A Lattice-Based Access Control Model for Social Networks

A Lattice-based Access Control Model for Social Networks

Yingjun Zhang1 , Kai Chen2, Yuling Liu1, Yifeng Lian1 1Trusted Computing and Information Assurance Laboratory,Institute of Software, Chinese Academy of Sciences Beijing, China , [email protected] 2Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Abstract—Nowadays, social networks have been used widely. based approaches have been really applied in They help people communicate with family, friends or colleagues modern social networks. Also, it is known that a easily. However, they are lack of effective protection and user’s friends can be changed in a highly frequent monitoring about message transmission. In addition, the rapid way. It is not efficient to update the graph whenever updates of messages and user information also give difficulties to his friend information is updated. administrators. The existing security protection mechanisms in  Fine-grained control across multiple users. Current social networks could not protect users' private information models do not support access control across effectively. In this paper, a lattice-based access control method is multiple users well. For example, when a message used to solve these problems. In our method, first, we will extract of a user A is forwarded by another user B, it is users’ attributes to form the lattice element and construct the access control model based on lattice according the policies; then highly difficult for user A to control who can we define the partial relation to optimize the polices and append view/forward the forwarded message (since current the policies on lattice element; at last, we do some experiments to access models only consider the messaged as B’s verify it. and care about who can view B’s message).  Handle timely information. The value of Keywords-component; social networks; access control; lattice information changes with time. On the one hand, the requester’s status should be updated in time. On the other hand, a timely message attracts users who I. INTRODUCTION intensively like to forward or comment. As time Social networks have become indispensable in most goes by, the message may not attract their attention people’s daily life. Facebook [19], one of the most famous any more. So the bar for accessing the message social networks, has over 890 million daily active users should be lowered with time. around the world [8]. Twitter, with 288 million monthly Considering the large number of users (e.g., billions of active users, has 500 million Tweets sent per day [22]. users in Facebook, Twitter, Weibo and WeChat), it is fairly According to eMarketer reports [23], there are more than hard to meet the requirements above. In this paper, we 1,200,000,000 users in social networks. When using the propose a novel user-centric lattice-based access control social network, users like to upload their photos, share their model. By extracting several attributes and forming a lattice positions and talk to their families and friends. Those element, a user can define the access control policies which common operations make the social network full of users’ meet the three requirements mentioned above. Specially, a sensitive private information. lattice structure is constructed using these policies for each While holding such a large amount of private information, user. When a message of user A is accessed by another user social networks should give the information enough B, B’ lattice element using his attributes is compared with protection according to users’ requirements. Access control the lattice structure of A. The comparison result determines is an effective way. However, traditional access control whether the access is allowed or not. models (e.g., DAC [25], MAC [1], RBAC [2] and ABAC [3]) Lattice has a good property: it can be easily extended are incapable or inefficient to support millions of users (with with more (diverse) attributes (i.e., elements), and it is highly complex relationship) in social networks [4]. Some new efficient to compare an attribute with elements in a lattice access models (e.g., Rule-based access control model [9] and (lattice has partial relationship which lets the comparison do Relationship-based access control model [13]) are proposed not need to go through all elements). Also, there is no need to handle the problem of large number of users. But they to spend lots of efforts to construct a global graph of cannot always meet the basic requirements of access control relationships among all users. When a user changes his status, for social networks as follows: it can be reflected in his lattice element instantly. Secondly,  High efficiency. Current access control models for lattice supports fine-grained control across multiple users. social network are not efficient enough. For No matter how many users forward a message, the attributes example, relationship-based model has to construct of those users can be compared with the lattice one by one, the relationship graph of a user’s all friends, which which makes the