Controlled Release of Information Based on Contents
George Mason University, Fairfax VA
Investigators
Abstract
Traditionally, access controls have been used to restrict users to limited views of available data. Although early access control models were devised for structured data, they are being extended to deal with XML data. Access controls, however, are not always sufficient to secure complex information environments. Threats may come, for example, from incorrect categorization of information or users, derivation of inferences from legally obtained data, unauthorized exchanges of information between users, and combining data obtained from different internal sources. This proposal will use a complementary approach to current access control mechanisms based on checking data not before they are extracted from data sources, but when they are released across a gate representing a critical security boundary. The checking process is not based simply on source/destination addresses as in current firewall systems, or on simple ``dirty word'' matching as in current filtering software, but on a deeper content analysis based on release constraints. In order to achieve this objective, a comprehensive framework is required that takes into account the different formats outgoing data can have, the complexity and diversity of release control rules, and the necessary support for the security officers in the definition and management of these rules. A major characteristic of this approach to separate the specification of critical data, called the controlled items, from the way it is matched against any outgoing information. Technical problems involved in the definition of such a framework include (i) the specification of appropriate formalisms to represent controlled items and matching rules, (ii) the automatic derivation of controlled items from access control rules and their integration with controlled items provided by security officers, (iii) the computation of complete and minimal representation of controlled items and matching rules, and (iv) the design of efficient matching algorithms that are capable of dealing with different matching rules and data formats.
View original record on NSF Award Search →