## 24123 >> Bryan Parno: Anupam was once at Stanford... for six years.

This scheme consists of three main phases. Preprocessing: this stage is performed once by the client in order to calculate some auxiliary information associated with F. Part of this information is public and is shared with the worker, while the rest is private and kept with the client. Input preparation: in this stage, the client calculates some auxiliary information about the input of the function. Part of this information is public while the rest is private and kept with the client. The public information is sent to the worker to compute F on the input data. Output computation and verification: in this stage, the worker uses the public information associated with the function F and the input, which were calculated in the previous two phases, to compute an encoded output of the function F on the provided input.

This result is then returned to the client, which verifies its correctness by computing the actual value of the output: it decodes the result returned by the worker using the private information calculated in the previous phases. The defined notion of a verifiable computation scheme minimizes the interaction between the client and the worker to exactly two messages, a single message sent from each party to the other during the different phases of the protocol. This verifiable computation scheme VC is defined as follows: the public key encodes the target function F and is sent to the worker to compute F.

I'm going to focus primarily on today. So at a very high level, one way to think about this parallels how the justice system works: there is a law, but the enforcement is not always based -- it requires police officers to do detection of violations and give parking tickets, and other mechanisms for assigning blame and appropriate punishments. And that's what we're going to try and mirror in the digital world. And detection will be the first step of that process. Now, we're not the only ones to talk about the importance of audit and accountability in this setting. There have been a couple of recent position papers from MIT, from Hal Abelson and Danny Weitzner and others, and also Butler Lampson; and there's also, in the corporate world, an increasing push for accountability-based privacy governance, in which the corporate privacy people at Microsoft have been largely involved.

The goal, one big goal of this work is: suppose that there is a regulation that organizations are expected to comply with. How do they demonstrate to a third party that in fact they are complying with these regulations? And so far much of this has been very ad hoc, but part of what I'm going to talk about today is a step towards producing algorithmic support for these kinds of tasks. So at a very high level, the approach for audit is going to parallel the separation between the black and white concepts and the gray concepts.


So we start off with the privacy policy and put it into a computer readable form. And one way to think about this audit box is it takes as input an organizational log that records what software systems and people have touched what pieces of data, what pieces of information are shared, and the policy, and then the audit box comes back with, well, this policy was violated on this execution -- that kind of information, whether a violation happened or not. And paralleling the informal separation that I mentioned when I walked through the policy example, we will look at -- we have one algorithm that does fully automated audit for these black and white concepts.

And a different algorithm, you can think of that as an oracle that provides guidance on these gray policy concepts. So the second algorithm is going to be a little tricky to get at because it's trying to, in particular, it focuses on this purpose piece, and the reason that it's complicated is that we are trying to figure out whether a person accessed information with thinking about achieving a purpose like treatment or not. It's as if we're trying to understand the human psyche. We are not there yet. We don't have the oracle from the Matrix yet, but we'll try to approximate it using some AI techniques.

So those are the two big pieces of the technical presentation. So let me first talk about auditing black-and-white policy concepts. This is joint work with two of my post-docs, former post-docs. In order to audit the black-and-white concepts, although I said they're somewhat simpler than the gray concepts, there are two main technical challenges. One challenge is that these audit logs are incomplete, in the sense that they may not have sufficient information to decide whether a policy is true or false. So if you think about access control, when I try, let's say, file system access to read a file, there's a reference monitor that will either let me access the file or not, depending on what the policy says.

So in access control there is often enough information to decide whether to allow access or not. So the reference monitor will come back with a yes or no answer. We'll see that in the presence of incomplete audit logs, it could be that the parallel of the reference monitor, the audit algorithm, can either say yes, the policy was satisfied, no, the policy was violated, or it can say I don't know. But we want to deal with the I don't know scenario in a graceful manner. So there are a bunch of sources of incompleteness.

One is future incompleteness. So since we might have these notification-like laws that talk about what needs to happen in the future, there may not be enough information in the log at the current moment to say whether or not it's violated. But the hope is that as the log grows over time we'll get to a point where we'll know for sure. There may not be information about some of these gray concepts, these somewhat subjective concepts. There may not be -- evidence may not be recorded for purposes or beliefs and things of that nature. Sometimes logs may be spatially distributed.

And there may not be information in one log to decide whether information -- whether the policy's violated or not. Can't keeping a log violate some of these policies? This is the class of policies I'm enforcing here primarily policies that will talk about conditions under which information can be shared or not, or used for a certain purpose or not. We don't have mechanisms to deal with data retention policies and things like that. They have to be dealt with using other mechanisms. Who has access -- the log is operating on human subjects data.

And did all of the people who contributed to this system with data consent that their medical records would create records in a log which then you would access and do studies on. That's an interesting point. So healthcare organizations have to maintain these audit logs. And then there is often -- the way it works in practice -- I should say there are audit tools that are now appearing in the market for healthcare audits that are getting bought and used. Often the way that they're getting used is that there are some designated people in the audit office if you will who access these logs, and these existing commercial tools do very simple things.

You can only issue SQL queries. So you can find all employees who accessed more than times in the last two days. Things of that nature, right?


And then the audit, these tools, there is the FairWarning tool, which is a company, a start-up that is doing reasonably well. The other tool, the P2P Sentinel tool, which is required by Barnard, a similar thing. What they do in addition, which is partly what you're getting at, is they would keep track of who accessed the audit log. So there's another layer of, but that's as far as there's a trail of who is accessing the log information. But you said they're required to keep the audit log. But the moment a researcher goes in and does research using the audit log, that's different than keeping the audit log. So we have not -- if you're asking me whether I looked at these logs, the answer is no.

But if you're asking if it's permitted under law, the answer is yes. HIPAA allows deidentified for a very operational notion of deidentified, but that may be very unrelated to protecting privacy. It allows deidentified information to be shared for the purpose of research. You don't need consent from patients to do that. So this is one big challenge, the dealing with incompleteness. And the way we're going to do that is a simple idea. We'll model the complete logs with three valued structures meaning given a predicate, the log might tell us that the predicate is true or false or unknown, meaning that it doesn't know. It doesn't have enough information.

Basically it seems there was a presumption that things are consistent. In addition there's a fourth category. You mean the policy? The policy is inconsistent. The policy we are assuming -- if the policy's inconsistent, then all bets are off, because false will imply anything. We haven't found -- that's a good question. That's a good thing. That's part of the reason we looked at that. But part of the reason for that is inconsistencies might arise when one part of the policy says do something and another part says don't do it.

But whenever that has arisen in HIPAA, it has always come through this exception mechanism, so that it's clear what overrides what. Now, we haven't done a mechanical automated analysis to check for consistency. But maybe that's something we can do, because now we have it in a machine readable formalization. It might be missing pieces. Incompleteness we can deal with. Inconsistency in the logs will also be problematic for the same reason, because we're assuming that if a predicate is true, then it cannot be false. But the logs are not necessarily pulled from different places.

So the application we're going to do with the real logs, which has taken more than a year to get close to getting from the Northwestern Memorial Hospital, part of the SHARPS project; Carl Gunter has done experiments and published results on that. So it's a very simple abstraction. Given a predicate, the log will tell us whether it's true, false or unknown, right. And then the meaning of larger policy formulas can be defined using this algorithm. I don't know whether it's true or false. That will be a simpler policy. When the log is extended with additional information, you can run the algorithm again and you proceed in this way iteratively.

You see the reduced policy phi. You run this again and this process continues. And at any intermediate point we can invoke the oracles for gray concepts: like we have an algorithm for determining purpose restrictions, and you can call that algorithm, because this algorithm is not going to deal with those gray concepts. So that's the picture. Then a little bit more detail, the policy logic looks a little bit like this. I don't want you to try and read everything on this slide. It's a fragment of first order logic. We need quantification over unbounded domains.


The interesting technical challenge here is we have to allow for quantification over infinite domains, because HIPAA talks about, for all messages, the messages sent out by the hospital have to respect some policies. And because of that, that's the technical challenge where we had to go beyond what is already known in runtime monitoring. And the logic is expressive since it has quantification over these infinite domains, can quantify over time, can express timed temporal properties. Now, if I take this policy and write it out in this logic, it looks a little bit like this. Again, I don't want you to necessarily read the formula. The important thing here is that there's going to be a distinction.

Well, there's quantification over all messages; the set of messages in English is infinite. And all time points. And the other thing to take away is there's the black part of the policy, which the algorithm will deal with automatically. And then there are the red parts, which are really the gray concepts, and which this algorithm will not deal with. It talks about things like purposes and beliefs and so forth. Now, the formal definition of the reduce algorithm, let me show you little snippets of it: if the formula is just a predicate, then the algorithm will find out from the log whether that predicate is true or false or unknown.

If it's true, it returns true. If it's false, it returns false. But if it's unknown, then it returns the whole predicate phi. So in this case the residual formula is the entire predicate P. And then we apply this recursively. If it's a conjunction, you just apply reduce on the two parts and so forth. The interesting case is when we have universal quantification over an infinite domain.

One naive way to try to do this is to enumerate all substitutions for X. And then this becomes a conjunction. So phi with X set to X1, and so on. But that's going to be an infinite formula. The algorithm will never terminate if you do that. Instead, we are going to restrict the syntax to have these guards. So since this is an implication, it's going to be trivially true when C is false. The interesting case is when C is true. Now, the C will be such that there's only going to be a finite number of substitutions of X, and those finite substitutions can be computed. Because the number of messages sent out by the hospital is finite.

The hospital does not send out every possible piece of information in the English language. There are only maybe a few messages that the hospital sent out to third parties. So this predicate is going to be true only for those messages. And in that case you get this as a finite -- the instances you'll get as a finite conjunction. So let me write this out in Greek form: then you get one conjunct for each of the finite substitutions that makes C true. And then the rest, this is saying, allowing for the incompleteness in the audit log.

Since in the future you might get other substitutions, more messages might get sent out, or even the log was not complete. So maybe there were some messages that will show up as the log expands. We have to somehow deal with that, and that's captured by this conjunct, which is saying if I get other messages, other than the ones that I've already considered, then there should also be a piece for that in the formula. Did I understand you correctly, did you say that in HIPAA it is always the case that an appropriate finitizing guard can be found?

Why would it not be acceptable to convert "for all" into -- "for all must" into "none may"? So requiring that there's no message sent by the organization that violates the rule, rather than all of them must follow the rule. That doesn't change anything, right? So if I express that -- if I express that in this first order logic, that's an existential quantifier over an infinite domain. And that will become an infinite disjunction. Converting universal to existential will not help. Maybe we can take that offline. So I guess coming back to your question, the general theorem that we have is that if this initial policy satisfies a syntactic mode check -- we're using the idea of mode checking from logic programming --

then the finite substitutions can be computed. So now we have a syntactic characterization of these guards for which the finite substitutions can always be computed. If someone comes up with a third law that we want to look at, we would like to see first whether this theorem applies to that law or not. If it does, so the generality has that nice property, and our argument for why this somewhat esoteric theorem that uses techniques from mode checking is useful in this setting is that, look, the whole of HIPAA and Gramm-Leach actually satisfies this test, right? So if you look at this particular, going back to our policy example, here's an example of an incomplete audit log.

Now, if you look at all those quantifiers, then we are going to find substitutions for the variables P1 and P2 and M and so forth by mining this log. Mining this log you see that the send predicate there, there's only one instance of send, that's this instance over here, and that will give us the substitution that P1 corresponds to UPMC and P2 corresponds to Allegheny [phonetic], and that message corresponds to exactly this message M2, and so forth. So we can mine these from the log, and when you do that, now we know the truth values for various predicates and we're left with a residual formula that only contains the gray part of the policy.

The rest all become true and disappear.
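The following is an added worked example of the reduce step described above; it is not code from the talk or from the authors' implementation. It models a three-valued log (a predicate is true, false, or unknown when it is absent; the gray predicates `purpose` and `belief` are always unknown), a guarded universal quantifier whose finitely many substitutions are mined from the `send` instances in the log, and the extra conjunct that keeps the quantifier open for substitutions that show up as the log grows. The policy, predicate names and the constructed log entries (UPMC, Allegheny, M2, M3, M4, Acme) are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Union

# Formula syntax: a constructed fragment of first-order logic with guarded forall.
@dataclass(frozen=True)
class Pred:
    name: str
    args: tuple          # constants, or variables written "?X"

@dataclass(frozen=True)
class And:
    parts: tuple

@dataclass(frozen=True)
class Implies:
    ante: "Formula"
    cons: "Formula"

@dataclass(frozen=True)
class Forall:
    vars: tuple          # e.g. ("?P1", "?P2", "?M")
    guard: Pred          # guard predicate with finitely many true instances in the log
    body: "Formula"
    seen: frozenset = frozenset()   # substitutions already expanded in earlier rounds

Formula = Union[bool, Pred, And, Implies, Forall]
GRAY = ("purpose", "belief")        # gray concepts: never decided by the log

class Log:
    """Three-valued log: facts maps (name, args) -> True/False; absent means unknown."""
    def __init__(self, facts):
        self.facts = dict(facts)
    def lookup(self, p: Pred):
        return None if p.name in GRAY else self.facts.get((p.name, p.args))
    def instances(self, name):
        return sorted(args for (n, args), v in self.facts.items() if n == name and v)

def is_var(x):
    return isinstance(x, str) and x.startswith("?")

def subst(f, theta):
    """Apply a substitution {var: constant} to a formula."""
    if isinstance(f, bool):
        return f
    if isinstance(f, Pred):
        return Pred(f.name, tuple(theta.get(a, a) for a in f.args))
    if isinstance(f, And):
        return And(tuple(subst(p, theta) for p in f.parts))
    if isinstance(f, Implies):
        return Implies(subst(f.ante, theta), subst(f.cons, theta))
    inner = {k: v for k, v in theta.items() if k not in f.vars}   # inner vars shadow
    return Forall(f.vars, subst(f.guard, inner), subst(f.body, inner), f.seen)

def _match(pattern, actual):
    """Unify a guard's argument pattern with a logged tuple; None if no match."""
    theta = {}
    for p, a in zip(pattern, actual):
        if is_var(p):
            if theta.get(p, a) != a:
                return None
            theta[p] = a
        elif p != a:
            return None
    return theta

def reduce_policy(f, log):
    """Return True (satisfied), False (violated) or the residual formula (unknown)."""
    if isinstance(f, bool):
        return f
    if isinstance(f, Pred):                      # base case: ask the log
        v = log.lookup(f)
        return f if v is None else v
    if isinstance(f, And):
        parts = []
        for p in f.parts:
            r = reduce_policy(p, log)
            if r is False:
                return False
            if r is not True:
                parts.extend(r.parts if isinstance(r, And) else [r])
        return True if not parts else parts[0] if len(parts) == 1 else And(tuple(parts))
    if isinstance(f, Implies):
        a = reduce_policy(f.ante, log)
        if a is False:                           # trivially true when the guard/antecedent is false
            return True
        c = reduce_policy(f.cons, log)
        if a is True:
            return c
        return True if c is True else Implies(a, c)
    # Guarded forall: one conjunct per new substitution mined from the guard,
    # plus the quantifier itself kept open for substitutions the log does not yet hold.
    parts, seen = [], set(f.seen)
    for actual in log.instances(f.guard.name):
        theta = None if actual in seen else _match(f.guard.args, actual)
        if theta is None:
            continue
        seen.add(actual)
        r = reduce_policy(subst(f.body, theta), log)
        if r is False:
            return False
        if r is not True:
            parts.append(r)
    parts.append(Forall(f.vars, f.guard, f.body, frozenset(seen)))
    return parts[0] if len(parts) == 1 else And(tuple(parts))

def gray_residual(f):
    """Collect the gray predicates left for a human or the purpose oracle (open foralls excluded)."""
    if isinstance(f, Pred):
        return {f} if f.name in GRAY else set()
    if isinstance(f, And):
        return set().union(*(gray_residual(p) for p in f.parts))
    if isinstance(f, Implies):
        return gray_residual(f.ante) | gray_residual(f.cons)
    return set()

# Constructed policy: every message containing PHI must come from a covered entity
# and be sent for the purpose of treatment (the gray part).
POLICY = Forall(("?P1", "?P2", "?M"), Pred("send", ("?P1", "?P2", "?M")),
                Implies(Pred("contains_phi", ("?M",)),
                        And((Pred("covered_entity", ("?P1",)),
                             Pred("purpose", ("?M", "treatment"))))))

# Constructed logs: LOG2 extends LOG1 with a harmless message, LOG3 adds a violation.
LOG1 = Log({("send", ("UPMC", "Allegheny", "M2")): True,
            ("contains_phi", ("M2",)): True, ("covered_entity", ("UPMC",)): True})
LOG2 = Log({**LOG1.facts, ("send", ("UPMC", "Allegheny", "M3")): True,
            ("contains_phi", ("M3",)): False})
LOG3 = Log({**LOG2.facts, ("send", ("Acme", "Allegheny", "M4")): True,
            ("contains_phi", ("M4",)): True, ("covered_entity", ("Acme",)): False})

if __name__ == "__main__":
    residual = POLICY
    for log in (LOG1, LOG2, LOG3):               # iterate as the log grows
        residual = reduce_policy(residual, log)
        print("violated" if residual is False else gray_residual(residual))
```

Running it, the first two rounds leave only `purpose(M2, treatment)` for the oracle while the forall stays open (its `seen` set records which send instances were already expanded), and the third round returns `False` as soon as a PHI message from a non-covered sender appears.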

We have actually implemented this, and applied it to a simulated audit log. So this is not over real audit logs. We hadn't gotten our hands on hospital audit logs yet when we wrote this paper for CCS last year. And it turns out that the average time for checking compliance of each disclosure of protected health information is about. So this does scale well. Now, so that's performance. One thing to be careful about for performance is that as you apply this algorithm, the residual formula can actually grow. Because we have the finite substitution -- you know, whenever we see a for all, it becomes bigger, because you get one entry for each of the substitutions that you mine from the log.

And then there's the residual piece. So after a few iterations, the policy will become too big for the algorithm to work. Because the residual formula largely has these things like purposes and such, which this algorithm cannot handle. And that's something I'll come to: how to handle purpose is the next part of this talk.
