Preventing Sybil attacks by Privilege Attenuation: A design principle for Social Network Systems

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2011, Pages 263-278

  Fong, Philip W L ^a  

^a UNIVERSITY OF CALGARY   (Canada)

Author keywords

Access control; Policy analysis; Principle of Privilege Attenuation; Social Network Systems; Soundness and completeness of static analysis; Sybil attacks

Indexed keywords

AUTHORIZATION; COMPUTER CRIME; GRAPH THEORY; SOCIAL NETWORKING (ONLINE);

DESIGN PRINCIPLES; FACEBOOK; POLICY ANALYSIS; PRINCIPLE OF PRIVILEGE ATTENUATION; SOCIAL GRAPHS; SOCIAL NETWORK SYSTEMS; SOUNDNESS AND COMPLETENESS; SOUNDNESS AND COMPLETENESS OF STATIC ANALYSE; STAGE I; SYBIL ATTACK;

STATIC ANALYSIS;

EID: 80051972853     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2011.16     Document Type: Conference Paper

References (40)

1. J. A. Goguen and J. Meseguer, "Security policies and security models," in Proceedings of the 1982 IEEE Symposium on Security and Privacy (S&P'82), 1982, pp. 11-20.
2. J. Rushby, "Noninterference, transitivity, and channel-control security policies," Computer Science Laboratory, SRI International, Tech. Rep. CSL 92-02, 1992.
3. C. E. Gates, "Access control requirements for Web 2.0 security and privacy," in IEEE Web 2.0 privacy and security workship (W2SP'07), Oakland, California, USA, May 2007.
4. B. Carminati and E. Ferrari, "Enforcing relationships privacy through collaborative access control in web-based social networks," in Proceedings of the 5th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom'09), Washington DC, USA, Nov. 2009.
5. P. W. L. Fong, "Relationship-based access control: protection model and policy language," in Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY'11), San Antonio, TX, USA, Feb. 2011, pp. 191-202.
6. P. W. L. Fong and I. Siahaan, "Relationship-based access control policies and their policy languages," in Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT'11), Innsbruck, Austria, Jun. 2011.
7. P. W. L. Fong, M. Anwar, and Z. Zhao, "A privacy preservation model for Facebook-style social network systems," in Proceedings of the 14th European Symposium on Research In Computer Security (ESORICS'09), ser. LNCS, vol. 5789. Saint Malo, France: Springer, Sep., pp. 303-320.
8. M. Anwar, Z. Zhao, and P. W. L. Fong, "An access control model for Facebook-style social network systems," Department of Computer Science, University of Calgary, Calgary, Alberta, Canada, Tech. Rep. 2010-959-08, Jul. 2010, submitted for review.
9. J. R. Douceur, "The Sybil attack," in Proceedings for the First International Workshop on Peer-to-Peer Systems (IPTPS'02), ser. LNCS, vol. 2429. Cambridge, MA, USA: Springer, Mar. 2002, pp. 251-260.
10. L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, "All your contacts are belong to us: Automated identity theft attacks on social networks," in Proceedings of the 18th International Conference on World Wide Web (WWW'09), Madrid, Spain, Apr. 2009, pp. 551-560.
11. L. Jin, H. Takabi, and J. B. D. Joshi, "Towards active detection of identity clone attacks on online social networks," in Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY'11), San Antonio, TX, USA, Feb. 2011, pp. 27-38.
12. G. Kontaxis, I. Polakis, S. Ioannidis, and E. P. Markatos, "Detecting social network profile cloning," in Proceedings of the 3rd IEEE International Workshop on Security and Social Networking (SESOC'11), Seattle, WA, USA, Mar. 2011.
13. H. Yu, M. Kaminsky, P. B. Gibbons, and A. D. Flaxman, "SybilGuard: Defending against Sybil attacks via social networks," IEEE/ACM Transactions on Networking, vol. 16, no. 3, pp. 576-589, Jun. 2008.
14. H. Yu, P. B. Gibbons, M. Kaminsky, and F. Xiao, "SybilLimit: A near-optimal social network defense against Sybil attacks," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (S&P'08), Oakland, CA, USA, May 2008, pp. 3-17.
15. A. Cheng and E. Friedman, "Sybilproof reputation mechanisms," in Proceedings of the 2005 ACM SIGCOMM Workshop on Economics of peer-to-peer systems (P2PEcon'05), Philadelphia, PA, USA, Aug. 2005, pp. 128-132. (Pubitemid 41832959)
16. H. Yu, C. Shi, M. Kaminsky, P. B. Gibbons, and F. Xiao, "DSybil: Optimal Sybil-resistance for recommendation systems," in Proceedings of the 2009 IEEE Symposium on Security and Privacy (S&P'09), Berkeley, CA, USA, May 2009, pp. 283-298.
17. J. B. Dennis and E. C. V. Horn, "Programming semantics for multipro-grammed computations," Communications of the ACM, vol. 9, no. 3, pp. 143-155, Mar. 1966.
