






Presentation Transcript


  2. Audit Mechanisms for Provable Risk Management and Accountable Data Governance Jeremiah Blocki, Nicolas Christin, Anupam Datta, Arunesh Sinha Carnegie Mellon University

  3. Motivation Breach • Goal: treatment • Rigid access control hinders treatment • Permissive access control ⇒ privacy violations

  4. A real problem

  5. Auditing • Audit – instead of rigid access control • Have a permissive access control regime • Inspect accesses later to find violations • Punish violators • Repetitive process • Audits - Why Cry Over Spilt Milk? • deters (near) rational employees

  6. Audit Challenges • How much and what to audit? • Within budgetary constraints • How much to punish? • Without de-motivating employees • Human in the loop • Realistic model of human behavior

  7. Contribution • A formal repeated game model of the audit process • An asymmetric equilibrium concept for games • An audit mechanism that is an equilibrium • Demonstrate usefulness of the model and equilibrium • Predicts commonly observed phenomena • Predicts interesting results that call for empirical analysis • “essentially, all models are wrong, but some are useful” - George Box

  8. Outline • 1 Game Model • 2 Equilibrium concepts • 3 Equilibrium of Audit game • 4 Predictions • 5 Budget allocation and Fairness

  9. 1 Game Model Repeated Game Model • The interaction repeats for each audit cycle (rounds of the repeated game) • Typical actions in one round • Emp action: (a, v) = (30, 2), i.e. accesses and violations • Org action: (α, P) = (0.33, $100), i.e. fraction of accesses inspected and punishment rate (Figure: one audit cycle (round); employee actions Access / Violate, organization action Inspect) J. Blocki, N. Christin, A. Datta, A. Sinha, Regret Minimizing Audits: A Learning-Theoretic Basis for Privacy Protection, IEEE Computer Security Foundations, 2011

  10. 1 Game Model Abstractions • Independence assumptions • K types of violations (and accesses) • Each employee acts independently for each type • One repeated game for each type and employee • Parameters of the model known through studies [P][V] • Risk factors (cost of violations) • Audit cost • Employee benefit in violating • … • Infinite horizon audit interaction for fixed parameters [Game Theory, Fudenberg and Tirole] • [P] Ponemon Institute Studies, [V] Verizon Data Breach Studies

  11. 1 Game Model Violation detection • Given v violations and an α fraction of accesses inspected • Expected number of violations caught internally: v·f(α) • Violations caught externally • Assume a fixed probability p of external detection • Expected number: p·v·(1 – f(α))

  12. 1 Game Model Payoffs • Organization’s payoff: Audit Cost ∝ α·a; Reputation Loss ∝ p·v·(1 – f(α)) (violations caught externally); Loss ∝ v·f(α) (violations caught internally); High Punishment Rate Loss ∝ P • Employee’s payoff: Personal Benefit PB·v; Punishment P·v·(p·(1 – f(α)) + f(α))

  13. 1 Game Model Additional Considerations • Employees likely to not act rationally • Computationally constrained, wrong beliefs • ϵ probability of arbitrary behavior • Org’s expected payoff for fixed P, α and employee action (a, v) • (1 - ϵ)·(expected payoff with (a, v)) + ϵ·(expected payoff with (a, a)), where (a, a) is the worst case

  14. 1 Game Model Graphical View of Payoffs • Different employee best responses partition the organization’s action space • Best response: v = 0 in deterred, v = a in un-deterred • More generally, with non-linear payoff, a best response of k violations defines a partition (Figure: organization’s action space with axes Fraction of accesses inspected (α) and Punishment Rate (P), split into Deterred and Un-Deterred regions; PB marked on the P axis)

  15. 2 Equilibrium concepts Subgame Perfect Equilibrium • Strategy σ: nodes → actions • Pay(σ1, σ2) = δ-discounted sum of round payoffs • (σ1, σ2) is NE if there is no unilateral profitable deviation • Node N defines a subgame GN with restricted strategy σ1N • (σ1, σ2) is SPE if (σ1N, σ2N) is NE for GN • Actions of P1 = {a, b}, actions of P2 = {a', b'} (Figure: game tree with root {} and histories aa', ab', ba', bb')

  16. 2 Equilibrium concepts Asymmetric approximate equilibrium • Any SPE has the single stage deviation property • Pay(σ1^sd, σ2) ≤ Pay(σ1, σ2) • Pay(σ1, σ2^sd) ≤ Pay(σ1, σ2) • ϵ-SPE allows ϵ deviation by either player • (ϵ1, ϵ2)-SPE allows ϵ1, ϵ2 deviation by player P1, player P2 • Special relevant case for security: (ϵ1, 0)-SPE • Attacker (player P2) has no incentive to deviate • Deviations by attacker may be costly for defender

  17. 3 Equilibrium Proposed equilibrium • Organization: maximize utility subject to best response of employee (Stackelberg games) • Commitment by organization • Employee plays best response • The equilibrium attained is an (ϵ1, 0)-SPE • ϵ1 is the sum of a) difference from optimum due to uncertainty in PB, b) ϵ · maximum loss in reputation (Figure: Deterred / Un-Deterred regions of the (α, P) action space, with PB marked on the P axis)
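As an added example (not from the slides or the authors' code), one round of the audit game of slides 11–14 and the organization's commitment of slide 17, using the slide 9 sample actions a = 30, α = 0.33, P = $100. It assumes f(α) = α (inspecting a uniformly random α fraction of accesses catches that fraction of violations) and constructs PB, p, ϵ and the organization's cost weights, none of which the slides fix.

```python
# Added example, not from the slides: one round of the audit game of
# slides 11-14 plus the organization's commitment of slide 17.
# Assumed (not on the slides): f(alpha) = alpha, i.e. inspecting a uniformly
# random alpha fraction of accesses catches that fraction of violations;
# PB, p, eps and the cost weights are constructed sample values.

def f(alpha):
    return alpha  # assumed detection curve

def caught_internally(v, alpha):
    """Expected violations caught by inspection: v·f(α) (slide 11)."""
    return v * f(alpha)

def caught_externally(v, alpha, p):
    """Missed by inspection, detected externally: p·v·(1 − f(α)) (slide 11)."""
    return p * v * (1 - f(alpha))

def employee_payoff(v, alpha, P, PB, p):
    """PB·v − P·v·(p·(1 − f(α)) + f(α)) (slide 12)."""
    return PB * v - P * (caught_externally(v, alpha, p) + caught_internally(v, alpha))

def best_response(a, alpha, P, PB, p):
    """Payoff is linear in v, so the optimum is a corner: v = 0 (deterred)
    when expected punishment per violation exceeds PB, else v = a (slide 14)."""
    return 0 if employee_payoff(1, alpha, P, PB, p) < 0 else a

def org_payoff(a, v, alpha, P, p, cost):
    """Minus the slide-12 losses: audit cost ∝ α·a, reputation loss
    ∝ p·v·(1 − f(α)), loss ∝ v·f(α) for internally caught violations,
    and a loss ∝ P for a high punishment rate (weights in `cost`)."""
    return -(cost["audit"] * alpha * a
             + cost["external"] * caught_externally(v, alpha, p)
             + cost["internal"] * caught_internally(v, alpha)
             + cost["punish"] * P)

def expected_org_payoff(a, alpha, P, PB, p, eps, cost):
    """Slide 13: with probability eps the employee acts arbitrarily, planned
    for as the worst case (a, a); otherwise they play the best response."""
    v = best_response(a, alpha, P, PB, p)
    return ((1 - eps) * org_payoff(a, v, alpha, P, p, cost)
            + eps * org_payoff(a, a, alpha, P, p, cost))

def commit(a, PB, p, eps, cost, alphas, punishments):
    """Slide 17: commit to the grid point (α, P) that maximizes the
    organization's expected payoff given the employee's best response."""
    return max(((al, P) for al in alphas for P in punishments),
               key=lambda ap: expected_org_payoff(a, ap[0], ap[1], PB, p, eps, cost))

# Constructed cost weights: an externally caught violation costs ten times
# an internally caught one, and a high punishment rate carries a small cost.
COST = {"audit": 1.0, "external": 100.0, "internal": 10.0, "punish": 0.05}
```

With PB = 20 and p = 0.1, the slide's (0.33, $100) lands in the deterred region while (0.10, $100) does not, and the commitment search over α ∈ {0, 0.1, …, 1} and P ∈ {0, 10, …, 200} settles on the cheapest deterring point.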

  18. 3 Equilibrium Advantages of commitment • Makes the decision easier for a not-so-rational employee • Computing the single round best response is easier • Predictable employee response – not based on beliefs (beliefs are affected by many factors) • Addresses the problem of equilibrium selection • “Open design: The design should not be secret” [SS] • [SS] The Protection of Information in Computer Systems, Saltzer, J. H. and Schroeder, M. D.

  19. 4 Predictions Predictions • Doctors punished less than nurses • Punishing a doctor is more costly for hospitals • Less audit cost, better tools means more inspections • Organizations audit to protect against greater loss • Increasing difference in cost of externally and internally caught violations leads to more inspections • Should be studied empirically • Can be used as an effective policy tool • Data Breach Notification law [SR] vs. External audits • [SR] Romanosky, S., Hoffman, D., Acquisti, A., Empirical analysis of data breach litigation, International Conference on Information Systems. (2011)

  20. 5 Fair Auditing Budget Allocation • Organization plays multiple games • Organization is constrained by total budget • Let the games be 1…n. Let the budget be B. • Budget bi yields equilibrium Eq(bi) in game i • Eq(bi) results in payoff Pay(bi) in game i • Solve max ∑i Pay(bi) subject to ∑i bi ≤ B

  21. 5 Fair Auditing Towards Accountable Data Governance • Utility maximization may lead to unfair allocation • Add fairness constraints • Minimum level of inspection, punishment rate for each type
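As an added example (not from the slides or the authors' code) of the allocation problem of slides 20–21: max ∑i Pay(bi) subject to ∑i bi ≤ B, solved by dynamic programming over integer budget units, first without and then with a per-game minimum as a fairness constraint. The per-game payoff curves Pay(bi) are constructed stand-ins; the slides obtain them by solving each audit game.

```python
# Added example, not from the slides: the budget allocation of slide 20
# with the fairness floors of slide 21. Pay_i(b) stands in for the
# equilibrium payoff Pay(b_i) of game i; here it is a constructed concave
# curve, whereas the slides obtain it by solving each audit game.
import math

def make_pay(loss, rate):
    """Constructed: expected loss in game i shrinks with audit budget b."""
    return lambda b: -loss * math.exp(-rate * b)

def allocate(pays, B, minimum=None):
    """max Σ_i Pay_i(b_i) s.t. Σ_i b_i ≤ B and b_i ≥ minimum[i], over
    integer budget units, by dynamic programming over the games (a
    knapsack-style table). Returns (allocation, total payoff)."""
    n = len(pays)
    minimum = minimum or [0] * n
    if sum(minimum) > B:
        raise ValueError("fairness floors exceed the total budget")
    NEG = float("-inf")
    # best[k][s]: best total over the first k games spending exactly s units
    best = [[NEG] * (B + 1) for _ in range(n + 1)]
    choice = [[0] * (B + 1) for _ in range(n + 1)]
    best[0][0] = 0.0
    for k in range(1, n + 1):
        for s in range(B + 1):
            for b in range(minimum[k - 1], s + 1):
                if best[k - 1][s - b] == NEG:
                    continue
                val = best[k - 1][s - b] + pays[k - 1](b)
                if val > best[k][s]:
                    best[k][s], choice[k][s] = val, b
    s = max(range(B + 1), key=lambda t: best[n][t])  # spend at most B
    total = best[n][s]
    alloc = [0] * n
    for k in range(n, 0, -1):          # walk the choices back
        alloc[k - 1] = choice[k][s]
        s -= alloc[k - 1]
    return alloc, total

# Constructed games: type 1 carries ten times the loss exposure of type 2.
GAMES = [make_pay(100.0, 0.5), make_pay(10.0, 0.5)]
# Pure utility maximization starves game 2; a floor of one unit restores
# a minimum level of inspection for every violation type (slide 21).
UNCONSTRAINED = allocate(GAMES, 4)            # ([4, 0], ...)
FAIR = allocate(GAMES, 4, minimum=[0, 1])     # ([3, 1], ...)
```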

  22. Conclusion • Audit near-rational employees to optimize the organization’s utility in a fair manner • Future Work: • Study the accountability problem in depth • Study complexity/algorithmic aspects of computing the equilibrium

