company logo geospatial database security nguyễn minh nhật nguyễn ngọc hương thảo lê...

Company

LOGO

Geospatial Database Security

Nguyễn Minh Nhật

Nguyễn Ngọc Hương Thảo

Lê Trần Hoài Thu

Nguyễn Minh Nhật

Nguyễn Ngọc Hương Thảo

Lê Trần Hoài Thu

ContentContent

PartPart0101

Basic Knowledge about GIS Is some basic information to know about GIS

Authorization in GIS DatabaseIs one of regular way to authorization about users and their privileges.

Some GIS Security ModelIs some of Security model common used.

PartPart0202

PartPart0303

2

GIS database structure

Introduction of GIS & Geospatial database

Contents of Contents of Basic GIS

3

What is GIS?

Application?

GISGeographical

Information Systems USER REAL WORLD

4

GIS: history background

This technology has developed from: Digital cartography and CAD Data Base Management Systems

1

2

3

CAD SystemCAD System DataBase Management SystemDataBase Management System

ID X,Y

123

ID ATTRIB

123

5

Geospatial Database

Database mapAttribute valuesDatabase map

Attribute values

6


Introduction of GIS & Geospatial database

Contents of Contents of Basic GIS

7

Representation of Geographical Information

Many spatial databases are partitioned internally: Partitions defined spatially Partitions defined thematically Both

Tile: a geographical partition of a database

Layer: a thematic partition

8

LAYER

!(

!(!(

!(!(

!(

!(

!(

!(

!(

!(

!( !(!( !(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(Thematic Map of the Continental United States

A layer: logical grouping of geographic feature, that can also be referred to as a coverage.

9

Maps are composed of

Layers

!(

!(!(

!(!(

!(

!(

!(

!(

!(

!(

!( !(!( !(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

States

Rivers

Lakes

Roads

!(

!(!(

!(!(

!(

!(

!(

!(

!(

!(

!( !(!( !(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

!(

Capitals

LAYER

10


Layers contain features or surfaces Layers are represented by:

Vector model Raster model TIN model

GIS database structure: Database map: spatial data Attribute map: non-spatial data

features

surfaces

11

Vector model: geometric objects: Points Lines Polygons

Spaghetti model and Topology model

Representing data with vector

Type Position

Point 3,2

Line 1,5; 3,5; 5,7; 8,8; 11,7

Polygon 5,3; 6,5; 7,4; 9,5; 11,3; 8,2; 5,3

12

Stores by x, y co-ordinate Represents relational

spatial data for each object Represents attribute data

Spaghetti model

13

Advantages: Simple , easy to represent

Disadvantages: Unable to represent relational spatial data

among these objects Polygons: boundary is stored twice

Spaghetti model

14

Topology model Spatial data Relational spatial data topology

Arc-Node topology Polygon-Arc topology

15

Representing data with vector

Advantage: Allowing precise representation of points,

boundaries, and linear features.

Disadvantage: The boundaries of the resultant map polygons

discrete, whereas in reality the map polygons may represent continuous gradation or gradual change

16

Representing data with raster

Raster model as image files: Composed of grid-cells (pixels)

A value attribute table (VAT) keeps track of your value classification. Add custom attributes by adding more

columns. Disadvantage?

Raster data has one or more bands. Each band has an identical grid layout

representing a different attribute.

17

Representing data with raster

Representing well indistinct boundaries Thematic information on soil types, soil moisture,

vegetation, ground temperatures

Being used as reconnaissance satellites and aerial surveys use raster-based scanners, the information (scanned images) can be directly incorporated into GIS

The higher the grid resolution, the larger the data file is going to be.

18

TIN: Triangulated Irregular Networks Representing continuous surfaces

Representing data with TIN

19

Network structure

Representing data with TIN

20

Attribute data

Features are stored in a database along with information describing them. Attributes of a street: name,

street type, length, street code, number of lanes, pavement type.

Attributes of a park: name, area, hours of operation, maintenance schedule.

21

Attribute data

ID Att1 Att2 Att3

1 X X X

2 X X X

3 X X X

….

3 4

2

1

Attribute values in a GIS are stored as relational database table. Each feature within in

GIS layer will be represented as a record in a table

22

ContentContent

PartPart0101




PartPart0202

PartPart0303

23

Authorization control mechanism

The geographic access control model

Basic components of the model

Topological spatial data model (TSDM)

Why is authorization in GIS important?

