A Reachability Based Access Control Model for Online Social ... - Inria

5 downloads 5304 Views 225KB Size Report
social networks (e.g., Facebook, LinkedIn, Flickr, Twitter, etc.) ... way, Facebook is the most popular Web page [2]. ... In a tight job market, information that.
A Reachability Based Access Control Model for Online Social Networks Talel Abdessalem

Imen Ben Dhia

Institut Télécom; Télécom ParisTech 46 rue Barrault, 75634 Paris, France

Institut Télécom; Télécom ParisTech 46 rue Barrault, 75634 Paris, France

[email protected]

ABSTRACT As a result of the widespread use of social networking sites, millions of individuals can today easily share personal and confidential information with an incredible amount of (possibly unknown), other users. This raises the need of giving users more control on the distribution of their resources, which may be accessed by a community far wider than they expected. Our concern is how to decide which users are allowed to see information owned by other users. Our solution aims to support users when they wish to restrict the visibility of their resources to a smaller subset of their contacts. In this paper, we propose a reachability based access control model that allows users to express their privacy preferences as constraints on existing links with other users. Experimental results verify the effectiveness of our approach over real social networks datasets.

Categories and Subject Descriptors H.2.7 [Information System]: Security, integrity, and protection

General Terms Security

Keywords Access Control, Online Social Networks

1.

INTRODUCTION

With the development of web 2.0 technologies in the last few years, social networks (e.g., Facebook, LinkedIn, Flickr, Twitter, etc.) have become among the most successful services on the Web, exploited by an exponentially increasing number of users. By the way, Facebook is the most popular Web page [2]. Facebook now reports over 500 million active users [3] and Twitter has 200 million users [1]. These so-called Online Social Networks (OSNs) are online communities whose main goal is to make available an information space, where each social network participant can publish and share information (e.g. personal data, photos, videos, opinions, contacts, etc) as well as meet other people for a variety of purposes (e.g. business, entertainment, religion, or dating, etc.).

[email protected]

The availability of this information obviously raises privacy and confidentiality issues. Users typically do not want to share all of their information with everyone. Consequently, OSNs must provide the right mechanisms in order to give users more control on the distribution of their resources, which may be accessed by a community far wider than they expected. For example, many employers tend to search for their candidates on social networking sites before they hire them. In a tight job market, information that people share (e.g., political views, status updates, funny pictures, etc.) might be a deal breaker. The private information that is available on OSNs could endanger job candidates’ chances of future employment, even before the chance to have an interview. Most developed social networks provide only the most basic access control policies, e.g. a user can specify whether a piece of information shall be publicly available, private (no one can see it) or accessible only by direct contacts. This simple access control paradigm has the advantage of being simple, intuitive and easy to implement. However, it is not flexible enough to fit with the requirements of all users. It is either too loose because it grants access to all users (public), or it is too restrictive by limiting too much information sharing (private). Thus, social networking applications need mechanisms that support high-level policies. Facebook allows users to categorize their friends into lists and specify whether a specific piece of information should be available to all friends in a particular list. However, since the average friends number of facebook users is estimated to 130 [3], the process of categorizing friends into lists turns out to be tedious and time-consuming. Moreover, it may happen that users find themselves obliged to create a huge number of friend lists due to the fact that their privacy preferences may vary depending on the piece of information to share. It is clear that users should be provided with more flexible mechanisms to govern access to their own information. OSN members usually publish resources having in mind a specific audience consisting, for example, of their friends or colleagues. In an OSN context, relationships can be used as the basis for specifying authorizations, such as ’only my family and friends can access my personal photos’ or ’only my friends’ children can access my daily notes’. Based on such considerations, we propose in this paper a reachability-based access control model for OSNs where access control policies are expressed as reachability queries in terms of constraints on the type, direction, distance, and on the trust level according to a given utility between nodes. The remainder of this paper is organized as follows: Section 2 presents the social network model. Section 3 introduces the context and requirements of access control in social networks. In Section 4,

we discuss and present the proposed access control model. The access control enforcement is, then, detailed in Section 5, followed by experimental results in Section 6. In Section 7, we discuss some related work. Finally, Section 8 concludes the paper and discusses the future perspectives of this work.

2.

