skip to main content
research-article

A framework to enforce access control over data streams

Published:30 July 2010Publication History
Skip Abstract Section

Abstract

Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.

References

  1. Abadi, D., Ahmad, Y., Balazinska, M., Cetintemel, U., Cherniack, M., Hwang, J., Lindner, W., Maskey, A., Rasin, A., et al. 2005. The design of the borealis stream processing engine. In Proceedings of the Conference on Innovative Data System Research (CIDR'05). Online Proceedings, 277--289.Google ScholarGoogle Scholar
  2. Abadi, D., Carney, D., Cetintemel, U., Cherniack, M., Convey, C., Lee, S., Stonebraker, M., Tatbul, N., and Zdonik., S. 2003. Aurora: A new model and architecture for data stream management. VLDB J. 12, 2, 120--139. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Aggarwal, C. C., Han, J., Wang, J., and Yu, P. S. 2003. A framework for clustering evolving data streams. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB'03). Morgan Kaufmann, San Francisco, CA, 81--92. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Aggarwal, C. C., Han, J., Wang, J., and Yu, P. S. 2004. On demand classification of data streams. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '04). ACM, New York, 503--508. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Ali, M., ElTabakh, M., and Nita-Rotaru, C. 2005. FT-RC4: A robust security mechanism for data stream systems. Tech. rep. TR-05-024, Purdue University.Google ScholarGoogle Scholar
  6. Arasu, A., Babcock, B., Babu, S., Datar, M., K. Ito, I. N., Rosenstein, J., and Widom., J. 2003. Stream: The stanford stream data manager. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD '03). ACM, New York, 665. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Babcock, B., Babu, S., Datar, M., Motwani, R., and Thomas, D. 2004. Operator scheduling in data stream systems. VLDB J. 13, 4, 333--353. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Babcock, B., Babu, S., Datar, M., Motwani, R., and Widom, J. 2002. Models and issues in data stream systems. In Proceedings of the 21st ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (PODS'02). ACM, New York, 1--16. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Bai, Y. and Zaniolo, C. 2008. Minimizing latency and memory in dsms: a unified approach to quasi-optimal scheduling. In Proceedings of the 2nd International Workshop on Scalable Stream Processing System (SSPS'08). ACM, New York, 58--67. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Biskup, J. and Lochner, J.-H. 2007. Enforcing confidentiality in relational databases by reducing inference control to access control. In Proceedings of the 10th International Conference on Super Computing (ISC'07). ACM, New York, 407--422. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Brinkhoff, T. 2002. A framework for generating network-based moving objects. GeoInformatica 6, 2, 153--180. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Cao, J., Carminati, B., Ferrari, E., and Tan, K.-L. 2009. Acstream: Enforcing access control over data streams, demo. In Proceedings of the International Conference on Data Engineering (ICDE'09). IEEE, Los Alamitos, CA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Carminati, B., Ferrari, E., and Tan, K. 2007a. Enforcing access control policies on data streams. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT'07). ACM, New York. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Carminati, B., Ferrari, E., and Tan, K.-L. 2007b. Specifying access control policies on data streams. In Proceedings of the 12th International Conference on Database Systems for Advanced Applications (DASFAA '07). Springer, Berlin, 410--421. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Carminati, B., Ferrari, E., Tan, K.-L., and Cao, J. 2008. A framework to enforce access control over data streams. Tech. rep., University of Insubria. http://www.dicom.uninsubria.it/~barbara.carminati/TR/TR_Framework_AC_stream.pdf.Google ScholarGoogle Scholar
  16. Chandrasekaran, S., Cooper, O., A. Deshpande, M. F., Hellerstein, J., W. Hong, S. K., Madden, S., V.Raman, Reiss, F., and Shah., M. 2003. Telegraphcq: Continuous dataflow processing for an uncertain world. In Proceedings of the Conference of Innovative Data System Research (CIDR'03). Online Proceedings.Google ScholarGoogle Scholar
  17. Chen, J., DeWitt, D. J., Tian, F., and Wang, Y. 2000. Niagaracq: a scalable continuous query system for internet databases. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'00). ACM, New York, 379--390. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Coral8. 2008. Coral8 homepage. http://www.coral8.com/.Google ScholarGoogle Scholar