comparison still happens between only two is extremely time-consuming so that no relationship sets of attributes. Thirdly, every user can be defined using a friend and stranger. “Follower” is easy to understand. In set of attributes, which lets a user fairly recognize others Figure 1, C is a follower of E. We also note that A is B’s only through the attributes, avoiding allowing the unknown follower and B is also A’s follower. Then the relationship friends’ friend or Sybil users [21] to access sensitive between A and B is defined as friends. If two users do not messages. To meet the last requirement, the lattice element follow each other, their relationship is “stranger”. Trust level can be abstract when accessing some messages, so the status is usually defined for each pair of users, and a concrete can be updated timely. In addition, the time information can number is used to represent the closeness of such level. For be attached as an attribute with a message to reflect the example, the trust level for friend, follower and stranger are timely information. In sum, the contributions are as follows: 0.6, 0.3 and 0, respectively (as shown in Figure 2). Suppose  To the best of our knowledge, we are the first to A posts a message and it is also forwarded by B, C, D and F. propose a user-centric lattice-based access control Whether H can forward the message depends on the trust model for social networks. Using this model, for level between A and H. In particular, the path between A and each of the billions of users, they can define their H should be figured out and the trust level between each pair own access control policies using attributes of users. of users should be considered. In this example, there are two  We propose a method for policy appending. After paths (i.e., A-B-D-H and A-B-C-F-H) between A and H. So constructing the lattice structure, we can append the the calculation of trust level between A and H should be policies to the element in the lattice. So the performed twice. For a big graph consisting millions of users, requester can compare the attributes with lattice the graph will be very complex, containing huge number of element to do the evaluation efficiently. different paths which makes it quite difficult to compute the  We did some experiments to verify the access trust level between two users. This is the main reason why control model. The results show that this model is current access control models are so inefficient. Also, users’ capable, flexible and efficient. relationship (i.e., follower, friend and stranger) can be This paper is organized as follows. Section 2 describes changed highly frequently. Under this access control model, the motivation. Section 3 presents the lattice for social the relationship must also be updated frequently (“Timely networks. Section 4 gives the access control model for social information” requirement in Introduction). This is so time- networks. Section 5 and Section 6 shows our implementation consuming for judging whether an access request can be and evaluation. Section 7 and section 8 give related work and allowed or not (does not meet “high efficiency” requirement conclusion. in Introduction). One may think of only allowing friends to forward a message (i.e., one-level friendship in relationship- II. MOTIVATION based models). This does not need to traverse a graph Messages in social networks can be forwarded many globally for finding paths between two users. For example, if times (e.g., tens of thousands) across different users. C wants to forward B’s message which is forwarded from A, Applying current main access control models for social C only have to check whether she can access B’s message. networks (e.g., relationship-based models [13] and trust- So A cannot control the region of spreading the message. based models [6]) is extremely inefficient due to that the Neither can she control every user for accessing (does not construction and update of various kinds of graphs from meet “Fine-grained control across multiple users” users’ relationship takes too long time. We use an example to requirements in Introduction) illustrate the problems of current models and give insights for solving them.

Figure 2. The graph based on users’ relationship

To solve the problems of current access control models, we have three insights for building a novel access control model which can meet the three basic requirements. Firstly, we found the low efficiency is caused by graph. Both Figure 1. The relationship among users construction and update of graphs are too time-consuming. Avoiding using such graphs in representing users’ Figure 1 gives an example: nodes in the figure represent confidence level can increase the efficiency. Based on this users, and edges connecting nodes represent the two users’ idea, we choose some useful attributes to reflect the user’s relationship. According to work [9], three kinds of status and characteristics. For example, attributes like relationship between users are typically defined: follower, number of photos and user VIP status can be considered. Secondly, we found