Access Control Models for Online Social Networks

Access control is one of the crucial aspects of information systems security. Authorizing access to resources is a fundamental process for limiting potential privacy violations and protecting users. The nature of personal data in online social networks (OSNs) requires a high level of security and privacy protection. Recently, OSN-specific access control models (ACMs) have been proposed to address the particular structure, functionality and underlying privacy issues of OSNs. This survey chapter introduces the essential aspects of access control and reviews the fundamental classical ACMs. It then highlights the specific features of OSNs and reviews the main categories of OSN-specific ACMs. Within each category, the most prominent ACMs and the underlying mechanisms by which they enhance the privacy of OSNs are surveyed. Toward the end, more advanced issues of access control in OSNs are discussed. Throughout the discussion, the different models are contrasted and open problems are highlighted. Based on these problems, the chapter concludes by proposing requirements for future ACMs.
