Abstract
Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.
- Abadi, D., Ahmad, Y., Balazinska, M., Cetintemel, U., Cherniack, M., Hwang, J., Lindner, W., Maskey, A., Rasin, A., et al. 2005. The design of the borealis stream processing engine. In Proceedings of the Conference on Innovative Data System Research (CIDR'05). Online Proceedings, 277--289.Google Scholar
- Abadi, D., Carney, D., Cetintemel, U., Cherniack, M., Convey, C., Lee, S., Stonebraker, M., Tatbul, N., and Zdonik., S. 2003. Aurora: A new model and architecture for data stream management. VLDB J. 12, 2, 120--139. Google Scholar
Digital Library
- Aggarwal, C. C., Han, J., Wang, J., and Yu, P. S. 2003. A framework for clustering evolving data streams. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB'03). Morgan Kaufmann, San Francisco, CA, 81--92. Google Scholar
Digital Library
- Aggarwal, C. C., Han, J., Wang, J., and Yu, P. S. 2004. On demand classification of data streams. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '04). ACM, New York, 503--508. Google Scholar
Digital Library
- Ali, M., ElTabakh, M., and Nita-Rotaru, C. 2005. FT-RC4: A robust security mechanism for data stream systems. Tech. rep. TR-05-024, Purdue University.Google Scholar
- Arasu, A., Babcock, B., Babu, S., Datar, M., K. Ito, I. N., Rosenstein, J., and Widom., J. 2003. Stream: The stanford stream data manager. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD '03). ACM, New York, 665. Google Scholar
Digital Library
- Babcock, B., Babu, S., Datar, M., Motwani, R., and Thomas, D. 2004. Operator scheduling in data stream systems. VLDB J. 13, 4, 333--353. Google Scholar
Digital Library
- Babcock, B., Babu, S., Datar, M., Motwani, R., and Widom, J. 2002. Models and issues in data stream systems. In Proceedings of the 21st ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (PODS'02). ACM, New York, 1--16. Google Scholar
Digital Library
- Bai, Y. and Zaniolo, C. 2008. Minimizing latency and memory in dsms: a unified approach to quasi-optimal scheduling. In Proceedings of the 2nd International Workshop on Scalable Stream Processing System (SSPS'08). ACM, New York, 58--67. Google Scholar
Digital Library
- Biskup, J. and Lochner, J.-H. 2007. Enforcing confidentiality in relational databases by reducing inference control to access control. In Proceedings of the 10th International Conference on Super Computing (ISC'07). ACM, New York, 407--422. Google Scholar
Digital Library
- Brinkhoff, T. 2002. A framework for generating network-based moving objects. GeoInformatica 6, 2, 153--180. Google Scholar
Digital Library
- Cao, J., Carminati, B., Ferrari, E., and Tan, K.-L. 2009. Acstream: Enforcing access control over data streams, demo. In Proceedings of the International Conference on Data Engineering (ICDE'09). IEEE, Los Alamitos, CA. Google Scholar
Digital Library
- Carminati, B., Ferrari, E., and Tan, K. 2007a. Enforcing access control policies on data streams. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT'07). ACM, New York. Google Scholar
Digital Library
- Carminati, B., Ferrari, E., and Tan, K.-L. 2007b. Specifying access control policies on data streams. In Proceedings of the 12th International Conference on Database Systems for Advanced Applications (DASFAA '07). Springer, Berlin, 410--421. Google Scholar
Digital Library
- Carminati, B., Ferrari, E., Tan, K.-L., and Cao, J. 2008. A framework to enforce access control over data streams. Tech. rep., University of Insubria. http://www.dicom.uninsubria.it/~barbara.carminati/TR/TR_Framework_AC_stream.pdf.Google Scholar
- Chandrasekaran, S., Cooper, O., A. Deshpande, M. F., Hellerstein, J., W. Hong, S. K., Madden, S., V.Raman, Reiss, F., and Shah., M. 2003. Telegraphcq: Continuous dataflow processing for an uncertain world. In Proceedings of the Conference of Innovative Data System Research (CIDR'03). Online Proceedings.Google Scholar
- Chen, J., DeWitt, D. J., Tian, F., and Wang, Y. 2000. Niagaracq: a scalable continuous query system for internet databases. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'00). ACM, New York, 379--390. Google Scholar
Digital Library
- Coral8. 2008. Coral8 homepage. http://www.coral8.com/.Google Scholar
- Cranor, C., Gao, Y., Johnson, T., Shkapenyuk, V., and Spatscheck, O. 2003. Gigascope: A stream database for network applications. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'03). ACM, New York. Google Scholar
Digital Library
- Farkas, C. and Jajodia, S. 2002. The inference problem: A survey. SIGKDD Expl. Newsl. 4, 2, 6--11. Google Scholar
Digital Library
