Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Attribute-Aware Relationship-Based Access Control for Online Social Networks World-Leading Research with Real-World Impact! Yuan Cheng, Jaehong Park.

Published byAllan Hood Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Attribute-Aware Relationship-Based Access Control for Online Social Networks World-Leading Research with Real-World Impact! Yuan Cheng, Jaehong Park."— Presentation transcript:

1 1 Attribute-Aware Relationship-Based Access Control for Online Social Networks World-Leading Research with Real-World Impact! Yuan Cheng, Jaehong Park and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio 7/14/2014 28th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2014)

2 Relationship-based Access Control (ReBAC) Motivation UURAC A Model Algorithm Conclusion © Ravi Sandhu 2 World-Leading Research with Real-World Impact! Outline

3 Users in OSNs are connected by social relationships (user-to-user relationships) Owner of the resource can control its release based on such relationships between the access requester and the owner Access conditions are usually based on type, depth, or strength of relationships Relationship-based Access Control

4 Related Work Fong 2009Fong 2011Carminati 2009aCarminati 2009bUURAC A Relationship Category Multiple Relationship Types √√√√ Directional Relationship √√√ Model Characteristics Policy Individualization √√√√√ User & Resource as a Target (partial)√ Outgoing/Incoming Action Policy (partial)√ Relationship Composition Relationship Depth0 to 20 to n1 to n 0 to n Relationship Composition f, f of f Exact type sequence Path of same type Exact type sequence Path pattern of different types Attribute-aware Access Control Common-friends k √√ User Attributes(partial)√ Relationship Attributes (partial)√  Passive form of action allows outgoing and incoming action policy  Path pattern of different relationship types makes policy specification more expressive  Attribute-aware access control based on attributes of users and relationships

5 Motivation ReBAC usually relies on type, depth, or strength of relationships, but cannot express more complicated topological information ReBAC lacks support for attributes of users, resources, and relationships Useful examples include common friends, duration of friendship, minimum age, etc.

6 UURAC A Model Extended from the UURAC model (DBSec 12) Social graph is modeled as a directed labeled simple graph G=  Nodes U as users  Edges E as relationships  Σ={σ 1, σ 2, …,σ n, σ 1 -1, σ 2 -1,…, σ n -1 } as relationship types supported

7 U A : Accessing User U T : Target User U C : Controlling User R T : Target Resource AUP: Accessing User Policy TUP: Target User Policy TRP: Target Resource Policy SP: System Policy Policy Individualization User and Resource as a Target Separation of user policies for incoming and outgoing actions Regular Expression based path pattern w/ max hopcounts (e.g., ) Policy Individualization User and Resource as a Target Separation of user policies for incoming and outgoing actions Regular Expression based path pattern w/ max hopcounts (e.g., ) U2U Relationship-based Access Control (UURAC) Model

8 Access Request  u a tries to perform action on target  Target can be either user u t or resource r t Policies and Relationships used for Access Evaluation  When u a requests to access a user u t u a ’s AUP, u t ’s TUP, SP U2U relationships between u a and u t  When u a requests to access a resource r t u a ’s AUP, r t ’s TRP, SP U2U relationships between u a and u c Access Request and Evaluation

9 Policy Representation action -1 in TUP and TRP is the passive form since it applies to the recipient of action TRP has an extra parameter u c to specify the controlling user  U2U relationships between u a and u c SP does not differentiate the active and passive forms SP for resource needs r.typename, r.typevalue to refine the scope of the resource

10 Example

11 Attributes in OSNs Node attributes Define user’s identity and characteristics: e.g., name, age, gender, etc. Edge attributes Describe the characteristics of the relationship: e.g., weight, type, duration, etc. Count attributes Depict the occurrence requirements for the attribute-based path specification, specifying the lower bound of the occurrence of such path

12 12 +0 +1 +2 -2 -0 +1 +2-2 ∀ [+1, -2], age(u) > 18 ∃ [+1, -1], weight(e) > 0.5 ∃ {+1, +2, -1}, gender = “male” -2 World-Leading Research with Real-World Impact! Attribute-based Policy

13 Strategy: DFS Parameters: G, path, hopcount, s, t 13 World-Leading Research with Real-World Impact! f п0п0 п0п0 п1п1 п1п1 п2п2 п2п2 п3п3 п3п3 f f c c f DFA for f*cf* Access Request: (Alice, read, r t ) Policy: (read -1, r t, (f*cf*, 3)) Path pattern: f*cf* Hopcount: 3 Path-checking Algorithm