Contents of Contents of Authorization in GIS

24

Why is authorization in GIS important?

Geographical data have a strategic relevance in a large variety of contexts Gathering and analyzing intelligence Protecting critical infrastructure Responding to complex emergencies Preparing for disease outbreaks and

bioterrorism Securing complex events

25

Geometric layer: Shape and location on the earth surface of

features Geometric value: set of points, set of simple

connected (or not) polylines, set of simple polygons

Topological layer: Describing the topological relations of the

feature with others features of the map Relation: {Disjoint, Touch, In, Contains, Equal,

Cross, Overlap}


26

Example of a geographical database the railway network


27

Topological relations among the features of the Region and the County feature types


28

Geometric layerTopological layerOperators:

Feature-based operators Map-based operators Mixed operators


29


Subject and object Subject: All users that interact with the system Object:

• Schema objects• Instance objects• Group objects

privileges Instances privileges Insertion privileges Schema privileges

30

Authorization sign and type Sign

• (+) A subject is authorized for a given privilege• (-) A subject is denied access to a given object under

a given privilege

Type: specifies whether an authorization can be overridden or not

• Weak authorizations• Strong authorizations

Queries and windowsGrant option: Only (+) authorizations can be delegated


31

AuthorizationAuthorization extensionCorrect authorization

The geographic access control model

32

Authorization

A tuple containing all the basic components of the model

The form: (u, p, pt, g, go, o ,t, w, q)Example:

Set A = {a8 = (Ted, selM(2,geo),+,Bob,false,M_rail,st,Milan, ┴),

a9 = (Ted, updF(0,space,+, Bod, false,Accident,wk, Milan, N=‘wrong manouevre’Name=‘X’(Accident))

}

33

Derivation over object relationshipsDerivation over privilege relationships

An authorization granting a privilege to objects with a certain dimension has to be propagated to objects with lower dimension

An authorization denying a privilege to objects with a certain dimension has to be propagated to objects with higher dimension

Derivation rule

34

Derivation rule

35

Derivation rule

36

Given an access request r = (u,p,o)An authorization: a = (u,p,pt,g,go,o,t,w,q)The access request can be satisfied if:

R depends on a strong positive authorization and on no strong negative authorization

R depends on a weak positive authorization, on no weak negative authorization and on no strong authorization.

Algorithms for access control

37

ContentContent

PartPart0101




PartPart0202

PartPart0303

38

Q&A

Access control model for spatial data on web

Secure Access Control in a Multi-User Geodatabase

Analysis of Access Control Mechanisms for Spatial DB

Aspects in Security of Database System

Contents of Contents of GIS Security Model

39


Privacy

Confidential

Secrecy

Integrity

Accuracy

Granularity

Availability

Privacy

Confidential

Secrecy

Integrity

Accuracy

Granularity

Availability

40

Privacy & Secrecy

Access limit control User private access right. GIS User-level based. Problems: Non module GIS database. Module GIS database.

Access limit control User private access right. GIS User-level based. Problems: Non module GIS database. Module GIS database.

GIS Database

Aspects in Security of Database System 41

Privacy & Secrecy (cont)

GIS Database

Change 01

Change 02

Change 03

Change 04

Change 05

Change 06

Change 07

Change ….

User 01

User 02

User 03

User 04

User 05

User 06

User 07

User ….


Availability

Storage Structure

Data

DataImage

ApplicationWeb ServiceWeb Users Operating System

Database Management

Database Management


Availability (cont)

Database Restore Loss of power Disconnect. Hardware or Software errors.

Database Restore Loss of power Disconnect. Hardware or Software errors.

Packet


Granularity

Metadata


Integrity & Accuracy


Integrity & Accuracy = Can’t be tampered (added, deleted, or altered) by illegal users.

46

Confidentialy

Data Network

Data

Data

Poison Data

Data Poison Data

Data


Confidentialy = only user knows data

47






Efficient Techniques for Realizing Geo-Spatial Access Control

48

Introduction

Two possible solution to restricting access to database: SDE-based access control mechanism. View-based access control mechanism.


SDE-based access control

mechanism

View-based access control

mechanism.

49

SDE-based access control mechanism

SDE (Spatial Data Engine). Function: manage unstructured spatial

data in structure RDBMS (Relational database management system)


http://en.wikipedia.org/wiki/Relational_database_management_system50



MAPProperty

Record

51

All geospatial objects in the same map layer are stored in a table.