that some operations across multiple Although we only show seven attributes in current users will cause the low efficiency (e.g., “forward” definition of lattice element, it is straightforward to add operation), because we have to check the policies belonging more attributes for some social networks. We use L = {l1, …, to each user one by one. The more number of involved users ln} to represent all lattice elements in a social network. A will decrease the efficiency in a linear way. To solve this user can choose the attributes that she cares to perform problem, our insight is that the newly designed access access control. control method should be quickly judging. Thirdly, we found Definition 2 (Average number of comments). Average that the frequent “update” of users’ attributes (e.g., number of comments Ci = Tci/Ti. Tci∈N is the total number relationship between friends) is a reason of low efficiency. of all comments of user i. The new model should reflect the value of those attributes in Definition 3 (Average number of messages). Average real time. That is, when a user updates her status (e.g., send a number of messages Tfi = Ttfi/Ti. Ttfi∈N is the number of new photo), the model can be quick enough to capture such all messages (of the user i) forwarded by other users. changes. Definition 4 (Lattice). Lattice = (L,≼) is a partially Based on these insights, we find that lattice [27] is a ordered set. Any two elements in L have a least upper bound potential data structure to meet the requirements. One and a greatest lower bound. advantage of lattice is that it is highly efficient to compare We use “join” operation (e1∧e2) to represent the least one element with others. Once a user’s attributes are packed upper bound of two elements (e and e ) and use “meet” into an element in a lattice, the comparison between two 1 2 operation (e ∨e ) to represent their greatest lower bound. users become quite efficient. Moreover, while an operation is 1 2 across multiple users, the least upper bound or greatest lower We define ≼ on two elements l1 and l2. Suppose l1 = and l2 =< Fr2, Fi2, V2, T2, C2, Tf2, I2 >. judgment of a request does not need to consider all the If l1 ≼l2, then each unit in l1 is less than l2. That is, Fr1≤Fr2, related users. The third requirement can also be met since it Fi1≤Fi2, T1≤T2, C1≤C2, Tf1≤Tf2, I1≤I2 and V1⊲V2 (we define is immediate for the element to reflect changes of a user’s SN⊲SY ). We say l2 is greater than l1 and each unit in l2 is status (only need to change the value of an attribute). greater than that in l1. Sometimes, a user’s status may not be Therefore, we leverage lattice to construct the access control available. We use “-” to represent this situation. For model.. example, < Frn,−,−,−,−,−,− > means only Frn is available. Any value of a unit is greater than −. III. LATTICE FOR SOCIAL NETWORKS However, the comparison of two elements cannot always give a result. If not all of the units in l are greater Based on the two insights in Section II, we use lattice to 1 than those in l , we cannot say l is greater. For example, construct access control model for social networks. In 2 1 suppose three elements in L are l1 = < 150, 135, particular, for each user, we construct an element (in lattice) S ,−,−,−,− > and l = < 120, 160, S ,−,−,−,− >. In this to represent her status. The element should be refreshed as Y 2 Y example, we cannot say l ≼ l or l ≼ l . This will impact the soon as the user’s status changes. 1 2 2 1 access control process. In this paper, we defined the result In social networks, the status of a user can be as denied. represented using multiple attributes such as the number of followers and the number of messages. These attributes IV. ACCESS CONTROL MODEL FOR SOCIAL NETWORKS show the first impression of a user, taking advantage of lattice which can be easily extended to more (diverse) Based on the definition of lattice, we define a novel attributes (in elements). For example, when a user Alice access control model. The model includes most of the decides whether her resources could be accessed by a features of a user in social network. By organizing them in a stranger Bob, Bob’s first impression is important to get partial order, the model achieves both capability and Alice’s approval. If Bob is a VIP user or has lots of flexibility. followers, he may be more likely to access Alice’s resources. A. Access Control Model For this representation, we fit those attributes into an Definition 5 (Access Control Model). The model M is a element. The formal definition is as follows. set of access control rules M = {m1,m2,…,mn}. For each m∈ Definition 1 (Lattice element). A lattice element li is a M, m = ( uid, lu , op, < ridbegin, ridend >, com, pt, t). uid is tuple of seven units, denoted as li =< Fri, Fii, Vi, Ti, Ci, Tfi, I >. Each unit represents an attribute of a user. Fr ∈N is the the id of a user, and lu is the lattice element of the user. com i i is the comparison operator between user and the requester number of followers of the user. Fii∈N shows how many (Definition 6). ridbegin and ridend indicate the