Aum Sai Ram Security for Stream Data Modified from slides created by Sujan Pakala.
-
Upload
nathaniel-robertson -
Category
Documents
-
view
212 -
download
0
Transcript of Aum Sai Ram Security for Stream Data Modified from slides created by Sujan Pakala.
Aum Sai Ram
Security for
Stream Data
Modified from slides created by Sujan Pakala
Relational Data Model
Set of unordered objects Relatively static Bounded data Pull access – query
3
Data Streams
stanfordstreamdatamanager
Continuous, unbounded, rapid, time-varying streams of data elements
Data driven – push access Occur in a variety of modern applications
Network monitoring and traffic engineering Sensor networks, RFID tags Telecom call records Financial applications Web logs and click-streams Manufacturing processes
DSMS = Data Stream Management System
4
DBMS versus DSMS
Persistent relations
One-time queries
Random access
Access plan determined by query processor and physical DB design
Transient streams (and persistent relations)
Continuous queries
Sequential access
Unpredictable data characteristics and arrival patterns
stanfordstreamdatamanager
DSMS Overview (simplified)
stanfordstreamdatamanager5
DSMS
Scratch Store
Input streams
RegisterQuery
StreamedResult
StoredResult
Archive
StoredRelations
Time stamp
Explicit source assigned Implicit, arrival based
Out of order arrival Part of data model?
Windows
Time-decay, fading of data Window:
Direction of movement of end points Size Windows within windows Update interval; continuous, jumping
Query processing over windows Sliding windows
Reevaluated periodically with specific frequency
Sub-windows (time-based, tuple-based) Window update
Security for Stream Data Examples
Example 1: Protection against context-aware Spam/Adverts
Example 2: Personal Health Monitor Data
Example 3: Soldier/Transport-vehicle location and health
What do we protect?CIA model + ?
(Traditional) Dimensions of Data Security
Protection• Authentication• Authorization (and
access control)• Confidentiality, Integrity• Availability• Privacy• Inference Security• Physical Hardware
Security• Operating System
Security
Access Control• (Policy) Let the
right user perform the right action on the right data object
• (Mechanisms) Views , Procedures, Grant & Revoke, Query Modification.
AUM SAI RAM
A SECURITY PUNCTUATION FRAMEWORK FOR ENFORCING ACCESS CONTROL ON STREAMING DATA
Rimma V. Nehme, Elke A. Rundensteinerr, Elisa Bertino
Copyright: the following slides include material from this publication
Security Punctuation Framework
Security Meta-Data interleaved with data tuples
SPs may be shared by multiple tuples with similar policies
SPF Overview
SPF Overview
Stream Security punctuations (SPs) generated based on user (data providers') specs.
SPs interleaved with Stream Data. Describe access control policy on upcoming
portion of stream. SP = a predicate = informs processor who
has access when to which streaming data. registered continuous queries inherit security
restrictions of the requester.
SPF Overview
Stream data arrives to server Engine examines policy stored in sps,
checks if the queries conform to the policy
Discards data that no query has access to
SPF – Assumptions
Data providers and users querying the data use same access control model.
Used Role-based access control model throughout. (but since framework is general, other AC models could deploy sps.)
Data transmitted securely to streaming database.
DSMS used = CAPE (in House)
SPF – Claims
Proposed new AC enforcement mechanism suitable for streaming data
Investigated interaction with query processing Investigated query optimization Extended traditional query algebra to be
security-aware Presented a pipelined query execution model Describe security-aware query optimization SPF superior to alternate ACMs wrt processing
and memory.
SPF – Components
Object - data entity (streams, tuples, tuple attributes).
Subject - entity requesting access, query specifiers. Rights - set of privileges for subjects to hold and
execute on an object.
Stipulations: Each Qspecifier belongs to "at least one" role. Assignment cannot change while s/he is registered
to receive results of any currently executing
SPF Overview
Security Punctuations
Structure < DDP | SRP | Sign | Immutable | ts > Data Description part (DDP) = ACP on which
objects Security Restriction Part (SRP) = ACModel,
authorized subjects. (RBAC and some roles) Sign = + / - authorization Immutable? = N/Y = can/not be combined
with server-side policies. Time stamp.