18. M. S. Miller, K.-P. Yee, and J. Shapiro, "Capability myths demolished," System Research Lab, Department of Computer Science, The John Hopkins University, Baltimore, Maryland, USA, Tech. Rep. SRL2003-02, 2003.
19. G. S. Graham and P. J. Denning, "Protection: Principles and practices," in Proceedings of the 1972 AFIPS Spring Joint Computer Conference, vol. 40, Alantic City, New Jersey, USA, May 1972, pp. 417-429.
20. N. Li and M. V. Tripunitara, "On safety in discretionary access control," in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'05), Oakland, California, USA, May 2005, pp. 96-109. (Pubitemid 41543649)
21. P. J. Denning, "Fault tolerant operating systems," ACM Computing Surveys, vol. 8, no. 4, pp. 359-389, Dec. 1976.
22. M. Bishop, Computer Security. Addison Wesley, 2002.
23. M. R. Clarkson and F. B. Schneider, "Hyperproperties," in Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF'08), Pittsburch, Pennsylvania, USA, Jun. 2008, pp. 51-65.
24. P. W. L. Fong, "Preventing Sybil attacks by privilege attenuation: A design principle for social network systems," Department of Computer Science, University of Calgary, Calgary, Alberta, Canada, Tech. Rep. 2011-995-07, Mar. 2011.
25. S. R. Kruk, S. Grzonkowski, A. Gzella, T. Woroniecki, and H.-C. Choi, "D-FOAF: Distributed identity management with access rights delegation," in Proceedings of the First Asian Semantic Web Conference (ASWC'06), ser. LNCS, vol. 4185. Beijing, China: Springer, Sep. 2006, pp. 140-154. (Pubitemid 44608591)
26. B. Carminati, E. Ferrari, and A. Perego, "Rule-based access control for social networks," in Proceedings of the OTM 2006 Workshops, ser. LNCS, vol. 4278. Springer, Oct. 2006, pp. 1734-1744. (Pubitemid 44891736)
27. -, "A decentralized security framework for web-based social networks," International Journal of Information Security and Privacy, vol. 2, no. 4, pp. 22-53, Oct. 2008.
28. -, "Private relationships in social networks," in Proceedings of Workshops in Conjunction with the International Conference on Data Engineering - ICDE'07, Istanbul, Turkey, Apr. 2007, pp. 163-171.
29. B. Carminati and E. Ferrari, "Privacy-aware collaborative access control in web-based social networks," in Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DAS'08), ser. LNCS, vol. 5094. London, UK: Springer, Jul. 2008, pp. 81-96.
30. B. Carminati, E. Ferrari, and A. Perego, "Enforcing access control in web-based social networks," ACM Transactions on Information and System Security, vol. 13, no. 1, Oct. 2009.
31. B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thurainsingham, "A semantic web based framework for social network access control," in Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT'09), Stresa, Italy, Jun. 2009, pp. 177-186.
32. B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thuraisingham, "Semantic web-based social network access control," Computers and Security, vol. 30, no. 2-3, pp. 108-115, Mar. 2011.
33. A. Squicciarini, F. Paci, and S. Sundareswaran, "PriMa: An effective privacy protection mechanism for social networks," in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS'10), Beijing, China, Apr. 2010, pp. 320-323.
34. A. C. Squicciarini, M. Shehab, and F. Paci, "Collective privacy management in social networks," in Proceedings of the 18th International Conference on World Wide Web (WWW'09), Madrid, Spain, Apr. 2009, pp. 521-530.
35. A. C. Squicciarini, M. Shehab, and J. Wede, "Privacy policies for shared content in social network sites," The VLDB Journal, 2010, to appear.
36. M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach, "Secure routing for structured peer-to-peer overlay networks," in Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, MA, USA, Dec. 2002.
37. N. Borisov, "Computational puzzles as sybil defenses," in Proceedings of the 6th IEEE International Conference on Peer-to-Peer Computing (P2P'06), Cambridge, UK, Sep. 2006, pp. 171-176.
38. H. Rowaihy, W. Enck, P. McDaniel, and T. L. Porta, "Limiting Sybil attacks in structured P2P networks," in Proceedings of the 26th IEEE International Conference on Computer Communications (INFOCOM'07), Anchorage, Alaska, USA, May 2007, pp. 2596-2600. (Pubitemid 47334528)
39. L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, "CAPTCHA: Using hard AI problems for security," in Proceedings of the 22nd International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'03), ser. LNCS, vol. 2656. Warsaw, Poland: Springer, May 2003, pp. 294-311.
40. L. Snyder, "Theft and conspiracy in the take-grant protection model," Journal of Computer and System Sciences, vol. 23, no. 3, pp. 333-347, 1981. (Pubitemid 12473231)