THE SOCIAL NETWORK MODEL

In this section, we introduce our model of a social network. P arent

Colin

Fred Colleague

F riend F riend biology, 0.6

Alice

F riend P arent

George

David Colleague

F riend

F riend F riend F riend

Babysitting, 0.8 F riend

Elena

Bill

In our social network model, we consider that users can express trust information. Users can express their trust in others according to a specific topic. A trust level is then the trust level of a participant in another participant, with respect to a particular utility. The utility refers to the context of trust, i.e, repairing cars, baby-sitting, computer science, etc. As depicted in Figure 1, Bill trusts David for taking care of children up to 80%, and David trusts Alice up to 60% on the field of biology. The trust level beetwen two users connected by an indirect trust relationship (depth>1) can be inferred by taking into account the trust level of all edges belonging to paths corresponding to all the possible direct or indirect trust relationships between the two users according to a given utility. This is ensured by a trust computing function. In some research work, trust is inferred based on propagation [8], other work proposed to infer trust levels based on machine learning techniques [10]. There are many ways to express trust levels in a network of trust, i.e, using integer values, rational numbers or boolean values. In our model, we chose to represent trust values through rational numbers as shown in Figure 1.

F riend

Figure 1: An Online Social Network Subgraph

As depicted in Figure 1, a social network is a dynamic structure made of nodes, which are connected to each other through various relations. The nodes and the edges of the graph represent, respectively, the social network users and the relationships that exist between them. Labels describe the relationship type associated to each edge, i.e., Alice considers Bill her friend, Colin considers David his friend, and so on. In our framework, relationships are not symmetric, i.e., if Alice considers that Bill is her friend, it doesn’t mean that Bill considers Alice a friend too. Thus, rather than an undirected graph, our model considers a directed graph where the direction of edges facilitates the distinction between the user who declared the relationship and for whom the relationship has been declared. The former corresponds to the initial node and the latter corresponds to the terminal node. In facebook, friendship is symmetric. Our model is more general, because it can express symmetry by two mutual edges. We distinguish two types of relationships: direct and indirect relationships. More precisely, a direct relationship between users A and B is represented by means of an edge that starts from A and ends at B. For instance, Alice has a direct friend-typed relationship with Bill and a direct colleague-typed relationship with David. However, an indirect relationship is represented by means of a path that links A to B. This path consists of a finite number of edges, or direct relationships, of the same label, or type. For instance, Alice and Fred are not directly connected to each other but they are linked by the fact that Alice is a colleague of David and David is a colleague of Fred. Thus, Alice has an indirect colleague-typed relationship with Fred. The depth of a given relationship type between two users A and B is the length of the path relating A to B in the social network graph. More precisely, it corresponds to the shortest path relating A and B. This path consists in a finite number of edges labeled with the same relationship type. For instance, from Alice to George there exist three paths of type FriendOf : (Alice-David-George) of length equal to 2, (Alice-Bill-Elena-George) of length equal to 3, and (Alice-Colin-David-George) of length equal to 3.

3.

CHALLENGES

The design and implementation of a suitable access control model present a number challenges. We consider that the following requirements are keys to developing such a model: Dynamicity. In a social network, relationships between users are varied, numerous, and changing over time. Consequently, as a first requirement, an access control model should take into account relationships diversity and dynamicity. Suppose that Bill is authorized to access Alice’s holiday album because she considers him her friend. If Alice doesn’t consider Bill anymore her friend, he should no longer be able to access her holiday album. Relationship-based access control. Let’s say that Alice wants to share her resources with her direct friends (depth = 1) and some of her indirect friends (depth1). She wants to grant access to these resources to Colin and Bill, since they are direct friends of hers. She also wants to allow Elena to access her resources because she is a direct friend of Bill, even if she does not know her. However, Alice is not sure whether George is trustworthy or not because she does not know how Elena chooses her friends. Thus, she wants to prevent him from accessing her resources. This example shows that the type of relationship between users may influence access rights. It helps data owners to control the release of their personal information in the same manner they would do it in the real world. Fine-grained. Access control must be available in a fine-grained format, i.e., it should provide the granularity that a user might want. Thus, users are able to protect specific objects, e.g, particular personal information (age, hometown, relationship status, etc), particular photos, and so on. Users should, be able to restrict the access to particular persons based on their properties on the social network. Trust-based An access control model should consider trust levels between users (when they exist). It should provide users with the right trust inference mechanisms. For example, Alice should be able to to grant access to users that she trusts up to 80% at least.

