[ieee 2011 ieee 8th international conference on e-business engineering (icebe) - beijing, china...



Page 1: [IEEE 2011 IEEE 8th International Conference on e-Business Engineering (ICEBE) - Beijing, China (2011.10.19-2011.10.21)] 2011 IEEE 8th International Conference on e-Business Engineering

Information Sharing over Collaborative Social Networks using XACML

Cheng Man Ma
Faculty of Science and Technology, University of Macau
Av. Padre Tomás Pereira, Taipa, Macau, China

Yan Zhuang
Faculty of Science and Technology, University of Macau
Av. Padre Tomás Pereira, Taipa, Macau, China

Simon Fong
Faculty of Science and Technology, University of Macau
Av. Padre Tomás Pereira, Taipa, Macau, China

Abstract—Social networks have gained unprecedented popularity recently, and more social networks have emerged for specific purposes. People create information in social networks. The process of information creation involves many human interactions such as tagging, selecting and grouping. Data created through human interaction carries abundant semantics: multiple attributes are added to the data upon creation, and some of these attributes are related to the resource access control policy. A social network may not want its information to be totally open; therefore, each social network has to have its own resource access policy. This paper proposes an architecture for users to share information across social networks in a secure, effective and efficient way. The proposed architecture also lets each social network decide which kinds of information are to be shared. It provides an attribute-based information sharing mechanism for collaborative social networks to share their information.

Keywords—Informative Social Network, Passive Information Sharing, Active Information Sharing, Information Sharing Propagation, Attribute-Based Access Control (ABAC), Extensible Access Control Markup Language (XACML).

I. INTRODUCTION

A social network is like a united nation; the members of a social network come from all over the world. They share personal information such as status, photos, events and activities. A person can join multiple social networks such as Facebook, LinkedIn and MySpace. Of the 10 billion accounts that have been signed up in social networks, more than 4.5 billion were considered active as of 2011 [1]. Facebook now contains 500 million members [2]. If we count a social network as a country and its members as its population, the population of Facebook makes it the third largest country in the world. MySpace has 63 million members [3]. People spend plenty of time daily on social network activities; hence a large amount of information is created by people and the information base is growing.

Information in social networks is abundant, but the networks lack connectivity. Different social networks have different goals and interests; thus, their information focuses on different areas. For example, YouTube shares video data, while LinkedIn focuses on working experience and recommendations. Some social networks are famous in some cultures, and some are popular in other domains. Different social networks contain different kinds of information. Members of a social network may be interested in various areas of information outside their own social networks. If a company wants to hire an employee, it would like to know the employee’s personal information, working experience, working attitude and character. However, this information may be distributed across different social networks. If these pieces of information are connected, it could be easy to collate a full profile of such a person. Collaboration between social networks helps greatly in this kind of situation.

On the other hand, any type of information sharing must have the owner’s agreement. One problem is how to obtain the owner’s agreement. Even when we have the owner’s agreement on information sharing, another problem remains, i.e. how to share the resources.

It might be technically possible to move resources from one social network to another. However, moving resources causes a lot of Internet traffic for transferring the data. Another problem with moving resources is privacy: moving data out of the original social network may violate security policy because, once outside the social network, the resources are no longer under its control.

People inside a social network quite often want to share data such as photos with friends who reside in another social network. How can that information be shared with another social network? Microsoft lets MSN Messenger users enter their Facebook account name and password, which exposes the username and password of one social network to another social network. With the username and password, Microsoft may access users’ Facebook accounts without the users’ permission. Directly accessing the requested information may seem to be an easy mechanism, just as in a peer-to-peer network, but interoperability problems caused by non-standardized protocols, as well as security issues, still persist. There are no standards or methods for cross social network information sharing that can guarantee information sharing in a secure and effective way.

Information sharing over social networks involves security, performance and interoperability problems. Therefore, to address the problems mentioned above, a secure information sharing architecture is needed. How information is distributed and shared in a social network depends highly on the social network itself. We cannot unify the topology and nature of social networks. However, we can attempt to provide a standard information sharing scheme across collaborative social networks.

2011 Eighth IEEE International Conference on e-Business Engineering. 978-0-7695-4518-9/11 $26.00 © 2011 IEEE. DOI 10.1109/ICEBE.2011.51

II. EXISTING METHODS

We investigated many methods for cross social network information sharing and observed that there is no standard method for bridging information across different social networks. For comparison with relevant work, we look here at two existing information sharing methods, both of which are group-based.

Ram K. et al. suggested using stale information in a group-based information sharing system (g-SIS) [4]. g-SIS aims to share sensitive information among a group in a distributed environment. It collects subject and object attributes when an authorization decision has to be made. g-SIS contains three components:

1. Group Administrator (GA): The GA manages group membership and policy; it handles adding and removing subjects and objects in a group.

2. Control Center (CC): The CC is an authorization server. It maintains the attributes of authorized subjects and objects and provides credentials to newcomers in the group.

3. Access Machine: The access machine is used to access group resources.

A subject that wants to access an object has to do so through an access machine. Any change to a subject or object is updated by the GA. The GA updates the CC and propagates new object content to the subjects’ access machines. g-SIS allows a subject to access a resource and, after authentication, to replicate the resource from the server to the access machine. If a subject is authorized, its access machine can replicate the object and store it locally. Once an object is replicated, the subject can access it without authentication; g-SIS calls this kind of access an offline access. An access threshold records how many times a subject accesses an object. The threshold is used to prevent a subject that has left the group from still having access to the offline replicated object: the access machine forces the subject to connect to the server after the access threshold is met. g-SIS also records the timestamps of creation and deletion of subjects and objects. If a subject’s creation timestamp is later than an object’s removal timestamp, the subject cannot access the removed object. g-SIS requires each subject to use an access machine to access objects, which may not be very feasible if a new member wants to join the group. g-SIS only works for a single group at a time. Although it forces the subject to connect to the server after several accesses, there may be a problem if a full copy of the resource is made offline. If the access machine is placed on the local side, the end client may be able to alter the access machine and modify the timestamp data.

Asmidar et al. suggested the Group Based Access Control Scheme (GBAC) [5] for group-based information sharing. GBAC uses public key infrastructure (PKI) techniques. Each group has its own central authority (CA) and Master Group (MG). Each object is digitally signed by its owner. This is a good method to guarantee information integrity and ownership. If a group joins this model, it has to assign a key to each subject, and the subject uses the key to sign its own objects. If applied to social networks, key management will be a challenge. The scheme is also not easy to adopt in a social network, since signing data requires a lot of data reprocessing.

Since social network users mainly use an Internet browser to access the social network, it is hard to change the way a user interacts with the social network. In addition, a social network may hold a huge amount of data, so it is very difficult to reprocess the data stored inside the network. The aforementioned methods could not be applied to an existing social network easily. To the best of our knowledge, there has been no standard for information sharing across different social networks. We therefore propose in this paper such a standard, one that facilitates sharing information efficiently and systematically across different types of social networks.

III. UNDERLYING TECHNIQUES OF THE PROPOSED ARCHITECTURE

Information in social networks has different attributes and formats (e.g. data type, access list, data owner, creation time). Each of these attributes involves the user’s permission on data sharing. Hence the attributes characterize the access control decision for an object. A social network has its own policy that lets users decide which attributes they want to share and to what extent (e.g. a social network only allows users to share photos with other social networks, which means an object is sharable only when its data type is “photo”). Our proposed architecture makes use of the attributes in a social network to regulate the sharing scheme.

Our proposed architecture extends Attribute-Based Access Control and the Extensible Access Control Markup Language. In this section, we introduce the background and the underlying techniques before giving the details of the proposed architecture.

A. Attribute-Based Access Control (ABAC)

In Attribute-Based Access Control (ABAC), subjects and objects have their own attributes. When a subject in ABAC wants to access an object, the attributes of both subject and object are compared. If the attributes of the subject match the access attribute of the object, the access right to the object is granted to the subject. E.g., student information may only be accessed by instructors of the University of Macau. The access attribute of the object is “An instructor employed by the University of Macau”, and the subject's attributes have to fulfill this restriction. If the subject's attributes meet “An instructor currently employed by University of Macau”, access will be granted. An attribute can be static or dynamic. A static attribute has a fixed value. E.g., a community only allows women to join; the static attribute gender can only be either “Men” or “Women”. A dynamic attribute does not have a fixed value. Instead, it describes a range of qualifying values. E.g., if a job requires more than 3 years’ experience, the dynamic attribute is “experience years”, and it can be any number greater than 3 years.


Figure 1. XACML Architecture.

B. Extensible Access Control Markup Language (XACML)

Extensible Access Control Markup Language (XACML) [6] is an implementation of the ABAC concept. XACML is a standard maintained by Advancing Open Standards for the Information Society (OASIS). The latest version 3.0 RFC was announced on 10 August 2010. XACML has several components.

Policy: A policy is used to describe an object's access constraints. A policy is divided into five parts: a target, an effect, a condition, obligation expressions and advice expressions.

Policy Enforcement Point (PEP): A PEP receives a request and forces it to pass policy checking.

Policy Information Point (PIP): A PIP acts as the source of the objects’ attribute-value pairs.

Policy Decision Point (PDP): A PDP makes a decision based on the access request, the attributes and the policy.

Policy Administration Point (PAP): A PAP has the management role in this model; the PAP assigns policy to the PDP.

Context Handler: A context handler connects the components and transforms message formats in XACML.

A policy is used to describe object's access constraint. A policy is divided into five parts: a target, an effect, a condition, obligation expressions and advice expressions.

Figure 1 [6] shows the XACML architecture and each of its steps.

1. The PAP creates a policy and sends it to the PDP.

2. The PEP receives an access request.

3. The PEP sends the request to the context handler.

4. The context handler sends a request notification to the PDP.

5. Once the PDP receives a request notification, it sends an attribute query to the context handler.

6. Once the context handler receives the attribute query, it forwards the query to the PIP.

7. The PIP asks for the subject's attributes, the resource's attributes and the environment attributes.

8. All attributes gathered in step 7 are sent to the context handler.

9. The context handler also obtains the resource context from the resource.

10. The context handler sends the attributes to the PDP.

11. The PDP makes a decision based on the attributes, the policy and the request. When a decision is made, a response is sent back to the context handler.

12. The context handler forwards the response to the PEP.

13. Finally, an access decision is made.

XACML uses attributes to make access decisions; it is deemed fit for attribute-based access control of data in social networks. The schema could make use of data attributes in a social network to make an access decision. However, we could not adopt this schema directly, because a social network usually does not want its information to be disclosed fully to another social network.

We assume that a social network shares certain information with other social networks only when the two social networks have some kind of relationship. Social networks that have relationships with other social networks are, in a general sense, analogous to users who have relationships with other users within a social network.

A social network accesses the information of another social network, and the two share information directly, if and only if the two social networks have a relationship. When they do, our proposed architecture forwards the access request from the local social network to the location of the resource.


Figure 2. An illustration of social networks connected by relationship for information sharing.

C. Terminology

A collaborative social network is built up from social networks. Social networks can build relationships with other social networks and together form a collaborative social network. Once a relationship between two social networks has been built, a collaborative social network has been formed. The two original social networks become the member social networks of the collaborative social network; see Figure 2.

There are many kinds of social networks. Some of them only allow users to share unitary information; e.g., Twitter lets a user share his status. Social networks like Twitter, which only allow users to share a sentence or a photo per post, are called microblogs. Others allow users to share large amounts of varied information and usually have complex access control policies, e.g. Facebook, LinkedIn and MySpace. Social networks such as these have a common feature: their information is rich, and their resources are usually associated with complex access control policies created by the social network’s users. For example, any friend of a friend of a user can see his personal information. In this example, the policy is “friend of a friend” and the resource is the personal information. This paper classifies this kind of social network as an informative social network and focuses on it. Informative social networks are those that contain a lot of user-generated information and whose information creation must involve human interaction. In the proposed architecture, when information is created in an informative social network, the user must also create the information sharing policy together with the resource.

Cross social network information sharing happens between members of collaborative social networks. Information sharing could be direct or indirect. Direct information sharing happens when members in social networks explicitly state with whom they would share their information.

This paper classifies information sharing as either active or passive, which correspond to direct or indirect sharing respectively.

Active information sharing: The decision to share information is made directly by the data owner. The user knows who can access the shared information. Active information sharing enables sharing directly from one user to another. E.g., a photo album only allows access by a limited set of friends.

Passive information sharing: The decision to share information is not made explicitly by the data owner. The data owner sets up several policies to allow data access. An access request gains access to sharable information because the requested information satisfies the policies.

Passive information sharing is an indirect way to share personal information. For example, a photo album allows access by friends of friends.

Information Sharing Propagation: Information may be shared between social networks A and B that are connected by a relationship. This information may in turn propagate to other social networks that have relationships with A or B. For example, in Figure 3, social network C may receive information from A because it has a relationship with B, even though it has no relationship with A. Information sharing propagation is a kind of passive information sharing, and should be controlled by defining how many hops the propagation takes. If the number of hops is infinite, the shared information will reach every connected network, like flooding. Usually one hop is considered reasonable, as in the case of the policy "friends-of-friend". Users’ agreement must be sought in advance for information sharing propagation to take effect. If access requires more than one hop, the resource owner needs to agree on the information sharing propagation.
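The hop limit described above can be enforced as a bounded breadth-first search over the relationship graph. This is an added example, not code from the paper; the sample graph, the `agreed_hops` parameter and the convention that a directly related network counts as zero propagation hops are assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph: relationships A-B, B-C, C-D; network E has none.
RELATIONSHIPS = [("A", "B"), ("B", "C"), ("C", "D")]


def neighbours(network, relationships):
    """Networks that hold a direct relationship with `network`."""
    found = set()
    for left, right in relationships:
        if left == network:
            found.add(right)
        elif right == network:
            found.add(left)
    return found


def propagation_routes(origin, relationships, agreed_hops):
    """Map every network that may receive a resource hosted in `origin`
    to the route the shared information takes to get there.

    agreed_hops is the resource owner's setting (hypothetical parameter):
      0    -> direct sharing only, no propagation
      n    -> propagation through at most n intermediate networks
      None -> no limit, i.e. the flooding case
    """
    if agreed_hops is not None and agreed_hops < 0:
        raise ValueError("agreed_hops must be >= 0 or None")
    routes = {}
    queue = deque([[origin]])
    while queue:
        route = queue.popleft()
        # Intermediate networks needed to reach a neighbour of route[-1].
        relays = len(route) - 1
        if agreed_hops is not None and relays > agreed_hops:
            continue
        for nxt in sorted(neighbours(route[-1], relationships)):
            if nxt != origin and nxt not in routes:
                routes[nxt] = route + [nxt]
                queue.append(routes[nxt])
    return routes


def may_receive(origin, requester, relationships, agreed_hops):
    """True when `requester` lies within the owner's agreed hop limit."""
    return requester in propagation_routes(origin, relationships, agreed_hops)


if __name__ == "__main__":
    for limit in (0, 1, None):
        print(limit, propagation_routes("A", RELATIONSHIPS, limit))
```

Recording the route, not just the hop count, gives the resource owner an audit trail of which member networks relayed the information.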

IV. PROPOSED SYSTEM ARCHITECTURE

Our proposed architecture is based on XACML. It makes use of object attributes to make access decisions. It is mainly applicable to informative social networks. In our proposed architecture, every member social network contains the components listed below:

Request Monitor: A monitor that checks and verifies access requests.

Attributes Mapper: A component that associates attributes of one social network with those of another social network.

Policy Administration Point (PAP): A policy administration point creates policies and sends the access policy to the Information Sharing Decision Point.

Remote Request Enforcement Point (RREP): A remote request enforcement point forces remote requests to pass policy checking.

Context Handler: The context handler handles remote request dispatching and transforms message formats between components.

Social Network Attributes Store (SNAS): The social network attributes store acts as the source of attribute values in a social network. The attributes of resources and subjects are stored in the SNAS.

Information Sharing Decision Point (ISDP): The information sharing decision point makes the decision on an access request based on attributes and policy.


Figure 3. Information sharing propagation by one hop.

Attributes Value Pair: There are three types of attributes:

1. Resource Attributes: The attributes of resources. For example, a photo’s creation date could be a resource attribute.

2. Subject Attributes: The attributes of the subject that raises the access request. For example, a user’s age could be a subject attribute.

3. Environment Attributes: Social network specific attributes. For example, allowing only photos to be shared with other social networks.

A Policy: It defines the access condition of an object. It is a combination of rules. A policy contains:

1. A target: A shared object in a social network.

2. An effect: “Permit” or “deny” of an access request.

3. A condition: A statement to be evaluated for an access request, which returns “True”, “False” or “Indeterminate”.

4. Obligation expressions: Operations that the PEP should perform.

5. Advice expressions: Additional information provided to the RREP.

When a user creates an object, he also assigns policies to the object by tagging, entering information such as a resource description, granting access rights to other users, etc. The assigned policies are seen as the object's attributes. Object creation and alteration can only occur in the local social network. For simplicity of explanation, we only consider read/access requests.

Different social networks have different attributes. Attribute mapping associates the same or similar attributes between two social networks. Any member social network that wants to share its information must have all the associated attributes mapped to the target social network. The attribute mapper supports attribute mapping in the background while information sharing is in progress.

In the proposed architecture, a local social network is the network that initiates an access request and a remote social network is the social network that responds to the access request. A social network can be either a local social network, which raises access requests, or a remote social network, which answers requests.

Requests come either from the local social network or from other social networks. In the proposed architecture, a local request is handled locally in a social network by the original mechanism. Each social network handles its access request verification with its original authentication mechanism. A request can only be raised by an authorized object that is authenticated by the social network.

For a cross social network access request, Figure 4 shows the steps.

1. The PAP defines policies; a policy is a combination of rules, obligations and/or advice expressions.

2. Authentication of the access request takes place at the local social network. If the request is valid, it is passed to the RREP of the local social network.

3. The RREP enforces policy checking on remote requests. When the RREP receives a remote request, it forwards the request to the context handler.

4. The context handler of the local social network forwards the remote request to the remote social network.

5. Upon arrival, the RREP of the remote social network receives the remote request and forces it to pass through the context handler for policy checking.

6. In the remote social network, when the context handler receives a remote request from another social network, it sends a notification to the ISDP.

7. The ISDP receives the notification and queries the context handler to gather the attributes of the requester (the subject) and of the requested objects in both the local and remote social networks.

8. The context handler of the remote social network receives the attribute query and asks both the local social network and the remote social network to respond to it.

9. The subject is the requester. The local social network sends the subject attributes and its environment attributes to the SNAS. The remote social network sends the resource attributes and its environment attributes to the SNAS.

10. Both SNAS reply with the attributes to the context handler in the remote social network, which thus receives replies from the SNAS of both the local and remote social networks.

11. The context handler retrieves the object content in the remote social network.

12. After the context handler has gathered the attributes and the object content, it sends them to the remote ISDP.

13. In the remote social network, the ISDP receives the attributes from the context handler and makes an access decision, which is passed back to the context handler.

14. The context handler inside the remote social network sends the response to the context handler in the local social network. If the response is a permit, the resource content is also sent to the local social network.

15. In the local social network, the context handler forwards the remote response to the RREP. Finally, access is either permitted or denied according to the decision.
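The fifteen steps above, together with the attribute matching of Section III.A and the decision step of Section III.B, can be traced in a small simulation. This is an added example, not code from the paper: the class and function names, the sample networks and attributes, the `NotApplicable` result for a condition that evaluates to false, and the deny-unless-permit enforcement are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


@dataclass
class Policy:
    """Created by the PAP (step 1) and attached to one shared object."""
    target: str                        # id of the shared object
    effect: str                        # PERMIT or DENY, applied when the condition holds
    condition: Callable[[dict], bool]  # evaluated over the gathered attributes
    obligations: tuple = ()
    advice: tuple = ()


@dataclass
class SocialNetwork:
    name: str
    relationships: set                 # peers with an information sharing commitment
    environment: dict                  # environment attributes
    subjects: dict = field(default_factory=dict)        # SNAS: subject attributes
    resources: dict = field(default_factory=dict)       # SNAS: resource attributes
    contents: dict = field(default_factory=dict)        # object content
    policies: dict = field(default_factory=dict)        # target -> Policy
    attribute_maps: dict = field(default_factory=dict)  # peer -> {peer name: own name}


def map_attributes(remote, local_name, attrs):
    """Attributes Mapper: rename a peer's attributes; unmapped ones are dropped."""
    mapping = remote.attribute_maps.get(local_name, {})
    return {mapping[key]: value for key, value in attrs.items() if key in mapping}


def isdp_decide(policy, attrs):
    """ISDP (step 13): evaluate the policy condition over the gathered attributes."""
    if policy is None:
        return NOT_APPLICABLE
    try:
        holds = policy.condition(attrs)
    except KeyError:                   # a required attribute was never supplied
        return INDETERMINATE
    return policy.effect if holds else NOT_APPLICABLE


def remote_read(local, remote, subject_id, resource_id, authenticated):
    """Return (access, isdp_result, content) for one cross-network read request."""
    # Step 2: the local network authenticates its own user.
    if not authenticated or subject_id not in local.subjects:
        return DENY, None, None
    # Steps 3-5: requests are forwarded only between networks with a relationship.
    if local.name not in remote.relationships or remote.name not in local.relationships:
        return DENY, None, None
    # Steps 7-10: both attribute stores answer the remote context handler's query.
    attrs = {
        "subject": map_attributes(remote, local.name, local.subjects[subject_id]),
        "resource": remote.resources.get(resource_id, {}),
        "environment": {"local": local.environment, "remote": remote.environment},
    }
    # Steps 11-13: fetch the content, then let the ISDP decide.
    content = remote.contents.get(resource_id)
    result = isdp_decide(remote.policies.get(resource_id), attrs)
    # Steps 14-15: content crosses the boundary only with a Permit; the RREP
    # treats every other result as a denial (assumed deny-unless-permit).
    if result == PERMIT:
        return PERMIT, result, content
    return DENY, result, None


def build_example():
    """Constructed data: network A hosts an album, B and C host requesters."""
    def album_condition(a):
        return (a["resource"]["data_type"] in a["environment"]["remote"]["shareable_types"]
                and a["subject"]["subject_id"] in a["resource"]["access_list"]
                and a["subject"]["age"] >= 18)

    net_a = SocialNetwork(
        name="A", relationships={"B"}, environment={"shareable_types": {"photo"}},
        resources={"album-1": {"data_type": "photo", "access_list": {"bob@B", "dave@B"}}},
        contents={"album-1": "<album bytes>"},
        policies={"album-1": Policy("album-1", PERMIT, album_condition)},
        attribute_maps={"B": {"member_id": "subject_id", "years_old": "age"}},
    )
    net_b = SocialNetwork(
        name="B", relationships={"A"}, environment={},
        subjects={"bob": {"member_id": "bob@B", "years_old": 30},
                  "carol": {"member_id": "carol@B", "years_old": 41},
                  "dave": {"member_id": "dave@B"}},  # age attribute missing
    )
    net_c = SocialNetwork(name="C", relationships=set(), environment={},
                          subjects={"eve": {"member_id": "eve@C", "years_old": 25}})
    return net_a, net_b, net_c


if __name__ == "__main__":
    a, b, c = build_example()
    for net, who in ((b, "bob"), (b, "carol"), (b, "dave"), (c, "eve")):
        print(net.name, who, remote_read(net, a, who, "album-1", True))
```

The `dave` case shows why a missing or unmapped attribute has to fail closed: the condition cannot be evaluated, the ISDP reports `Indeterminate`, and no content leaves network A.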


Active information sharing is a feature of the proposed architecture. In the proposed architecture, the user’s authentication is done in his local social network while the resource resides in a remote social network. For example, suppose a friend in social network A wants to share a photo with me, and my account is in social network B. Social network B authenticates my account and, through the proposed architecture, sends an access request to remote social network A for verification. Remote social network A decides, based on my friend’s sharing settings, whether or not to share the photo with me.

A user in a social network may allow his information to be shared with some business-related social network. In this case, he did not directly allow people in another social network to access his shared information; however, his shared information may be accessed by the business-related social network through propagation. Passive information sharing causes information sharing to propagate between member social networks. Nevertheless, information sharing propagation is entirely up to the users’ discretion and the agreement of the member social networks.

V. PROS AND CONS

With our proposed architecture, information can be shared across different informative social networks. The proposed architecture is easy to adopt: a social network only needs to follow these three steps.

1. Define attribute mapping between social networks.

2. Build social network relationship by making information sharing commitment.

3. Implement the components depicted in our proposed architecture on the existing platform.

The proposed information sharing architecture can handle both active and passive information sharing, as both propagate the policy to another social network. The resource owner decides the access list of its own resources, allowing only certain people to see them; thus the proposed architecture is secure. The proposed architecture does not require any data reprocessing on the existing model, and the access request is handled directly at the location where the resource resides; thus it is effective and efficient.

Although the proposed architecture can handle cross social network information sharing, it still has some problems to be solved. Shared information in a remote social network may be propagated to another, more distant remote social network that may not have any relationship to the original social network. In our proposed architecture, we require users to decide whether or not they want to propagate their information, and by how many hops. But at this stage of our work, there is no central policy that clearly regulates which networks should be blocked and which route the propagation should take.

VI. CONCLUSION AND FUTURE WORK

Users who own accounts across multiple collaborative social networks indicate the presence of a subtle relationship between those social networks. Social networks that are based on such relationships can be viewed as a network of networks. Based on this concept, resource policy can be propagated to another social network by propagating the request and response, thus facilitating distributed information sharing among the disparate social networks. The steps in our proposed architecture are as follows:

1. Authentication happens in local social network and resource is stored in remote social network.

Figure 4. Information Sharing Architecture.

¹ For simplicity's sake, the paper uses "he" to mean "he/she".


2. The local social network and the remote social network have a relationship; they have a commitment of authentication and trust each other.

3. In active information sharing, the local social network identifies a valid user and sends the user identity as an attribute to the remote social network. The remote social network enforces policy checking.

4. In passive information sharing, the remote social network considers both the user attribute and the environment attribute; only people in a specific social network that has identified itself can access the resource.
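The remote-side decision in steps 3 and 4 can be sketched as a small attribute-based check. This is an added example, not code from the paper or its prototype: the network names, attribute names, `ResourcePolicy` fields and the convention that a direct request counts as one hop are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: network names, user ids and field names are
# assumptions for this example, not values from the paper.
COMMITTED_NETWORKS = {"B", "C"}   # networks holding a sharing commitment with A
ATTRIBUTE_MAP = {                 # each network's attribute names -> A's names
    "B": {"uid": "user_id"},
    "C": {"member": "user_id"},
}

@dataclass
class ResourcePolicy:
    allowed_users: set = field(default_factory=set)     # active: (network, user)
    allowed_networks: set = field(default_factory=set)  # passive: whole networks
    max_hops: int = 0                                   # 0 = owner forbids propagation

def map_attributes(origin, attrs):
    """Rename the sender's attributes to A's names; unmapped names are dropped."""
    mapping = ATTRIBUTE_MAP.get(origin, {})
    return {mapping[n]: v for n, v in attrs.items() if n in mapping}

def decide(policy, origin, attrs, hops=1):
    """Decision made in remote network A; anything not permitted is denied."""
    if origin not in COMMITTED_NETWORKS:
        return "Deny"    # no commitment, so the asserted identity is not trusted
    user = map_attributes(origin, attrs).get("user_id")
    if user is None:
        return "Deny"    # the local network did not assert an authenticated user
    if (origin, user) in policy.allowed_users:
        return "Permit"  # active sharing: the owner named this user
    if origin in policy.allowed_networks and hops <= policy.max_hops:
        return "Permit"  # passive sharing: environment attribute plus hop limit
    return "Deny"

def handle_request(policy, content, origin, attrs, hops=1):
    """Remote context handler: content leaves network A only on a Permit."""
    decision = decide(policy, origin, attrs, hops)
    return {"decision": decision,
            "content": content if decision == "Permit" else None}

# Constructed policy: the owner shares a photo with bob in B, and passively
# with members of C, at most one hop away.
PHOTO_POLICY = ResourcePolicy(allowed_users={("B", "bob")},
                              allowed_networks={"C"}, max_hops=1)

if __name__ == "__main__":
    print(handle_request(PHOTO_POLICY, b"<photo>", "B", {"uid": "bob"}))
    print(handle_request(PHOTO_POLICY, b"<photo>", "C", {"member": "carol"}, hops=2))
```

The second call is denied because the request arrives two hops away while the owner allowed one, which is the per-user hop limit the paper describes in place of a central propagation policy.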

We propose an architecture that shares information by directly accessing the object. There is no need to reprocess data or replicate objects. Users of a social network can use any device to access the social network as usual.

Our proposed architecture shows an overall framework for information sharing over collaborative social networks but does not provide details about information sharing propagation. Our next step is to investigate an efficient method of handling information sharing propagation, especially one in which privacy issues are accounted for. A software prototype is being implemented for testing in the future.