  19. Cranor, C., Gao, Y., Johnson, T., Shkapenyuk, V., and Spatscheck, O. 2003. Gigascope: A stream database for network applications. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'03). ACM, New York. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Farkas, C. and Jajodia, S. 2002. The inference problem: A survey. SIGKDD Expl. Newsl. 4, 2, 6--11. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Gaber, M. M., Zaslavsky, A., and Krishnaswamy, S. 2005. Mining data streams: A review. SIGMOD Record 34, 2, 18--26. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Gilbert, A. C., Kotidis, Y., Muthukrishnan, S., and Strauss, M. 2001. Surfing wavelets on streams: One-pass summaries for approximate aggregate queries. In Proceedings of the 27th International Conference on Very Large Data Bases (VLDB'01). Morgan Kaufmann, San Francisco, CA, 79--88. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Golab, L. and Özsu, M. T. 2003. Issues in data stream management. SIGMOD Record 32, 2, 5--14. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Hammad, M. A., Franklin, M. J., Aref, W. G., and Elmagarmid, A. K. 2003. Scheduling for shared window joins over data streams. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB'03:). Morgan Kaufmann, San Francisco, CA, 297--308. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Law, Y.-N., Wang, H., and Zaniolo, C. 2004. Query languages and data models for database sequences and data streams. In Proceedings of the 30th international Conference on Very Large Data Bases (VLDB'04). Morgan Kaufmann, San Francisco, CA, 492--503. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Lindner, W. and Meier, J. 2006. Securing the borealis data stream engine. In Proceedings of the International Database Engineering and Application Symposium (IDEAS'06). IEEE, Los Alamitos, CA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Liu, L., Pu, C., and Tang, W. 1999. Continual queries for internet scale event-driven information delivery. IEEE Trans. Knowl. Data Eng. 11, 4, 610--628. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Muthukrishnan, S. 2005. Data streams: algorithms and applications. Found. Trends Theor. Comput. Sci. 1, 2, 117--236. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Nehme, R. V., Rundensteiner, E. A., and Bertino, E. 2008. A security punctuation framework for enforcing access control on streaming data. In Proceedings of the 24th International Conference on Data Engineering (ICDE'08). IEEE, Los Alamitos, CA, 406--415. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Papadopoulos, S., Yang, Y., and Papadias, D. 2007. Cads: continuous authentication on data streams. In Proceedings of the 33rd International Conference on Very Large Data Bases (VLDB'07). Morgan Kaufmann, San Francisco, CA, 135--146. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Rizvi, S., Mendelzon, A., Sudarshan, S., and Roy, P. 2004. Extending query rewriting techniques for fine-grained access control. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04). ACM, New York, 551--562. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Schreier, U., Pirahesh, H., Agrawal, R., and Mohan, C. 1991. Alert: An architecture for transforming a passive dbms into an active dbms. In Proceedings of the 17th International Conference on Very Large Data Bases (VLDB'91). Morgan Kaufmann, San Francisco, CA, 469--478. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. StreamBase. 2008. StreamBase homepage. http://www.streambase.com/.Google ScholarGoogle Scholar
  34. Sullivan, M. 1996. Tribeca: A stream database manager for network traffic analysis. In Proceedings of the 22th International Conference on Very Large Data Bases (VLDB'96). Morgan Kaufmann, San Francisco, CA, 594. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Terry, D., Goldberg, D., Nichols, D., and Oki, B. 1992. Continuous queries over append-only databases. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'92). ACM, New York, 321--330. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Truviso. 2008. Truviso homepage, http://www.truviso.com/.Google ScholarGoogle Scholar
  37. Zhu, Y., Rundensteiner, E. A., and Heineman, G. T. 2004. Dynamic plan migration for continuous queries over data streams. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04). ACM, New York, 431--442. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. A framework to enforce access control over data streams

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Information and System Security
        ACM Transactions on Information and System Security  Volume 13, Issue 3
        July 2010
        253 pages
        ISSN:1094-9224
        EISSN:1557-7406
        DOI:10.1145/1805974
        Issue’s Table of Contents

        Copyright © 2010 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 30 July 2010
        • Accepted: 1 February 2009
        • Received: 1 January 2008
        Published in tissec Volume 13, Issue 3

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Research
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!