Visible to the public Scientific Understanding of Policy Complexity - January 2015

Submitted by drwright on Mon, 12/08/2014 - 12:07pm

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Brooke Jordan

 

HARD PROBLEM(S) ADDRESSED

  • Policy-Governed Secure Collaboration -  Security policies can be very complex, in the sense that they are difficult for humans to understand and update.  We are interested in two kinds of complexity measures.  The first is a measure of the inherent complexity of a policy.  The second is a measure of the representational complexity, which is the complexity of a particular way to encode the policy.  It is desirable to have a scientific understanding of both kinds of complexity.  Part of this work includes breaking down complex vulnerabilities into their constituent parts. We break the policy problem down into two parts, one called policy specification and the other called policy conceptualization. We use firewall rules as an example of policy specification and NIST's Common Weakness Enumeration as an example of policy conceptualization. Policy-makers use policy conceptualization as a foundation to construct policies in the form of policy specifications.
  • Human Behavior - Our policy complexity is based on how easy for humans to understand and write policies.  There is thus a human behavior aspect to it. 

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

 

 

ACCOMPLISHMENT HIGHLIGHTS

  • We have developed a "modular normal form'' for firewall policies so that firewall policies can be specified in a way that is much more modular.  In this normal form, a firewall policy is divided into a number of modules so that to understand what is the policy for a subset, admins only need to look at a few modules, instead of the whole policy.
  • We have created an initial prototoype tool to enable policy-makers and developers to explore connections between security vulnerabiltiies that share common concepts. 
Groups: