A Lattice-based Access Control Model for Social Networks
Yingjun Zhang (1), Kai Chen (2), Yuling Liu (1), Yifeng Lian (1)
(1) Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China
(2) Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Abstract—Nowadays, social networks have been used widely. They help people communicate with family, friends or colleagues easily. However, they lack effective protection and monitoring of message transmission. In addition, the rapid updates of messages and user information also create difficulties for administrators. The existing security protection mechanisms in social networks cannot protect users' private information effectively. In this paper, a lattice-based access control method is used to solve these problems. In our method, first, we extract users' attributes to form the lattice element and construct the access control model based on the lattice according to the policies; then we define the partial relation to optimize the policies and append the policies to lattice elements; at last, we do some experiments to verify it.

Keywords: social networks; access control; lattice

I. INTRODUCTION

Social networks have become indispensable in most people's daily life. Facebook [19], one of the most famous social networks, has over 890 million daily active users around the world [8]. Twitter, with 288 million monthly active users, has 500 million Tweets sent per day [22]. According to eMarketer reports [23], there are more than 1,200,000,000 users in social networks. When using the social network, users like to upload their photos, share their positions and talk to their families and friends. Those common operations make the social network full of users' sensitive private information.

While holding such a large amount of private information, social networks should give the information enough protection according to users' requirements. Access control is an effective way. However, traditional access control models (e.g., DAC [25], MAC [1], RBAC [2] and ABAC [3]) are incapable or inefficient to support millions of users (with complex relationships) in social networks [4]. Some new access models (e.g., Rule-based access control model [9] and Relationship-based access control model [13]) are proposed to handle the problem of the large number of users. But they cannot always meet the basic requirements of access control for social networks as follows:

- High efficiency. Current access control models for social networks are not efficient enough. For example, the relationship-based model has to construct the relationship graph of all of a user's friends, which is extremely time-consuming, so that no relationship-based approaches have been really applied in modern social networks. Also, it is known that a user's friends can change highly frequently. It is not efficient to update the graph whenever his friend information is updated.
- Fine-grained control across multiple users. Current models do not support access control across multiple users well. For example, when a message of a user A is forwarded by another user B, it is highly difficult for user A to control who can view/forward the forwarded message (since current access models only consider the message as B's and care about who can view B's message).
- Handle timely information. The value of information changes with time. On the one hand, the requester's status should be updated in time. On the other hand, a timely message attracts users who intensively like to forward or comment. As time goes by, the message may not attract their attention any more. So the bar for accessing the message should be lowered with time.

Considering the large number of users (e.g., billions of users in Facebook, Twitter, Weibo and WeChat), it is fairly hard to meet the requirements above. In this paper, we propose a novel user-centric lattice-based access control model. By extracting several attributes and forming a lattice element, a user can define the access control policies which meet the three requirements mentioned above. Specially, a lattice structure is constructed using these policies for each user. When a message of user A is accessed by another user B, B's lattice element using his attributes is compared with the lattice structure of A. The comparison result determines whether the access is allowed or not.

Lattice has a good property: it can be easily extended with more (diverse) attributes (i.e., elements), and it is highly efficient to compare an attribute with elements in a lattice (the lattice has a partial relationship, so the comparison does not need to go through all elements). Also, there is no need to spend lots of effort to construct a global graph of relationships among all users. When a user changes his status, it can be reflected in his lattice element instantly. Secondly, lattice supports fine-grained control across multiple users. No matter how many users forward a message, the attributes of those users can be compared with the lattice one by one, so the comparison still happens between only two sets of attributes. Thirdly, every user can be defined using a set of attributes, which lets a user fairly recognize others only through the attributes, avoiding allowing the unknown friends' friend or Sybil users [21] to access sensitive messages. To meet the last requirement, the lattice element can be abstract when accessing some messages, so the status can be updated timely. In addition, the time information can be attached as an attribute with a message to reflect the timely information. In sum, the contributions are as follows:

- To the best of our knowledge, we are the first to propose a user-centric lattice-based access control model for social networks. Using this model, each of the billions of users can define their own access control policies using attributes of users.
- We propose a method for policy appending. After constructing the lattice structure, we can append the policies to the element in the lattice. So the requester can compare the attributes with the lattice element to do the evaluation efficiently.
- We did some experiments to verify the access control model. The results show that this model is capable, flexible and efficient.

This paper is organized as follows. Section 2 describes the motivation. Section 3 presents the lattice for social networks. Section 4 gives the access control model for social networks. Section 5 and Section 6 show our implementation and evaluation. Section 7 and Section 8 give related work and conclusion.

II. MOTIVATION

Messages in social networks can be forwarded many times (e.g., tens of thousands) across different users. Applying current main access control models for social networks (e.g., relationship-based models [13] and trust-based models [6]) is extremely inefficient because the construction and update of various kinds of graphs from users' relationships takes too long. We use an example to illustrate the problems of current models and give insights for solving them.

Figure 1. The relationship among users

Figure 1 gives an example: nodes in the figure represent users, and edges connecting nodes represent the two users' relationship. According to work [9], three kinds of relationship between users are typically defined: follower, friend and stranger. "Follower" is easy to understand. In Figure 1, C is a follower of E. We also note that A is B's follower and B is also A's follower. Then the relationship between A and B is defined as friends. If two users do not follow each other, their relationship is "stranger". Trust level is usually defined for each pair of users, and a concrete number is used to represent the closeness of such level. For example, the trust level for friend, follower and stranger are 0.6, 0.3 and 0, respectively (as shown in Figure 2). Suppose A posts a message and it is also forwarded by B, C, D and F. Whether H can forward the message depends on the trust level between A and H. In particular, the path between A and H should be figured out and the trust level between each pair of users should be considered. In this example, there are two paths (i.e., A-B-D-H and A-B-C-F-H) between A and H. So the calculation of trust level between A and H should be performed twice. For a big graph consisting of millions of users, the graph will be very complex, containing a huge number of different paths, which makes it quite difficult to compute the trust level between two users. This is the main reason why current access control models are so inefficient. Also, users' relationship (i.e., follower, friend and stranger) can be changed highly frequently. Under this access control model, the relationship must also be updated frequently ("Timely information" requirement in Introduction). This is so time-consuming for judging whether an access request can be allowed or not (does not meet "high efficiency" requirement in Introduction). One may think of only allowing friends to forward a message (i.e., one-level friendship in relationship-based models). This does not need to traverse a graph globally for finding paths between two users. For example, if C wants to forward B's message which is forwarded from A, C only has to check whether she can access B's message. So A cannot control the region of spreading the message. Neither can she control every user for accessing (does not meet "Fine-grained control across multiple users" requirements in Introduction).

Figure 2. The graph based on users' relationship

To solve the problems of current access control models, we have three insights for building a novel access control model which can meet the three basic requirements. Firstly, we found the low efficiency is caused by the graph. Both construction and update of graphs are too time-consuming. Avoiding using such graphs in representing users' confidence level can increase the efficiency. Based on this idea, we choose some useful attributes to reflect the user's status and characteristics. For example, attributes like number of photos and user VIP status can be considered. Secondly, we found that some operations across multiple users will cause the low efficiency (e.g., "forward" operation), because we have to check the policies belonging to each user one by one. The more users are involved, the more the efficiency decreases, in a linear way. To solve this problem, our insight is that the newly designed access control method should be quick in judging. Thirdly, we found that the frequent "update" of users' attributes (e.g., relationship between friends) is a reason for low efficiency. The new model should reflect the value of those attributes in real time. That is, when a user updates her status (e.g., sends a new photo), the model can be quick enough to capture such changes.

Based on these insights, we find that lattice [27] is a potential data structure to meet the requirements. One advantage of lattice is that it is highly efficient to compare one element with others. Once a user's attributes are packed into an element in a lattice, the comparison between two users becomes quite efficient. Moreover, while an operation is across multiple users, the least upper bound or greatest lower

Although we only show seven attributes in current definition of lattice element, it is straightforward to add more attributes for some social networks. We use L = {l1, …, ln} to represent all lattice elements in a social network. A user can choose the attributes that she cares about to perform access control.

Definition 2 (Average number of comments). Average number of comments Ci = Tci/Ti. Tci∈N is the total number of all comments of user i.

Definition 3 (Average number of messages). Average number of messages Tfi = Ttfi/Ti. Ttfi∈N is the number of all messages (of the user i) forwarded by other users.

Definition 4 (Lattice). Lattice = (L,≼) is a partially ordered set. Any two elements in L have a least upper bound and a greatest lower bound.

We use "join" operation (e1∧e2) to represent the least upper bound of two elements (e1 and e2) and use "meet" operation (e1∨e2) to represent their greatest lower bound.

We define ≼ on two elements l1 and l2. Suppose l1 =
Figure 4. Example of lattice with policies.

C. Policy Evaluation

We use a bottom-up approach in the lattice to evaluate whether an access request is allowed or not. We first define the access request and then use an example to show the evaluation process.

Definition 8 (Access Request). Access request Rq is a request from a user (i.e., requester) to access some resources. It is denoted as Rq = (<rqid, lrq>, opr, <rrid, mid>, tr). rqid and lrq are the id and lattice of the requester. opr is the requested operation. rrid is the id of the requested user, and mid is the accessing message id. tr is the time of the request.

Example 2
Rq1 = (Bob, <210, 52, SN, 532, 5, 8, 210>, favor, <Amy, 1460>, t1)
Rq2 = (Cathy, <551, 22, SN, 1510, 8, 6, 320>, reply, <Amy, 1460>, t2)
Rq3 = (David, <320000, 30, SY, 17001, 540, 780, 6453>, forward, <Amy, −>, t3)
Rq4 = (David, <320000, 30, SY, 17001, 540, 780, 6453>, read, <Amy, −>, t4)
Rq5 = (Amy, <216, 100, SN, 4325, 18, 23, 1890>, modify, <Amy, −>, t5)

We find Bob's lattice element lrq = <210, 52, SN, 532, 5, 8, 210> ≽ <100, 50, −, −, −, −, −>. From Figure 4, Bob is allowed to favor Amy's message (id is 1460) according to

Figure 5. The Evaluation Processing.

A. Construct the lattice of policies

The lattice of policies includes all the policies of a user. In this way, for each user, the lattice can be updated locally when a user adds or deletes a policy, which will not impact other users' lattice elements. According to the high efficiency, even if the operation is related to multiple users, we can compare each user with the lattice.

In the lattice-based access control model, policies can also be combined in the lattice. In the previous section, we know that different policies can be added to the elements in the lattice. In Algorithm 1, we show how to append different policies in the lattice.

In Algorithm 1, we first construct the lattice from the access control rules (Step 1). Then we attach policies to the lattice for quick access control decision (Step 2). Particularly, in Step 1, for the lattice element in each rule in the access control rules (ACR), we put them into the lattice L. Then we create a least upper bound (element) for each two other elements until any two elements have a least upper bound. We also add edges from an element to its least upper bound. In Step 2, we check whether a policy applies to any lattice element. If true, we attach the policy to the policy list of the element. Note that, if a policy does not apply to an element, we do not need to compare other elements that are held by this element as the least upper bound due to the partial order property of lattice, which greatly increases the performance of constructing the lattice.

Algorithm 1: How to construct lattice

B. Access control decision

After the construction of the lattice of policies, LaBAC can give a Yes/No answer to the access request. In detail, when an access request comes, LaBAC first extracts the requester's features and constructs a lattice element. Then the evaluation model compares the element with the lattice of policies. If the access request is allowed, the model continues the execution and lets the social network execute the request. Otherwise, the request is denied. Algorithm 2 gives the details.

Algorithm 2: Access control decision

VI. EVALUATION

We evaluated the effectiveness and efficiency of LaBAC using tens of thousands of policies.

A. Effectiveness and Efficiency

We implemented the access control prototype using lattice. In order to compare the efficiency with others, we also performed a linked-list-based implementation which is commonly used by current access control models ([2,3]). Then we gave them a set of requests as inputs. We measured and compared the number of comparisons (indicating the time) of both implementations. The results are shown in TABLE II.

TABLE II. THE NUMBER OF COMPARISON BASED ON LINKED LIST AND LATTICE.
NR is the number of request; NP is the number of policies.

NR     NP       Lattice   Linked List
1      100      7         100
1      1000     10        1000
1      10000    13        10000
10     100      66        1000
10     1000     100       10000
10     10000    133       100000
100    100      664       10000
100    1000     997       100000
100    10000    1329      1000000

We can see that the time of evaluation based on lattice is orders of magnitude shorter than the method based on linked list. This is due to the inherent characteristics (i.e., partial order) of lattice. When a request is compared with a set of policies, not all of them need to be compared. However, if the list-based comparison is used, each element needs to be compared. For this reason, our lattice-based access control model only needs 13 comparisons even when there are 10,000 policies, while the linked-list based model needs 10,000.

We also compare the results of memory usage. The results show that the two implementations are similar (in Table III). This means LaBAC does not need too much more memory space for getting the high efficiency (only several megabytes).

TABLE III. THE MEMORY USAGE OF EVALUATION BASED ON LINKED LIST AND LATTICE

Number of Policies   Linked List   Lattice
100                  50KB          72KB
1000                 500KB         659KB
10000                5MB           6.33MB

We also compare this approach with graph-based access control models [6,9,13]. Given such a social network with 10,000,000 users, usually, each user has 208 friends in average [30]. When graph-based access control models are used, a graph indicating the relationship between every two users may have to be first computed. To construct such a graph, those approaches have to check the friends of each user (around 2 billion times, 10,000,000*200=2,000,000,000) for initialization. Then for each request of an access, the number of comparisons is highly related to the policies. For example, if a graph-based access control model allows a friend's friend (two-level friends) to access a resource (e.g., a message), it may have to compare 40,000 (i.e., 200*200) times for checking whether the requester is a friend of the owner's friend. The situation becomes more complex when the graph is changing (almost happens many times in each second, e.g., a user adds a new friend). Then the graph will be updated, which takes a long time. Because of this reason, social networks rarely use a policy that needs to compare three-level of friends.

If the lattice-based access control model is used, it only takes several comparisons (Table II). Compared to 40,000 times in graph-based access control models, our model saves lots of time in judging access requests. More efficiently, the update operation is quite simple in the lattice-based access control model, whose lattice is rarely changed. Also, the model does not need to care about the levels of friends in the model (two-level of friends is almost the limit of graph-based access control models). In this way, lattice-based access control can efficiently handle the requests in access control on social networks.

B. Case Study on Special Operations

We show the capability of the lattice-based access control model. That is, it can handle the problem of complex operations. We use operation "forward" as an example here to illustrate.

Suppose a user Alice defines an access control rule m3 = (−, <1000, −, SN, −, −, −, −>, forward, <1360, −>, ≽, Y, 10days). That means, any user having lattice element l ≽ <1000, −, SN, −, −, −, −> can forward the resources with rid > 1360. Suppose user David with lattice <320000, −, −, −, −, −, −> forwards the message (this is allowed according to the rules). He defines an access control rule m7 = (−, <200, 10, −, −, −, −, −>, forward, <1020, −>, ≽, Y, −). Then if Cathy wants to forward this message from David, she must meet Alice's policy m3 and David's policy m7. However, Cathy with lattice <551, 22, −, −, −, −, −> does not satisfy the condition of Alice, so the request is rejected. Note that, in the graph-based access control methods, the requester Cathy has to compare the relationship graph with Alice and the graph with David, which is time-consuming. But in our method, only two comparisons are needed even if there is more than one rule here, because these policies are all appended to the lattice. This is the reason why LaBAC can achieve high performance.

VII. RELATED WORK

Traditional access control models such as Discretionary Access Control (DAC) [25], Mandatory Access Control (MAC) [1,7], Role Based Access Control (RBAC) [2] and Attribute Based Access Control [3] do not satisfy the relationship-based architecture in social networks, which makes them either incapable of or inefficient to handle the large number of users (e.g., one million or even one billion) in social networks. To solve this problem, some new access models are proposed. For example, B. Carminati et al. [9] proposed a rule-based access control model based on the depth and trust-level of relationship. Based on this, the authors also proposed a privacy enhancing model [11], [12]. Relationship-based access control models [13,14] are built according to the type and depth of relationship, and trust level. The policies for authorization are defined using paths on the graph. Trust-level-based access control models (e.g., D-FOAF [5] and SAC [6]) give a value to every two users having some relationship in order to measure and compare the level of trustworthiness. Access control is performed based on the values. In the work [28], the authors proposed a new access control model for social networks by combining users' relation and public information (e.g., countries, hobbies and background). However, it is also time-consuming.

In addition, some researchers start to pay more attention to the protection of privacy in social networks. This is because some messages contain users' private information (e.g., personal photos including several other users who may not want to post their photos online). So some researchers proposed frameworks to protect the shared messages. In the work [20], the authors proposed a multi-party authorization framework to enable collaborative management of shared data, in which an access control model is used to capture the essence of multiparty authorization. In [10], the authors proposed a community-centric access control method called myCommunity, in which they use some heuristic methods to efficiently compute myCommunity and evaluate the traces. B. Carminati et al. proposed a semantic web based framework [29], which improves the social network access control system based on semantic web tools. The authorization is based on trust relationship.

All these methods do not pay enough attention to the fine-grained control across multiple users and cannot achieve high efficiency. In this paper, we propose a novel model based on lattice to solve these problems.

VIII. CONCLUSIONS

We propose a novel user-centric lattice-based access control model. By giving each requester a unified lattice element and constructing a lattice structure for each user according to the policies, we compare the two corresponding elements when a requester wants to access a message. Based on the inherent characteristics (partial order) of lattice, the judging process is highly efficient. Also it is suitable for operations which are related to multiple users (e.g., the "forward") by comparing multiple times. Finally, we did some experiments to verify the access control model. The results show that this model is capable, flexible and efficient.

ACKNOWLEDGMENT

This research was financially supported by the National Natural Science Foundation of China (NSFC) (Grant No.U1536106, 61303248, 61402456), National High Technology Research and Development Program of China (863 Program) (No. 2015AA016006), Youth Innovation Promotion Association CAS, and strategic priority research program of CAS (XDA06010701). Key Lab of Information Network Security, Ministry of Public Security (C15604).

REFERENCES

[1] Bell D. Elliott, La Padula, Leonard J, "Secure computer systems: unified exposition and multics interpretation", DTIC Document, 1976.
[2] Sandhu R S, Coyne E J, Feinstein H L, et al, "Role-based access control models", Computer, 29(2), pp.38-47, 1995.
[3] Zhang X, Li Y, NALLA D, "An Attribute-based access matrix model", Proceedings of the 2005 ACM Symposium on Applied Computing, pp.359-363, 2005.
[4] C Zhang, J Sun, X Zhu, et al, "Privacy and Security for Online Social Networks: Challenges and Opportunities", IEEE Network, pp.13-18, July/August 2010.
[5] S R Kruk, S Grzonkowski, A Gzella, et al, "D-FOAF: Distributed Identity Management with Access Rights Delegation", ASWC 2006, LNCS 4185, pp.140-154, 2006.
[6] B Ali, W Villegas, M Maheswaran, "A trust based approach for protecting user data in social networks", Proceedings of the 2007 conference of the center for advanced studies on Collaborative research, pp.1-4, 2007.
[7] R. S. Sandhu, "Lattice-based access control models", Computer, Volume 26, Issue 11, pp.9-19, 1993.
[8] http://o.canada.com/news/facebook-now-has-1-39-billion-active-users-890-million-daily-users
[9] B Carminati, E Ferrari, A Perego, "Rule-Based Access Control for Social Networks", On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, LNCS 4278, pp.1734-1744, 2006.
[10] A. Ranjbar, M. Maheswaran, "A case for community-centric controls for information sharing on online social networks", IEEE Globecom 2010 workshop on complex and communication networks.
[11] B Carminati, E Ferrari, A Perego, "Enforcing access control in web-based social networks", ACM Transactions on Information and System Security, vol 13(1), pp.1-38, 2009.
[12] B Carminati, E Ferrari, R Heatherly, et al, "Semantic web-based social network access control", Computers And Security, Vol.30(2-3), pp.108-115, 2011.
[13] P W L Fong, "Relationship-Based Access Control: Protection Model and Policy Language", CODASPY'11, pp.191-201, 2011.
[14] G Bruns, P Fong, I Siahaan, M Huth, "Relationship-Based Access Control: Its Expression and Enforcement Through Hybrid Logic", CODASPY'12, pp.117-124, 2012.
[15] M Anwar, P W L Fong, "A Visualization Tool for Evaluating Access Control Policies in Facebook-style Social Network Systems", Proceedings of the 27th ACM Symposium on Applied Computing (SAC'12), 2012.
[16] L. C. Freeman, D. R. White, "Using Galois Lattices to represent Network Data", Sociological Methodology, Vol.23, pp.127-146, 1993.
[17] Bertino E., Bonatti PA, Ferrari E., "TRBAC: A temporal role based access control model", ACM Trans on Information and System Security (TISSEC), 2001, 4(3):191-233.
[18] Z. Chu, S. Gianvecchio, H. Wang, S. Jajodia, "Who is Tweeting on Twitter: Human, Bot or Cyborg?", ACSAC, pp.21-30, 2010.
[19] https://www.facebook.com/.
[20] H. Hu, G. Ahn, "Multiparty authorization framework for data sharing in online social networks", IFIP, 2011.
[21] Gang Wang, Tristan Konolige, Christo Wilson, Xiao Wang, Haitao Zheng and Ben Y. Zhao, "You are How You Click: Clickstream Analysis for Sybil Detection", Proceedings of the 22nd USENIX Security Symposium, 2013.
[22] http://abcnews.go.com/Business/twitter-ipo-filing-reveals-500-milliontweets-day/story?id=20460493 .
[23] http://www.emarketer.com/Article/Social-Networking-Reaches-Nearly-One-Four-Around-World/1009976.
[24] http://venturebeat.com/2015/01/28/facebook-passes-1-39b-monthlyactive-users-and-890m-daily-active-users/.
[25] Trusted Computer System Evaluation Criteria, United States Department of Defense. December 1985. DoD Standard 5200.28-STD.
[26] Jun Pang, Yang Zhang, "A new access control scheme for Facebook-style social networks", Computers and Security, 2015.
[27] D. E. Denning, "A Lattice Model of Secure Information Flow", Operating System, 1975.
[28] Jun Pang, Yang Zhang, "A new access control scheme for facebook-style social networks", Computer and security, 54, pp.44-59, 2015.
[29] B. Carminati, E. Ferrari, et al, "A semantic web based framework for social network access control", SACMAT'09.
[30] http://yourescapefrom9to5.com/average-number-of-twitter-followers-is-208-infographic.
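The "forward" check from the case study in Section VI.B, written out as an added example; this is not the authors' LaBAC implementation. It compares a requester's lattice element against the rule of every owner on the forwarding path and denies on the first rule that is not dominated. Assumptions: the status attribute is ordered SN ≼ SY, requester elements are the fully specified ones from Example 2, the `Rule` field names and the message id are constructed, and the rule's decision and validity-time fields are left out.

```python
from dataclasses import dataclass
from typing import Tuple

ANY = None  # the "−" entry in a rule's lattice element: attribute not constrained

# Assumption: the surviving text does not define how the status attribute is
# ordered; this example ranks SN below SY so a SY requester satisfies SN.
STATUS_RANK = {"SN": 0, "SY": 1}

Element = Tuple[object, ...]  # 7-attribute lattice element, as in Example 2


def _rank(value):
    """Map an attribute value (number or status label) to a comparable number."""
    return STATUS_RANK[value] if isinstance(value, str) else value


def dominates(requester: Element, threshold: Element) -> bool:
    """True when requester ≽ threshold on every attribute the rule constrains."""
    if len(requester) != len(threshold):
        raise ValueError("lattice elements must have the same number of attributes")
    if any(value is ANY for value in requester):
        raise ValueError("this example expects a fully specified requester element")
    return all(need is ANY or _rank(have) >= _rank(need)
               for have, need in zip(requester, threshold))


@dataclass(frozen=True)
class Rule:
    owner: str          # user who defined the rule (hypothetical field name)
    threshold: Element  # lattice element the requester must dominate
    operation: str      # operation the rule governs
    min_rid: int        # rule covers resources with rid > min_rid


def check_forward_chain(requester: Element, message_id: int, chain):
    """Evaluate a forward request against each owner's rule on the path.

    Returns (allowed, denying_owner). Default deny: a hop whose rule does not
    cover the message, or is not dominated, rejects the whole request.
    """
    for rule in chain:
        covered = rule.operation == "forward" and message_id > rule.min_rid
        if not covered or not dominates(requester, rule.threshold):
            return False, rule.owner
    return True, None


# Requester elements from Example 2.
BOB = (210, 52, "SN", 532, 5, 8, 210)
CATHY = (551, 22, "SN", 1510, 8, 6, 320)
DAVID = (320000, 30, "SY", 17001, 540, 780, 6453)

# Rules m3 (Alice) and m7 (David) from the case study.
M3 = Rule("Alice", (1000, ANY, "SN", ANY, ANY, ANY, ANY), "forward", 1360)
M7 = Rule("David", (200, 10, ANY, ANY, ANY, ANY, ANY), "forward", 1020)

MESSAGE_ID = 1460  # constructed: any rid above both rules' lower bounds

if __name__ == "__main__":
    print("David forwards Alice's message:",
          check_forward_chain(DAVID, MESSAGE_ID, [M3]))
    print("Cathy forwards it from David:  ",
          check_forward_chain(CATHY, MESSAGE_ID, [M3, M7]))
```

Cathy dominates David's rule m7 but not Alice's m3 (551 < 1000), so the original owner's policy still decides the outcome after the message has been forwarded once.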