
Computers & Security 30 (2011) 108–115
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/cose

Semantic web-based social network access control

Barbara Carminati a, Elena Ferrari a, Raymond Heatherly b,*, Murat Kantarcioglu b, Bhavani Thuraisingham b

a The University of Insubria, Via Mazzini, 5 Varese, Italy
b The University of Texas at Dallas, Computer Science, 800 W. Campbell Road, Richardson, Texas 75080, USA

* Corresponding author. E-mail addresses: [email protected] (B. Carminati), [email protected] (E. Ferrari), [email protected] (R. Heatherly), [email protected] (M. Kantarcioglu), [email protected] (B. Thuraisingham).
0167-4048/$ – see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2010.08.003

Article history: Received 11 April 2010; Received in revised form 16 August 2010; Accepted 27 August 2010
Keywords: Social network; Access control; Semantic inference; Experimentation; Implementation

Abstract

The existence of online social networks that include person-specific information creates interesting opportunities for various applications ranging from marketing to community organization. On the other hand, security and privacy concerns need to be addressed before such applications can be created. Improving social network access control systems appears to be the first step toward addressing the existing security and privacy concerns related to online social networks. To address some of the current limitations, we have created an experimental social network using synthetic data, which we then use to test the efficacy of the semantic reasoning based approaches we have previously suggested.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

On-line Social Networks (OSNs) are platforms that allow people to publish details about themselves and to connect to other members of the network through links. Recently, the popularity of OSNs has been increasing significantly. For example, Facebook now claims to have more than a hundred million active users.1 The existence of OSNs that include person-specific information creates both interesting opportunities and challenges. For example, social network data could be used for marketing products to the right customers. At the same time, security and privacy concerns can prevent such efforts in practice (Berteau, 2007). Improving OSN access control systems appears to be the first step toward addressing the existing security and privacy concerns related to online social networks. However, most current OSNs implement very basic access control systems, by simply letting a user decide which personal information is accessible by other members by marking a given item as public, private, or accessible by their direct contacts. In order to give more flexibility, some online social networks enforce variants of these settings, but the principle is the same. For instance, besides the basic settings, Bebo (http://bebo.com), Facebook (http://facebook.com), and Multiply (http://multiply.com) support the option "selected friends"; Last.fm (http://last.fm) the option "neighbors" (i.e., the set of users having musical preferences and tastes similar to mine); Facebook, Friendster (http://friendster.com), and Orkut (http://www.orkut.com) the option "friends of friends"; Xing (http://xing.com) the options "contacts of my contacts" (2nd degree contacts), and "3rd" and "4th degree contacts". It is important to note that all these approaches have the advantage of being easy to implement, but they lack flexibility. In fact, the available protection settings do not allow users to easily specify their access control requirements, in that they are either too restrictive or too loose. Furthermore, existing solutions are platform-specific and are hard to implement for various different online social networks.

1 http://www.facebook.com/press/info.php?Fstatistics.

To address some of these limitations, we propose an extensible, fine-grained OSN access control model based on semantic web technologies. Our main idea is to encode social network-related information by means of an ontology. In particular, we suggest modeling the following five important aspects of OSNs using semantic web ontologies: (1) users' profiles, (2) relationships among users (e.g., Bob is Alice's close friend), (3) resources (e.g., online photo albums), (4) relationships between users and resources (e.g., Bob is the owner of the photo album), (5) actions (e.g., post a message on someone's wall). By constructing such an ontology, we model the Social Network Knowledge Base (SNKB). The main advantage of using an ontology for modeling OSN data is that relationships among many different social network concepts can be naturally represented using OWL. Furthermore, by using reasoning, many inferences about such relationships can be made automatically. Our access control enforcement mechanism is then implemented by exploiting this knowledge. In particular, the idea is to define security policies as rules (see Section 3), whose antecedents state conditions on the SNKB, and whose consequents specify the authorized actions. We propose to encode the authorizations implied by security policies by means of an ontology, obtaining the Security Authorization Knowledge Base (SAKB). Thus, security policies have to be translated into rules whose antecedents and consequents are expressed on the ontology. To achieve this goal, we use the Semantic Web Rule Language (SWRL) (Horrocks et al., 2004). As a consequence, the access control policies can be enforced by simply querying the authorizations, that is, the SAKB. The query can be directly implemented by the ontology reasoner by means of instance checking operations, or can be performed by a SPARQL query if the ontology is serialized in RDF. In this paper, we focus on how to model such a fine-grained social network access control system using semantic web technologies. We also assume that a centralized reference monitor hosted by the social network manager will enforce the required policies. Since our proposed approach depends on extensible ontologies, it could be easily adapted to various online social networks by modifying the ontologies in our SNKB. Furthermore, as we discuss in detail later in the paper, semantic web tools allow us to define more fine-grained access control policies than the ones provided by current OSNs.

The paper is organized as follows. In Section 2, we provide a brief discussion of current security and privacy research related to online social networks. In Section 3, we introduce a high level overview of the security policies we support in our framework. In addition to access control policies, we state filtering policies that allow a user (or one of her supervisors) to customize the content she accesses. We also introduce administration policies, stating who is authorized to specify access control and filtering policies. In Section 4, we discuss how security policies could be enforced. In Section 5, we give [...] 7 we discuss and provide the results of experiments using our implementation of semantic web-based access control for social networks. Finally, we conclude the paper in Section 8.

2. Related work

Past research on OSN security has mainly focused on privacy-preserving techniques to allow statistical analysis on social network data without compromising OSN members' privacy (see Carminati et al. (2008) for a survey on this topic). In contrast, access control for OSNs is a relatively new research area. As far as we are aware, the only other proposals of an access control mechanism for online social networks are the works by Kruk et al. (2006), Ali et al. (2007) and Carminati et al. (2008). The D-FOAF system (Kruk et al., 2006) is primarily a Friend of a Friend (FOAF) ontology-based distributed identity management system for social networks, where access rights and trust delegation management are provided as additional services. In D-FOAF, relationships are associated with a trust level, which denotes the level of friendship existing between the users participating in a given relationship. Although the work by Kruk et al. (2006) discusses only generic relationships, corresponding to the ones modeled by the foaf:knows RDF property in the FOAF vocabulary (Brickley and Miller, 2007), another D-FOAF-related paper (Choi et al., 2006) also considers the case of multiple relationship types. As far as access rights are concerned, they denote authorized users in terms of the minimum trust level and maximum length of the paths connecting the requester to the resource owner. In the work by Ali et al. (2007), the authors adopt a multi-level security approach, where trust is the only parameter used to determine the security level of both users and resources. In the work by Carminati et al. (2009b), a semi-decentralized discretionary access control model and a related enforcement mechanism for controlled sharing of information in OSNs is presented. The model allows the specification of access rules for online resources, where authorized users are denoted in terms of the relationship type, depth, and trust level existing between nodes in the network.

Compared to existing approaches, we use semantic web technologies to represent much richer forms of relationships among users, resources and actions. For example, we are able to represent access control rules that leverage relationship hierarchies: using OWL reasoning tools, we can infer that a "close friend" is also a "friend", and that anything accessible by a friend could also be accessible by a "close friend". In addition, our proposed solution could be easily adapted for very different online social networks by modifying the underlying SNKB. A further discussion on the differences between the proposed framework and the access control mechanism in the work by Carminati et al. (2009b) is provided in Section 3.

Semantic web technologies have recently been used for developing various policy and access control languages for domains different from OSNs. For example, in the work by Tonti et al.
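As an added illustration (not code from the paper or its authors), the following Python sketch mirrors the SNKB/rules/SAKB mechanism described in Section 1: a knowledge base of triples, sub-property reasoning so that closeFriend entails friend, security policies as rules whose antecedents are conditions on the SNKB and whose consequents are authorizations, and enforcement as instance checking on the derived SAKB. The property names, action names, the two policies and the sample users are assumptions made for this example.

```python
# Added example (not the paper's code): a toy in-memory version of the SNKB ->
# rules -> SAKB pipeline of Section 1; property, action and rule names are assumed.
# Relationship hierarchy: OWL sub-property reasoning infers closeFriend => friend.
SUBPROPERTY = {"closeFriend": "friend"}

class SNKB:
    """Social Network Knowledge Base: (subject, property, object) triples."""
    def __init__(self):
        self.triples = set()
    def add(self, s, p, o):
        self.triples.add((s, p, o))
    def saturate(self):
        """Close the KB under the relationship hierarchy."""
        changed = True
        while changed:
            changed = False
            for s, p, o in list(self.triples):
                sup = SUBPROPERTY.get(p)
                if sup and (s, sup, o) not in self.triples:
                    self.triples.add((s, sup, o))
                    changed = True

# Security policies as SWRL-style rules: the antecedent requires that the
# requester has relationship `rel` with the owner of a resource, the
# consequent asserts the authorization (requester, action, resource).
POLICIES = [("friend", "read"), ("closeFriend", "comment")]

def derive_sakb(kb):
    """Security Authorization Knowledge Base, built by forward chaining."""
    kb.saturate()
    sakb = set()
    for owner, prop, res in kb.triples:
        if prop != "owns":
            continue
        for rel, action in POLICIES:
            for s, p, o in kb.triples:
                if p == rel and o == owner:
                    sakb.add((s, action, res))
    return sakb

def is_authorized(sakb, requester, action, resource):
    return (requester, action, resource) in sakb  # instance checking on the SAKB

def build_example():
    kb = SNKB()  # constructed sample data, not from the paper
    kb.add("Alice", "owns", "album1")
    kb.add("Bob", "closeFriend", "Alice")  # Bob is Alice's close friend
    kb.add("Carol", "friend", "Alice")
    kb.add("Dave", "friend", "Bob")        # only a friend of a friend
    return derive_sakb(kb)
```

Because the hierarchy is applied before the rules fire, Bob obtains the "read" authorization through the inferred friend relationship as well as "comment" through closeFriend, while Dave, who is only a friend of a friend, gets nothing.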