Access Control & Privacy Preservation in Online Social Networks


Description: Institute for Cyber Security. Access Control & Privacy Preservation in Online Social Networks. Feb. 22, 2013, CS6393 Lecture 6. Yuan Cheng, Institute for Cyber Security, University of Texas at San Antonio, [email protected], http://www.my.cs.utsa.edu/~ycheng. PowerPoint PPT presentation.

A User-to-User Relationship-based Access Control Framework for Online Social Networks

Access Control & Privacy Preservation in Online Social Networks
Feb. 22, 2013
CS6393 Lecture 6

Yuan Cheng
Institute for Cyber Security
University of Texas at San Antonio
[email protected]
http://www.my.cs.utsa.edu/~ycheng

Institute for Cyber Security
World-Leading Research with Real-World Impact!

Outline
- Introduction
- Security & Privacy Issues in OSNs
- Access Control for OSNs
- Other Privacy Preservation Solutions

Online Social Networks

Statistics
Facebook, the largest OSN:
- More than a billion monthly active users as of December 2012.
- Approximately 82% of its monthly active users are outside the U.S. and Canada.
- 618 million daily active users on average in December 2012.
- 680 million monthly active users who used Facebook mobile products as of December 31, 2012.


Representation of an OSN
An OSN is represented by means of a graph:
- Users are denoted as nodes
- Relationships are represented as edges
- Edges may be labeled to represent types
- Edges may be directed

Security & Privacy Issues
Security issues in OSNs can be organized into four categories:
- Privacy breaches
- Spam and phishing attacks
- Sybil attacks
- Malware attacks

Privacy breaches
- Can easily originate from OSN providers, other users, and 3rd party applications
  - OSN providers store user data
  - 3rd party applications provide extra functionality
- Major threats come from peer users
  - Users are not aware of who they share with and how much
  - Users have difficulty managing privacy controls

Why Privacy is Hard to Protect
- Users tend to give out too much information
  - Unaware of privacy issues
  - Promote sharing vs. protect privacy
  - Users tend to be reactive rather than proactive
- Privacy policies
  - Change over time
  - Are confusing
- Privacy thresholds vary by individual

Control on Social Interactions
- A user wants to control other users' access to her own shared information
  - "Only friends can read my post"
- A user wants to control the activities of other users who are related to her
  - "My children cannot be friends with my co-workers"
  - "My co-workers should not be notified of my activities"
- A user wants to control her outgoing/incoming activities
  - "No accidental access to violent content"
  - "Do not poke me"
- A user's activity influences access control decisions
  - Once Alice sends a friend request to Bob, Bob can see Alice's profile

What Existing OSNs Offer
- Many OSNs allow users to choose from a pre-defined policy vocabulary: public, private, friend, friend of friend, ...
- Some systems support customized relationships: circle, friend list
- Either too restrictive or too loose!

The Challenges of OSN Access Control
- Lack of a central administrator
  - Traditional access control mechanisms, such as RBAC, require an administrator to manage access control
  - No such administrator exists in OSNs
- Dynamically changing environment
  - Frequent content updates and the volatile nature of relationships
  - Identity- and attribute-based access control do not scale for OSNs

Relationship-based Access Control
- Users in OSNs are connected by social relationships (user-to-user relationships)
- The owner of a resource can control its release based on such relationships between the access requester and the owner

Related Works
- Fong et al. [ESORICS 09]
- Fong et al. [CODASPY 11]
- Carminati et al. [ACM TISS 08]
- Carminati et al. [SACMAT 09]

Fong et al. 11: Relationship-Based Access Control: Protection Model and Policy Language
Features:
- Poly-relational, in the sense that it tracks not only whether a relationship exists, but also the type of that relationship
- Authorization decisions are based solely on the relationship between owner and accessor
- A tree-shaped hierarchy of access contexts, which supports scoping the effectiveness of relationships

Fong 11: Policy Examples
- Grant access to the owner's spouse
- Grant access to the owner's child
- Grant access to grandparents
- Grant access to parents, aunts and uncles

Fong 11: Policy Examples (cont.)
- Grant access unless the accessor is a parent of the owner
- Grant access to a sibling who is not married
- Grant access to a married sibling
- Grant access if the accessor is the only child of the owner

Carminati et al. 08
Features: discretionary, rule-based, semi-decentralized
Policies are specified in terms of:
- Relationship types
- Depth (maximum length of the path)
- Trust levels (minimum trust level)

C08: Approach
The requestor must prove to the resource's owner that he/she satisfies the requirement stated in the access control policy:
1. Requestor sends an access request to the resource owner
2. Owner replies by sending the access rules
3. Requestor provides the owner with a proof
4. Owner locally verifies the proof with a reasoner
5. Owner grants or rejects access

C08: Trust Representation
- A trust relationship is usually modeled as a directed edge
- Trust relationships are transitive
- We can use trust paths (A -> B -> C) to determine how much A considers C trustworthy

C08: Trust Computation
A variant of TidalTrust [Golbeck 2005]:
1. All the shortest paths are discovered
2. A trust threshold maxT is set, which is used to discard trust paths that contain edges with a trust value less than maxT
3. Trust is computed by considering only the paths with a strength >= maxT


C08: How Trust Works
- Trustworthiness of the proof
  - Relationship certificates
  - Certificate path: a set of certificates
  - Certificate server: a trusted third party
- Why is a certificate server needed?
  - The requestor may maliciously omit one or more of the paths, providing only the paths with the highest level of trust
  - The server stores all the relationship certificates specified by OSN nodes in a central certificate directory, and discovers certificate paths

C08: Trust-based Access Control
Pros:
- We do it in reality
- Requires little user input
Cons:
- The concept of trust is complex and vague
- Lacks a standard measurement

Carminati et al. 09: A Semantic Web Based Framework for Social Network Access Control
Motivations: most existing OSNs
- Implement very basic access control systems, by marking a given item as public, private, accessible by direct contacts, or some variant of this kind of setting
- Lack flexibility
- Are platform-specific

C09: The Idea
- Encode social network-related information by means of an ontology: user profiles, relationships among users, resources, relationships between users and resources, actions
- Construct the Social Network Knowledge Base (SNKB)
- Define security policies as rules
- Encode authorizations to obtain the Security Authorization Knowledge Base (SAKB)
- Use a centralized reference monitor to enforce the policies

C09: Security Policies
- Access control policies: regulate how resources can be accessed by SN participants
- Filtering policies: specified by a user to state which information she prefers not to access
  - Protect users from inappropriate or unwanted content
  - Not equivalent to negative access control policies
- Admin policies: state who is authorized to specify policies, and for which users and objects

C09: The Values
- Relationships between users and resources
  - Access control in most existing models is based solely on the relationships between the accessing user and the resource owner
  - The only relationship between user and resource is ownership
  - Annotation-based relationships need to be addressed
- Admin policy model
  - In SNs, users should be recognized as the main authority over AC policies regarding the information related to them
- Filtering policies
  - Protect users from inappropriate or unwanted data
- Hierarchical structure for policy inference
  - Facilitates automatic policy propagation

Our Own Work
Developed access control for OSNs based on relationships on the social graph:
- UURAC: User-to-User Relationship-based Access Control (DBSec 12)
- URRAC: User-to-Resource Relationship-based Access Control (Winner of Best Paper Award at PASSAT 12)

Motivating Examples
- Related users control
  - There exist several different types of relationships in addition to ownership
  - e.g., Alice and Carol want to control the release of Bob's photo, which contains Alice's and Carol's images
- Administrative control
  - A change of relationship may result in a change of authorization
  - Treat administrative activities differently from normal activities: policy specification, relationship invitation and relationship recommendation
  - e.g., Bob's mother Carol may not want Bob to become a friend of her colleagues, to access any violent content, or to share personal information with others

Speaker notes: Existing approaches take a rudimentary friend-of-friend approach, focus on U2U relationships, and at least implicitly assume ownership is the only manifestation of U2R; they fail to capture many user activities found in OSN applications. A tagged user wants to control other related users' access to the photo. Allowing U2R relationships enables users to specify policies for related resources and users. Policy administration becomes critical, since the OSN needs to ensure only the right users are authorized to do it.

Problems
- Traditional access control mechanisms are not suitable for OSNs
  - OSNs keep massive resources and change dynamically
- Existing relationship-based access control approaches are coarse-grained and limited
  - Commercial systems support either limited types or limited depth of U2U relationships
  - Academic works are also not flexible and expressive enough in relationship composition
- Policy administration and conflict resolution are missing
  - Multiple users can specify policies for the same resource

Speaker notes: Big bulk of data, changing dynamically; traditional methods are not scalable. Various types of resources need to be protected, such as user sessions, relationships, policies and events. Current solutions rely on an implicit relationship, ownership; authorization is still based on U2U. Extend the social graph to incorporate arbitrary activities and objects.

Scope and Assumptions
Assumptions:
- The threat model does not include OSN providers
- Users' computers are not compromised by malicious intruders or malware
- Do not consider the case where a hacker gains unauthorized access to a site's code and logic
Scope:
- Aim to improve the access control mechanism

Speaker notes: It is not realistic to fight against the business model of OSN systems.

Comparison
The advantages of our approach:
- The passive form of action allows outgoing and incoming action policies
- Path patterns of different relationship types and hopcount skipping make policy specification more expressive
- System-level conflict resolution policy


Social Networks
The social graph is modeled as a directed labeled simple graph G = (U, E, Σ):
- Nodes U as users
- Edges E as relationships
- Σ = {σ1, σ2, ..., σn, σ1^-1, σ2^-1, ..., σn^-1} as the relationship types supported, each type paired with its inverse

Speaker notes: Relationships are not mutual any more. We consider incoming relationships, so granting access to users who consider him a friend is plausible (inverse relationship).

Characteristics of Access Control in OSNs
- Policy individualization
  - Users define their own privacy and activity preferences
  - Related users can configure policies too
  - Collectively used by the system for the control decision
- User and resource as a target
  - e.g., poke, messaging, friendship invitation, etc.
- User policies for outgoing and incoming actions
  - A user can be either the requester or the target of an activity
  - Allows control on 1) activities without knowing a particular resource and 2) activities against the user without knowing a particular access requester
  - e.g., block notification of friends' activities; restrict from viewing violent content

Speaker notes: We summarize four essential characteristics that need to be supported in access control solutions for OSN systems.

U2U Relationship-based Access Control (UURAC) Model

UURAC model components:
- UA: Accessing User
- UT: Target User
- UC: Controlling User
- RT: Target Resource
- AUP: Accessing User Policy
- TUP: Target User Policy
- TRP: Target Resource Policy
- SP: System Policy

Key features:
- Policy individualization
- User and resource as a target
- Separation of user policies for incoming and outgoing actions
- Regular expression based path patterns with max hopcounts

Access Request and Evaluation
- Access request: ua tries to perform action on target
- The target can be either a user ut or a resource rt

Policies and Relationships Used for Access Evaluation
- When ua requests to access a user ut:
  - ua's AUP, ut's TUP, SP
  - U2U relationships between ua and ut
- When ua requests to access a resource rt:
  - ua's AUP, rt's TRP (associated with uc), SP
  - U2U relationships between ua and uc

Policy Representations
- action^-1 in TUP and TRP is the passive form, since it applies to the recipient of the action
- TRP has an extra parameter rt to distinguish the actual target resource it applies to
  - owner(rt) gives a list of uc
  - U2U relationships between ua and uc are used
- SP does not differentiate the active and passive forms
- SP for resources needs r.type to refine the scope of the resource

Graph Rule Grammar

Example

Speaker notes: Change to plaintext.

Policy Extraction
- Policy: graph rule = (start, path rule)
- Path Rule: a path spec, or path specs joined by a connective
- Path Spec: (path, hopcount)
- The start determines the starting node, where the evaluation starts; the other user involved in the access becomes the evaluating node
- Path-check each path spec using Algorithm 2 (introduced in detail later)

Policy Evaluation
- Evaluate a combined result based on the conjunctive or disjunctive connectives between path specs
- Make a collective result for the multiple policies in each policy set. Policy conflicts may arise; we assume a system-level conflict resolution strategy is available (e.g., disjunctive, conjunctive, prioritized)
- Compose the final result from the result of each policy set (AUP, TUP/TRP, SP)

Path Checking Algorithm
- Parameters: G, path, hopcount, s, t
- Traversal order: depth-first search
  - Activities in OSNs typically occur among people at close distance
  - DFS needs only one pair of variables to keep the current status and history of the exploration
  - The hopcount limit prevents DFS from lengthy useless search

Initiation
- Access request: (Alice, read, rt)
- Policy: (read^-1, rt, (f*cf*, 3))
- Path pattern: f*cf*
- Hopcount: 3
- DFA for f*cf* with states 0, 1, 2, 3 (transitions labeled f and c)

Worked trace on the example social graph (users George, Fred, Carol, Harry, Ed, Alice, Dave, Bob; edges labeled f and c); the evaluation starts at Harry:
- d: 0, currentPath: (empty), stateHistory: 0
- d: 1, currentPath: (H,D,f), stateHistory: 01
- Case 1: the next node is already visited, thus creates a self loop; skip it
- d: 2, currentPath: (H,D,f)(D,B,f), stateHistory: 011
- Case 3: currentPath matches a prefix of the pattern, but the DFA is not at an accepting state
- d: 2, currentPath: (H,D,f)(D,B,c), stateHistory: 012
- d: 3, currentPath: (H,D,f)(D,B,c)(B,A,f), stateHistory: 0123
- Case 2: found a matching path and the DFA reached an accepting state

Beyond U2U Relationships
- There are various types of relationships between users and resources in addition to U2U relationships and ownership, e.g., share, like, comment, tag, etc.
- U2U, U2R and R2R
- U2R further enables relationship and policy administration

URRAC Model Components

- AU: Accessing User
- AS: Accessing Session
- TU: Target User
- TS: Target Session
- O: Object
- P: Policy
- PAU: Accessing User Policy
- PAS: Accessing Session Policy
- PTU: Target User Policy
- PTS: Target Session Policy
- PO: Object Policy
- PP: Policy for Policy
- PSys: System Policy

Differences with UURAC
- Access request (s, act, T), where T may contain multiple objects
- Hopcount skipping
  - Option to omit the hops created by resources
  - A hopcount stated inside [[ ]] will not be counted in the global hopcount, e.g., ([f*,3][[c*,2]],3)
- Policy administration
- User-session distinction
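As an added example (not code from the lecture or the UURAC papers), the path-checking algorithm and the worked trace above in Python: a depth-first search driven by a hand-built DFA for f*cf* with hopcount 3, run over a constructed graph that contains the traced edges Harry -f-> Dave -c-> Bob -f-> Alice; the remaining edges and the `evaluate_trp` wrapper are assumptions of this example.

```python
"""Added example: UURAC-style path checking (DFS + DFA) for the policy (read^-1, rt, (f*cf*, 3))."""
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (from_user, to_user, relationship type)

# Constructed social graph as adjacency lists: user -> [(neighbour, relationship type)].
# It contains the edges the lecture trace walks (Harry -f-> Dave, Dave -f-> Bob, Dave -c-> Bob,
# Bob -f-> Alice); every other edge is made up for this example.
GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "Harry":  [("Dave", "f"), ("Ed", "f")],
    "Dave":   [("Harry", "f"), ("Bob", "f"), ("Bob", "c")],
    "Bob":    [("Dave", "f"), ("Alice", "f"), ("Carol", "c")],
    "Ed":     [("Harry", "f"), ("Alice", "f")],
    "Alice":  [("Bob", "f"), ("Ed", "f")],
    "Carol":  [("Bob", "c"), ("George", "f")],
    "George": [("Carol", "f"), ("Fred", "f")],
    "Fred":   [("George", "f")],
}

# Hand-built DFA for the path pattern f*cf*, mirroring the four-state automaton on the slide:
# f's before the c cycle through states 0/1, the single c leads to state 2, f's after it to
# state 3.  States 2 and 3 accept; any transition missing from `delta` rejects the prefix.
DFA_FCF = {
    "start": 0,
    "accepting": {2, 3},
    "delta": {(0, "f"): 1, (1, "f"): 1, (0, "c"): 2, (1, "c"): 2, (2, "f"): 3, (3, "f"): 3},
}


def dfa_accepts(dfa, labels: str) -> bool:
    """Run the DFA over a complete label string (sanity check of the automaton)."""
    state = dfa["start"]
    for ch in labels:
        state = dfa["delta"].get((state, ch))
        if state is None:
            return False
    return state in dfa["accepting"]


def path_check(graph, dfa, s: str, t: str, hopcount: int) -> Optional[List[Edge]]:
    """Algorithm 2 in outline: find a simple path s -> t of at most `hopcount` edges whose
    label sequence the DFA accepts.  DFS carries one (currentPath, state) pair per branch."""
    delta, accepting = dfa["delta"], dfa["accepting"]

    def dfs(node: str, state: int, path: List[Edge], visited: Set[str]) -> Optional[List[Edge]]:
        if node == t:
            # Case 2: target reached in an accepting state -> match.  Reaching t with the DFA
            # not accepting is a matched prefix only (Case 3); a simple path cannot return to t.
            return path if (path and state in accepting) else None
        if len(path) >= hopcount:          # hopcount limit stops lengthy useless search
            return None
        for nxt, rel in graph.get(node, []):
            if nxt in visited:             # Case 1: revisiting a node would create a loop
                continue
            nstate = delta.get((state, rel))
            if nstate is None:             # the label sequence can no longer match f*cf*
                continue
            found = dfs(nxt, nstate, path + [(node, nxt, rel)], visited | {nxt})
            if found is not None:
                return found
        return None

    return dfs(s, dfa["start"], [], {s})


def evaluate_trp(owner: str, requester: str) -> bool:
    """Evaluate the passive policy (read^-1, rt, (f*cf*, 3)) for the request (requester, read, rt):
    evaluation starts at the controlling user (owner of rt) and must reach the requester."""
    return path_check(GRAPH, DFA_FCF, owner, requester, 3) is not None
```

Note that Ed is a direct friend of Harry yet is denied: the pattern insists on exactly one c edge, so friendship alone never satisfies this policy.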

Hopcount Skipping
- U2R and R2R relationships may form a long sequence
- Omit the distance created by resources
- A local hopcount stated inside [[ ]] will not be counted in the global hopcount
  - e.g., in ([f*,3][[c*,2]],3), the local hopcount 2 for c* does not apply to the global hopcount 3, thus allowing f* to have up to 3 hops
- Six degrees of separation
  - Any pair of persons is separated by about 6 people on average (4.74 shown by a recent study)
  - The hopcount for U2U relationships is practically small

Policy Conflict Resolution
- System-defined conflict resolution for potential conflicts among user-specified policies
- Disjunctive, conjunctive and prioritized order between relationship types: connectives representing disjunction, conjunction and precedence (>)
- @ is a special relationship "null" that denotes self

Speaker notes: Multiple policies having weight in the authorization result inevitably lead to decision conflicts. While assuming policies specified by the system will always be unambiguous, conflict resolution policies are responsible for interpreting how the potential policy conflicts within each category of user-specified policies can be resolved, in terms of the precedence or connectives over relationship types.

Policy Conflict Resolution (cont.)

Example
View a photo where a friend is tagged. Bob and Ed are friends of Alice, but not friends of each other. Alice posted a photo and tagged Ed in it. Later, Bob sees the activity in his news feed and decides to view the photo: (Bob, read, Photo2)
Policies involved: Bob's PAS(read); Photo2's PO(read^-1) by Alice; Photo2's PO(read^-1) by Ed; APSys(read); CRPSys(read)

Speaker notes: In conflict.

Example (cont.)
Parental control of policies. The system features parental control, such as allowing parents to configure their children's policies. The policies are used to control the incoming or outgoing activities of children, but are subject to the parents' will. For instance, Bob's mother Carol requests to set some policy, say Policy1, for Bob: (Carol, specify_policy, Policy1)
Policies involved: Carol's PAS(specify_policy); Policy1's PP(specify_policy^-1) by Bob; PSys(specify_policy); CRPSys(specify_policy)

flyByNight: Mitigating the Privacy Risks of Social Networking
A Facebook application designed to encrypt and decrypt data, with the objective of mitigating privacy risks in OSNs.
- Primary goal: hide information transferred through the OSN from the provider and the application server
- Key ideas:
  - Encrypt sensitive data on the client side and send the ciphertext to the intended parties
  - Uses ElGamal encryption
  - Proxy cryptography

How It Works
- Initialization
  - Client generates a public/private key pair and a password
  - Client transfers the encrypted private key to the flyByNight server, which saves it in the key database
- Send data:
  - Client encrypts private data M with the friend's public key, tags the encrypted data with the friend's ID, and saves the encrypted data in the message database on the flyByNight server
- Receive data:
  - Client decrypts the private key with the password, then decrypts M with the private key

NOYB: Privacy in Online Social Networks
An architecture that scatters user data to protect privacy while preserving the functionality of the OSN service.
Key ideas:
- Encrypt user data such that the ciphertext shares the same semantic and statistical properties as legitimate data
- Allow the OSN provider to work on the ciphertext

Architecture
- Uses an out-of-band channel for key management
- User data is divided into atoms
- Atoms of similar type constitute a dictionary
- Atoms are replaced with other atoms from the dictionary
- Example: the profiles (Alice, F, 26), (Bob, M, 30) and (Carol, F, 27) are split into the atoms (Alice, F), (26), (Bob, M), (30), (Carol, F), (27); after substitution the stored profiles read (Alice, F, 27), (Bob, M, 26), (Carol, F, 27)
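The atom-and-dictionary substitution sketched above, as an added example that is not NOYB's own code: each atom is replaced with another atom from the same dictionary using a permutation derived from a key shared out of band, so the stored record is still a well-formed profile the provider can process; the dictionaries, the key derivation (HMAC-SHA256 seeding a shuffle) and the (name, gender, age) layout are assumptions of this example.

```python
"""Added example: NOYB-style atom substitution using a keyed permutation of each dictionary."""
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

Atom = Tuple[str, ...]
Profile = Tuple[str, str, int]  # (name, gender, age), as in the lecture's example records

# Constructed dictionaries, one per atom type.  Real NOYB dictionaries would be much larger;
# these small ones are made up so the example stays readable.
DICTIONARIES: Dict[str, List[Atom]] = {
    "name_gender": [("Alice", "F"), ("Bob", "M"), ("Carol", "F"), ("Dave", "M"),
                    ("Ed", "M"), ("Fred", "M"), ("George", "M"), ("Harry", "M")],
    "age": [(str(a),) for a in range(18, 66)],
}


def keyed_permutation(key: bytes, dict_name: str, size: int) -> List[int]:
    """Deterministic permutation of dictionary indices derived from the shared key.
    The key travels over the out-of-band channel, so the OSN provider cannot recompute it.
    Deriving the shuffle seed with HMAC-SHA256 is this example's choice, not NOYB's design."""
    seed = hmac.new(key, dict_name.encode(), hashlib.sha256).digest()
    perm = list(range(size))
    random.Random(seed).shuffle(perm)
    return perm


def substitute(atom: Atom, dict_name: str, key: bytes, decrypt: bool = False) -> Atom:
    """Replace an atom with another atom from the same dictionary (or undo the replacement)."""
    dictionary = DICTIONARIES[dict_name]
    perm = keyed_permutation(key, dict_name, len(dictionary))
    idx = dictionary.index(atom)
    new_idx = perm.index(idx) if decrypt else perm[idx]   # perm.index inverts the permutation
    return dictionary[new_idx]


def encrypt_profile(profile: Profile, key: bytes) -> Profile:
    """Split the profile into atoms (name, gender) and (age), substitute each, reassemble.
    The stored record is a syntactically valid profile, so the provider can still process it."""
    name, gender = substitute((profile[0], profile[1]), "name_gender", key)
    (age,) = substitute((str(profile[2]),), "age", key)
    return (name, gender, int(age))


def decrypt_profile(stored: Profile, key: bytes) -> Profile:
    """Friends holding the key invert the substitution atom by atom."""
    name, gender = substitute((stored[0], stored[1]), "name_gender", key, decrypt=True)
    (age,) = substitute((str(stored[2]),), "age", key, decrypt=True)
    return (name, gender, int(age))


def looks_legitimate(stored: Profile) -> bool:
    """The provider's view: every field is drawn from the legitimate value space."""
    return (stored[0], stored[1]) in DICTIONARIES["name_gender"] and (str(stored[2]),) in DICTIONARIES["age"]
```

Because the substitution is deterministic per dictionary, two users with the same age map to the same stored age; the statistical properties of the field are preserved, which is exactly what lets the provider keep operating on the data.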

Conclusion
- The emergence of OSNs poses severe privacy risks to users
- A lot of work has been done to protect the privacy and security of user data:
  - Access control models
  - Cryptographic solutions
  - Social networking platforms for third party applications

Questions?

Comparison of relationship-based access control models
Columns: Fong [14] | Fong [12,13] | Carminati [8] | Carminati [5,6] | UURAC [10] | URRAC [9]

Relationship Category: Multiple Relationship Types; Directional Relationship; U2U Relationship; U2R Relationship
Model Characteristics: Policy Individualization; User & Resource as a Target (partial); Outgoing/Incoming Action Policy (partial)
Relationship Composition:
  Relationship Depth:       0 to 2 | 0 to n | 1 to n | 1 to n | 0 to n | 0 to n
  Relationship Composition: f, f of f | exact type sequence | path of same type | exact type sequence | path pattern of different types | path pattern of different types