1. Technical Field
The present invention relates to network security, and more particularly, to an access control method and a system for privacy protection.
2. Discussion of the Related Art
Privacy protection of personally identifiable information (PII) in information systems used in industry and government applications has become increasingly important due to the proliferation of computerized information and management systems. The work on privacy protection in computer systems that rely on databases and data mining algorithms for storing and processing information has largely focused on masking protected data at the point of retrieval, e.g., at the data source. In the area of information security protection, significant attention has focused on information flows between multiple principals.
The protection of PII involves two aspects: information security and privacy protection. Information security measures such as access control, firewalls, sandboxing and secure communication channels are used to prevent unauthorized access to PII. Information security measures alone are not enough for information systems to be privacy preserving since they are low level and do not distinguish between accessing PII for statistics computation or record retrieval. Privacy policies generally allow the former and prohibit the latter.
Existing privacy protection methods, such as privacy-preserving data mining, R. Agrawal and R. Srikant. Privacy-preserving data mining. In Proc. SIGMOD-97, 1997, define a formal framework for privacy analysis and protection. A common assumption in existing privacy protection methods is that its software, e.g., data mining software, can be trusted to protect private information. However, this is not always the case, especially when large systems are built using a large set of components that are open source or using commercial software developed by third parties.
Further, business circumstances often demand that the third party software be installed and running as soon as possible. However, there may not always be sufficient time to verify the code for potential security flaws or Trojan horses. One example of such an application where privacy constraints are important is the national airline passenger-prescreening program called Secure Flight that is currently being developed by the Transportation Security Administration (TSA) of the U.S. Department of Homeland Security, Secure Flight Program. U.S. Department of Homeland Security, Transportation Security Administration, http://www.tsa.gov/public/interapp/editorial/editorial—1716.xml.
Lattice-based access control (LBAC) models, such as those of Bell and LaPadula D. Bell and L. LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, Mass., 1975, and Denning D. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976, can provide formal end-to-end security guarantees in systems where the components are not trusted. These models are often overly restrictive. However, these issues can be address by modifications that permit declassification of data using trusted components, e.g., D. Bell. Secure computer systems: A refinement of the mathematical model. MTR-2547, Vol. III, MITRE Corp., 1974.
Tracking data integrity as data is transformed within stream processing systems is also important and can be addressed by the Biba integrity model as described, e.g., in, K. J. Biba. Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, Mass., 1977.
The Bell-LaPadula policy is widely used in multi-level secure (MLS) systems. The models of Bell-LaPadula, Denning, Biba and several others can be unified under the common LBAC framework described by Sandhu, R. Sandhu. Lattice-based access control models. IEEE Computer, 26(11):9-19, 1993. Security and integrity models have been combined in practice, e.g., in the Caernarvon protocol H. Scherzer, R. Canetti, P. A. Karger, H. Krawczyk, T. Rabin, and D. C. Toll. Authenticating mandatory access controls and preserving privacy for a high-assurance smart card. In ESORICS, pages 181-200, 2003.
While the above-mentioned models are well suited for protection of confidentiality and integrity, they do not completely address the needs of privacy protection since they do not protect anonymity as well as confidentiality. For example, anonymity protection methods, such as k-anonymity, described in L. Sweeney. k-anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10(5):557-570, 2002, are often parametric and provide varying degrees of protection depending on their configuration. In addition, selection, e.g., content-based filtering, may noticeably reduce anonymity, especially if it results in the disclosure of data derived from a significantly smaller population. Further, privacy policies mandate that different access decisions must be made for different access purposes; however, the notion of purpose is not supported by the LBAC models.