Each geospatial object is represented by a record of the table.

The geometric property of a geospatial object is stored as a field of the record.



52



53



54



55



56

Authentication: System firstly ensure log-in users are legal

Authorize: Legal users are executting permit operations on spatial objects of interest.



57



58

SDE uses layers to store features (spatial objects)

Each layer contains one of: point, line or polygon.

Each layer is composed of business table, feature table, spatial index table, and point table


SDE – Spatial data organization

59


SDE – Spatial data LAYERs

60



61



62

Business table represents a feature and stores attribute properties of the feature


SDE – Spatial data – Business table

63

Feature table stores shape types and boundary boxes of features in feature tables.


SDE – Spatial data – Features table

64

Spatial index table contains information of the grid unit and boundary boxes of features.


SDE – Spatial data – Spatial index table

65

Point table stores coordinate values of each shape in a binary type of BLOB, which is translated into spatial meanings by SDE.


SDE – Spatial data – Point table

66

SDE-based access controlSDE-based access control

Authorization Map Layers FeaturesSpatial Context


67

Namely user information is stored in database and RDBMS is in charge of authenticating users

Spatial authorization must alter schemas of related tables to store authorization information (legal users and corresponding privileges) according to granularities of control


SDE-based access control FOR AUTHORIZATION

68

The schema of layer tables is added fields: user and privilege

According to User’ specific authorization requirements, the fields: user and privilege will be filled.


SDE-based access control FOR MAP LAYERS

69

The similar modification will be made to the schema of business tables, as each record of business tables stores properties of a single feature


SDE-based access control FOR FEATURES

70

As for spatial context, for example eatures in a rectangular window of certain privilege, the authorization information is filled in feature tables on the fly. Those features falling in the window are alculated with the window rectangle and the boundary boxes stored in the feature table.


SDE-based access control FOR SPATIAL CONTEXT

71

1. Certificated IDs

2. Read authorization information or intentd map layer

3. Compared legal users and privileges from layer table and intended operations

4. Decide authorizing access to the map layer or just rejecting

5. Make similar procedure to achieve permistion to specific features.



72

Introduction



mechanism

View-based access control

mechanism.

73

View-based access control mechanism.


GIS Database

View 01

View 02

View 03

View 04

View 05

View 06

View 07

View ….

User 01

User 02

User 03

User 04

User 05

User 06

User 07

User ….

74

4 component: Database acounts Database login (authentication) Privileges View


Analysis of Access Control Mechanisms for Spatial DB 75

Alternative method to grant Carol access to name and email columns:create view employee_public as select name,email from employee;

grant select on employee_public to carol;




Secure Access Control in a Multi-User GeodatabaseSecure Access Control in a Multi-User Geodatabase





78

Problem in multi-user access:Some information need to be secret.Some Users can view, Others can’t.Other:

• Fake Users.

• Virtual Users.

Secure Access Control in a Multi-user Geodatabase

79

Aspect to security of GeoDatabase:Privacy.Confidentialy.Secrecy.Integrity.AccuracyGranularity.Availability.


80

Three main Access Control Models:Mandatory (label-based).Discretionary (User-based)Role-Based.


81

Mandatory (label-based).Different security levels -> users of

database have security clearances assigned.

Discretionary (User-based)Permission Access. Users can protect or

grant access rights.Role-BasedAccess control is enforced in terms of

roles.


82

Access Control Models for Geodatabase Allow view-based access control.Access predefined sets of views, based on

authorizations.Views are built from a multi-level

database, may be updated, according to users privileges.


83

Three new different security architectures:Single Multi-Level Database ( Multi-level

Relations).Replicated Multi-Level Database.Single Multi-level Database (Uni-level

Relations).


84

Single Multi-Level Database ( Multi-level Relations).


85

Replicated Multi-Level Database.


86

Single Multi-level Database (Uni-level Relations).


87







88

INTRODUCTION (1)

The use of map is crucial for correctly geo-processing data. Currently, several commercial map management systems support visualization and editing of spatial objects on Web.

Enforcing controlled access to spatial data has not been much investigated to ensure confidentiality and integrity of information.

89

INTRODUCTION (2)

Ensuring confidentiality means preventing improper disclosure of information to non-authorized users to see it.

