Abstract
In this paper, we present an approach to instrument a SPARQL query rewriting algorithm so that it enforces privacy preferences. Instrument here means supplying the rewriting algorithm with the appropriate constraints. We show how to design a real and effective instrumentation process for such an algorithm using an existing privacy-aware access control model, PrivOrBAC. We take into account several dimensions of privacy preferences through the concepts of consent, accuracy, purpose, and recipient. We implement and evaluate our privacy enforcement process on a healthcare scenario.
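The following is an added illustration of the idea the abstract describes, not the authors' fQuery or PrivOrBAC implementation: a toy rewriter that takes a SPARQL basic graph pattern and a request context (recipient role, purpose) and injects constraints for the four privacy dimensions before the query reaches the store. The vocabulary (ex:consentsTo for consent, ex:category for generalised accuracy, the Rule encoding of a preference) and the patient graph are assumptions constructed for the example. A pattern the recipient is not authorised to see is simply dropped so that its variable comes back unbound, which stands in for the OPTIONAL / FILTER NOT EXISTS constructs a production rewriter would emit; the tiny evaluator at the end exists only so the effect of the rewriting can be observed offline.

```python
"""Added example: toy SPARQL query rewriting instrumented with privacy
constraints (consent, purpose, recipient, accuracy). Not the paper's code;
all predicates, roles and data are assumptions made for the example."""
from dataclasses import dataclass, field

Triple = tuple  # (subject, predicate, object); terms starting with "?" are variables


@dataclass
class Query:
    select: list  # projected variables, e.g. ["?name", "?diag"]
    where: list   # basic graph pattern: list of Triple


@dataclass
class Rule:
    """Privacy preference attached to one sensitive predicate (hypothetical encoding)."""
    predicate: str
    purposes: set                     # purposes the data may be used for
    recipients: set                   # recipient roles allowed to receive it
    consent_pred: str = ""            # consent triple the data subject must hold
    consent_purposes: set = field(default_factory=set)  # purposes that need consent
    generalize_pred: str = ""         # maps an exact value to a coarser category
    generalize_for: set = field(default_factory=set)    # recipients limited to the category


@dataclass
class Context:
    recipient: str
    purpose: str


def rewrite(q: Query, ctx: Context, rules: dict) -> Query:
    """Return a new query whose graph pattern carries the privacy constraints."""
    where = []
    for s, p, o in q.where:
        rule = rules.get(p)
        if rule is None:
            where.append((s, p, o))
            continue
        if ctx.purpose not in rule.purposes or ctx.recipient not in rule.recipients:
            # Purpose/recipient not authorised: drop the pattern so its variable
            # stays unbound (stand-in for an OPTIONAL / FILTER NOT EXISTS rewrite).
            continue
        if rule.consent_pred and ctx.purpose in rule.consent_purposes:
            # Consent: only subjects who consented to this purpose may match.
            where.append((s, rule.consent_pred, ctx.purpose))
        if rule.generalize_pred and ctx.recipient in rule.generalize_for and o.startswith("?"):
            # Accuracy: bind the exact value to a hidden variable, project its category.
            exact = o + "_exact"
            where.append((s, p, exact))
            where.append((exact, rule.generalize_pred, o))
        else:
            where.append((s, p, o))
    return Query(list(q.select), where)


def to_sparql(q: Query) -> str:
    body = "\n".join(f"  {s} {p} {o} ." for s, p, o in q.where)
    return f"SELECT {' '.join(q.select)} WHERE {{\n{body}\n}}"


def evaluate(q: Query, graph: list) -> list:
    """Minimal conjunctive BGP matcher; unbound projected variables come back as None."""
    solutions = [{}]
    for pattern in q.where:
        nxt = []
        for binding in solutions:
            for triple in graph:
                b = dict(binding)
                if all(b.setdefault(t, v) == v if t.startswith("?") else t == v
                       for t, v in zip(pattern, triple)):
                    nxt.append(b)
        solutions = nxt
    return [{v: b.get(v) for v in q.select} for b in solutions]


# Constructed sample graph for a healthcare scenario (not taken from the paper).
GRAPH = [
    ("ex:alice", "ex:name", '"Alice"'),
    ("ex:bob", "ex:name", '"Bob"'),
    ("ex:alice", "ex:diagnosis", "ex:TypeIIDiabetes"),
    ("ex:bob", "ex:diagnosis", "ex:Hypertension"),
    ("ex:alice", "ex:consentsTo", "ex:Research"),  # Bob has not consented to research
    ("ex:TypeIIDiabetes", "ex:category", "ex:Endocrine"),
    ("ex:Hypertension", "ex:category", "ex:Cardiovascular"),
]

RULES = {
    "ex:diagnosis": Rule(
        predicate="ex:diagnosis",
        purposes={"ex:Treatment", "ex:Research"},
        recipients={"ex:Physician", "ex:Researcher"},
        consent_pred="ex:consentsTo", consent_purposes={"ex:Research"},
        generalize_pred="ex:category", generalize_for={"ex:Researcher"},
    )
}

BASE_QUERY = Query(["?name", "?diag"],
                   [("?p", "ex:name", "?name"), ("?p", "ex:diagnosis", "?diag")])


def run(recipient: str, purpose: str) -> list:
    """Rewrite BASE_QUERY for the given context and evaluate it over GRAPH."""
    return evaluate(rewrite(BASE_QUERY, Context(recipient, purpose), RULES), GRAPH)


if __name__ == "__main__":
    for role, purpose in [("ex:Physician", "ex:Treatment"),
                          ("ex:Researcher", "ex:Research"),
                          ("ex:Marketer", "ex:Marketing")]:
        print(f"--- {role} / {purpose}")
        print(to_sparql(rewrite(BASE_QUERY, Context(role, purpose), RULES)))
        print(run(role, purpose))
```

Run as a script, the same base query yields three different rewritten queries: the physician treating a patient gets exact diagnoses without a consent check, the researcher only gets the diagnosis category and only for patients who consented to ex:Research, and the marketer gets patient names with the diagnosis variable unbound. The point a practitioner should take from it is that enforcement happens by construction of the query, so the store never evaluates the unconstrained pattern at all.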
Acknowledgments
This research work is supported by the French National Research Agency project PAIRSE under grant number ANR-09-SEGI-008.
About this article
Cite this article
Oulmakhzoune, S., Cuppens-Boulahia, N., Cuppens, F. et al. Privacy query rewriting algorithm instrumented by a privacy-aware access control model. Ann. Telecommun. 69, 3–19 (2014). https://doi.org/10.1007/s12243-013-0365-8