Geospatial Authorizations, Efficient Enforcement
Enforcing security often incurs overheads, and as a result may degrade performance. The problem is exacerbated for geospatial data, which includes, among other things, geospatial image data and moving-object data. Uncontrolled dissemination of geospatial image data may have grave implications for national security and personal privacy. High resolution satellite imagery may be used to identify vital national resources, which could encourage industrial espionage, terrorism, or cross-border military attacks. Likewise, the combination of publicly available personal data pools with high resolution image data, coupled with the integration and analysis capabilities of modern geographic information systems, can result in a technological invasion of personal privacy. Similarly, the location and tracking of mobile users, required for effective delivery of location-based services, raises a number of privacy and security issues: disclosing the location information of mobile users has the potential to allow an adversary to physically locate a person for malicious purposes, and the location history can be used to infer the user’s private information such as health status, political affiliations and religious beliefs. Thus, it is essential to have appropriate access control mechanisms in place. Unlike conventional authorizations, which can be managed and searched using access control lists, management and searching of geospatial authorizations require a suitable indexing structure since they possess spatiotemporal attributes. As such, serving an access request requires searching two indexes: the index for data objects and the index for authorizations. The response time can be improved, however, by using a unified index to support user access requests. Here, the recently proposed unified index schemes are introduced.
Specifically, two types of unified index are presented: (1) unified index structures for geospatial images, the resolution-based matrix quadtree (RMX-quadtree) and the spatiotemporal-authorization-driven R-tree (STAR-tree), and (2) unified index structures for moving objects, the secure time-parameterized R-tree (STPR-tree) and the secure past, present and future tree (SPPF-tree).
Until recently, the access control model has not taken the spatial dimension into consideration. However, the need to control geographical information has increased because high-resolution satellite images have become readily available for public with reduced costs, and new context-aware applications such as location-based services have been developed due to the proliferation of mobile devices and wireless technologies. The Geospatial Data Authorization Model (GSAM) (Atluri and Chun 2004) is the first access-control model for geospatial data in the literature, and the model controls access to satellite images based on spatial extent, temporal duration, resolution, and other attributes of images. GSAM has been extended in two directions: one direction is support of vector-based spatial data (Belussi et al. 2004; Bertino et al. 2004), and the other is support of mobile data (Atluri et al. 2003; Youssef et al. 2005).
However, most of the proposed access-control models do not support an index structure over authorizations for efficient processing of geospatial access requests: for each access request, all the security policies that have been issued to the requesting user are linearly searched and evaluated. Thus, in environments where a high volume of user requests needs to be processed very fast, such as traffic management systems, the security enforcement process becomes the main bottleneck. Only a few authorization models that support an index scheme can be found, in the context of mobile databases. An index scheme for moving-object data and user profiles has been proposed in Atluri et al. (2003); however, it does not consider authorizations. An index structure has been proposed to index authorizations ensuring that customer profile information is disclosed to merchants only according to the customers’ choices (Youssef et al. 2005); however, it provides separate index structures for data and authorizations.
The RMX-quadtree (Atluri and Mazzoleni 2002) is the first proposal in the literature that allows geospatial images to be indexed based on their resolutions as well as their spatial attributes. Although the performance of the RMX-quadtree is efficient, it has two limitations: (1) the shape of the images to be indexed is restricted to a square, and (2) it does not allow overlapping images for a given resolution. The STAR-tree (Atluri and Guo 2004) eliminates these limitations. It is a three dimensional variant of R-tree, and it allows any overlapped rectangular shapes of images to be indexed.
In terms of moving-object data, the STPR-tree (Atluri and Guo 2005) is an extension of the TPR-tree (Saltenis et al. 2000), and it is the first proposed unified index structure in the literature for both moving objects and authorizations. One main limitation of the STPR-tree is that it can only support security policies based on the current and near-future locations of moving objects. Because security policies in a mobile environment are based on the past, present and future statuses of moving objects, the STPR-tree cannot fully handle security policies such as tracking, because the past locations of moving objects are not stored. This limitation is resolved in the SPPF-tree (Atluri and Shin 2006).
