
Posted on 03-Jan-2016



Geospatial Database Security

Nguyễn Minh Nhật

Nguyễn Ngọc Hương Thảo

Lê Trần Hoài Thu


Contents

Part 01: Basic knowledge about GIS. Some basic information to know about GIS.

Part 02: Authorization in GIS databases. A common way of authorizing users and their privileges.

Part 03: Some GIS security models. Some commonly used security models.

Contents of Basic GIS

Introduction to GIS and geospatial databases

GIS database structure

What is GIS? What are its applications?

GIS: Geographical Information Systems. (Figure: the GIS sits between the user and the real world.)

GIS: history and background

This technology developed from two roots: digital cartography and CAD on one side, database management systems on the other.

(Figure: a CAD system holds geometry as records (ID, X, Y); a database management system holds descriptive data as records (ID, ATTRIB); the shared ID, 123 in the figure, is what links geometry to attributes in a GIS.)

Geospatial database

(Figure: a database map holding the geometry, linked to a table of attribute values.)


Representation of geographical information

Many spatial databases are partitioned internally:

Partitions defined spatially

Partitions defined thematically

Both

Tile: a geographical (spatial) partition of a database.

Layer: a thematic partition.

(Figure: thematic map of the continental United States, shown as a single layer of point features.)

A layer is a logical grouping of geographic features; it can also be referred to as a coverage.

Maps are composed of layers

(Figure: a map of the United States assembled from the layers States, Rivers, Lakes, Roads and Capitals.)

GIS database structure

Layers contain features or surfaces. Layers are represented by one of:

Vector model

Raster model

TIN model

GIS database structure: a database map (spatial data) and an attribute map (non-spatial data).

Vector model: the geometric objects are points, lines and polygons. Two variants exist: the spaghetti model and the topology model.

Representing data with vectors

Type      Position
Point     3,2
Line      1,5; 3,5; 5,7; 8,8; 11,7
Polygon   5,3; 6,5; 7,4; 9,5; 11,3; 8,2; 5,3

(A polygon is a closed ring: its first and last vertex coincide.)

Spaghetti model

Stores each object as a plain list of x, y coordinates; the spatial data of each object are represented independently of every other object, together with its attribute data.

Advantages: simple, easy to represent.

Disadvantages: unable to represent the spatial relations (topology) among objects; the boundary shared by two adjacent polygons is stored twice.

Topology model

Stores the spatial data together with the spatial relations (topology) among the objects. Two forms: arc-node topology and polygon-arc topology.
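To make the difference between the two vector models concrete, here is an added example written for this page (it is not code from the slides): two adjacent rectangles A and B stored first in spaghetti form and then in arc-node topology. It shows that the spaghetti model stores the shared boundary twice and has to rediscover adjacency by comparing coordinates, so that a careless edit of one ring silently opens a sliver gap, whereas the topology model stores the shared arc once and reads adjacency straight from the arc table. All coordinates, polygon names and arc identifiers are constructed for illustration.

```python
"""Added example (not from the slides): spaghetti versus arc-node topology for
two adjacent rectangles A and B. All coordinates and identifiers are constructed."""
from collections import defaultdict

# Spaghetti model: each polygon is an independent closed ring of (x, y) tuples.
# The boundary between A and B, from (4, 0) to (4, 3), is stored in both rings.
SPAGHETTI = {
    "A": [(0, 0), (4, 0), (4, 3), (0, 3), (0, 0)],
    "B": [(4, 0), (8, 0), (8, 3), (4, 3), (4, 0)],
}

# Arc-node topology: every node once, every arc once; each arc records the
# polygon on its left and on its right (None = outside the map).
NODES = {1: (0, 0), 2: (4, 0), 3: (8, 0), 4: (8, 3), 5: (4, 3), 6: (0, 3)}
ARCS = {  # arc id: (from_node, to_node, left_polygon, right_polygon)
    "a1": (1, 2, "A", None),
    "a2": (2, 3, "B", None),
    "a3": (3, 4, "B", None),
    "a4": (4, 5, "B", None),
    "a5": (5, 6, "A", None),
    "a6": (6, 1, "A", None),
    "a7": (2, 5, "A", "B"),  # the shared boundary, stored exactly once
}


def _edges(ring):
    """Undirected edges of a closed ring, normalised so that (p, q) == (q, p)."""
    return {tuple(sorted(pair)) for pair in zip(ring, ring[1:])}


def spaghetti_neighbours(polys):
    """Adjacency in the spaghetti model: compare every pair of rings edge by edge.
    Returns {(poly1, poly2): number_of_shared_edges}; coordinates must match exactly."""
    names = sorted(polys)
    shared = {}
    for i, p in enumerate(names):
        for q in names[i + 1:]:
            n = len(_edges(polys[p]) & _edges(polys[q]))
            if n:
                shared[(p, q)] = n
    return shared


def topology_neighbours(arcs):
    """Adjacency in the topology model: read it straight from the arc table."""
    shared = defaultdict(list)
    for arc_id, (_, _, left, right) in arcs.items():
        if left is not None and right is not None:
            shared[tuple(sorted((left, right)))].append(arc_id)
    return dict(shared)


def stored_vertices(polys):
    """Coordinate pairs the spaghetti model stores (closing vertex not counted)."""
    return sum(len(ring) - 1 for ring in polys.values())


def polygon_nodes(poly, arcs):
    """Node ids on the boundary of `poly`, derived from the arcs that reference it."""
    return {n for f, t, l, r in arcs.values() if poly in (l, r) for n in (f, t)}


def edit_spaghetti_vertex(polys, poly, old, new):
    """Move one vertex of one ring only, as a careless edit does in the spaghetti
    model: the neighbouring ring keeps the old coordinate and a sliver gap appears."""
    return {k: [new if (k == poly and v == old) else v for v in ring]
            for k, ring in polys.items()}


if __name__ == "__main__":
    print("spaghetti adjacency:", spaghetti_neighbours(SPAGHETTI))
    print("topology adjacency:", topology_neighbours(ARCS))
    print("stored vertices:", stored_vertices(SPAGHETTI), "vs nodes:", len(NODES))
    drifted = edit_spaghetti_vertex(SPAGHETTI, "A", (4, 3), (4.01, 3))
    print("after editing A only:", spaghetti_neighbours(drifted))
```

In the topology model the same edit is a change to node 5 in NODES, and both A and B follow it because both reference arc a7; that is the integrity property the slides call "relational spatial data".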

Representing data with vectors

Advantage: allows a precise representation of points, boundaries and linear features.

Disadvantage: the boundaries of the resulting map polygons are discrete, whereas in reality the map polygons may represent a continuous gradation or gradual change.

Representing data with rasters

The raster model stores data as image files composed of grid cells (pixels).

A value attribute table (VAT) keeps track of the value classification; custom attributes are added as extra columns.

Raster data has one or more bands. Each band has an identical grid layout and represents a different attribute.

Representing data with rasters

Represents indistinct boundaries well: thematic information such as soil types, soil moisture, vegetation and ground temperatures.

Reconnaissance satellites and aerial surveys use raster-based scanners, so the scanned images can be incorporated directly into a GIS.

Disadvantage: the higher the grid resolution, the larger the data file.

Representing data with TIN

TIN (Triangulated Irregular Network): represents continuous surfaces as a network of triangles. (Figures: a TIN surface and its network structure.)

Attribute data

Features are stored in a database along with information describing them.

Attributes of a street: name, street type, length, street code, number of lanes, pavement type.

Attributes of a park: name, area, hours of operation, maintenance schedule.

Attribute data

ID   Att1   Att2   Att3
1    X      X      X
2    X      X      X
3    X      X      X
...

(Figure: features 1, 2, 3 and 4 on the map, each linked by its ID to a row of the table.)

Attribute values in a GIS are stored in a relational database table. Each feature in a GIS layer is represented as a record in the table.

Part 02: Authorization in GIS databases

Contents of Authorization in GIS

Why is authorization in GIS important?

Topological spatial data model (TSDM)

Basic components of the model

The geographic access control model

Authorization control mechanism

(The model presented in this part is the authorization model for geographical maps of Belussi, Bertino and Catania, reference [7].)

Why is authorization in GIS important?

Geographical data have strategic relevance in a large variety of contexts:

Gathering and analysing intelligence

Protecting critical infrastructure

Responding to complex emergencies

Preparing for disease outbreaks and bioterrorism

Securing complex events

Topological spatial data model (TSDM)

Geometric layer: the shape and location on the earth's surface of the features. A geometric value is a set of points, a set of simple (connected or not) polylines, or a set of simple polygons.

Topological layer: describes the topological relations of a feature with the other features of the map. Relations: {Disjoint, Touch, In, Contains, Equal, Cross, Overlap}.

Topological spatial data model (TSDM)

(Figure: example of a geographical database, the railway network.)

(Figure: topological relations among the features of the Region and County feature types.)

The TSDM therefore consists of a geometric layer, a topological layer and a set of operators: feature-based operators, map-based operators and mixed operators.

Basic components of the model

Subject and object. Subject: all users that interact with the system. Object:

• Schema objects

• Instance objects

• Group objects

Privileges: instance privileges, insertion privileges, schema privileges.

Authorization sign and type. Sign:

• (+) the subject is authorized for the given privilege

• (-) the subject is denied access to the given object under the given privilege

Type: specifies whether an authorization can be overridden or not:

• Weak authorizations (can be overridden)

• Strong authorizations (cannot be overridden)

Queries and windows: an authorization can be restricted to the result of a query or to a spatial window.

Grant option: only (+) authorizations can be delegated.

The geographic access control model

Authorization, authorization extension, correct authorization.

Authorization

A tuple containing all the basic components of the model, of the form (u, p, pt, g, go, o, t, w, q): subject u, privilege p, sign pt, grantor g, grant option go, object o, type t (st = strong, wk = weak), window w and query q (⊥ when no query applies).

Example:

Set A = { a8 = (Ted, selM(2, geo), +, Bob, false, M_rail, st, Milan, ⊥),

a9 = (Ted, updF(0, space), +, Bob, false, Accident, wk, Milan, N='wrong manoeuvre' Name='X'(Accident)) }

Reading the example: a8 gives Ted, with Bob as grantor and no grant option, a strong positive selection privilege on the map M_rail restricted to the Milan window; a9 gives Ted a weak positive update privilege on the Accident feature type, again restricted to Milan and further restricted by a query over Accident.

Derivation rule

Authorizations are derived over object relationships and over privilege relationships.

An authorization granting a privilege on objects of a certain dimension is propagated to objects of lower dimension.

An authorization denying a privilege on objects of a certain dimension is propagated to objects of higher dimension.

(Figures: the derivation rule applied to the example maps.)

Algorithms for access control

Given an access request r = (u, p, o) and authorizations of the form a = (u, p, pt, g, go, o, t, w, q), the access request can be satisfied if either:

r depends on a strong positive authorization and on no strong negative authorization; or

r depends on a weak positive authorization, on no weak negative authorization and on no strong authorization.

In every other case the request is rejected.
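The two acceptance conditions above, together with the derivation rule over object dimension, are small enough to run. The following is an added example written for this page (it is not the slide authors' or the paper's code): the nine-component tuple is reduced to the five fields the decision actually needs (subject, privilege, sign, object, type), the object hierarchy of a map containing polygons, lines and points is an assumption, and the users and policy are constructed for illustration.

```python
"""Added example (not from the slides and not the authors' code): a minimal
evaluator for signed, strong/weak authorizations with derivation over object
dimension and the two acceptance conditions of the model. Object names,
dimensions, users and the sample policy are constructed for illustration."""
from dataclasses import dataclass

# Assumed object hierarchy: a map contains polygons, lines and points, ranked by
# dimension so that "lower" and "higher" dimension are well defined.
DIMENSION = {"point": 0, "line": 1, "polygon": 2, "map": 3}
OBJECTS = {  # object name -> kind (constructed sample)
    "M_rail": "map",
    "region": "polygon",
    "rail_segments": "line",
    "stations": "point",
}


@dataclass(frozen=True)
class Authorization:
    u: str      # subject
    p: str      # privilege
    sign: str   # "+" grant, "-" denial
    o: str      # object name
    t: str      # "st" strong (cannot be overridden) or "wk" weak


def derive(auths):
    """Derivation rule over object dimension: a (+) on an object propagates to all
    objects of lower dimension, a (-) propagates to all objects of higher
    dimension. Sign and type are preserved; explicit authorizations are kept."""
    result = set(auths)
    for a in auths:
        d = DIMENSION[OBJECTS[a.o]]
        for name, kind in OBJECTS.items():
            dk = DIMENSION[kind]
            if (a.sign == "+" and dk < d) or (a.sign == "-" and dk > d):
                result.add(Authorization(a.u, a.p, a.sign, name, a.t))
    return result


def decide(auths, u, p, o):
    """Evaluate access request r = (u, p, o). Returns (decision, reason)."""
    applicable = [a for a in derive(auths) if (a.u, a.p, a.o) == (u, p, o)]
    strong = [a for a in applicable if a.t == "st"]
    weak = [a for a in applicable if a.t == "wk"]
    if any(a.sign == "-" for a in strong):
        return "deny", "a strong negative authorization applies"
    if any(a.sign == "+" for a in strong):
        return "permit", "a strong positive authorization applies and no strong negative one"
    if any(a.sign == "-" for a in weak):
        return "deny", "a weak negative authorization applies and no strong one overrides it"
    if any(a.sign == "+" for a in weak):
        return "permit", "a weak positive authorization applies, no weak negative and nothing strong"
    return "deny", "no applicable authorization (closed policy)"


# Constructed sample policy.
SAMPLE_AUTHS = {
    # Ted: strong select on the whole map, plus a weak denial on the stations
    Authorization("Ted", "select", "+", "M_rail", "st"),
    Authorization("Ted", "select", "-", "stations", "wk"),
    # Ann: weak select on the region polygon, strong denial on the rail lines
    Authorization("Ann", "select", "+", "region", "wk"),
    Authorization("Ann", "select", "-", "rail_segments", "st"),
}

if __name__ == "__main__":
    for user, obj in [("Ted", "stations"), ("Ann", "stations"),
                      ("Ann", "region"), ("Ann", "M_rail"), ("Bob", "M_rail")]:
        print(user, obj, decide(SAMPLE_AUTHS, user, "select", obj))
```

Ted's weak denial on the stations loses to the strong positive derived downward from M_rail, while Ann's strong denial on the rail lines propagates upward to the region and to the map, so the only object she can still select is the stations; a user with no authorization at all is denied.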

Part 03: Some GIS security models

Q&A

Contents of GIS Security Model

Aspects in security of database systems

Analysis of access control mechanisms for spatial DB

Secure access control in a multi-user geodatabase

Access control model for spatial data on the Web

Efficient techniques for realizing geo-spatial access control

Aspects in security of database systems

Privacy

Confidentiality

Secrecy

Integrity

Accuracy

Granularity

Availability

Privacy & Secrecy

Access limit control: each user has private access rights, enforced by the GIS per user level. Problems: a non-modular GIS database versus a modular GIS database.

Privacy & Secrecy (cont.)

(Figure: a GIS database receiving many changes, Change 01, Change 02, ..., from many users, User 01, User 02, ...)

Availability

(Figure: the storage structure, with the data and data images; the application, web service and web users on top of the operating system; and database management in between.)

Availability (cont.)

Database restore after: loss of power; disconnection; hardware or software errors. (Figure: packet.)

Granularity

(Figure: metadata.)

Integrity & Accuracy

Integrity and accuracy mean that the data cannot be tampered with (added, deleted or altered) by illegitimate users.

Confidentiality

Confidentiality means that only the authorized user knows the data. (Figure: data sent across a network, with an attacker injecting poison data into the stream.)


Analysis of Access Control Mechanisms for Spatial DB (reference [1])

Introduction

Two possible solutions for restricting access to the database:

SDE-based access control mechanism

View-based access control mechanism

SDE-based access control mechanism

SDE (Spatial Data Engine). Function: manage unstructured spatial data inside a structured RDBMS (relational database management system, see http://en.wikipedia.org/wiki/Relational_database_management_system).

(Figure: map, property, record.)

All geospatial objects in the same map layer are stored in one table.

Each geospatial object is represented by a record of the table.

The geometric property of a geospatial object is stored as a field of the record.

(Figures: examples of SDE layer tables.)

Authentication: the system first ensures that the users logging in are legitimate.

Authorization: legitimate users execute only permitted operations on the spatial objects of interest.

SDE – spatial data organization

SDE uses layers to store features (spatial objects).

Each layer contains one geometry type: point, line or polygon.

Each layer is composed of a business table, a feature table, a spatial index table and a point table.

(Figures: SDE spatial data layers.)

SDE – spatial data tables

Business table: represents a feature and stores the attribute properties of the feature.

Feature table: stores the shape types and bounding boxes of the features.

Spatial index table: contains the grid unit and the bounding boxes of the features.

Point table: stores the coordinate values of each shape as a binary BLOB, which SDE translates into its spatial meaning.

SDE-based access control

Authorization is applied at three granularities: map layers, features and spatial context.

SDE-based access control for authorization

User information is stored in the database and the RDBMS is in charge of authenticating users.

Spatial authorization must alter the schemas of the related tables to store the authorization information (legitimate users and their corresponding privileges) according to the granularity of control.

SDE-based access control for map layers

The schema of the layer table is extended with two fields, user and privilege.

These fields are filled according to the users' specific authorization requirements.

SDE-based access control for features

The same modification is made to the schema of the business tables, since each record of a business table stores the properties of a single feature.

SDE-based access control for spatial context

For spatial context, for example a certain privilege on the features inside a rectangular window, the authorization information is filled into the feature tables on the fly: the features falling in the window are computed from the window rectangle and the bounding boxes stored in the feature table.

SDE-based access control: the procedure

1. Certify the user's identity (authentication).

2. Read the authorization information of the intended map layer.

3. Compare the legitimate users and privileges from the layer table with the intended operation.

4. Decide whether to authorize access to the map layer or to reject the request.

5. Follow the same procedure to obtain permission on specific features.
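The five steps and the three granularities are shown end to end in the following added example, written for this page and not taken from the slides or from Lin et al.'s paper. It runs against an in-memory SQLite database whose layer table and business table carry the extra user/privilege information, and it fills per-feature grants on the fly from a window and the bounding boxes in the feature table. The table and column names, the users, passwords and coordinates are all constructed; PBKDF2 stands in for whatever credential store the real RDBMS uses.

```python
"""Added example (not code from the slides or from Lin et al.'s paper): the
five-step SDE-style check against an in-memory SQLite database. Table names,
column names, users, passwords and coordinates are constructed for this example."""
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
-- layer table with the added user/privilege fields, one row per grant
CREATE TABLE layer_auth(layer TEXT, user TEXT, privilege TEXT);
-- business table: attribute properties of each feature
CREATE TABLE business(layer TEXT, fid INTEGER, name TEXT, lanes INTEGER);
-- the same user/privilege extension for single features (a side table here,
-- so that attribute rows are not duplicated once per grant)
CREATE TABLE feature_auth(layer TEXT, fid INTEGER, user TEXT, privilege TEXT);
-- feature table: shape type and bounding box of each feature
CREATE TABLE feature(layer TEXT, fid INTEGER, shape TEXT,
                     minx REAL, miny REAL, maxx REAL, maxy REAL);
"""
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}  # constructed logins


def _hash_pw(password, salt):
    # PBKDF2 stands in for the RDBMS credential store (assumption of this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db():
    """Constructed sample: one 'roads' layer with three line features."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, pw in PASSWORDS.items():
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?,?,?)", (name, salt, _hash_pw(pw, salt)))
    conn.executemany("INSERT INTO layer_auth VALUES (?,?,?)", [
        ("roads", "alice", "select"), ("roads", "alice", "update"), ("roads", "bob", "select")])
    conn.executemany("INSERT INTO business VALUES (?,?,?,?)", [
        ("roads", 1, "Main St", 4), ("roads", 2, "Elm St", 2), ("roads", 3, "Ring Rd", 6)])
    conn.executemany("INSERT INTO feature VALUES (?,?,?,?,?,?,?)", [
        ("roads", 1, "line", 0, 0, 10, 1), ("roads", 2, "line", 20, 20, 25, 30),
        ("roads", 3, "line", 5, 5, 40, 6)])
    conn.executemany("INSERT INTO feature_auth VALUES (?,?,?,?)", [
        ("roads", 1, "alice", "select"), ("roads", 2, "alice", "select"),
        ("roads", 3, "alice", "select"), ("roads", 1, "alice", "update")])
    conn.commit()
    return conn


def authenticate(conn, user, password):
    """Step 1: the RDBMS checks the login; constant-time comparison of the hashes."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name=?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(_hash_pw(password, row[0]), row[1])


def grant_window(conn, layer, user, privilege, window):
    """Spatial context: find the features whose bounding box intersects the window
    and write the per-feature grants on the fly. Returns the granted feature ids."""
    wx0, wy0, wx1, wy1 = window
    fids = [r[0] for r in conn.execute(
        "SELECT fid FROM feature WHERE layer=? AND maxx>=? AND minx<=? "
        "AND maxy>=? AND miny<=? ORDER BY fid", (layer, wx0, wx1, wy0, wy1))]
    conn.executemany("INSERT INTO feature_auth VALUES (?,?,?,?)",
                     [(layer, f, user, privilege) for f in fids])
    conn.commit()
    return fids


def check_access(conn, user, password, layer, privilege, fid=None):
    """Steps 1-5: authenticate, read the layer's authorization rows, compare them
    with the intended operation, decide, then repeat at feature level. Every value
    reaches SQL through a bound parameter, never through string formatting."""
    if not authenticate(conn, user, password):
        return False, "authentication failed"
    if conn.execute("SELECT 1 FROM layer_auth WHERE layer=? AND user=? AND privilege=?",
                    (layer, user, privilege)).fetchone() is None:
        return False, f"{user} has no {privilege} on layer {layer}"
    if fid is not None and conn.execute(
            "SELECT 1 FROM feature_auth WHERE layer=? AND fid=? AND user=? AND privilege=?",
            (layer, fid, user, privilege)).fetchone() is None:
        return False, f"{user} has no {privilege} on feature {fid}"
    return True, "permitted"


def demo():
    """Scenario: returns (features granted by window, decisions in order)."""
    conn = build_db()
    out = [
        check_access(conn, "alice", "correct horse", "roads", "select", 2)[0],    # True
        check_access(conn, "alice", "wrong password", "roads", "select", 2)[0],   # False, step 1
        check_access(conn, "bob", "battery staple", "roads", "update")[0],        # False, step 4
        check_access(conn, "bob", "battery staple", "roads", "select", 2)[0],     # False, step 5
    ]
    granted = grant_window(conn, "roads", "bob", "select", (18, 18, 30, 35))      # [2]
    out.append(check_access(conn, "bob", "battery staple", "roads", "select", 2)[0])  # True
    out.append(check_access(conn, "bob", "battery staple", "roads", "select", 3)[0])  # False, outside window
    return granted, out


if __name__ == "__main__":
    print(demo())
```

Because the user and privilege values come from callers, the check uses bound parameters throughout; building these WHERE clauses by string concatenation would let a crafted user name or privilege string bypass steps 3 and 5.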


View-based access control mechanism

(Figure: each user, User 01, User 02, ..., accesses the GIS database only through a view, View 01, View 02, ..., defined over it.)

Four components: database accounts, database login (authentication), privileges, views.

(Figure: the view-based mechanism.)

An alternative to granting Carol access to the whole employee table is a view that exposes only the name and email columns:

create view employee_public as select name, email from employee;

grant select on employee_public to carol;

Carol receives SELECT on the view only; she holds no privilege on the base table, so the remaining columns stay hidden from her.


Secure Access Control in a Multi-user Geodatabase (reference [5])

Problems in multi-user access: some information needs to be secret; some users can view it, others cannot. Other problems:

• Fake users

• Virtual users

Aspects of geodatabase security: privacy, confidentiality, secrecy, integrity, accuracy, granularity, availability.

Three main access control models: mandatory (label-based), discretionary (user-based) and role-based.

Mandatory (label-based): data are classified into different security levels and database users are assigned security clearances.

Discretionary (user-based): permission-based access; users can protect their objects or grant access rights to others.

Role-based: access control is enforced in terms of roles.

Access control models for geodatabases allow view-based access control: users access predefined sets of views, based on their authorizations. The views are built from a multi-level database and may be updated, according to the users' privileges.

Three different security architectures:

Single multi-level database (multi-level relations)

Replicated multi-level database

Single multi-level database (uni-level relations)

(Figures: the three architectures.)

Access Control Model for Spatial Data on the Web (reference [3])

INTRODUCTION (1)

The use of maps is crucial for correctly geo-processing data. Currently, several commercial map management systems support the visualization and editing of spatial objects on the Web.

Enforcing controlled access to spatial data, so as to ensure the confidentiality and integrity of the information, has not been investigated much.

INTRODUCTION (2)

Ensuring confidentiality means preventing improper disclosure of information to users not authorized to see it.

Ensuring integrity means protecting data from unofficial modification, and thus preventing non-authorized users from inserting or modifying data in the database.

INTRODUCTION (3)

The model is based on the following assumptions:

Spatial data consist of objects with sharp boundaries located in a geographical space.

Data are manipulated by remote users through the operations provided by a Web Map Management Service.

The goal of the system is to control the way data are accessed by users having different profiles.

The model is an extension of the classical access control model based on the notion of authorization rule.

INTRODUCTION (4)

The central idea is to assign each authorization a geographical scope, namely a bounded region in which the authorization is valid.

Therefore the operations that users may execute on spatial data vary depending on the user's identity and the object's position.

PRELIMINARY NOTIONS (1)

The spatial data model used is the vector model defined by the OpenGIS Consortium (OGC), based on the notion of simple spatial feature.

The architecture of Web map management applications is organized as a 3-tier architecture with Presentation, Application and Data Storage layers.

PRELIMINARY NOTIONS (2)

The Data Storage layer consists of files and database servers.

The Application layer implements the operations requested by the application.

The Presentation layer, on the client side, includes either HTML pages or specialized programs.

PRELIMINARY NOTIONS (3)

It is assumed that features are transferred in a vector format and that geo-processing is distributed over both client and server.

PRELIMINARY NOTIONS (4)

(Figure: the 3-tier architecture.)

PRELIMINARY NOTIONS (5)

The Application layer consists of two main services:

The Access Control Service implements the operations for checking and administering authorization rules.

The Application Service implements the application logic and accesses the application data.

Besides these, it also includes the Authentication Service, based on username/password, SSL or more complex services.

PRELIMINARY NOTIONS (6)

(Figure: the services of the Application layer.)

THE ACCESS CONTROL SYSTEM (1)

Data access is controlled through a set of authorization rules. Each authorization rule, in its basic form, consists of a triple <subject, object, privilege>.

The subject indicates who can access the data resource.

The object is a spatial feature class.

The privilege is the kind of action that the subject can perform on the given object.

THE ACCESS CONTROL SYSTEM (2)

In the model it is not possible to define authorization rules for objects at a finer level of granularity, for example on a single feature or on feature class attributes.

Privileges used in the model:

Notify: controls the execution of the operations for feature insertion and deletion.

Analysis: controls the execution of the different querying operations.

ViewGeometry: controls the single operation GetFeature.

ViewAttribute: controls the operation GetFeatureInfo.

DEFINITIONS AND CONSTRAINTS (1)

Definition 1 (Basic authorization)

Let R be a set of roles, FC the set of feature classes, O the set of Web service operations and P the set of privileges, defined as a partition over the set O. A basic authorization rule is a triple <r, f, p> where r ∈ R, f ∈ FC, p ∈ P.

Example:

The rule authorizing a surveyor to notify illegal waste deposits can be expressed as follows:

<surveyor, illegal_waste_deposit, Notify>

DEFINITIONS AND CONSTRAINTS (2)

Constraint 1 (Constraint on privilege dependency)

Let r be a role, fc a feature class and p1, p2, ..., pn privileges. We say that p1 depends on p2, ..., pn (written p1 → p2 ∧ ... ∧ pn) iff the existence of the rule a1 = <r, fc, p1> implies the existence of the rules a2 = <r, fc, p2>, ..., an = <r, fc, pn>. The rule a1 is said to be dependent on a2, ..., an (written a1 → a2 ∧ ... ∧ an).

Example:

The dependency discussed above can be expressed simply as:

Notify → ViewGeometry ∧ ViewAttribute

DEFINITIONS AND CONSTRAINTS (3)

Definition 2 (Authorization with window)

Let Polygon denote the set of polygonal geometries. An authorization rule with window is a tuple <r, fc, p, w> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ Polygon.

Constraint 2 (Constraint on authorization window)

Let a1 = <r, fc, p1, w1> and a2 = <r, fc, p2, w2> be two authorization rules defined for the same role r and feature class fc but on two different privileges p1 and p2. If p1 → p2 then w1 ⊆ w2.

DEFINITIONS AND CONSTRAINTS (4)

Definition 3 (Authorization rule with grant option)

Let R be a set of roles, FC the set of feature classes, P the set of privileges and W the set of polygons. An authorization is a tuple <r, fc, p, w, gr, gr_op> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ W, gr ∈ R is the grantor and gr_op ∈ {true, false} is the grant option.

Constraint 3 (Constraint on authorization rule grant)

Let a = <r1, fc, p, wa, gr, true> be an authorization granted to role r1 with the grant option. The privilege p on feature class fc can be granted by r1 to r2 through the authorization b = <r2, fc, p, wb, r1, _> iff the window of b is contained in the window of a, that is, wb ⊆ wa.

DEFINITIONS AND CONSTRAINTS (5)

Definition 4 (Authorization rule consistency)

The authorization rule a = <r, fc, p, w, gr, gr_op> is consistent iff the following constraints are satisfied:

a) Constraints 1 and 2 must hold, that is, for each privilege pi such that p → pi, the authorization ai = <r, fc, pi, wi, gr, _> must belong to the rule set and w ⊆ wi.

b) Constraint 3 must hold, that is, let b = <gr, fc, p, wb, _, true> be the corresponding authorization given to the grantor of a; then the relationship w ⊆ wb must hold.
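Definition 4 is exactly the check an Access Control Service should run before it accepts a new rule. The following is an added example written for this page (not code from the slides or from Bertino and Damiani's paper): it encodes the Notify → ViewGeometry ∧ ViewAttribute dependency, tests window containment for convex polygons, and reports which of conditions (a) and (b) a candidate rule violates. The role names, the coordinates of the windows and the "admin" root grantor (whose own rules are assumed to need no grantor rule) are all constructed for illustration; the feature class illegal_waste_deposit is the one from the slides' example.

```python
"""Added example (not from the slides or from Bertino and Damiani's paper): a
checker for Definition 4 over a constructed rule set. Windows are convex
polygons given as tuples of (x, y) vertices; roles, coordinates and the "admin"
root grantor are assumptions of this example."""
from dataclasses import dataclass

ADMIN = "admin"  # assumed root grantor: its rules need no grantor rule
# Constraint 1 dependency stated on the slides: Notify → ViewGeometry ∧ ViewAttribute
DEPENDS = {"Notify": ("ViewAttribute", "ViewGeometry")}


@dataclass(frozen=True)
class Rule:
    r: str          # role
    fc: str         # feature class
    p: str          # privilege
    w: tuple        # window: (x, y) vertices of a convex polygon
    gr: str         # grantor role
    gr_op: bool     # grant option


def _inside_convex(pt, poly):
    """pt lies inside or on the boundary of convex `poly` iff it is on the same
    side of every edge; the test works for either vertex orientation."""
    side = 0
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % len(poly)]
        cross = (x2 - x1) * (pt[1] - y1) - (y2 - y1) * (pt[0] - x1)
        if cross != 0:
            s = 1 if cross > 0 else -1
            if side == 0:
                side = s
            elif s != side:
                return False
    return True


def window_contained(inner, outer):
    """inner ⊆ outer; exact when outer is convex, because a polygon then lies
    inside it iff all of its vertices do."""
    return all(_inside_convex(v, outer) for v in inner)


def check_consistency(a, rules):
    """Violated constraints for rule `a` against `rules`; [] means consistent."""
    violations = []
    # (a) Constraints 1 and 2: each privilege a.p depends on must be held by the
    # same role, on the same feature class, from the same grantor, on a window ⊇ a.w
    for pi in DEPENDS.get(a.p, ()):
        ok = any(b.r == a.r and b.fc == a.fc and b.p == pi and b.gr == a.gr
                 and window_contained(a.w, b.w) for b in rules)
        if not ok:
            violations.append(("C1", f"{a.r} lacks {pi} on {a.fc} covering the window of {a.p}"))
    # (b) Constraint 3: the grantor must hold a.p with grant option on a window ⊇ a.w
    if a.gr != ADMIN:
        ok = any(b.r == a.gr and b.fc == a.fc and b.p == a.p and b.gr_op
                 and window_contained(a.w, b.w) for b in rules)
        if not ok:
            violations.append(("C3", f"{a.gr} cannot grant {a.p} on {a.fc} over this window"))
    return violations


def consistent_rules(rules):
    """(role, privilege) of every rule in `rules` that satisfies Definition 4."""
    return [(b.r, b.p) for b in rules if not check_consistency(b, rules)]


# Constructed windows and rule set.
CITY = ((0, 0), (10, 0), (10, 10), (0, 10))
DISTRICT = ((2, 2), (6, 2), (6, 6), (2, 6))      # inside CITY
SUBURB = ((8, 8), (14, 8), (14, 14), (8, 14))    # straddles the CITY boundary
FC = "illegal_waste_deposit"
RULES = [
    Rule("manager", FC, "ViewGeometry", CITY, ADMIN, True),
    Rule("manager", FC, "ViewAttribute", CITY, ADMIN, True),
    Rule("manager", FC, "Notify", CITY, ADMIN, True),
    Rule("surveyor", FC, "ViewGeometry", DISTRICT, "manager", False),
    Rule("surveyor", FC, "ViewAttribute", DISTRICT, "manager", False),
    Rule("surveyor", FC, "Notify", DISTRICT, "manager", False),
]
BAD_WINDOW = Rule("surveyor", FC, "Notify", SUBURB, "manager", False)   # window escapes both bounds
BAD_GRANTOR = Rule("clerk", FC, "Notify", DISTRICT, "surveyor", False)  # surveyor has no grant option

if __name__ == "__main__":
    print("consistent:", consistent_rules(RULES))
    print("bad window:", check_consistency(BAD_WINDOW, RULES))
    print("bad grantor:", check_consistency(BAD_GRANTOR, RULES))
```

The two rejected rules show the two ways a grant can escape its scope: BAD_WINDOW asks for Notify on a window larger than the ViewGeometry and ViewAttribute windows the surveyor already holds and larger than the manager's grantable window, and BAD_GRANTOR is issued by a role that holds Notify without the grant option. Both are exactly the situations Constraints 2 and 3 exist to prevent.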

SUMMARY (1)

Strong points:

Protects vector-based spatial data against requests issued through a Web service.

Authorizations on spatial objects can be applied to limited areas within the reference space.

SUMMARY (2)

Weak points:

Does not support topological representation.

Does not support multiple representations of the same feature (such as various object dimensions).

Does not support both positive authorizations (granting permissions) and negative ones (specifying denials).

Q&A


References

[1] Jiayuan Lin, Yu Fang, Bin Chen, Pengei Wu. Analysis of access control mechanisms for spatial database.

[2] Elisa Bertino, Michael Gertz. Security and Privacy for Geospatial Data: Concepts and Research Directions.

[3] Elisa Bertino, Maria Luisa Damiani. A Controlled Access to Spatial Data on Web.

[4] Mikhail J. Atallah, Marina Blanton, Keith B. Frikken. Efficient Techniques for Realizing Geo-Spatial Access Control.

[5] Sahadeb De, Caroline M. Eastman, Csilla Farkas. Secure Access Control in a Multi-user Geodatabase.

[6] Zhu Tang, Shiguang Ju, Weihe Chen. Active Authorization Rules for Enforcing RBAC with Spatial Characteristics.

[7] A. Belussi, E. Bertino, B. Catania. An Authorization Model for Geographical Maps.

[8] www.gis.com

[9] www.esri.com/casestudies

Questions?