Enforcing access control in Web-based social networks

Published: 06 November 2009

Abstract

In this article, we propose an access control mechanism for Web-based social networks, which adopts a rule-based approach for specifying access policies on the resources owned by network participants, and where authorized users are denoted in terms of the type, depth, and trust level of the relationships existing between nodes in the network. Unlike traditional access control systems, our mechanism makes use of a semidecentralized architecture, where access control enforcement is carried out client-side. Access to a resource is granted when the requestor is able to demonstrate, by providing a proof, that it is authorized to access it. In the article, besides illustrating the main notions on which our access control model relies, we present all the protocols underlying our system and a performance study of the implemented prototype.

Supplementary Material

Carminati Appendix (a6-carminati-apndx.pdf)
Online appendix to enforcing access control in Web-based social networks. The appendix supports the information on article 6.


Published In

ACM Transactions on Information and System Security, Volume 13, Issue 1
October 2009
289 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1609956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 November 2009
Accepted: 01 August 2008
Revised: 01 April 2008
Received: 01 March 2007
Published in TISSEC Volume 13, Issue 1

Author Tags

  1. Access control
  2. Semantic Web
  3. social networks

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (Last 12 months)28
  • Downloads (Last 6 weeks)3
Reflects downloads up to 16 Nov 2024

Cited By

  • (2023) Data Sharing in Social Networks. Proceedings of the 28th ACM Symposium on Access Control Models and Technologies, 181-192. DOI: 10.1145/3589608.3593833. Online publication date: 24 May 2023.
  • (2023) A privacy-dependent condition-based privacy-preserving information sharing scheme in online social networks. Computer Communications 200:C, 149-160. DOI: 10.1016/j.comcom.2023.01.010. Online publication date: 15 Feb 2023.
  • (2022) Toward Architectural and Protocol-Level Foundation for End-to-End Trustworthiness in Cloud/Fog Computing. IEEE Transactions on Big Data 8:1, 35-47. DOI: 10.1109/TBDATA.2017.2705418. Online publication date: 1 Feb 2022.
  • (2022) Attributes Aware Relationship-based Access Control for Smart IoT Systems. 2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC), 72-81. DOI: 10.1109/CIC56439.2022.00021. Online publication date: Dec 2022.
  • (2022) A Privacy-Preserving Mechanism Based on Privacy Situation Awareness for Information Sharing in OSNs. 2022 3rd International Conference on Electronics, Communications and Information Technology (CECIT), 285-290. DOI: 10.1109/CECIT58139.2022.00057. Online publication date: Dec 2022.
  • (2022) ReLOG: A Unified Framework for Relationship-Based Access Control over Graph Databases. Data and Applications Security and Privacy XXXVI, 303-315. DOI: 10.1007/978-3-031-10684-2_17. Online publication date: 13 Jul 2022.
  • (2021) A Survey on Privacy Approaches for Social Networks. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), 1514-1521. DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00204. Online publication date: Sep 2021.
  • (2020) A Survey on Access Control Techniques for Social Networks. Information Diffusion Management and Knowledge Sharing, 319-342. DOI: 10.4018/978-1-7998-0417-8.ch016. Online publication date: 2020.
  • (2020) Trapping Malicious Crawlers in Social Networks. Proceedings of the 29th ACM International Conference on Information & Knowledge Management, 775-784. DOI: 10.1145/3340531.3412004. Online publication date: 19 Oct 2020.
  • (2020) Disclose More and Risk Less: Privacy Preserving Online Social Network Data Sharing. IEEE Transactions on Dependable and Secure Computing 17:6, 1173-1187. DOI: 10.1109/TDSC.2018.2861403. Online publication date: 1 Nov 2020.