- Gaber, M. M., Zaslavsky, A., and Krishnaswamy, S. 2005. Mining data streams: A review. SIGMOD Record 34, 2, 18--26. Google Scholar
Digital Library
- Gilbert, A. C., Kotidis, Y., Muthukrishnan, S., and Strauss, M. 2001. Surfing wavelets on streams: One-pass summaries for approximate aggregate queries. In Proceedings of the 27th International Conference on Very Large Data Bases (VLDB'01). Morgan Kaufmann, San Francisco, CA, 79--88. Google Scholar
Digital Library
- Golab, L. and Özsu, M. T. 2003. Issues in data stream management. SIGMOD Record 32, 2, 5--14. Google Scholar
Digital Library
- Hammad, M. A., Franklin, M. J., Aref, W. G., and Elmagarmid, A. K. 2003. Scheduling for shared window joins over data streams. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB'03:). Morgan Kaufmann, San Francisco, CA, 297--308. Google Scholar
Digital Library
- Law, Y.-N., Wang, H., and Zaniolo, C. 2004. Query languages and data models for database sequences and data streams. In Proceedings of the 30th international Conference on Very Large Data Bases (VLDB'04). Morgan Kaufmann, San Francisco, CA, 492--503. Google Scholar
Digital Library
- Lindner, W. and Meier, J. 2006. Securing the borealis data stream engine. In Proceedings of the International Database Engineering and Application Symposium (IDEAS'06). IEEE, Los Alamitos, CA. Google Scholar
Digital Library
- Liu, L., Pu, C., and Tang, W. 1999. Continual queries for internet scale event-driven information delivery. IEEE Trans. Knowl. Data Eng. 11, 4, 610--628. Google Scholar
Digital Library
- Muthukrishnan, S. 2005. Data streams: algorithms and applications. Found. Trends Theor. Comput. Sci. 1, 2, 117--236. Google Scholar
Digital Library
- Nehme, R. V., Rundensteiner, E. A., and Bertino, E. 2008. A security punctuation framework for enforcing access control on streaming data. In Proceedings of the 24th International Conference on Data Engineering (ICDE'08). IEEE, Los Alamitos, CA, 406--415. Google Scholar
Digital Library
- Papadopoulos, S., Yang, Y., and Papadias, D. 2007. Cads: continuous authentication on data streams. In Proceedings of the 33rd International Conference on Very Large Data Bases (VLDB'07). Morgan Kaufmann, San Francisco, CA, 135--146. Google Scholar
Digital Library
- Rizvi, S., Mendelzon, A., Sudarshan, S., and Roy, P. 2004. Extending query rewriting techniques for fine-grained access control. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04). ACM, New York, 551--562. Google Scholar
Digital Library
- Schreier, U., Pirahesh, H., Agrawal, R., and Mohan, C. 1991. Alert: An architecture for transforming a passive dbms into an active dbms. In Proceedings of the 17th International Conference on Very Large Data Bases (VLDB'91). Morgan Kaufmann, San Francisco, CA, 469--478. Google Scholar
Digital Library
- StreamBase. 2008. StreamBase homepage. http://www.streambase.com/.Google Scholar
- Sullivan, M. 1996. Tribeca: A stream database manager for network traffic analysis. In Proceedings of the 22th International Conference on Very Large Data Bases (VLDB'96). Morgan Kaufmann, San Francisco, CA, 594. Google Scholar
Digital Library
- Terry, D., Goldberg, D., Nichols, D., and Oki, B. 1992. Continuous queries over append-only databases. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'92). ACM, New York, 321--330. Google Scholar
Digital Library
- Truviso. 2008. Truviso homepage, http://www.truviso.com/.Google Scholar
- Zhu, Y., Rundensteiner, E. A., and Heineman, G. T. 2004. Dynamic plan migration for continuous queries over data streams. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04). ACM, New York, 431--442. Google Scholar
Digital Library
Index Terms
A framework to enforce access control over data streams
Recommendations
Configuring role-based access control to enforce mandatory and discretionary access control policies
Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...
Condensative stream query language for data streams
ADC '07: Proceedings of the eighteenth conference on Australasian database - Volume 63In contrast to traditional database queries, a query on stream data is continuous in that it is periodically evaluated over fractions (sliding windows) of the data stream. This introduces challenges beyond those encountered when processing traditional ...
Precision-Bounded Access Control Using Sliding-Window Query Views for Privacy-Preserving Data Streams
Access control mechanisms and Privacy Protection Mechanisms (PPM) have been proposed for data streams. The access control for a data stream allows roles access to tuples satisfying an authorized predicate sliding-window query. Sharing the sensitive stream ...






Comments