Abstract
In this article, we propose an access control mechanism for Web-based social networks, which adopts a rule-based approach for specifying access policies on the resources owned by network participants, and where authorized users are denoted in terms of the type, depth, and trust level of the relationships existing between nodes in the network. Unlike traditional access control systems, our mechanism makes use of a semidecentralized architecture, where access control enforcement is carried out client-side. Access to a resource is granted when the requestor is able to demonstrate, by providing a proof, that it is authorized to access it. In the article, besides illustrating the main notions on which our access control model relies, we present all the protocols underlying our system and a performance study of the implemented prototype.
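As an added illustration (not code from the paper or its prototype), the following Python sketches the two halves of the scheme the abstract describes: the requestor searches the relationship graph for a chain that satisfies a rule's type, depth and trust constraints and presents that chain as its proof, and the owner's client re-verifies the chain against its own view of the network before granting access. The sample network, the rule, the node names and the choice of minimum edge trust as the chain's trust are all assumptions made for this example.

```python
from collections import deque
# Constructed sample network (not from the paper): directed relationship edges
# owner -> contact, each carrying a relationship type and a trust level in [0, 1].
EDGES = [
    ("alice", "bob",   "friendOf",    0.9),
    ("bob",   "carol", "friendOf",    0.8),
    ("carol", "dave",  "friendOf",    0.7),
    ("alice", "erin",  "colleagueOf", 0.95),
    ("erin",  "frank", "friendOf",    0.4),
]
# Hypothetical rule for one of alice's resources: (type, maximum depth, minimum trust).
PHOTO_RULE = ("friendOf", 2, 0.75)

def _adjacency(edges, rel_type):
    """src -> [(dst, trust)] restricted to edges of the relationship type the rule names."""
    adj = {}
    for src, dst, rtype, trust in edges:
        if rtype == rel_type:
            adj.setdefault(src, []).append((dst, trust))
    return adj

def find_proof(owner, requestor, rule, edges=EDGES):
    """Requestor side: breadth-first search for a chain of the rule's type, within its
    depth bound, whose trust never drops below its threshold; the node path returned is
    the proof sent with the request. Assumption: chain trust = minimum edge trust."""
    rel_type, max_depth, min_trust = rule
    adj = _adjacency(edges, rel_type)
    queue, seen = deque([(owner, [owner], 1.0)]), {owner}
    while queue:
        node, path, trust = queue.popleft()
        if node == requestor and len(path) > 1:
            return path
        if len(path) - 1 >= max_depth:
            continue  # depth bound reached, do not extend this chain
        for nxt, t in adj.get(node, []):
            if nxt not in seen and min(trust, t) >= min_trust:
                seen.add(nxt)
                queue.append((nxt, path + [nxt], min(trust, t)))
    return None

def verify_proof(owner, requestor, rule, proof, edges=EDGES):
    """Owner side: re-check a presented proof against the owner's own view of the
    network, so a forged, stale or over-long chain is rejected before access is granted."""
    rel_type, max_depth, min_trust = rule
    adj = _adjacency(edges, rel_type)
    if len(proof) < 2 or len(proof) - 1 > max_depth or proof[0] != owner or proof[-1] != requestor:
        return False
    hops = [dict(adj.get(s, [])).get(d) for s, d in zip(proof, proof[1:])]
    return all(t is not None for t in hops) and min(hops) >= min_trust
```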
Supplemental Material
Online appendix to "Enforcing access control in Web-based social networks". The appendix supports the information in article 6.
Enforcing access control in Web-based social networks