4.

THE ACCESS CONTROL MODEL

In order to cope with the challenges outlined in Section 3, we propose a reachability based access control model for OSNs. The intuition for the design comes from the observation that real users conceive their privacy preferences based on the relationships that bind them to other users, i.e, which users should be able to see which information. Our model allows users to specify a certain number of access rules for their own resources. These access rules denote the profiles that are allowed to access a given resource.

Definition 1. Online Social Network (OSN) We formally define an Online Social Network as a tuple: (V, E, Σ, φ) V is the set of the graph nodes that represent the social network members. E = {(v1 , v2 )|v1 ∈ V, v2 ∈ V } is the set of edges that represent relationships between users. Σ is the function that assigns each edge e ∈ E a pair (r, t) such that Σ(e) = (r, t) ∈ Σ. r is a label (e.g. friend, colleague, etc.) and t ∈ [0, 1] is a value that represent a trust value. It may happen that t is not assigned a value, i.e. the user does not express trust information, but, he simply says that he has a relationship with another user. At this case, t will be assigned to null. Let’s consider now that p is a path that links v1 to v2 . φ : v1 × v2 × p → [0, 1] is a function assigning to each two indirectly related nodes a value t ∈ [0, 1] according to a given label r. This value may express how much user v1 trusts v2 according to the specified label. To protect their resources, users can specify a certain number of access rules for each one of these resources. Definition 2. Access Rule (AR) As defined in [4], an access rule expresses a set of access conditions that should be satisfied in order to access a given resource. An access rule is a tuple: (rid, ACS) rid is the identifier of the resource rsc and ACS={AC} is the set of access conditions expressing the requirements that should be satisfied by the requester in order to be allowed to access the resource rsc. Definition 3. Access Condition (AC) An access condition specifies the profiles of authorized users to access a given resource. An access condition is a tuple:

AR AC

= (r1, {AC}) = Alice/F riend+ [1, 2][city = P aris][BabySitting, 0.8]

AR is an access rule that contains only one access condition. Authorized members must be direct (distance = 1) or indirect (distance = 2) friends of Alice, live in Paris and Alice should trust them up to 80%. The path specified in the access condition could be expressed, more clearly, with the following two paths : Alice/FriendOf/ and Alice/FriendOf/FriendOf/. In order to be granted access, a requester must be related to Alice with a path that corresponds at least to one of the previous two paths. Let’s say that OSN members that are depicted in Figure 1 live in Paris and Alice trusts Colin trusts up to 85% for looking after children, i.e. babysitting. Based on such considerations, we can say that all of Bill, Colin, David, and Elena participate in relationships with the required type, direction, depth level and attributes, but only Colin satisfies the constraint on the minimum trust level. Consequenly, only Colin will be granted access to Alice’s resource, i.e., r1. The set of access conditions ACS within an access rule AC do not denote a set of alternative conditions, but all conditions should be satisfied. It may also be the case that more than one access rule is specified for the same resource. Suppose that two rules AR1 and AR2 are associated with a resource rsc. In such case, the two sets of access conditions ACS1 and ACS2 corresponding, respectively, to AR1 and AR2 are considered as two alternatives of access control requirements. Example 2. Let’s consider again the OSN depicted in Figure 1, and suppose that Alice owns a resource identified by r2 that she wishes to make available to the children and grand-children of her direct or indirect friends who live in Paris and whom she trusts up to 80% for baby-sitting. Such policy can be expressed through the following access rule:

(O, p, T ) O is a starting node, e.g, the resource owner. p is a path in the social network graph. We consider it as a sequence of ordered steps si , such that p = s1 , s1 , ..., sn . A step si in p is represented by a tuple (r, dir, I, C). r is a relationship type, i.e. a label. dir denotes the direction of the relationship. dir = + (respectively dir = −) means that the relationship must be outgoing (respectively incoming). Other than that, the default value of dir is set to ∗, i.e, both incoming and outgoing relationships are authorized. I is the set of authorized depth levels. C = c1 , c2 , ..., cn is the set of claims, i.e, conditions on users properties. T is the trust condition associated to AC. T = (r, tmin ), where t is the label according to which t will be calculated. tmin is the threshold, i.e., the minimum t value that the requester must have with the the starting node O. In order to get access to a given resource, the requester must have a direct or an indirect relationship with the resource owner that matches with the specified path p. p is a sequence of ordered steps si . Each step indicates the relationship type r, direction dir and depth levels I that the requester must have with the starting node. The requester should satisfy the set of conditions C specified on his attributes. The requester should also satisfy the trust condition T . More precisely, the requester must be trusted by the starting node with a trust level greater or equal to the trust threshold tmin , according to the utility u specified in the trust condition. Example 1. Here is an example of an access rule specified by Alice in order to control access to a resource of her which is identified by r1:

AR1 = (rid,

Alice/F riend+ [1][ ][ ]/ Child− [1, 2][city = P aris][BabySitting, 0.8])

Now, suppose that the resource rsc should be accessed either by the children and grand-children of the direct or indirect friends of Alice, or by the children and grand-children of her direct colleagues. This can be achieved by specifying two distinct access rules, namely, AR1, and AR2, where: AR2 = (rid,

Alice/Colleague+ [1][ ][ ]/ Child− [1, 2][city = P aris][BabySitting, 0.8])

Finally, suppose that resource rsc should be accessed by users who are both children or grand-children of the direct or indirect friends of Alice, and children or grand-children of her direct colleagues. In such case, Alice can specify the following access rule: AR3 = (rid,

Alice/F riend+ [1][ ][ ]/ Child− [1, 2][city = P aris][BabySitting, 0.8], Alice/Colleague+ [1][ ][ ]/ Child− [1, 2][city = P aris][BabySitting, 0.8])

It is important to note that the proposed model considers authorization access rules only. Access rules specifying non authorized users will be developed in future work. Thus, we avoid access authorization-denial conflicts.

5.

THE ACCESS CONTROL PROTOCOL

Access Rules Subject

Allow/Deny Action

Ref. Monitor

Object

Figure 2: Access control architecture

Devising an access control model implies the specification of both the access control policy and the access control enforcement mechanism, which represent, respectively, the desired rules according to the high level requirements of the system and the implementation of this policy. In this section, we describe the access control protocol that implements the proposed model. As shown in Figure 2, the fundamental components of our access control model are: • The Subject, also called P rincipal, is a person who tries to get access to a particular resource, i.e, the object. • The Action is the operation that the subject wants to excute over the object. • The Object is the target resource, to which access may need to be controlled. • The Ref erenceM onitor is the component that implements users privacy preferences, i.e., access control policies. It takes as input a set of access rules according to which it will allow or deny access to a given object or resource. The access control enforcement mechanism is performed by the reference monitor, which is a trusted software module that intercepts each access request submitted by a subject to access an object and, on the basis of the specified access policy, determines whether access should be granted or denied to the requestor. In order to implement the access control mechanism of the reference monitor, we need to devise a protocol ensuring that access rules are not violated. Suppose that R is the node requesting a resource rsc where rid is the resource identifier and O is the node owning such a resource. The task of deciding whether to grant access or not is performed by Algorithm 1. When R submits to O a request to access the resource rsc, the system retrieves from its rule base the set of access rules ARS associated to the resource rsc (Line 1). If there are no access rules related to the requested resource, then, the system will apply the default access rule (Lines 2-3). The default access rule is defined by the user and applied whenever there are no access rules associated to the requested resource. It prevents the access control strategy from being too loose (by setting resources having no associated rules to public) or too restrictive (by setting resources having no associated rules to private). The system will, then, check if the requester is authorized access by evaluating the retrieved access rules (Lines 4-14). More precisely, the system evaluates the set of retrieved access rules one by one and stops, either when the requester satisfies one of these rules, or when all the rules were evaluated and the requester satisfies no rule. In the former case, the requester is authorized to access the resource that he requested for (Line 13). In the latter case, the requester is denied access because his profile is not consistent with the profiles of authorized users specified by the resource owner through access rules (Line 15).