Authorizations are typically implemented either as access-control lists or capabilities lists for traditional types of data. However, authorization specifications on geospatial data include a spatial dimension (such as authorized geospatial extents) and a temporal dimension (such as valid duration of time for access). Thus, in order to efficiently identify the authorizations that are relevant to an access request, an index structure can be used. Because geospatial data is also organized using index structures, a unified index structure that holds both geospatial data and authorizations can be created for efficient processing of user requests. The basic idea encompassing these unified index structures is to devise an appropriate index structure for the geospatial data, and then overlay authorizations on the relevant nodes of the tree. The construction of the tree and the overlaying process are performed in such a way that the cost of an access-control request is minimal. In the following, two types of unified indexing structures are presented: one for geospatial images, and another for moving objects.
Unified Index Structures for Geospatial Images
RMX-quadtree is a variant of the matrix (MX) quadtree: the structure of the RMX-quadtree permits overlaying of geospatial authorizations over nodes of the MX-quadtree. Thus, access requests for geospatial images can be processed more efficiently because only one index is used for evaluation. In order to build RMX-quadtrees, the following assumptions are made: (1) the spatial region represented by each image is a square, (2) images with the same resolution level are non-overlapping, and (3) higher resolution images cover smaller spatial extents.
Images of the same resolution are stored at the same level.
Each index node includes a fixed number of children nodes (NW, NE, SW, and SE).
Images can be stored in an index node as a result of merging different levels of images. Only the images with the highest resolution are stored in the leaf nodes.
Each geospatial image corresponds to a 1 × 1 square, which can also be the spatial extent of an index node.
The depth of the quadtree is predefined and the structure is independent of the order of insertion operations.
Authorization specifications on geospatial data include spatial attributes and privilege modes containing geospatial operations. Therefore, to efficiently identify the authorizations relevant to an access request, an index structure is necessary. However, an index structure built directly over the authorizations would be unbalanced: given two regions, if one region allows access only at lower resolution and the other allows access at higher resolution, the resulting index would be skewed by the larger number of authorizations in the higher resolutions. Instead of trying to construct a tree for authorizations, the RMX-quadtree chooses a different strategy, which is to overlay authorizations on top of the geospatial index tree, the MX-quadtree. Overlaying means that the relevant authorization is stored on a node; thus, each node in the tree includes one additional field that points to the group of overlaid authorizations. This overlaying strategy guarantees that the RMX-quadtree is a balanced tree because the base tree, the MX-quadtree, is balanced, and authorizations are simply stored on the relevant nodes of the tree; some nodes may include more than one authorization, but this does not change the balanced nature of the tree.
RMX-quadtrees are constructed by (1) creating MX-quadtrees for each resolution level of geospatial images, (2) merging them into one tree, and (3) overlaying authorizations on the tree. The first step is to build MX-quadtrees for each resolution level. Because MX-quadtrees are designed for storing only point data, an image is represented by its center location and edge length. Then, the MX-quadtree for the highest resolution level becomes the base tree, and the other MX-quadtrees are merged with the base tree by adding their image data into the index nodes of the base tree. This is possible because the structure of the MX-quadtree is independent of the order of insertion operations, a property inherited by the RMX-quadtree. Thus, the different levels of index nodes in the base tree refer to the same spatial regions as the leaf nodes of the other MX-quadtrees. The last step is overlaying authorizations on the merged tree. An authorization is overlaid on a node when it applies to all the possible images in its subtree. The reasoning behind this overlaying process is that if a subject is allowed to access an area, it is also allowed to access all the regions at the same level of resolution within it. Representation of images using points creates a challenge for the overlaying process: an image stored in a node may not correspond to the area covered by the node. This is because the tree is constructed from point information (the center location of images) rather than the geospatial regions that the images cover. In order to handle this situation, the area covered by a node N is expanded by (p∕2), where p is the edge length of N. The authorization is overlaid on N if, and only if, the spatial extent of the authorization fully encloses the expanded area of the node N. The overlaying process recursively traverses the tree and applies the above rule at each node.