14 14 George Fred Carol Harry Ed Alice Dave Bob f f c f f f f f f f c c c п0п0 п0п0 п1п1 п1п1 п2п2 п2п2 п3п3 п3п3 f f c c f d: 0 currentPath: Ø stateHistory: 0 Path pattern: f*cf* Hopcount: 3 Harry п0п0 п0п0 Dave п1п1 п1п1 d: 1 currentPath: (H,D,f) stateHistory: 01 Case 1: next node is already visited, thus creates a self loop d: 2 currentPath: (H,D,f)(D,B,f) stateHistory: 011 f Bob Alice Case 3: currentPath matches the prefix of the pattern, but DFA not at an accepting state d: 2 currentPath: (H,D,f)(D,B,c) stateHistory: 012 п2п2 п2п2 п3п3 п3п3 d: 3 currentPath: (H,D,f)(D,B,c)(B,A,f) stateHistory: 0123 Case 2: found a matching path and DFA reached an accepting state

15 15 George Fred Carol Harry Ed Alice Dave Bob f f f f f f f f f f f Occupation = ‘student’ +1 +1 Occupation = ‘teacher’ Occupation = ‘student’ Occupation = ‘teacher’ Occupation = ‘student’ World-Leading Research with Real-World Impact! Example: Node Attributes

16 16 George Fred Carol Harry Ed Alice Dave Bob f f f f f f f f f f f Since = June, 2013 Since = Feb, 2014 Since = Aug, 2010 Since = May, 2009 Since = Aug, 2008 World-Leading Research with Real-World Impact! Example: Edge Attributes

17 Complexity Time complexity is bounded between [O(dmin Hopcount ),O(dmax Hopcount ) ], where dmax and dmin are maximum and minimum out-degree of node  Users in OSNs usually connect with a small group of users directly, the social graph is very sparse  Given the constraints on the relationship types and hopcount limit, the size of the graph to be explored can be dramatically reduced  Attribute-based check introduces overhead costs when it finds a possible qualified path, which are proportional to the amount of attributes as well as the type of attribute functions considered

18 Conclusion Presented an extended UURAC model for OSNs Formalized the attribute-based policies and the grammar for policy specifications Enhanced the path checking algorithm with attribute- awareness

19 Questions

Download ppt "1 Attribute-Aware Relationship-Based Access Control for Online Social Networks World-Leading Research with Real-World Impact! Yuan Cheng, Jaehong Park."

Similar presentations

Access Control for Online Social Networks using Relationship Type Patterns Yuan Cheng Department of Computer Science University of Texas at San Antonio.

Access Control for Online Social Networks using Relationship Type Patterns Yuan Cheng Department of Computer Science University of Texas at San Antonio.
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.

Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
Data and Computer Communications

Data and Computer Communications
Access Control & Privacy Preservation in Online Social Networks

Access Control & Privacy Preservation in Online Social Networks
Evaluating “find a path” reachability queries P. Bouros 1, T. Dalamagas 2, S.Skiadopoulos 3, T. Sellis 1,2 1 National Technical University of Athens 2.

Evaluating “find a path” reachability queries P. Bouros 1, T. Dalamagas 2, S.Skiadopoulos 3, T. Sellis 1,2 1 National Technical University of Athens 2.
A Provenance-based Access Control Model for Dynamic Separation of Duties July 10, 2013 PST 2013 Dang Nguyen, Jaehong Park, and Ravi Sandhu Institute for.

A Provenance-based Access Control Model for Dynamic Separation of Duties July 10, 2013 PST 2013 Dang Nguyen, Jaehong Park, and Ravi Sandhu Institute for.
A Provenance-based Access Control Model (PBAC) July 18, 2012 PST’12, Paris, France Jaehong Park, Dang Nguyen and Ravi Sandhu Institute for Cyber Security.

A Provenance-based Access Control Model (PBAC) July 18, 2012 PST’12, Paris, France Jaehong Park, Dang Nguyen and Ravi Sandhu Institute for Cyber Security.
11 World-Leading Research with Real-World Impact! Integrated Provenance Data for Access Control in Group-centric Collaboration Dang Nguyen, Jaehong Park.

11 World-Leading Research with Real-World Impact! Integrated Provenance Data for Access Control in Group-centric Collaboration Dang Nguyen, Jaehong Park.
1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.

1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.
Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.

Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.
11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.

11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
Connected Components, Directed Graphs, Topological Sort COMP171.

Connected Components, Directed Graphs, Topological Sort COMP171.
Connected Components, Directed graphs, Topological sort COMP171 Fall 2005.

Connected Components, Directed graphs, Topological sort COMP171 Fall 2005.
Graphs & Graph Algorithms Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

Graphs & Graph Algorithms Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
1 Efficient Discovery of Conserved Patterns Using a Pattern Graph Inge Jonassen Pattern Discovery Arwa Zabian 13/07/2015.

1 Efficient Discovery of Conserved Patterns Using a Pattern Graph Inge Jonassen Pattern Discovery Arwa Zabian 13/07/2015.
Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,

Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Manohar – Why XML is Required Problem: We want to save the data and retrieve it further or to transfer over the network. This.

Manohar – Why XML is Required Problem: We want to save the data and retrieve it further or to transfer over the network. This.

Similar presentations

Ads by Google