![Page 1: Aum Sai Ram Security for Stream Data Modified from slides created by Sujan Pakala](https://reader035.vdocuments.us/reader035/viewer/2022070401/56649f1e5503460f94c36442/html5/thumbnails/1.jpg)
Aum Sai Ram
Security for
Stream Data
Modified from slides created by Sujan Pakala
Relational Data Model
Set of unordered objects
Relatively static
Bounded data
Pull access – query
Data Streams
stanfordstreamdatamanager
Continuous, unbounded, rapid, time-varying streams of data elements
Data driven – push access
Occur in a variety of modern applications:
Network monitoring and traffic engineering
Sensor networks, RFID tags
Telecom call records
Financial applications
Web logs and click-streams
Manufacturing processes
DSMS = Data Stream Management System
DBMS versus DSMS
DBMS:
Persistent relations
One-time queries
Random access
Access plan determined by query processor and physical DB design
DSMS:
Transient streams (and persistent relations)
Continuous queries
Sequential access
Unpredictable data characteristics and arrival patterns
DSMS Overview (simplified)
[Diagram: input streams enter the DSMS; queries are registered with it (RegisterQuery); the DSMS uses a scratch store and an archive of stored relations, and produces a streamed result and a stored result.]
Time stamp
Explicit, source assigned
Implicit, arrival based
Out of order arrival
Part of data model?
Windows
Time-decay, fading of data
Window:
Direction of movement of end points
Size
Windows within windows
Update interval: continuous, jumping
Query processing over windows
Sliding windows
Reevaluated periodically with specific frequency
Sub-windows (time-based, tuple-based)
Window update
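The two window kinds named on this slide, a time-based and a tuple-based sliding window with a jumping update interval, behave differently on out-of-order arrivals; the following Python is an added example (not code from the slides or from the STREAM project) that makes the difference concrete. The class and function names, the window size of 3 time units / 3 tuples, and the sample stream (with one late tuple) are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ts: int        # explicit, source-assigned timestamp
    value: float


class TimeWindow:
    """Tuples whose timestamp lies in (now - size, now]; `now` is the
    largest timestamp seen so far, so the end point only moves forward."""

    def __init__(self, size):
        self.size = size
        self.now = None
        self.buf = deque()
        self.dropped = 0   # out-of-order tuples that arrived after their window closed

    def insert(self, item):
        if self.now is not None and item.ts <= self.now - self.size:
            self.dropped += 1      # late arrival: its window has already expired
            return
        self.buf.append(item)
        self.now = item.ts if self.now is None else max(self.now, item.ts)
        # Expire everything that fell out when the end point advanced; filter
        # rather than popleft because a late tuple may sit at the tail.
        self.buf = deque(x for x in self.buf if x.ts > self.now - self.size)

    def contents(self):
        return list(self.buf)


class TupleWindow:
    """The most recent `size` tuples by arrival order; timestamps are ignored,
    so a late tuple is simply admitted like any other."""

    def __init__(self, size):
        self.buf = deque(maxlen=size)

    def insert(self, item):
        self.buf.append(item)

    def contents(self):
        return list(self.buf)


def run_mean_query(stream, window, every):
    """Continuous query: re-evaluate mean(value) over the window every
    `every` arrivals (a jumping update interval). Returns (ts, mean) pairs."""
    results = []
    for i, item in enumerate(stream, start=1):
        window.insert(item)
        if i % every == 0:
            vals = [x.value for x in window.contents()]
            results.append((item.ts, round(sum(vals) / len(vals), 2)))
    return results


# Constructed sample stream; the tuple with ts=2 (value 25) arrives out of order.
STREAM = [Item(1, 10), Item(2, 20), Item(3, 30), Item(4, 40), Item(5, 50),
          Item(6, 60), Item(2, 25), Item(7, 70), Item(8, 80)]


def demo():
    tw = TimeWindow(size=3)
    time_based = run_mean_query(STREAM, tw, every=3)
    tuple_based = run_mean_query(STREAM, TupleWindow(size=3), every=3)
    return time_based, tuple_based, tw.dropped


if __name__ == "__main__":
    print(demo())
```

The time-based window discards the late tuple because its window had already closed, so its third evaluation averages ts 6, 7, 8; the tuple-based window admits it, so the same evaluation averages the late 25 with 70 and 80. Which behaviour is correct is exactly the "out of order arrival: part of data model?" question on the earlier slide.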
Security for Stream Data Examples
Example 1: Protection against context-aware Spam/Adverts
Example 2: Personal Health Monitor Data
Example 3: Soldier/Transport-vehicle location and health
What do we protect? CIA model + ?
(Traditional) Dimensions of Data Security
Protection
• Authentication
• Authorization (and access control)
• Confidentiality, Integrity
• Availability
• Privacy
• Inference Security
• Physical Hardware Security
• Operating System Security
Access Control
• (Policy) Let the right user perform the right action on the right data object
• (Mechanisms) Views, Procedures, Grant & Revoke, Query Modification.
AUM SAI RAM
A SECURITY PUNCTUATION FRAMEWORK FOR ENFORCING ACCESS CONTROL ON STREAMING DATA
Rimma V. Nehme, Elke A. Rundensteiner, Elisa Bertino
Copyright: the following slides include material from this publication
Security Punctuation Framework
Security Meta-Data interleaved with data tuples
SPs may be shared by multiple tuples with similar policies
SPF Overview
SPF Overview
Stream security punctuations (SPs) are generated based on the users' (data providers') specifications.
SPs are interleaved with the stream data and describe the access control policy on the upcoming portion of the stream.
SP = a predicate that informs the processor who has access, when, to which streaming data.
Registered continuous queries inherit the security restrictions of the requester.
SPF Overview
Stream data arrives at the server.
The engine examines the policy stored in the SPs and checks whether the registered queries conform to that policy.
Data that no query has access to is discarded.
SPF – Assumptions
Data providers and users querying the data use the same access control model.
Role-based access control is used throughout (but since the framework is general, other AC models could deploy SPs).
Data is transmitted securely to the streaming database.
DSMS used = CAPE (in-house)
SPF – Claims
Proposed a new AC enforcement mechanism suitable for streaming data
Investigated interaction with query processing
Investigated query optimization
Extended traditional query algebra to be security-aware
Presented a pipelined query execution model
Described security-aware query optimization
SPF superior to alternate ACMs wrt processing and memory.
SPF – Components
Object - data entity (streams, tuples, tuple attributes).
Subject - entity requesting access, query specifiers.
Rights - set of privileges for subjects to hold and execute on an object.
Stipulations: Each Qspecifier belongs to "at least one" role. Assignment cannot change while s/he is registered to receive results of any currently executing
SPF Overview
Security Punctuations
Structure: < DDP | SRP | Sign | Immutable | ts >
Data Description Part (DDP) = ACP on which objects
Security Restriction Part (SRP) = AC model, authorized subjects (RBAC and some roles)
Sign = + / - authorization
Immutable? = N/Y = can/cannot be combined with server-side policies
Time stamp
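The SP structure on this slide and the engine behaviour on the earlier "SPF Overview" slides (examine the policy carried by the SPs, check which registered queries conform, discard data no query may see) can be exercised end to end; the Python below is an added example, not code from the paper or from CAPE. It fixes several things the slides leave open and which are therefore assumptions here: the DDP is reduced to a stream name plus the covered attributes; the most recent "+" SP and the most recent "-" SP for a stream stay in force until replaced; authorised roles are the "+" roles minus the "-" roles; a constructed server-side policy (granting an "auditor" role) is combined only when no SP in force is marked immutable; and a stream with no SP announced grants nothing. Role names, query ids, and the vitals tuples are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Roles = FrozenSet[str]


@dataclass(frozen=True)
class SP:
    """Security punctuation < DDP | SRP | Sign | Immutable | ts >."""
    ddp: str                 # Data Description Part: stream the policy covers (simplified)
    attrs: FrozenSet[str]    # attributes of that stream the policy covers (rest of DDP)
    srp: Roles               # Security Restriction Part: RBAC roles the policy names
    sign: str                # "+" authorises the SRP roles, "-" denies them
    immutable: bool          # True: server-side policies must not be combined
    ts: int


@dataclass
class DataTuple:
    stream: str
    ts: int
    attrs: Dict[str, object]


@dataclass(frozen=True)
class Query:
    qid: str
    roles: Roles             # roles of the query specifier (at least one)
    stream: str
    attrs: FrozenSet[str]    # attributes the query wants to see


# Constructed server-side policy: auditors may read the vitals stream,
# but only when the data provider's SP allows server-side combination.
SERVER_POLICY = {"vitals": frozenset({"auditor"})}


class SPEngine:
    def __init__(self, queries: List[Query], server_policy):
        self.queries = queries
        self.server_policy = server_policy
        self.in_force: Dict[Tuple[str, str], SP] = {}   # (stream, sign) -> latest SP
        self.delivered: Dict[str, List] = {q.qid: [] for q in queries}
        self.discarded: List[DataTuple] = []

    def authorised(self, stream) -> Tuple[Roles, FrozenSet[str]]:
        """Roles allowed on `stream` right now and the attributes the policy covers."""
        plus = self.in_force.get((stream, "+"))
        minus = self.in_force.get((stream, "-"))
        if plus is None:
            return frozenset(), frozenset()      # no policy announced: nothing is authorised
        roles = set(plus.srp)
        if minus is not None:
            roles -= minus.srp                   # negative authorisation wins
        immutable = plus.immutable or (minus is not None and minus.immutable)
        if not immutable:
            roles |= self.server_policy.get(stream, frozenset())
        return frozenset(roles), plus.attrs

    def process(self, item):
        if isinstance(item, SP):
            self.in_force[(item.ddp, item.sign)] = item   # policy for the upcoming portion
            return
        roles, covered = self.authorised(item.stream)
        hit = False
        for q in self.queries:
            if q.stream != item.stream or not (q.roles & roles) or not q.attrs <= covered:
                continue
            # project the tuple down to what the query is entitled to see
            self.delivered[q.qid].append((item.ts, {a: item.attrs[a] for a in sorted(q.attrs)}))
            hit = True
        if not hit:
            self.discarded.append(item)           # no query has access: drop it


def demo() -> SPEngine:
    queries = [
        Query("q_doctor", frozenset({"doctor"}), "vitals", frozenset({"hr"})),
        Query("q_nurse", frozenset({"nurse"}), "vitals", frozenset({"hr", "bp"})),
        Query("q_auditor", frozenset({"auditor"}), "vitals", frozenset({"loc"})),
        Query("q_advert", frozenset({"advertiser"}), "vitals", frozenset({"loc"})),
    ]
    eng = SPEngine(queries, SERVER_POLICY)
    all_attrs = frozenset({"hr", "bp", "loc"})
    stream = [   # constructed: SPs interleaved with data tuples
        SP("vitals", all_attrs, frozenset({"doctor", "nurse"}), "+", False, 0),
        DataTuple("vitals", 1, {"hr": 72, "bp": "120/80", "loc": "ward-3"}),
        DataTuple("vitals", 2, {"hr": 75, "bp": "122/81", "loc": "ward-3"}),
        SP("vitals", all_attrs, frozenset({"nurse"}), "-", True, 3),   # withdraw nurse, lock out server policy
        DataTuple("vitals", 4, {"hr": 90, "bp": "130/85", "loc": "icu"}),
        DataTuple("location", 5, {"loc": "gate-2"}),                     # no SP announced for this stream
    ]
    for item in stream:
        eng.process(item)
    return eng


if __name__ == "__main__":
    e = demo()
    print(e.delivered, [t.ts for t in e.discarded])
```

Running it shows the policy changing mid-stream: the doctor and nurse queries receive ts 1 and 2, the auditor sees only the location attribute via the mutable server-side policy, the advertiser never matches any role, and after the immutable "-" SP only the doctor query receives ts 4. The tuple on the unannounced "location" stream reaches no query and is discarded, which is the "discards data that no query has access to" step.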