The overlaying process halts when the traversal reaches the resolution level of the authorization object or when the two spatial regions are disjoint. These correspond to the two possible cases during the overlaying process: in the first, an authorization is applicable to only part of an image, and no node in the tree satisfies the overlaying rule; in the second, there is no spatial relationship between the authorization and the node, and thus there is no reason to traverse further down the tree.
A user request is evaluated by traversing the tree from the root; at each node one of three things happens. Stopping the evaluation of authorizations: this occurs when the node contains an authorization that includes the resolution level that the user requests, which means that the user is allowed access to all the images in the node’s subtree, and therefore no more authorizations need to be evaluated. However, the search process continues until it reaches the resolution level that the user requests, and returns the images that are enclosed in the spatial extent of the user request.
Continuing to traverse the tree, checking for more authorizations, until reaching the node that stores the same resolution level as the user requests.
Halting the process: this happens when the geospatial region of the user request is disjoint from that of a node, because all the images stored at the node are then disjoint from the spatial region of the user request.
A STAR-tree is a 3D variant of the R-tree (Guttman 1984), and it is a unified index structure for geospatial images and authorizations similar to the RMX-quadtree. The R-tree data structure is similar to the B-tree, but differs in that it is extended to multidimensional space. The spatial extent of each node of an R-tree is approximated by the minimum bounding rectangle (MBR) that tightly encloses all its entries’ spatial extents, which implies that the spatial extent of the root node encloses all the space that its children nodes embed. The node structure of the R-tree can be summarized as follows: (1) a leaf node contains (a predefined number of) images and an MBR, and (2) a non-leaf node contains (a predefined number of) child nodes (which can be other nonleaf nodes or leaf nodes) and an MBR that tightly bounds all the MBRs of its child nodes.
By employing the capabilities of the R-tree, STAR-tree can index any rectangular shape of overlapping images, and therefore the native satellite images can be indexed without any preprocessing. In addition, it is capable of handling temporal attributes of the geospatial images: the capture time or the download time of images. Because STAR-tree can index spatiotemporal attributes of geospatial objects, security policies with a specific valid time interval for accessing the data can be supported.
To construct the STAR-tree, first the images of the same resolution are grouped together and a three-dimensional (3D) (x-, y-, and t-dimensions) R-tree is built for each group. Then, the tree with the highest resolution is taken as the base tree, and the other trees are merged carefully in the order of their resolution, so that they do not violate the properties of the STAR-tree, until all the single-resolution trees are merged. Then authorizations are appropriately overlaid based on principles similar to those of the RMX-tree, essentially by comparing the bounding region of the node and the spatiotemporal region of the authorizations. However, the process is more straightforward since the STAR-tree is able to index 3D objects natively, and thus does not need to deal with the transformation between region and point as in the RMX-quadtree.
Unlike the RMX-quadtree, only leaf nodes store geospatial images.
Images with the same resolution level are stored at the same level in STAR-tree.
The STAR-tree is an unbalanced tree, but this does not degrade performance because the tree operations (insert, delete, and search) are processed only in the part of the tree from the root node to the leaf nodes with the specified resolution level, instead of the whole tree. This part of the tree is balanced, with a greater height compared to an R-tree over the geospatial images of the specified resolution level alone.
The best case for tree operations is O(h), and O(h m^(h−1) + N) is the worst case, where h is the height of the STAR-tree, m the maximum number of entries that each node holds, M the number of authorizations overlaid on the tree, and N the number of images. Note that, since the RMX-tree is a more rigid tree structure that does not allow overlapping images, its cost is O(k + M), where k is the height of the highest resolution and M the number of authorizations, which is not surprising.
Similar to the RMX-tree, the images stored at a higher level in the tree have lower resolutions. This is because images of lower resolution cover more spatial region than those of higher resolution when their graphical size is the same.
Compared to the R-tree, each node includes one additional field that points to the group of overlaid authorizations on the node.
