Privacy-aware Access Control Model Research Articles

Towards a Fine-Grained Access Control Mechanism for Privacy Protection and Policy Conflict Resolution

Access control is a security technique that specifies access rights to resources in a computing environment. As information systems nowadays become more complex, it plays an important role in authenticating and authorizing users and preventing an attacker from targeting sensitive information. However, no proper consideration has been fully investigated so far in privacy protection. While many studies have acknowledged this issue, recent studies have not provided a fine-grained access control system for data privacy protection. As the data set becomes larger, we have to confront more privacy challenges. For example, the access control mechanism must be able to guarantee fine-grained access control, privacy protection, conflicts and redundancies between rules of the same policy or between different policies. In this paper, we propose a comprehensive framework for enforcing attribute-based security policies stored in the JSON document together with the feature of data privacy protection and incorporates a policy structure based on the prioritization of functions to resolve conflicts at a fine-grained level called “Privacy aware access control model for policy conflict resolution”. We also use Polish notation for modeling condi-tional expressions which are the combination of subject, action, resource, and environment attributes so that privacy policies are flexible, dynamic and fine-grained. Experiments are carried out to two aspects (i) illustrate the relationship between the processing time for access decision and the complexity of policies;(ii) illustrate the relationship between the processing time for the traditional approach (single policy, multi-policy without priority) and our approach (multi-policy with priority). Experimental results show that the evaluation performance satisfies the privacy requirements defined by the user.

Privacy-aware electronic society

Our electronic society is making fast progress for offering users greater comfort in their daily activities. Users can benefit from fast access to services; better reactivity of their physical, computing, and networking environments to their own needs and habits; and preselection of information flows and relationships in which they are interested. Our digital society is eager to collect and analyze information for serving users as best as possible. Profiling users is a usual marketing activity, but new lucrative applications exploiting the huge amount of available information are emerging. The trend of Big Data has been accompanied by concerns regarding the aggregation, dissemination, and re-identification of personal identifiable information. This special issue contributes to address these privacy issues, proposing privacy-enhancing technologies and solutions suited to the today’s electronic society. The majority of the selected papers in this issue propose techniques and/or models for supporting privacy preferences and privacy-aware access control. The special issue also includes a contribution illustrating how the web browsing history can uniquely identify users for profiling purpose. Finally, there is a usercentered study discussing how much privacy people are willing to lose in order to gain some utilities. Collectively, these papers consider diverse contexts, ranging from social networks and web browsing to medical/social environments and Internet of Things (IoT). Said Oulmakhzoune, Nora Cuppens-Boulahia, Frederic Cuppens, Stephane Morucci, Mahmoud Barhamgi, and Djamal Benslimane propose a lightweight vocabulary for the fine-grained definition of privacy preferences in the paper titled “Privacy Query Rewriting Algorithm Instrumented by a Privacy-Aware Access Control Model.” Data owners express their privacy requirements through the PrivOrBAC privacy-aware model, in terms of restrictions on consent, accuracy, purpose, and recipients. SPARQL queries submitted by users are then rewritten in such a way that the query results comply with data owners’ privacy preferences. This rewriting process exploits PrivOrBAC privacy-aware model by decomposing SPARQL queries into a set of PrivOrBAC web services representing privacy preferences that must be satisfied. An interesting use case is also illustrated, showing the applicability of the approach in a healthcare scenario. The paper “PriMa: A Comprehensive Approach to Privacy Protection in Social Network Sites” by Anna Squicciarini, Federica Paci, and Smitha Sundareswaran, proposes a privacy protection mechanism for social network (SN) users named “Privacy Manager” (PriMa). PriMa helps users, through dynamically generated access rules, to preserve the privacy of their traits, that is, their pieces of information exposed to other SN users. The rules are generated based on three criteria as follows: (1) the level of accessibility of the user’s traits, (2) the profile of the owner’s privacy preference for the specific trait or for the trait’s category, and (3) the risks of unwanted or uncontrolled leakage of traits resulting from connected users who are eligible to access the profile owner’s traits. PriMa is implemented and the performance evaluation demonstrates that access rule generation takes reasonable time less than 0.7 ms for 150 traits and 260 users. The paper “Improving the User Content Privacy on Social Networks Using Rights Management Systems,” by Joaquim Marques and Carlos Serrao, aims at protecting users’ privacy in SNs. To overcome privacy issues arising when users share M. Laurent (*) Telecom SudParis, Evry, France e-mail: maryline.laurent@telecom-sudparis.eu

Privacy query rewriting algorithm instrumented by a privacy-aware access control model

In this paper we present an approach to instrument a SPARQL query rewriting algorithm enforcing privacy preferences. The term instrument is used to mean supplying appropriate constraints. We show how to design a real and effective instrumentation process of a rewriting algorithm using an existing privacy aware access control model like PrivOrBAC. We take into account various dimensions of privacy preferences through the concepts of consent, accuracy, purpose and recipient. We implement and evaluate our process of privacy enforcement based on a healthcare scenario.

A privacy-aware access control model for distributed network monitoring

In this paper, we introduce a new access control model that aims at addressing the privacy implications surrounding network monitoring. In fact, despite its importance, network monitoring is natively leakage-prone and, moreover, this is exacerbated due to the complexity of the highly dynamic monitoring procedures and infrastructures, that may include multiple traffic observation points, distributed mitigation mechanisms and even inter-operator cooperation. Conceived on the basis of data protection legislation, the proposed approach is grounded on a rich in expressiveness information model, that captures all the underlying monitoring concepts along with their associations. The model enables the specification of contextual authorisation policies and expressive separation and binding of duty constraints. Finally, two key innovations of our work consist in the ability to define access control rules at any level of abstraction and in enabling a verification procedure, which results in inherently privacy-aware workflows, thus fostering the realisation of the Privacy by Design vision.

Privacy-aware access control with trust management in web service

With the significant development of mobile commerce, privacy becomes a major concern for both customers and enterprises. Although data generalization can provide significant protection of an individual's privacy, over-generalized data may render data of little value or useless. In this paper, we devise generalization boundary techniques to maximize data usability while, minimizing disclosure of privacy. Inspired by the fact that the permissible generalization level results in a much finer level access control, we propose a privacy-aware access control model in web service environments. We also analyze how to manage a valid access process through a trust-based decision and ongoing access control policies. The extensive experiments on both real-world and synthetic data sets show that the proposed privacy aware access control model is practical and effective.