IEEE 6th International Conference on Advanced Computing
Abstract—Online Social Network (OSN) has become a popular and de facto portal for digital information sharing. Preserving information privacy is indispensable in such applications, as the shared information would be sensitive. The issue becomes more challenging due to the participation of multiple parties in the shared resources or data. In this paper, we propose an effective access control technique to allow or disallow access to the shared resources, considering the authorization requirements of all the multiple parties. A logical representation of the proposed access control technique is prepared to analyse the privacy risk.

Keywords—Online Social Network; Access Control; Collaborative Policy; Stakeholders; Trust.

I. INTRODUCTION

Online Social Networks (OSNs) are web-based social platforms that allow users to create their online virtual social relationship network. In recent years, OSNs have seen unprecedented growth, which is reflected by the fact that up to March 2015, 58% of Internet users were part of at least one OSN [1]. During 2012-13, the top three popular OSN platforms, Facebook, Twitter, and Google+, grew at the rate of 23%, 43%, and 33% respectively [2].

OSNs provide their users with a diverse set of built-in information sharing services like wall posts, sharing statuses, photos, videos, links and many more. These services enable users to express themselves to other users. To avail these services, one needs to register with the OSN of his choice.

During interaction, OSN users post a number of messages, photos, videos etc., into their own or other users' spaces. All such content, including user profiles, contains a huge amount of personal and sensitive information of the respective OSN users. Most often, these contents contain or reveal private and sensitive information of other OSN users as well, like a group photo with other users. Such contents are known as multi-party contents.

At present, OSNs offer a basic level of access control to define the target audience for private and sensitive resources. For example, Facebook, the most popular OSN, allows its users to specify the audience of a resource from a list containing friends, friends of friends, only me, public, custom [3]. This type of access control model is neither flexible nor fine-grained. Besides that, the existing solutions only control the access to those data or resources that reside in the user's space owned by that user.

Each multi-party content is associated with multiple stakeholders, and the privacy preference of each stakeholder would be different. These preferences lead to policy conflicts that make access control a challenging task. To address the multi-party access control issues, present OSNs provide a preliminary level of protection mechanism. For instance, Facebook allows a tagged user in a group photo to report/remove the tag, if s/he does not want to share that with others. However, that photo still remains visible to others. Further, if a stakeholder wants to fully remove the photo, s/he has to request the user who has uploaded it.

At present, no OSN offers an access control facility for multi-party resources. The existing proposed multi-party access control schemes for OSNs are not fine-grained, flexible and expressive enough. Therefore, a flexible and efficient solution is urgently needed to control the access to multi-party contents.

In this paper, we propose a simple and flexible access control model where stakeholders collaboratively specify access policies, equipped with a simple conflict resolution technique. The scheme uses trust among stakeholders (of the resource) and the requester to take the access decision. A logical representation of the proposed model using Answer Set Programming (ASP) [4] is developed to formally establish the correctness of the model.

The rest of the paper is organized as follows. We provide related work in Section II, and the system model with security requirements in Section III. In Section IV, we describe our proposed scheme. In Section V, we describe a logical representation of the proposed model developed to verify its correctness, which is followed by discussion in Section VI. Section VII concludes our work.

II. RELATED WORK

Most of the current access control models used in OSNs, including [5], [6], [7], [8], are relationship based. These models exploit the relationship between users and resources to take access decisions. A semantic-web based model proposed in [9] represents the user relationships, their resources, and actions in the form of ontologies. The access control policies are enforced by querying the database storing these ontologies. Unfortunately, none of these solutions addresses the problem of multi-party access control.

Recent solutions [10], [11], [12], [13] target the problem of multi-party access control. In [13] a game
The label $l \in I$, assigned to each edge $e \in E$, specifies the relationship that $v_i$ has with $v_j$. Note that $l(v_i, v_j) = l(v_j, v_i)$ for a symmetric relationship, but $l(v_i, v_j) \neq l(v_j, v_i)$ for an asymmetric relationship. For example, relationships like spouse, colleague, friend are symmetric relationships, and relationships like father, mother are asymmetric relationships. The constant $T(v_i, v_j) \in [0, 1]$ gives a measure of the strength of the relationship, referred to as trust, from user $v_i$ to user $v_j$. This trust value may be different from the trust value from user $v_j$ to user $v_i$, i.e. $T(v_i, v_j) \neq T(v_j, v_i)$. Figure-1 shows a partial snapshot of

• $R\_Owner(r)$ returns the owner of a resource $r \in R$.
• $ST(r)$ returns all the stakeholders of a resource $r$.
• $T(v_1, v_2)$ gives the trust $v_1$ has in $v_2$.
• $RAP(r)$ returns all access control policies specified for the resource $r$.
• $SC(v)$ returns all social contacts of a user $v$.

B. Security Objective

1) Data Privacy: The user should be able to reveal his private data selectively to his social contacts as per his privacy preferences.
2) Multi-party Access Control: The access control model must provide a mechanism to control the access of multi-party contents. The protocol must allow all the stakeholders to have precise control over who can access the data and who cannot.

Additionally, the system should be flexible and easy to use. This is a very important requirement for an access control model, as most of the users are not smart enough to work with a complex access control system.
• $F = f_1 \cup f_2 \cup \dots \cup f_k$
• $f_i \cap f_j = \emptyset$ where $i \neq j$, $\forall i, j = 1, 2, \dots, k$

Each partition can be assigned a range of trust values by each user in the interval $[0, 1]$. Trust value 0 represents no trust and 1 represents full trust. The trust value of a user for each of his social connections can be assigned according to his perceived strength of the relationship with the target user. If a user $v \in V$ adds a new connection with $v' \in V$, $v'$ is added, as per the user's recommendation, to one of the sets of the partition. The initial trust value of the connection $T(v, v')$ is set by the user, or it is set to the default, that is, the lowest value of the relationship class. Table-I represents a sample range of trust values for its contact sub-classes.

TABLE I. DISTRIBUTION OF TRUST $T$ ACROSS RELATIONSHIP CLASSES

    Contact sub-class    Trust (T)
    Family               0.75 ≤ T ≤ 1
    Close Friends        0.5 ≤ T < 0.75
    Normal Friends       0.25 ≤ T < 0.5
    Others               0 ≤ T < 0.25

The proposed multiparty access control mechanism CACO consists of three major components, as depicted in Figure 2, which are described as follows.

After receiving policies from all the stakeholders, it aggregates and stores them into a local database called the Access Policy Database. Any request to access the resource is served after the access policies for $r_v$ are completely defined. Further, the CACPM of the owner evaluates the access request for the resource $r_v$ and allows or prevents access to the resource accordingly.

B. Access Policy Specification

When a user uploads a resource, its access control policy needs to be specified.

1) Access Policy: The access control policy or access policy of a user resource $r \in R$ is a 5-tuple (Controller, controller type, resource id, Trust Condition, action), where

• Controller: The user who specified the policy.
• Controller type: Specifies whether the controller is the owner or any co-owner.
• Resource id: This is a unique identifier of the resource.
• Trust Condition: It is a relational expression that specifies the trust level needed by a requester to get access to the resource.
• Action: It states the actions to be allowed if the user satisfies the access conditions in the policy. $action \subseteq \{view, comment, share, tag, like, \dots\}$ and $action = \phi$ means deny.
1) Alice posts her photo vacation.jpeg (id = $r_2$) and wants that only her social contacts with trust greater than or equal to 0.7 could view and comment on the photo.
2) Alice uploads a video "party.flv" (id = $r_3$) and wants that none of her contacts who are close to her, having trust ≥ 0.5, could watch the video.
3) Alice wants to share a link to a news item "www.abcnew.com/Obama-to-visit-UK" (id = $r_4$) with everybody.

The policies for the above access conditions can be specified as follows:

1) $P_1 = (\text{Alice}, \text{OW}, r_2, T \geq 0.7, \{\text{view}, \text{comment}\})$
2) $P_2 = (\text{Alice}, \text{OW}, r_3, T < 0.5, \{\text{view}\})$
3) $P_3 = (\text{Alice}, \text{OW}, r_4, T \geq 0, \{\text{view}\})$

2) Access Request: An access request issued by a user $Y$ for the resource $r_X$ can be specified as a 5-tuple as follows:

After calculation of $T_{eff}(s, Y)$ for every $s \in S_r$, CACPM checks if there is any policy conflict. If there is no policy conflict, the request is granted or denied according to the outcome of the policy evaluation. The flowchart in Figure-3 shows the evaluation process of an access request according to our model.
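The evaluation step described above, as an added example that is not code from the paper: each stakeholder's 5-tuple policy is checked against that stakeholder's effective trust in the requester, and the results are combined with the +1/-1 sum used by the aggregate decision rule in Section V-B. The names Policy and decide, the fail-closed defaults, and the use of that sum as the coefficient C are assumptions; the policies and effective trust values are taken as stated in Examples 1-3 of Section V-D.

```python
import operator
from dataclasses import dataclass

# Relational operators allowed in a policy's Trust Condition.
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}

@dataclass(frozen=True)
class Policy:
    """The 5-tuple (Controller, controller type, resource id, Trust Condition, action)."""
    controller: str
    controller_type: str      # "Owner" or "Co-owner"
    resource_id: str
    op: str                   # Trust Condition operator, e.g. ">="
    threshold: float          # Trust Condition bound in [0, 1]
    actions: frozenset        # empty set means deny

    def vote(self, eff_trust, action):
        """+1 if this stakeholder's policy permits the action, otherwise -1."""
        permits = action in self.actions and OPS[self.op](eff_trust, self.threshold)
        return 1 if permits else -1

def decide(policies, requester, resource_id, action, eff_trust):
    """Return (decision, C, conflict) for one access request.

    eff_trust maps each controller to its effective trust in the requester.
    """
    relevant = [p for p in policies if p.resource_id == resource_id]
    if not relevant:
        return ("deny", 0, False)          # assumption: fail closed until policies exist
    if any(p.controller == requester for p in relevant):
        return ("permit", None, False)     # owner/co-owner is granted access immediately
    # Assumption: a stakeholder with no known trust in the requester counts as T = 0.
    votes = [p.vote(eff_trust.get(p.controller, 0.0), action) for p in relevant]
    c = sum(votes)                         # +1 per permit, -1 per deny
    conflict = len(set(votes)) > 1         # stakeholders disagree
    return ("permit" if c > 0 else "deny", c, conflict)

# Policies for photo r5 from the use cases; "allow" is modelled as {"view"}.
VIEW = frozenset({"view"})
R5 = [
    Policy("Alice", "Owner", "r5", ">=", 0.7, VIEW),
    Policy("Bob", "Co-owner", "r5", ">=", 0.8, VIEW),
    Policy("Carol", "Co-owner", "r5", ">=", 0.2, VIEW),
]
# Effective trust of each stakeholder in the requester, as stated in Examples 1-3.
CASES = {
    "Rose": {"Alice": 0.7, "Bob": 0.4, "Carol": 0.8},
    "Arnold": {"Alice": 0.7, "Bob": 0.525, "Carol": 0.28},
    "Jim": {"Alice": 0.21, "Bob": 0.3, "Carol": 0.5},
}

if __name__ == "__main__":
    for name, trust in CASES.items():
        print(name, decide(R5, name, "r5", "view", trust))
    # A two-stakeholder split gives C = 0, which is not > 0, so the request is denied.
    print("tie", decide(R5[:2], "Rose", "r5", "view", CASES["Rose"]))
```

With an even number of stakeholders a split vote yields C = 0, and because the final decision rule requires a value greater than 0, the request is denied.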
A. Logical Definition of Owner and Co-owner

The owner and co-owner of a resource are defined using rules in ASP as follows:

• The owner X of the resource R is represented by the following rule:

    owner(X, R) :- uploads(X, R), access_trust(X, R, Trust), user(X), resource(R).

• The co-owner Y of the resource R is represented by the following rule:

    coowner(Y, R) :- refers(R, Y), not owner(Y, R), access_trust(Y, R, Trust), user(Y), resource(R).

• The fact that there is only one owner is ensured by the following rule:

    1 { owner(X, R) : user(X) } 1 :- resource(R).

B. Access Policy Specification

The access policy specification is done in terms of ASP rules as follows:

• If the requester is one of the controllers (i.e. owner or co-owner), s/he is given access immediately. Accordingly, the rule is as follows:

    access_decision(Z2, Z1, R, permit) :- controller(Z1, R), controller(Z2, R), request(Z2, R), user(Z2), resource(R).

• To make the final decision, the aggregation of the results of all individual policy evaluations is done by the following rule:

    aggregate_decision(Z2, R, K) :- K = #sum{1 : access_decision(Z2, Z1, R, permit); -1 : access_decision(Z2, Z1, R, deny)}N, controller(Z1, R), not controller(Z2, R), request(Z2, R), no_controller(N, R), user(Z2), resource(R).

• The final decision is "permit" if the following rule is satisfied:

    final_decision(Z2, R, permit) :- K > 0, aggregate_decision(Z2, R, K), resource(R), request(Z2, R), user(Z2).

C. Formal verification of CACO

The logical representation of the proposed model in ASP helps to formally analyse the authorization properties. It is translated into the problem of checking whether the program $\pi \cup \pi_{query}$ has no answer set, where program $\pi$ in ASP represents user-to-user and user-to-resource relationships with the access control policies associated with the resources. Program $\pi_{query}$ encodes the negation of the access request. CACO is analysed on a machine having an i7- (2.70 GHz) CPU, 4GB RAM, and the Ubuntu 14.10 platform, by providing $\pi$ with the encoding of various queries to the grounder gringo [14] and the answer set solver clasp [15].

To check if a given access request is satisfied or not, we submit the negation of the query to our ASP logical model. If the query is satisfied, it does not return any answer set. Otherwise, the returned answer set will work as a counterexample. Due to space limitation, we could not provide the snapshots of the output of the program.

The working of the proposed access control model is illustrated with examples as follows:

D. Use Cases

Let us assume Bob and Alice are very close friends. The direct trust values of the users are given in Table II.

TABLE II. SAMPLE TRUST VALUES BETWEEN OSN USERS.

    User Pair          Trust    User Pair          Trust
    (Alice, Bob)       0.7      (Bob, Alice)       0.75
    (Bob, Carol)       0.5      (Carol, Bob)       0.56
    (Alice, Rose)      0.7      (Rose, Alice)      0.6
    (Carol, Rose)      0.8      (Rose, Carol)      0.65
    (Carol, Alice)     0.4      (Alice, Carol)     0.3
    (Alice, Arnold)    0.7      (Arnold, Alice)    0.5

Suppose Alice uploads a photo $r_5$ of the birthday party of her friend Bob. In the photo she tags Bob and another friend, Carol. Let the photo be private and sensitive to Alice and Bob, but not to Carol. Thus Alice, Bob and Carol set the required trust level to view the photo as 0.7, 0.8, 0.2 respectively. So, the access policies for the photo are as follows:

$$(\text{Alice}, \text{Owner}, r_5, T \geq 0.7, \text{allow}) \tag{2}$$
$$(\text{Bob}, \text{Co-owner}, r_5, T \geq 0.8, \text{allow}) \tag{3}$$
$$(\text{Carol}, \text{Co-owner}, r_5, T \geq 0.2, \text{allow}) \tag{4}$$

Example-1: Let Rose, one of the friends of Alice and Carol, request access to $r_5$. After receiving the access request, CACPM first verifies the evidence provided by Rose. After verifying the path, CACPM calculates the indirect trust of Bob with Rose. Alice and Carol have trust levels of 0.7, 0.8 respectively with Rose. The effective trust of Bob with Rose comes to 0.4. Now, CACPM evaluates each of the policies and detects the conflict, as the policy of Bob is not satisfied. So, it calculates the value of $C$, which evaluates to 1; thus it grants access to Rose.

Example-2: Let Arnold, a friend of Alice with trust value $T(\text{Alice}, \text{Arnold}) = 0.7$, request access to $r_5$. The effective trust in Arnold for Bob and Carol is calculated to be 0.525, 0.28 respectively. Arnold satisfies the policies of Alice and Carol but does not satisfy that of Bob. This leads to a policy conflict. To resolve the conflict, CACPM calculates the Collaborative Decision Coefficient for Arnold, which comes to $1 > 0$. Thus CACPM grants access to the photo to Arnold.

Example-3: Let Jim, a casual friend of Bob and Carol with trust values, say, $T(\text{Bob}, \text{Jim}) = 0.3$, $T(\text{Carol}, \text{Jim}) = 0.5$ respectively, request access to $r_5$. The effective trust Alice has with Jim is 0.21. Thus, Jim does not satisfy any of the policies (1), (2), but satisfies policy (3). To resolve this conflict, CACPM calculates the value of $C$, which comes to $-1$, and hence it denies the request.

VI. DISCUSSION

The important thing about CACO is that it uses the degree of intimacy (trust level) between the stakeholders and the requesting user to make the access decision. When the owner uploads a resource $r$, s/he specifies the corresponding stakeholders. Each stakeholder specifies a level of trust needed to access $r$. In CACO, each user has a CACPM module to administer the collaborative policy specification and access to the user's
resources. After receiving an access request for $r$ from user $y$, CACPM calculates the effective trust in $y$ for all stakeholders towards $r$. Then, it checks whether there is any policy conflict between the stakeholders. If CACPM finds no policy conflict, then it takes the access decision according to the outcome of the policy evaluation. In case of any conflict, it calculates the Collaborative Decision Coefficient to make the decision.

The most attractive features of our scheme include its simplicity in policy specification and conflict resolution. The users specify the audience of their contents on the basis of the required trust in the requesting user. They do not require complex access policies to specify the audience of their resources. CACO is efficient because access request evaluation involves only the CACPM of the resource owner.

TABLE III. COMPARISON OF EXISTING ACCESS CONTROL SOLUTIONS FOR OSN WITH CACO.

    Model               Trust    Relationship type    Multi-party    Automation
    Squicciarini [13]   no       U-U                  yes            yes
    Carminati [9]       yes      U-U, U-R, U-A        no             yes
    Fong [6]            no       U-U                  no             no
    Carminati [11]      yes      U-U                  yes            no
    Cheng [5]           yes      U-U, U-R, R-R        no             no
    Hu [12]             no       U-U                  yes            yes
    Cheng [8]           yes      U-U, U-R, R-R        no             no
    CACO                yes      U-U                  yes            semi

Table-III gives a comparison of CACO with some popular existing schemes. The schemes proposed in [5], [6], [8], [9] do not address the problem of multi-party access. As we have already discussed in Section-II, the scheme in [13] is not flexible and user-friendly. The scheme in [11] is not scalable, as it requires a centralized entity called Social Manager that is involved in the verification and evaluation of every access request to all OSN resources. It creates the risk of a central point of failure and the problem of a performance bottleneck. MPAC [12] is not fine-grained and fails to express various types of access control policies. For example, suppose Alice wants to share a photo (id = $r_4$) with her contacts who are highly trusted (trust value ≥ 0.75). MPAC only allows her to specify the audience of $r_4$ using either relationships or group names or a list of users. In this case she can only list all the target audience explicitly, which would be difficult. But our scheme allows Alice to specify this policy very easily as follows:

$$(\text{Alice}, \text{Owner}, r_4, T \geq 0.75, \{\text{view}\})$$

Another limitation of the MPAC model is that it does not distinguish between different access actions. Thus, it does not enable a user to specify a policy where the requester can only view a photo while being restricted from commenting on it. But in CACO a stakeholder can specify the allowed action for the audience of the resource. In MPAC there is no collaboration at the time of policy specification, and each stakeholder specifies their access policy for the resource independently. If any stakeholder is not satisfied with the current privacy settings, s/he can change the policy but has to ask the resource owner to change the conflict resolution policy. But in our case, no change is required in the conflict resolution policy, and any user can update his/her access policy.

VII. CONCLUSIONS

In this paper, we have proposed a simple and effective multi-party access control scheme CACO. The proposed scheme computes trust (direct or indirect) with each stakeholder of the resource to verify the policy rules. The access request to the resource is granted only if all the policy rules are satisfied. We have verified the correctness of CACO using its logical representation in ASP. The development of CACO prototype in the form of a Facebook application to understand usability and acceptability of the model among OSN users.

REFERENCES

[1] "Statistics brain research institute: Social networking statistics," March 2015. [Online]. Available: http://www.statisticbrain.com/social-networking-statistics/
[2] K. Morrison, "The growth of social media: From passing trend to international obsession," January 2014. [Online]. Available: http://www.adweek.com/socialtimes/the-growth-of-social-media-from-trend-to-obsession-infographic/142323
[3] Facebook, "Facebook data policy," January 2015. [Online]. Available: www.facebook.com/about/privacy/
[4] V. Lifschitz, "What is answer set programming?" in Proceedings of the Twenty-Third AAAI Conference on Artificial Intelligence, AAAI 2008, Chicago, Illinois, USA, July 13-17, 2008, 2008, pp. 1594–1597.
[5] Y. Cheng, J. Park, and R. Sandhu, "Relationship-based access control for online social networks: Beyond user-to-user relationships," in Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Conference on Social Computing (SocialCom), Sept 2012, pp. 646–655.
[6] P. Fong, "Relationship-based access control: Protection model and policy language," in Proceedings of the First ACM Conference on Data and Application Security and Privacy. New York, USA: ACM, 2011, pp. 191–202.
[7] J. Pang and Y. Zhang, "A new access control scheme for facebook-style social networks," CoRR, vol. abs/1304.2504, 2013.
[8] Y. Cheng, J. Park, and R. Sandhu, "Attribute-aware relationship-based access control for online social networks," in Data and Applications Security and Privacy XXVIII, ser. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2014, vol. 8566, pp. 292–306.
[9] B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thuraisingham, "Semantic web-based social network access control," Computers & Security, vol. 30, no. 2-3, pp. 108–115, Mar 2011.
[10] A. Besmer and R. L. Heather, "Moving beyond untagging: Photo privacy in a tagged world," in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. New York, USA: ACM, 2010, pp. 1563–1572.
[11] B. Carminati and E. Ferrari, "Collaborative access control in on-line social networks," in Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2011 7th International Conference on, Oct 2011, pp. 231–240.
[12] H. Hu, G. J. Ahn, and J. Jorgensen, "Multiparty access control for online social networks: Model and mechanisms," Knowledge and Data Engineering, IEEE Transactions on, vol. 25, no. 7, pp. 1614–1627, July 2013.
[13] A. C. Squicciarini, M. Shehab, and F. Paci, "Collective privacy management in social networks," in Proceedings of the 18th International Conference on World Wide Web, ser. WWW '09. New York, USA: ACM, 2009, pp. 521–530.
[14] M. Gebser, R. Kaminski, A. König, and T. Schaub, "Advances in gringo series 3," pp. 345–351.
[15] M. Gebser, B. Kaufmann, and T. Schaub, "Conflict-driven answer set solving: From theory to practice," Artificial Intelligence, vol. 187-188, pp. 52–89, 2012.