Algorithm 1: Access Control Protocol Precondition: A requester R wants to get access to an object res of O. : A requester R and an object identifier rid. Input : Allow or Deny access. Output Begin 1 ARS ← getRules(rid); 2 if ARS= ∅ then 3 ARS ← default access rule; else 4 foreach AR ∈ ARS do 5 foreach AC ∈ AR do // AC=(O,p,T) 6 if (p = ∗) then 7 if (T =*) then 8 return Allow; else 9 if (traverse(O, R, T ) ≥ T.tmin ) then 10 Allow; else 11 Deny; else 12 if (checkPath(O, R, p)) then 13 Allow; else 14 Skip to next AR; 15 return Deny; End

The evaluation of access rules is an iterative process (Lines 4-13). For each access rule, the algorithm evaluates the associated access conditions. For each access condition, the checkP ath() function evaluates the access path p. If the access path p is set to the wildcard (*) (Line 6), i.e, no constraints were specified. At this case, the social graph will be browsed by the traverse() function to compute how much O trusts R. The traverse() function will traverse the social graph, without considering any constraints, until he reaches the requester R. Then, it calculates t, i.e., how much O trusts R. The requester R will be granted access to res if and only if he satisfies the specified trust condition T , i.e., t ≥ T.tmin . Otherwise, if p is not set to the wildcard (*), the algorithm performs its search beginning from the owner node and checks if the requester could be reached via a path p of the current access rule. If during the evaluation of the set of access conditions of an access rule, the system realizes that any node of the social network satisfies an access condition. Then, the current access rule is not satisfied and the system goes directly to the next rule (Line 14). Since we have to find only the shortest path, the search is performed using a breadth first search algorithm. The breadth-first search algorithm or BFS-algorithm is a classical graph search algorithm in graph theory. It starts searching from a root node and explores all the neighboring nodes. It returns only nodes that satisfy constraints on the relationship type, direction and attributes specified in the input access step s. The trust computation process between O and R is done at the same time, when the graph is explored. Our model focuses on access control given such a trust computing function. For simplicity, we consider that a trust value between two nodes v1 and v2 is the aver-

age of all trust values of a path that links these two nodes. We plan to consider a more elaborated trust computation function in future work.

Response time depending on the number of access rules

AR AC

= (r1, {AC}) = Alice/F riend+ [1, 2][city = P aris][BabySitting, 0.8]

To reply to this request, the system has then to explore the OSN in Figure 1 in order to to check if there exists a path between Alice and Elena that corresponds to one of the following forms: Friend (distance=1) and Friend/Friend (distance=2). The algorithm starts the search by considering the neighbors of Alice with respect to the relationship type Friend, i.e., Bill and Colin. Since Elena is not one of Alice’s neighbors, the neighbors of Bill and Colin are considered in turn. Seeing that Elena is a friend of Bill, the algorithm realizes that there exists a path of length 2 between Alice and Elena. Since a path of the form Friend/Friend has been found between Alice and Elena. The algorithm evaluates, then, how Alice trusts Elena in baby-sitting, according to the trust level that was computed during the graph exploration. Suppose that Alice trusts Elena up to 70% to take care of children. Consequently, Elena will not be granted access because the retrieved trust value is less than the trust threshold tmin specified in the trust condition. In this paragraph, we will focus on estimating the time complexity of the proposed algorithm in order to measure its efficiency. Let S be the sum of all the maximum depth levels among those specified in each set of authorized depth levels s.I: X S= s.Imax s∈ p

By assuming that, in real world scenarios, S is always less than the social graph diameter, the worst case occurs when p = ∗. More precisely, in such a case, we are called to discover all social graph nodes. Since we use a a breadth-first search algorithm, exploring the network graph requires (|V | + |E|) time complexity, where |V | and |E| denote, respectively, the OSN nodes and edges. After evaluating an access step, the algorithm will consider a new list of nodes statisfying the previous step s. In the worst case, this list will contain |V | nodes. Consequently, the social graph will be browsed |V | times, and the time complexity required to evaluate an access step s is of the order of: |V | × (|V | + |E|)

(1)

We can say that the time complexity required to evaluate an access path p, i.e, an access condition AC, is of the order of: N bs × |V | × (|V | + |E|)

(2)