range of the users in the social network are followed by the user. Vi∈ messages, using message ids. op is the operation (e.g. {SY,SN} shows whether the user is a VIP user (SY) or not (SN). forward, read, post, reply, mention(@)). pt = {Y ,N}, Ti∈N is the number of messages. Ci∈N is the average showing whether an access is permitted (Y ) or denied (N). t number of comments. Tfi ∈N is the average number of means the time period of posted messages. (Definition 7). messages forwarded by other users. We will give formal We also define partial order for elements in access definitions of Ci and Tfi in Definition 2 and 3. Ii∈N is the control model. This is very useful in optimizing policies. In number of images posted by the user. this paper, we define Y ≼pt N. Using this partial order, when a user’s two policies conflicts, we view it as denied. We also m2 = ( −, < 100, 50, SY ,−,−,−,− > , reply, < define partial order for operations. 1360,− >, ≼, N, −) In social networks, there are usually several kinds of m3 = ( −, < 1000,−, SN,−,−,−,− > , forward, < −,− >, operations (op). Most of them are listed in Table 1. ≽, Y , 10days) Sometimes, the privilege of one operation inherently m4 = ( −, − , favor, < −,− >, ≽, Y , −) includes that of another one. For example, if a user has the m5= ( Amy, − , modify, < −,− >, =, Y , −) privilege of “Forward” message, she can also “Read” or m6 = ( −, − , read, < −,− >, ≽, Y , −) “Favor” the message. In this situation, a user does not have In m1, the user’s lattice element lu is used instead of uid to define the permission for each operation. Instead, he only to limit other who can favor the resource of user u. In detail, needs to define the permission for operation “Forward”. any user having lattice element l ≽ lu (< 100, That means policies can be optimized. To achieve this, we 50,−,−,−,−,− >) can forward the resources with rid > 1360. give each operation a level using a number (in Table 1). In m2, any user with lattice element l ≼ lu (< 1000,−, Operations with different levels can be compared. We SN,−,−,−,− >) is denied to reply the resource with rid > define partially order (≼op) on operations. For example, 1360. In m3, any user with lattice element l ≽ < 1000,−, “Read” ≼op “Favor” ≼op “Forward” since their levels SN,−,−,−,− > can forward the resources if the time period meet ”1” ≼op”2” ≼op”3”. In other words, an operation with a between posting time and accessing time is more than lower level can be inferred from the operations with higher 10days. In m4, any user can favor resources. m5 shows only level. the user whose id is Amy can modify all the resources by herself. The read operation can be derived from favor, so TABLE I. OPERATION TYPES AND ALLOWED RANGE m4→m6, that means m6 can be derived from m4. Operation Types Operation Operation All the lattice elements in the policies can be derived Level Range from machine learning, which will not be discussed in this Post 3 Self paper. Modify 3 Self Delete 3 Self B. Appending Policies on Lattice Element Forward 3 Allowed Users Reply 2 Allowed Users After defining access control model, we can append the Favor 2 All Users policies on lattice elements for quick access control decision. Private Message 2 Allowed Users Mention 1 All Users In particular, for each lattice element, we add the Read 1 All Users corresponding policies to it. When there are more than one policy, we link them into a list. Definition 6 (Comparison Operator). Comparison First, we construct the lattice based on example1 as operator com compares two users. We can compare their ids figure3. As in figure 3, the red elements are the real (using operators { <, ≤, =, >, ≥}or their lattice elements policies’ elements in example 1. And we add the new (using operators { ≼, ≽}. elements as the black ones, which are the least upper bound Definition 7 (Time Period). Time period t = Τ(tnow- and the greatest lower bound in every two red ones. For tmessage). It shows the time period between the accessing time example, <1000,50,SN,-,-,-,-> is the least upper bound of and the post time of a message. tnow and tmessage are in the <100,50,-,-,-,-,-> and <1000,-,SN,-,-,-,->, and the <100,-,-,- form of "year/month/day " [17]. If there is no specific limit ,-,-,-> is the greatest lower bound. on the time, t =‘-’. For example, tmessage=[2015/9/1] , tnow=[2016/4/1], then t=213days. Definition 8 (Policy Derivation) Policy derivation “→” is used to optimize the policies. In our paper, we mainly focus on the combination of operation (op), comparison operator (com), permission (pt) and time (t) in rules (m). The combination of lattice is discussed in the process of lattice construction. For example, m1=( uid, lu , op1, < ridbegin, ridend >, com1, pt1, t1), m2=( uid, lu , op2, < ridbegin , ridend >, com2, pt2, t2). If (op1≼op op2)∩(com1≼com com2)∩(pt1≼pt pt2)∩(t1≼t t2), m2→m1. So we can optimize the policies. We use an example to illustrate the access control model. Figure 3. Example of lattice. In this example, we first define six access control rules (m1 ∼ m6 ) to protect Amy’s information. Then we explain how Then, we