A framework to enforce access control over data streams

Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.

[1]  Walid G. Aref,et al.  Scheduling for shared window joins over data streams , 2003, VLDB.

[2]  Douglas B. Terry,et al.  Continuous queries over append-only databases , 1992, SIGMOD '92.

[3]  Theodore Johnson,et al.  Gigascope: a stream database for network applications , 2003, SIGMOD '03.

[4]  Mark Sullivan,et al.  Tribeca: A Stream Database Manager for Network Traffic Analysis , 1996, VLDB.

[5]  Sushil Jajodia,et al.  The inference problem: a survey , 2002, SKDD.

[6]  Yin Yang,et al.  CADS: Continuous Authentication on Data Streams , 2007, VLDB.

[7]  Shonali Krishnaswamy,et al.  Mining data streams: a review , 2005, SGMD.

[8]  Jennifer Widom,et al.  STREAM: the stanford stream data manager (demonstration description) , 2003, SIGMOD '03.

[9]  Calton Pu,et al.  Continual Queries for Internet Scale Event-Driven Information Delivery , 1999, IEEE Trans. Knowl. Data Eng..

[10]  Qiang Chen,et al.  Aurora : a new model and architecture for data stream management ) , 2006 .

[11]  Michael Stonebraker,et al.  Aurora: a new model and architecture for data stream management , 2003, The VLDB Journal.

[12]  Cristina Nita-Rotaru,et al.  FT-RC4: A Robust Security Mechanism for Data Stream Systems , 2005 .

[13]  David J. DeWitt,et al.  NiagaraCQ: a scalable continuous query system for Internet databases , 2000, SIGMOD '00.

[14]  TanKian Lee,et al.  A framework to enforce access control over data streams , 2010 .

[15]  S. Muthukrishnan,et al.  Surfing Wavelets on Streams: One-Pass Summaries for Approximate Aggregate Queries , 2001, VLDB.

[16]  Kian-Lee Tan,et al.  ACStream: Enforcing Access Control over Data Streams , 2009, 2009 IEEE 25th International Conference on Data Engineering.

[17]  Ravi Sandhu,et al.  ACM Transactions on Information and System Security: Editorial , 2005 .

[18]  Jennifer Widom,et al.  STREAM: The Stanford Stream Data Manager , 2003, IEEE Data Eng. Bull..

[19]  Joachim Biskup,et al.  Enforcing Confidentiality in Relational Databases by Reducing Inference Control to Access Control , 2007, ISC.

[20]  Thomas Brinkhoff,et al.  A Framework for Generating Network-Based Moving Objects , 2002, GeoInformatica.

[21]  Jennifer Widom,et al.  Models and issues in data stream systems , 2002, PODS.

[22]  Elisa Bertino,et al.  A Security Punctuation Framework for Enforcing Access Control on Streaming Data , 2008, 2008 IEEE 24th International Conference on Data Engineering.

[23]  S. Sudarshan,et al.  Extending query rewriting techniques for fine-grained access control , 2004, SIGMOD '04.

[24]  Elke A. Rundensteiner,et al.  Dynamic plan migration for continuous queries over data streams , 2004, SIGMOD '04.

[25]  Frederick Reiss,et al.  TelegraphCQ: Continuous Dataflow Processing for an Uncertain World , 2003, CIDR.

[26]  Philip S. Yu,et al.  A Framework for Clustering Evolving Data Streams , 2003, VLDB.

[27]  Rajeev Motwani,et al.  Operator scheduling in data stream systems , 2004, VLDB 2004.

[28]  Kian-Lee Tan,et al.  Enforcing access control over data streams , 2007, SACMAT '07.

[29]  Philip S. Yu,et al.  On demand classification of data streams , 2004, KDD.

[30]  Kian-Lee Tan,et al.  Specifying Access Control Policies on Data Streams , 2007, DASFAA.

[31]  Hamid Pirahesh,et al.  Alert: An Architecture for Transforming a Passive DBMS into an Active DBMS , 1991, VLDB.

[32]  Carlo Zaniolo,et al.  Query Languages and Data Models for Database Sequences and Data Streams , 2004, VLDB.

[33]  Carlo Zaniolo,et al.  Minimizing latency and memory in DSMS: a unified approach to quasi-optimal scheduling , 2008, SSPS '08.

[34]  Jörg Meier,et al.  Securing the Borealis Data Stream Engine , 2006, 2006 10th International Database Engineering and Applications Symposium (IDEAS'06).

[35]  S. Muthukrishnan,et al.  Data streams: algorithms and applications , 2005, SODA '03.

[36]  Lukasz Golab,et al.  Issues in data stream management , 2003, SGMD.

[37]  David J. DeWitt,et al.  NiagaraCQ: a scalable continuous query system for Internet databases , 2000, SIGMOD 2000.

[38]  Ying Xing,et al.  The Design of the Borealis Stream Processing Engine , 2005, CIDR.