N bs is the maximum number of access steps that an access path of a given access condition could contain. In the worst case, the evaluation of an access condition is iterated (N bAC ×N bAR ) times, where N bAC is the maximum number of access conditions that an access rule could contain and N bAR is the maximum number of access rules that may be associated to a resource. Thus, the required time complexity to evaluate the proposed algorithm is of the order of: N bAR × N bAC × [N bs × |V | × (|V | + |E|)]

(3)

Then, we can conclude that the problem for which we implemented Algorithm 1 can be solved in polynomial time depending on the

Response time (sec)

0.5

Example 3. Consider that Elena sends a request in order to access an object owned Alice and suppose that the requested object is associated with the following access rule:

0.4

subgraph 1 subgraph 2

0.3

0.2

0.1

0 1

1.5

2 2.5 3 3.5 4 Number of access rules to evaluate

4.5

5

Figure 3: Query processing time evolution depending the number of Access Rules

number of access rules, access conditions, access steps and the social graph size. Thus, the above equation still hold when we assume that S (detailed in the beginning of this paragraph) is always less than the social graph diameter. Otherwise, the time complexity of Algorithm 1 becomes of the order of: N bAR × N bAC × [N bs × I × |V | × (|V | + |E|)]

(4)

I is the maximum depth level value that could be specified in an access path p. More clearly, in this case, I could be greater than the social graph diameter. Given constraints on the type, direction and depth levels of the relationships that are specified in an access condition, we can reduce the size of the graph to be explored, and therefore the computational cost. The search can be terminated as soon as the specified depth levels are reached. Actually, we want to discover paths consisting of edges all labeled with relationship types R ={R1 , ..., Rn } specified in the input access condition set ACS ={AC1 , ..., ACn } with respect to the required directions associated to them. Therefore, we explore only the set of subgraphs consisting of all and only the edges labeled with the specified relationship types and the nodes connected by them. Generally, we are called to explore graphs of a size usually far lower than the one of the whole OSN.

6.

EXPERIMENTS

In this section, we perform experimental studies on real social graph datasets to study the performance of the proposed algorithm in terms of time required to evaluate an access request, namely Algorithm 1. The social graph is stored in a N eo4j database, which is an open source graph database that stores data structured as graphs, i.e., it relies on a graph-oriented model for data representation. Instead of static and rigid tables, rows and columns, it manipulates a flexible graph network consisting of nodes, relationships and properties. A N eo4j database can handle graphs of several billions of nodes on a single machine and can be sharded to scale out across multiple machines. It has a traversal framework for high-speed traversals in the node space. It is able to traverse one million nodes per second. We stored access rules as properties of the social graph nodes. We conducted our testing on a PC with a 2.34 GHz Intel processor, and 2 GB memory running Windows 7, a typical configuration that average OSN users might have. We performed our studies on a sample of 984K unique users that represents the groundtruth of the Facebook OSN, i.e., a truly uniform sample of Facebook anonymized user IDs [7]. This Facebook dataset provides the total

subgraph 1 subgraph 2 subgraph 3

|V| 8787 88971 -

|E| 8733 88268 -

Diameter 7 8 -

Table 1: Facebook Dataset Samples

number of friends each user has, his privacy settings, and his network membership. The dataset contains 984830 vertices (users). It has only one label, i.e, relationship type, which corresponds to friendship. Since relationships in Facebook are mutual (edges are undirected), we transform it into two directed edges. Before performing our experimentations, as depicted in Table 1, we made some staistics about the properties of the dataset samples that we used. We tested a large number of paths, i.e. access rules. In the following, the reported elapse time represents the query processing time. We have performed several experiments by varying the order of social subgraphs. For each subgraph, we varied the path distance from 1 to the graph diameter. The results are shown in Figure 3. When the path distance increases, the time required to traverse the social graph, i.e., to get the query result, increases. As confirmed in our complexity study, in the previous section, the response time depends on the number of access rules to evaluate. Experimental results have shown that the social graph nodes number, i.e., number of users, has no influence on the reference monitor performance.

7.