add these polices as Figure 4, which shows the these rules work. example after appending policies on lattice elements in Example 1 Figure 3. After constructing the lattice, we add an empty m1 = ( −, < 100, 50,−,−,−,−,− > , favor, < 1360,− >, element (<−,−,−,−,−,−,− >) to the bottom of Figure 4. ≽, Y , −) Since partial order exists in policies, we have to add these policies to corresponding nodes. In Example 3 and Figure 4, the users whose lattice elements are < 100, 50,−,−,−,−,− >, m1. Cathy is denied according to m2 since lrq =< 551, 22, SN, < 100, 50, SY ,−,−,−,− >, < 1000, 50, SN,−,−,−,− > or < 1510, 8, 6, 320 > ≱ < 100, 50, SY ,−,−,−,− >. Rq3 is only 1000, 50, SY ,−,−,−,− > are allowed to forward. Because allowed to forward resources if the time t3 is 10 days later these node all satisfied the policies m1. From m2, the users than the posting time, according to m3. Rq4 is allowed to whose lattice elements are < 100, 50,−,−,−,−,− >, < 100,−, read the resource because favor ≽ read and lrq meets the SN,−,−,−,− >, < 100,−,−,−,−,−,− >, < −,−,−,−,−,−,− > requirements according to m4 and TABLE 1. At last, Rq5 is are all denied to reply. From m3, < 1000,−, SN,−,−,−,− >, < allowed according to m5. 1000,50, SN, −,−,−,− > and < 1000, 50, SY ,−,−,−,− > are allowed to share resource 10days after posting. From m4, V. IMPLEMENTATION each node in Figure 4 is allowed to favor resources at any In order to verify our method, we designed and time. From m5, the policy is only added to implemented a prototype system called “LaBAC”. It is a <−,−,−,−,−,−,− >, which shows there is no restrict on middleware between users and social networks. Figure 5 lattice (because user id is used for access control). If M also shows the evaluation process in social networks access has other elements having partial orders (e.g., op, t). We can control decision. The main process of LaBAC is mainly use similar way to append them to the lattice as that in divided into two parts. The first one is to construct the lattice Figure 4. of policies based on policy set. The second one is access control decision. In this process, we first have to extract the requester’s characteristics and construct the lattice element, then compare it with the lattice structure of polices. The result will be given after the evaluation.

Figure 5. The Evaluation Processing.

A. Construct the lattice of policies The lattice of policies includes all the policies of a user. Figure 4. Example of lattice with policies. In this way, for each user, the lattice can be updated locally when a user adds or deletes a policy, which will not impact C. Policy Evaluation other users’ lattice elements. According to the high We use a bottom-up approach in lattice to evaluate efficiency, even if the operation is related to multiple users, whether an access request is allowed or not. We first define we can compare each user with the lattice. the access request and then use an example to show the In lattice-based access control model, policies can also evaluation process. be combined in lattice. In previous section, we know that Definition 8 (Access Request). Access request Rq is a different policies can be added to the elements in lattice. In request from a user (i.e., requester) to access some resources. Algorithm 1, we show how to append different policies in It is denoted as Rq = (< rqid , lrq >, opr ,< rrid ,mid >, tr). rqid the lattice. and lrq is the id and lattice of the requester. opr is the In Algorithm 1, we first construct the lattice from the requested operation. rrid are the id of the requested user, and access control rules (Step 1). Then we attach policies to the mid is the accessing message id. tr is the time of the request. lattice for quick access control decision (Step 2). Example 2 Particularly, in Step 1, for lattice element in each rule in Rq1 = ( Bob, < 210, 52, SN, 532, 5, 8, 210 > , favor, < access control rules (ACR), we put them into the lattice L. Amy,1460 >, t1) Then we create a least upper bound (element) for each two Rq = ( Cathy, < 551, 22, S , 1510, 8, 6, 320 > , reply, 2 N other elements until any two elements have a least upper < Amy,1460>, t ) 2 bound. We also add edges from an element to its least upper Rq = ( David, < 320000, 30, S , 17001, 540, 780, 3 Y bound. In Step 2, we check whether a policy applies to any 6453 > , forward, < Amy,− > , t ) 3 lattice element. If true, we attach the policy to the policy list Rq4 = ( David, < 320000, 30, SY , 17001, 540, 780, 6453 > , read, < Amy,− >, t ) of the element. Note that, if a policy does not apply to an 4 element, we do not need to compare other elements that are Rq5 = ( Amy, < 216, 100, SN, 4325, 18, 23, 1890 > , held by this element as the least upper bound due to the modify, < Amy,->, t5) We find Bob’s lattice element lrq =< 210, 52, SN, 532, 5, partial order property of lattice, which greatly increases the 8, 210 > ≽ < 100, 50,−,−,−,−,− >. From Figure 4, Bob is performance of constructing the lattice. allowed to favor Amy’s message (id is 1460) according to time) of both the two implementations. The results are shown as TABLE II.