To further improve the response time, authorizations can be pre-evaluated to compute the set of subjects involved in each authorization. Then the subjects associated with the authorizations overlaid on a node can be indexed using a B+-tree. As a result, each node would include a B+-tree whose key is a subject and whose data is the authorizations associated with that subject. This structure makes the evaluation process efficient because only the authorizations relevant to the requesting user are evaluated, instead of going through all the authorizations overlaid on the node.
Unified Index Structures for Moving Objects
The STPR-tree is an extension of the TPR-tree (Saltenis et al. 2000), and it is the first proposed unified index structure for both moving objects and authorizations in the literature. The TPR-tree is a variant of the R-tree designed to answer queries about the present and future locations of moving objects. Because the locations of moving objects are constantly updated, the main challenge for a moving-object database is to minimize the update cost. For this purpose, in the TPR-tree a moving object is represented by its initial location and its constant velocity vector; thus, a moving object is updated only if it deviates more than the specified tolerance level. This reduces the need for frequent updates.
In order to support moving-object queries, a time-parameterized rectangle (TPR) is used for the same purpose as the MBR in the R-tree: the MBR is parameterized by time so that, for a given time, all the trajectories of moving objects stay within the TPR. Also, when a new moving object must be inserted, the TPR-tree finds the minimum volume enlargement of the TPR between the insertion time and a predefined duration of time, called the time horizon, because as time elapses the predicted future locations of moving objects become less accurate. Thus, the time horizon guarantees the validity of query results. The node structure of a TPR-tree is similar to the R-tree: a leaf node contains (a predefined number of) locations of moving objects (each represented as the combination of a reference position vector and a velocity vector), and a nonleaf node contains (a predefined number of) child nodes, which can be other nonleaf nodes or leaf nodes.
The security policies specify the access control rules to profiles and location as well as movement trajectory information of mobile users, or to stationary resources based on the mobile user’s location. Thus, either a subject or an object in an authorization specification can be a moving object, which is being indexed.
The STPR-tree is constructed via consecutive insertion operations into an initially empty tree, followed by overlaying of authorizations over the nodes of the tree. It employs the same overlaying and user request evaluation processes as the STAR-tree, except that (1) it does not need to handle resolutions (it can be considered a STAR-tree with only one resolution), and (2) the TPR is used instead of the MBR for the overlaying procedure. The spatiotemporal extent of a TPR is bounded because the valid time duration of the node is finite, i.e., from the current time to the future time given by the time horizon. Therefore, the TPR of a node is treated like the MBR of the STAR-tree for the overlaying and user request evaluation processes, and thus the same procedures as those of the STAR-tree can be used.
One main limitation of the STPR-tree is that it can only support security policies based on the current and future locations of moving objects. Because security policies in mobile environments are based on the past, present and future statuses of moving objects, the STPR-tree cannot fully handle security policies such as tracking, because the past status of moving objects is not stored. This limitation is resolved in the SPPF-tree using the concept of partial persistence. Another limitation is that the STPR-tree is capable of overlaying authorizations in which either the subjects or the objects are moving objects, but not both at the same time. This is because mobile subjects and objects would be stored in different nodes of the index, and thus supporting the overlaying of such authorizations may require splitting the subject and object components of the authorization.
The previously introduced STPR-tree cannot support security policies based on tracking of mobile users. It is important to note that tracking information can also be sensitive, and security policies are therefore often specified to reflect this. To efficiently enforce these policies, the tree must support this functionality in the sense that the whole location history of moving objects is preserved. The SPPF-tree, an extension of the STPR-tree, can maintain past, present and future positions of moving objects along with authorizations by employing partially persistent storage. Thus, it can support security policies based on tracking of mobile objects.
The SPPF-tree is a variant of the RPPF-tree (Pelanis et al. 2006), which applies the concept of partial persistence to the TPR-tree in order to preserve the past locations of moving objects as well. Partial persistence is the key concept of the RPPF-tree for keeping past positions as well as present and future positions of moving objects. Observe that there are two kinds of moving objects: currently moving objects, whose final location is predicted but not decided (called alive moving objects), and objects that have already stopped moving, or have changed their velocity or anticipated future location beyond the predefined deviation level (called dead moving objects). During an update (insertion or deletion) of moving objects in the tree, the leaf node where the update occurs is evaluated to check whether the number of alive moving objects it holds still falls within a prespecified range. If the number is outside this range, the alive objects in the node are copied into a new node (called a time split). The original node is used for evaluating the past positions of moving objects; the newly created node is for the present and future positions of moving objects, as in the STPR-tree. A similar process is applied to index nodes: in this case, the number of alive children nodes is checked against the predefined range.
