CR · Jul 13, 2017

Policy by Example: An Approach for Security Policy Specification

arXiv:1707.03967v1 · 5 citations
Originality: Incremental advance
AI Analysis

This addresses the challenge of security policy specification for users in systems that rely on their decisions, though it is an incremental application of programming by example to a new domain.

The paper tackles the problem of specifying user-specific security policies for personal data by proposing Policy by Example (PyBE), which uses examples and active learning to predict policy decisions, achieving 76% accuracy in a feasibility study.

Policy specification for personal user data is a hard problem, as it depends on many factors that cannot be predetermined by system developers. Simultaneously, systems are increasingly relying on users to make security decisions. In this paper, we propose the approach of Policy by Example (PyBE) for specifying user-specific security policies. PyBE brings the benefits of the successful approach of programming by example (PBE) for program synthesis to the policy specification domain. In PyBE, users provide policy examples that specify if actions should be allowed or denied in certain scenarios. PyBE then predicts policy decisions for new scenarios. A key aspect of PyBE is its use of active learning to enable users to correct potential errors in their policy specification. To evaluate PyBE's effectiveness, we perform a feasibility study with expert users. Our study demonstrates that PyBE correctly predicts policies with 76% accuracy across all users, a significant improvement over naive approaches. Finally, we investigate the causes of inaccurate predictions to motivate directions for future research in this promising new domain.