Algorithm 2: Access control decision

We can see that the time of evaluation based on lattice is orders of magnitude shorter than the method based on linked list. This is due to the inherent characteristics (i.e., partial order) of lattice. When a request is compared with a set of policies, not all of them need to be compared. However, if the list-based comparison is used, each element needs to be compared. Because of this reason, our lattice-based access control model only needs 13 times of comparison even when there are 10,000 policies, while linked-list based model needs 10,000 times.

TABLE II. THE NUMBER OF COMPARISON BASED ON LINKED LIST AND LATTICE. Algorithm 1: How to construct lattice NR is the number of request; NP is the number of policies. NR NP Lattice Linked List B. Access control decision l 100 7 100 1000 10 1000 After the construction of lattice of policies, LaBAC can 10000 13 10000 give a Yes/No answer to the access request. In detail, when an access request comes, LaBAC first extracts the 10 100 66 1000 1000 100 10000 requester’s features and constructs a lattice element. Then 10000 133 100000 evaluation model compares the element with the lattice of policies. If the access request is allowed, the model 100 100 664 10000 continues the execution and lets the social network execute 1000 997 100000 10000 1329 1000000 the request. Otherwise, the request is denied. Algorithm 2 gives the details. We also compare the results of memory usage. The results show that the two implementations are similar (in VI. EVALUATION Table III). This means, LaBAC does not need too much We evaluated the effectiveness and efficiency of LaBAC more memory space for getting the high efficiency (only using tens of thousands of policies. several megabytes).

A. Effective and Efficiency TABLE III. THE MEMORY USAGE OF EVALUATION BASED ON LINKED LIST AND LATTICE We implemented the access control prototype using lattice. In order to compare the efficiency with others, we Number of Policies Linked List Lattice also performed a linked-list-based implementation which is 100 50KB 72KB commonly used by current access control models ([2,3]). 1000 500KB 659KB Then we gave them a set of requests as inputs. We measured 10000 5MB 6.33MB and compared the number of comparisons (indicating the We also compare this approach with graph-based access VII. RELATED WORK control models [6,9,13]. Given such a social network with Traditional access control models such as Discretionary 10,000,000 users, usually, each user has 208 friends in Access Control (DAC) [25], Mandatory Access Control average [30]. When graph-based access control models are used, a graph indicating the relationship between every two (MAC) [1,7], Role Based Access Control (RBAC) [2] and users may have to be first computed. To construct such a Attribute Based Access Control [3]) do not satisfy the graph, those approaches have to check the friends of each relationship-based architecture in social networks, which user (around 2 billion times, 10,000,000*200=2,000,000,000) makes them either incapable of or inefficient to handle the for initialization. Then for each request of an access, the large number of users (e.g., one million or even one billion) number of comparison is highly related to the policies. For in social networks. To solve this problem, some new access example, if a graph-based access control model allows a models are proposed. For example, B.Carminati et.al [9] friend’s friend (two-level friends) to access a resource (e.g., a proposed a rule-based access control model based on the message), it may have to compare 40,000 (i.e., 200*200) depth and trust-level of relationship. Based on this, the times for checking whether the requester is a friend of the authors also proposed privacy enhancing model [11], [12]. owner’s friend. The situation becomes more complex when Relationship-based access control model [13,14]) are built the graph is changing (almost happens many times in each according to the type and depth of relationship, and trust second, e.g., a user adds a new friend). Then the graph will level. The policies for authorization are defined using paths be updated, which takes long time. Because of this reason, on the graph. Trust-level-based access control models (e.g., social networks rarely use a policy that needs to compare