Because the SPPF-tree maintains past positions of moving objects as well, the overlaying process is more complicated than that of the STPR-tree: authorizations must be maintained properly not only for present and future positions but also for past positions. In the case of the STPR-tree, the tree is reconstructed after some reasonable duration of time, and authorizations are batch-overlaid on the tree; thus, there is no need to deal with maintenance of authorizations during the tree’s lifetime. Since the SPPF-tree handles all the history information as well, it is necessary to maintain the overlaid authorizations more carefully in order not to violate the overlaying strategy. An authorization log is introduced to handle this situation: whenever an authorization becomes applicable to the tree, the authorization log overlays the newly applicable authorization on the alive nodes, and it relocates authorizations from the alive nodes to the dead nodes when they are only applicable to the dead nodes. An authorization log is a data structure constructed by spreading all the authorizations on the time line. As time elapses, a new authorization becomes applicable to the tree when the valid time duration of the authorization overlaps the tree’s valid time duration, i.e., between the current time and the time horizon. Then the authorization log triggers an auth_begin event, which overlays the authorization on the tree. On the other hand, certain overlaid authorizations become invalid when the valid time duration of the authorization is no longer applicable to the overlaid nodes. In this case, the authorization log triggers an auth_end event, which removes the invalid authorizations from the overlaid nodes and re-overlays them on the tree, because the removed ones may satisfy the overlaying conditions of other nodes in the tree. Also, an update must take care of the cases when a time split occurs.
A time split creates a new node on which some authorizations may be eligible to be overlaid. The authorization log supports a method, called find-auth, which computes all the authorizations overlapping the valid interval of the newly created node. The authorizations returned by find-auth are then overlaid on the new node if they meet the overlaying condition.
User request evaluation is similar to that of the STPR-tree, except that it can now evaluate a user request that also includes the tracking of moving objects, thanks to the retained update history. In this case, only those nodes whose lifetime (from their initial creation time to the time of their time split, or to the current time if they have not been time-split) overlaps the time interval of the user request are evaluated.
Mobile Commerce Marketing
Owing to technological advances in mobile devices with wireless networks and positioning devices such as global positioning systems (GPS), customers’ locations are used to provide customized services based on their current positions and movement histories. Mobile-targeted marketing, or location-based advertising, is one such example. Although there is a general consensus that mobile-targeted marketing can provide more profit, most customers consider the advertised information spam unless they have consented to receiving advertisements. Therefore, mobile service providers should employ a security scheme in which users’ preferences can be specified properly. Because customers are mobile, and their security policies are based on their current locations, tracking the locations of customers and enforcing security policies must be handled efficiently. Unified index schemes such as the STPR-tree and SPPF-tree can handle access requests more efficiently than traditional approaches using two index structures (one for mobile customers and another for authorizations), because access-control requests are processed using just one index structure.
Selective Dissemination of High-Resolution Satellite Images
There are now more than 15 privately owned commercial satellites with resolutions from 1 to 30 m. For example, satellites such as IKONOS (launched in September 1999), ORBVIEW, EROS and QUICKBIRD are privately owned and provide images with a resolution of 1 m or smaller. Uncontrolled dissemination of this information may have grave implications for national security and personal privacy, as some groups may exploit this information for aggressive purposes. Thus, formal policies for controlling the release of imagery based on geographical boundaries and resolutions of images have been proposed. However, the number of images being disseminated is tremendous. For example, in the case of TerraServer-USA, the average number of image tiles transferred daily was 3,684,093 between 1998 and 2000. There is a need for effective and efficient schemes for facilitating controlled dissemination of satellite imagery. The proposed unified index schemes, such as the RMX-quadtree and STAR-tree, can improve the response time because access requests can be processed more efficiently when only one index structure is used.
