Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and ultimately supporting for a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, which supports run-time risk assessment. In their framework access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, adaptive anonymization operations are used as risk-mitigation method. The inclusion of on-the-fly anonymization allows for extending access to data, still preserving privacy below the maximum tolerable risk. Risk thresholds can be adapted to the trustworthiness of the requester role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted (highly trusted) group to public release (low trust value). The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approach
Risk-Based Privacy-Aware Information Disclosure
Armando, Alessandro;Metoui, Nadia;
2015-01-01
Abstract
Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and ultimately supporting for a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, which supports run-time risk assessment. In their framework access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, adaptive anonymization operations are used as risk-mitigation method. The inclusion of on-the-fly anonymization allows for extending access to data, still preserving privacy below the maximum tolerable risk. Risk thresholds can be adapted to the trustworthiness of the requester role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted (highly trusted) group to public release (low trust value). The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approachI documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
