Modeling data flow in socio-information networks: a risk estimation approach

Information leakage via the networks formed by subjects (e.g., Facebook, Twitter) and objects (e.g., the blogosphere) - some of whom may be controlled by malicious insiders - often leads to unpredicted access control risks. While it may be impossible to precisely quantify the information flow between two entities (e.g., two friends in a social network), this paper presents a first attempt towards leveraging recent advances in modeling socio-information networks to develop a statistical risk estimation paradigm for quantifying such insider threats. In the context of socio-information networks, our models estimate the following likelihoods: prior flow - has a subject $s$ acquired covert access to an object $o$ via the networks? posterior flow - if $s$ is granted access to $o$, what is the impact on the information flow between a subject $s'$ and an object $o'$? network evolution - how will a newly created social relationship between $s$ and $s'$ influence the current risk estimates? Our goal is not to prescribe a one-size-fits-all solution; instead, we develop a set of composable network-centric risk estimation operators whose implementations can be configured for concrete socio-information networks. The efficacy of our solutions is empirically evaluated on real-life datasets collected from the IBM SmallBlue project and Twitter.
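As an added illustration (not the paper's own model or code), the three likelihoods above can be framed as composable operators over one small graph; the per-hop leak probabilities, the max-product path rule and the toy network are assumptions of this example.

```python
# Added illustration, not the paper's model. Network = directed graph whose
# edges carry an assumed per-hop leak probability: object -> subject edges are
# access grants, subject <-> subject edges are social ties. Flow likelihood =
# max over simple paths of the product of per-hop probabilities.
from typing import Dict, Tuple

Graph = Dict[str, Dict[str, float]]

def add_tie(g: Graph, a: str, b: str, p: float, directed: bool = False) -> Graph:
    """Copy of g with edge a->b (and b->a unless directed) at probability p."""
    g2 = {u: dict(vs) for u, vs in g.items()}
    g2.setdefault(a, {})[b] = p
    if not directed:
        g2.setdefault(b, {})[a] = p
    return g2

def flow_likelihood(g: Graph, src: str, dst: str) -> float:
    """Likelihood that information held at src reaches dst (most likely channel)."""
    best = 0.0
    def dfs(node: str, acc: float, seen: frozenset) -> None:
        nonlocal best
        if node == dst:
            best = max(best, acc)
            return
        for nxt, p in g.get(node, {}).items():
            if nxt not in seen:
                dfs(nxt, acc * p, seen | {nxt})
    dfs(src, 1.0, frozenset([src]))
    return best

def prior_flow(g: Graph, s: str, o: str) -> float:
    """Prior flow: has subject s acquired covert access to object o via the network?"""
    return flow_likelihood(g, o, s)

def posterior_flow(g: Graph, s: str, o: str, s2: str, o2: str) -> Tuple[float, float]:
    """Posterior flow: o2 -> s2 likelihood before/after s is granted access to o."""
    return flow_likelihood(g, o2, s2), flow_likelihood(add_tie(g, o, s, 1.0, True), o2, s2)

def network_evolution(g: Graph, s: str, s2: str, p: float, o: str, t: str) -> Tuple[float, float]:
    """Network evolution: o -> t likelihood before/after a new tie s <-> s2 of prob p."""
    return flow_likelihood(g, o, t), flow_likelihood(add_tie(g, s, s2, p), o, t)

# Constructed toy network: doc1 granted to alice, doc2 to carol; social chain
# alice - bob - carol - dave with assumed leak probabilities 0.5, 0.4, 0.3.
NETWORK: Graph = add_tie(add_tie(add_tie({}, "alice", "bob", 0.5), "bob", "carol", 0.4), "carol", "dave", 0.3)
NETWORK = add_tie(add_tie(NETWORK, "doc1", "alice", 1.0, True), "doc2", "carol", 1.0, True)
if __name__ == "__main__":
    print(prior_flow(NETWORK, "dave", "doc1"))  # 0.06: doc1 -> alice -> bob -> carol -> dave
    print(posterior_flow(NETWORK, "bob", "doc2", "alice", "doc2"))  # (0.2, 0.5)
    print(network_evolution(NETWORK, "alice", "dave", 0.6, "doc1", "dave"))  # (0.06, 0.6)
```

Granting bob access to doc2 raises the estimated doc2 -> alice flow from 0.2 to 0.5, and a new alice - dave tie raises doc1 -> dave from 0.06 to 0.6, which is the kind of shift the posterior-flow and network-evolution operators are meant to surface.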