Securing Sensitive Resources
The physical location of individuals can be used to secure sensitive resources more effectively. For example, in order to gain access to a secure repository room, an individual possessing the relevant authorizations should be physically present in front of the room while she submits an access request. In order to do so, the locations of mobile individuals and the relevant security policies must be processed efficiently in large organizations. Unified index schemes such as the STPR-tree and SPPF-tree can efficiently enforce security policies on mobile objects.
Information on some traffic may be very sensitive to disclose, for example because the vehicles are carrying dangerous materials. In this case, only an authorized group of people may locate and track that traffic. As the volume of traffic and the number of security policies increase, user requests must be handled efficiently. Unified index schemes such as the STPR-tree and SPPF-tree can efficiently enforce security policies in traffic management.
None of the unified index trees proposed above support negative authorizations. Providing such support is not trivial since negative authorizations give rise to conflicts among the authorizations. Moreover, it may require changes to the fundamental assumptions used in the construction and in access request evaluation. The overlaying strategy assumes only positive authorizations. Thus, an authorization is overlaid at as high a level as possible in the tree because, as long as there exists an authorization that allows the user to access the given region, there will not exist any conflicting negative authorization that denies the user access to some part of the allowed region. Based on this assumption, authorization evaluation halts whenever a relevant authorization is located during the traversal from the root node towards the leaf level. However, if negative authorizations are supported, all the authorizations overlaid on the traversal path need to be evaluated due to the possibility of conflicts among them: although an authorization that allows a user to access a region may be overlaid on an index node, another, negative authorization that prohibits the user from accessing part of that region may exist in a leaf node. Therefore, in order to support negative authorizations, it is necessary to create another copy of the data index and overlay positive authorizations on one index tree and negative authorizations on the other. Then, during user request processing, the result set from the positive authorization index is filtered by the result set of the negative authorization index.
Moreover, the STPR-tree and SPPF-tree cannot handle the overlaying of authorizations whose subjects and objects are both moving. As a result, supporting the overlaying of such authorizations may require splitting the subject and object components.
- Atluri V, Guo Q (2004) STAR-tree: an index structure for efficient evaluation of spatiotemporal authorizations. In: IFIP TC11/WG 11.3 eighteenth annual conference on data and applications security, Sitges, Catalonia, 25–28 2004
- Atluri V, Guo Q (2005) Unified index for mobile object data and authorizations. In: ESORICS, Milan, 12–14 2005
- Atluri V, Mazzoleni P (2002) Uniform indexing for geospatial data and authorizations. In: DBSec, Kings College, Cambridge, 28–31 July 2002
- Atluri V, Shin H (2006) Efficient enforcement of security policies based on tracking of mobile users. In: DBSec, Sophia Antipolis, 31 Aug 2006
- Atluri V, Adam N, Youssef M (2003) Towards a unified index scheme for mobile data and customer profiles in a location-based service environment. In: Proceedings of the workshop on next generation geospatial information (NG2I’03), Cambridge, 19–21 Oct 2003
- Belussi A, Bertino E, Catania B, Damiani M, Nucita A (2004) An authorization model for geographical maps. In: GIS, Washington, DC, 12–13 Nov 2004
- Bertino E, Damiani M, Momini D (2004) An access control system for a web map management service. In: RIDE, Boston, 28–29 Mar 2004
- Guttman A (1984) R-trees: a dynamic index structure for spatial searching. In: ACM SIGMOD conference, Boston, 18–21 1984
- Saltenis S, Jensen C, Leutenegger S, Lopez M (2000) Indexing the positions of continuously moving objects. In: Proceedings of the 2000 ACM SIGMOD international conference on management of data, Dallas, 14–19 2000
- Youssef M, Adam N, Atluri V (2005) Preserving mobile customer privacy: an access control system for moving objects and customer information. In: International conference on mobile data management, Ayia Napa, 9–13 May 2005. Lecture notes in computer science