D-FOAF [5] and SAC [6]) give a value to every two users three-level of friends. having some relationship in order to measure and compare If lattice-based access control model is used, it only takes the level of trustworthy. Access control is performed based several-times of comparison (Table II). Compared to 40,000 on the values. In the work [28], the authors proposed a new times in graph-based access control models, our model saves access control model for social networks by combining lots of time in judging access request. More efficiently, the update operation is quite simple in lattice-based access users’ relation and public information (e.g., countries, control model, whose lattice is rarely changed. Also, the hobbies and background). However, it is also time- model does not need to care about the levels of friends in the consuming. model (two-level of friends is almost the limit of graph- In addition, some researchers start to pay more attention based access control models). In this way, lattice-based to the protection of privacy in social networks. This is due access control can efficiently handle the requests in access to that some messages contain users’ private information control on social networks. (e.g., personal photos including several other users who may not want to post their photos online). So some researchers B. Case Study on Special Operations proposed frameworks to protect the shared messages. In the We show the capability of lattice based access control work [20], the authors proposed a multi-party authorization model. That is, it can handle the problem of complex framework to enable collaborative management of share operations. We use operation “forward” as an example here data, in which an access control model is used to capture the to illustrate. essence of multiparty authorization. In [10], the authors Suppose a user Alice defines an access control rule m3 = proposed a community-centric access control method called (−, < 1000, −, SN,−,−, −,− > , forward, < 1360,− >, ≽, myCommunity, in which they use some heuristic methods Y , 10days). That means, any user having lattice element l ≽ to efficiently compute myCommunity and evaluate the < 1000, −, SN,−,−,−,− > can forward the resources with traces. B.Carminati et al. proposed a semantic web based rid > 1360. Suppose user David with lattice < 320000, framework [29], which improves the social network access −,−,−,−,−,− > forwards the message (this is allowed control system based on semantic web tools. The according to the rules). He defines an access control rule m7 authorization is based on trust relationship. = ( −, < 200, 10,−,−,−,−,− > , forward, < 1020,− >, ≽, All these methods do not pay enough attention to the Y , −). Then if Cathy wants to forward this message from fine-grained control across multiple users and cannot David, she must meet Alice’s policy m3 and David’s policy achieve high efficiency. In this paper, we propose a novel m7. However, Cathy with lattice <551,22, −,−,−,−,−> does model based on lattice to solve these problems. not satisfy the condition of Alice, so the request is rejected. Note that, in the graph-based access control methods, the VIII. CONCLUSION S requester Cathy has to compare the relationship graph with We propose a novel user-centric lattice-based access Alice and the graph with David, which is time-consuming. control model. By giving each requester a unified lattice But in our method, only two comparisons are needed even if element and construct a lattice structure for each user there are more than one rules here because these policies are according to the policies, we compare the two corresponding all appended to the lattice. This is the reason why LaBAC can elements when a requester wants to access a message. Based achieve high performance. on the inherent characteristics (partial order) of lattice, the judging process is high-efficient. Also it is suitable for operations which are related to multi-users (e.g., the “forward”) by comparing multi-times. Finally, we did some [12] B Carminati, E Ferrari, R Heatherly, et al, ”Semantic web-based experiments to verify the access control model. The results social network access control”, Computers And Security, Vol.30(2-3), show that this model is capable, flexible and efficient. pp.108- 115, 2011. [13] P W L Fong, ”Relationship-Based