Content-Based Access Control: Use data content to assist access control for large-scale content-centric databases

In conventional database access control models, access control policies are explicitly specified for each role against each data object. In large-scale content-centric data sharing, it might be difficult to explicitly identify accessible records for each role/user, especially when the semantic conte...

Full description

Saved in:
Bibliographic Details
Published in2014 IEEE International Conference on Big Data (Big Data) pp. 701 - 710
Main Authors Wenrong Zeng, Yuhao Yang, Bo Luo
Format Conference Proceeding
LanguageEnglish
Published IEEE 01.10.2014
Subjects
Authorization
Awards activities
Content-based Access Control
Data models
Database Security
Semantics
Online AccessGet full text

Cover

More Information
Summary:In conventional database access control models, access control policies are explicitly specified for each role against each data object. In large-scale content-centric data sharing, it might be difficult to explicitly identify accessible records for each role/user, especially when the semantic content of data is expected to play a role in access decisions. As a result, users are often over-privileged, and ex post facto auditing is enforced to detect misuse of the privileges. Unfortunately, it is usually difficult to reverse the damage, as (large amount of) data has been disclosed already. In this paper, we introduce Content-Based Access Control (CBAC), an innovative access control model for content-centric information sharing. CBAC is expected to be deployed on top of Role-Based Access Control (RBAC) or Multi-level Security (MLS), in the application scenarios where RBAC and MLS will give excessive access rights. As a complement to conventional access control models, the CBAC model makes access control decisions based on the content similarity. In CBAC, each user is allowed by an MLS or RBAC rule to access a large set of data objects, while the CBAC rule imposes an additional layer of restrictions that the user could only access "a subset" of the designated records. The boundary of the subset is dynamically determined by the textual content of data objects. We then present an enforcement mechanism for CBAC that exploits Oracle's Virtual Private Database (VPD). To further improve the performance of the proposed approach, we introduce a content-based blocking mechanism to improve the efficiency of CBAC enforcement. We also develop a content annotation mechanism for more accurate textual content matching for short text snippets. Experimental results show that CBAC makes reasonable access control decisions with a small overhead.
DOI:10.1109/BigData.2014.7004294