user feedback has been obtained, learning algorithms were better at predicting what the user’s rules would be. They also observed that users keep on switching between their preferences of sharing and not sharing, essentially concluding users were bad at predicting their own rules. We intend to use an ontology-driven approach to capturing user feedback. We want to show that when presented with fine-grained context-dependent rules and observed rule violations, users will be able to better predict their preferences.
  13. Other learning techniques have also been adopted in predicting the user’s intended choices, which include decision trees to assist in predicting meeting timings in a calendar application, and inductive logic programming to predict user behavior and carry out probabilistic rule learning. Inductive logic programming was used by Corapi in an attempt to learn user behavior and later for rule learning in a planning scenario. He shows how one might be able to induce rules for user behavior. In the planning work he uses probabilities for rules and a knowledge base to minimize the error between target probability and entailed probability. Although his work started with a claim of learning privacy rules, he did not complete his implementation for the domain due to the complexity and scalability issues of his method. In another work done by Tom Mitchell, decision trees were used in creating a smart assistant that predicts the meeting preferences of the user but required significant user input at times. In a third work Joseph Halpern used first-order logic to reason about policies. However, he acknowledged that when using first-order logic we reach a point where the problem becomes intractable because we have to prove validity of a first-order formula, which is an undecidable problem. They also do not discuss any kind of performance or accuracy measure.