Access Control: Protection Model and Policy Language”, CODASPY’11, pp.191-201, 2011. ACKNOWLEDGMENT [14] G Bruns, P Fong, I Siahaan, M Huth, ”Relationship-Based Access This research was financially supported by the National Control: Its Expression and Enforcement Through Hybrid Logic”, Natural Science Foundation of China (NSFC) (Grant CODASPY’ 12, pp.117-124, 2012. No.U1536106, 61303248, 61402456), National High [15] M Anwar, P W L Fong, ”A Visualization Tool for Evaluating Access Technology Research and Development Program of China Control Policies in Facebook-style Social Network Systems”, (863 Program) (No. 2015AA016006), Youth Innovation Proceedings of the 27th ACM Symposium on Applied Computing (SAC’12), 2012. Promotion Association CAS, and strategic priority research [16] L.C.Freeman, D.R.White, ”Using Galois Lattices to represent program of CAS (XDA06010701). Key Lab of Information Network Data”, Sociological Methodology, Vol.23, pp.127-146,1993. Network Security, Ministry of Public Security (C15604). [17] Bertino E., Bonatti PA, Ferrari E. ”TRBAC: A temporal role based access control model”. ACM Trans on Information and System REFERENCES Security (TISSEC), 2001, 4(3):191-233. [1] Bell D.Elliott, La Padula, Leonard J, ”Secure computer systems: [18] Z.Chu, S.Gianvecchio, H.Wang, S.Jajodia. ”Who is Tweeting on unified exposition and multics interpretation”, DTIC Document, 1976. Twitter: Human, Bot or Cyborg?”. ACSAC, pp:21-30, 2010. [2] Sandhu R S, Coyne E J, Feinstein H L, et al, ”Role-based access [19] https://www.facebook.com/. control models”, Computer, 29(2), pp.38-47, 1995. [20] H.Hu, G.Ahn. Multiparty authorization framework for data sharing in [3] Zhang X, Li Y, NALLA D, ”An Attribute-based access matrix online social networks. IFIP, 2011. model”, Proceedings of the 2005 ACM Symposium on Applied [21] Gang Wang, Tristan Konolige, Christo Wilson, Xiao Wang, Haitao Computing, pp.359-363, 2005. Zheng and Ben Y. Zhao,“ You are How You Click: Clickstream [4] C Zhang, J Sun, X Zhu, et al, ”Privacy and Security for Online Social Analysis for Sybil Detection“, Proceedings of the 22nd USENIX Networks: Challenges and Opportunities”, IEEE Network, pp. 13-18, Security Symposium, 2013. July/August 2010. [22] http://abcnews.go.com/Business/twitter-ipo-filing-reveals-500- [5] S R Kruk, S Grzonkowski, A Gzella, et al, ”D-FOAF: Distributed milliontweets-day/story?id=20460493 . Identity Management with Access Rights Delegation”, ASWC 2006, [23] http://www.emarketer.com/Article/Social-Networking-Reaches- LNCS 4185, pp. 140-154, 2006. Nearly-One-Four-Around-World/1009976. [6] B Ali, W Villegas, M Maheswaran, ”A trust based approach for [24] http://venturebeat.com/2015/01/28/facebook-passes-1-39b- protecting user data in social networks”, Proceedings of the 2007 monthlyactive-users-and-890m-daily-active-users/. conference of the center for advanced studies on Collaborative research, pp.1-4 , 2007. [25] Trusted Computer System Evaluation Criteria,United States Department of Defense. December 1985. DoD Standard 5200.28- [7] R. S. Sandhu. Lattice-based access control models, STD. Computer,Volume:26 , Issue: 11,pp:9-19,1993. [26] Jun Panga,Yang Zhanga, ”A new access control scheme for [8] http://o.canada.com/news/facebook-now-has-1-39-billion-active- Facebookstyle social networks”,Computers and Security,2015. users-890-million-daily-users [27] D.E.Denning,”A Lattice Model of Secure Information [9] B Carminati, E Ferrari, A Perego, ”Rule-Based Access Control for Flow”,Operating System, 1975. Social Networks”, On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, LNCS 4278, pp.1734-1744, 2006. [28] Jun Pang, Yang Zhang. “A new access control scheme for facebookstyle social networks”, Computer and security,54 , pp.44-59, 2015. [10] A.Ranjbar, M.Maheswaran. A case for community-centric controls for information sharing on online social networks. IEEE Globecom [29] B.Carminati, E.Ferrari, et al. A semantic web based framework for 2010 workshop on complex and communication networks. social network access control. SACMAT’09. [11] B Carminati, E Ferrari, A Perego, ”Enforcing access conntrol in [30] http://yourescapefrom9to5.com/average-number-of-twitter-followers- webbased social networks”, ACM Transactions on Information and is-208-infographic. System Security, vol 13(1), pp. 1-38, 2009.