RELATED WORK

Access control in social networks is a new research area. It has emerged with the growing popularity of OSNs which have become an important part of our daily digital life. Several recent papers have proposed automatic extraction of the communities that are forming the OSN, as a way to simplify privacy preferences specification. Danezis [5] proposed to partition users contacts into nonoverlapping lists, so that contacts of the same list can have only access to information that is shared by users of the same list. Additionally, Fang et al. [6] proposed a privacy wizard that considers real users privacy preferences as well as automatically extracted communities to build a privacy preference model that will be automatically applied and adapts whenever the social graph is changed. Most related to our work, is the proposal of Carminati et al. [4]. They also look to formalize an access control model which may be required in an online social network. For instance, the former proposed an access control model where policies are expressed as constraints on the type, depth and trust level between users. While related to our work, this proposal does not consider neither multiple relationships, nor distinct path lengths, when specifying users privacy preferences. Paci et al. [12] considered an additional problem, i.e, co-ownership. They proposed an automated collective privacy management solution where data may have multiple owners and each owner might have a different and possibly contradictory privacy preference. This model uses a game-theoretical algorithm to control access to resources that are owned by more that one OSN member. Some other research work has relied on cryptography techniques to protect users private information. For instance, NOYB [9] encrypts personal information using a pseudo-random substitution which replaces a personal information with a pseudo-randomly selected

substitution taken from a public dictionary. Another approach, i.e. flyByNight [11], present a Facebook application that stores sensitive data in an encrypted form. However, these two approaches does not support selective access control. In fact, NOYB assumes a shared secret key that is known to the social network user circle of friends and friends of friends and flyByNight requires the social network user to select one by one the users to which a message should be encrypted.

8.

CONCLUSION AND FUTURE WORK

In this paper, we developed an access control model for OSNs that enables a fine-grained description of privacy policies. These policies are specified in terms of constraints on the type, direction, depth of relationships and trust levels between users, as well as on the users properties. This model relies on a reachability-based approach, where a subject requesting to access an object must satisfy policies determined by the object owner. In the future, we plan to extend our mechanism along several directions. A first extension concerns the support of a more expressive policy language where it is possible to express positive and negative access rules. Another direction concerns the extension of our approach with a module that supports automatic access policies inferring.

9.

ACKNOWLEDGMENTS

The authors would like to thank Pierre Senellart for his help in devising the access control protocol, and his comments on earlier versions of the paper.

10. [1] [2] [3] [4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

REFERENCES http://en.wikipedia.org/wiki/twitter. http://toolbar.netcraft.com/stats/topsites. http://www.facebook.com/press/info.php?statistics. B. Carminati, E. Ferrari, and A. Perego. Rule-based access control for social networks. In On the Move to Meaningful Internet Systems 2006: OTM Workshops 2006, pages 1734–1744, 2006. G. Danezis. Inferring privacy policies for social networking services. In Proceedings of the 2nd ACM workshop on Security and artificial intelligence, AISec ’09, pages 5–10, New York, NY, USA, 2009. ACM. L. Fang and K. LeFevre. Privacy wizards for social networking sites. In Proceedings of the 19th international conference on World wide web, WWW ’10, pages 351–360, New York, NY, USA, 2010. ACM. M. Gjoka, M. Kurant, C. T. Butts, and A. Markopoulou. Walking in Facebook: A Case Study of Unbiased Sampling of OSNs. In Proceedings of IEEE INFOCOM ’10, San Diego, CA, March 2010. R. Guha, R. Kumar, P. Raghavan, and A. Tomkins. Propagation of trust and distrust. In WWW ’04: Proceedings of the 13th international conference on World Wide Web, pages 403–412, New York, NY, USA, 2004. ACM. S. Guha, K. Tang, and P. Francis. Noyb: privacy in online social networks. In Proceedings of the first workshop on Online social networks, WOSP ’08, pages 49–54, New York, NY, USA, 2008. ACM. H. Liu, E.-P. Lim, H. W. Lauw, M.-T. Le, A. Sun, J. Srivastava, and Y. A. Kim. Predicting trusts among users of online communities: an epinions case study. In EC ’08: Proceedings of the 9th ACM conference on Electronic commerce, pages 310–319, New York, NY, USA, 2008. ACM. M. Lucas and N. Borisov. flybynight: mitigating the privacy risks of social networking. In Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS ’09, pages 37:1–37:1, New York, NY, USA, 2009. ACM. A. C. Squicciarini, M. Shehab, and F. Paci. Collective privacy management in social networks. In WWW ’09: Proceedings of the 18th international conference on World wide web, pages 521–530, New York, NY, USA, 2009. ACM.