Ensuring integrity means protecting data from unofficial modifications and thus preventing non-authorized users from inserting or modifying data in the database.

90

INTRODUCTION (3)

The model is based on the following assumptions :

Spatial data consist of objects with sharp boundaries located in a geographical space.Data are manipulated by remote users through the operations provided by a Web Map Management Service.

The goal of the system in to control the way data are accessed by users having different profiles.

The model is an extension of the classical access control model based on the notion of authorized rule.

91

INTRODUCTION (4)

The central idea is to assign an authorization a geographical scope, namely a bounded region in which the authorization is valid.

Therefore, operations that users may execute on spatial data may vary, depending on user identity and object position.

92

PRELIMINARY NOTIONS (1)

Spatial data model used is the vector model defined by the OpenGIS Consortium (OGC) based on the notion of simple spatial feature.

The architecture of Web map management applications is organized according to 3-tier architecture including Presentation, Application, Data Storage layers.

93

The Data Storage layer consists of files and database servers.

The Application layer implements the operations requested by the application.

The Presentation layer on the client side includes either HTML pages or specialized programs.


94


We assumed that features are transferred in a vector format and the geo-processing is distributed on both client and server.

95


96


The Application layer consists of 2 main services :

The Access Control Service implements the operations for authorization rules checking and administration.

The Application Service implements the application logic and access the application data.

Besides, it also includes the Authentication Service based on username/password, SSL or some complex services.

97


98

THE ACCESS CONTROL SYSTEM (1)

Data access is controlled through a set of authorization rules. Each authorization rule, in basic form, consist of a triple = <subject, object, privilege>.

The subject indicates who can access the data resource.

The object is a spatial feature class. The privilege is the kind of action that can be

performed by the subject on the given object.

99

THE ACCESS CONTROL SYSTEM (2)

In the model, it is not possible to define authorization rules for objects at a finer level of granularity, on single feature for example, or on feature class attributes.

Privileges used in the model :Notify : controls the execution of the operations for feature insertion and deletion.Analysis : controls the execution of the different querying operation.ViewGeometry : controls the single operation of GetFeature.ViewAttribute : controls the operation of GetFeatureInfo.

100

DEFINITIONS AND CONSTRAINTS (1)

Definition 1 (Basic authorization)

Let R be a set of roles, FC the set of feature classes, O the set of Web service operations, P the set of privileges defined as a partition over the set O. A basic authorization rule is defined as a triple <r, f, p> where r ∈ R, f ∈ FC, p ∈ P.

Example :

The rule authorizing a surveyor to notify illegal waste deposits can be expressed as follows:

<surveyor, illegal_waste_deposit, Notify>.

101


Constraint 1 (Constraint on privilege dependency)

Let r be a role, fc a feature class, p1, p2…, pn privileges.We say that p1 depends on p2…pn (written as p1 → p2… ˄ pn) iff the existence of the rule: a1 = <r, fc, p1> implies the existence of the rules: a2=<r, fc,p2>,...,an = <r, fc, pn>. The rule a1 is said to be dependent on a2...an (written a1 → a2… ˄ an).

Example :

The dependency discussed above can be expressed in a simple way as follows:

Notify → ViewGeometry ˄ ViewAttributes

102


Definition 2 (Authorization with window)Let Polygon denote the set of polygonal geometries. An authorization rule with window is a tuple <r,fc,p,w> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ Polygon.

Constraint 2 (Constraint on authorization window)Let a1 = <r, fc, p1, w1> and a2 = <r, fc, p2, w2> be two authorizations rules defined for the same role r and feature class fc but on two different privileges p1 and p2. If p1→p2 then w1 ⊆ w2.

103


Definition 3 (Authorization rule with grant option)

Let R be a set of roles, FC the set of feature classes, P the set of privileges, W the set of Polygons. An authorization is defined as a tuple : <r,fc,p,w,gr,gr_op>, where r ∈ R, f ∈ FC, p ∈ P, w ∈ W, gr ∈ R, gr_op ∈{true, false}.

Constraint 3 (Constraint on authorization rule grant)

Let a = <r1, fc, p, w , gr, true> be an authorization granted to role r1. The privilege p on feature class fc can be granted by r1 to r2 through the authorization b = <r2, fc , p, wb , r1, _> iff the window of b is contained in the window of a, that is, wb ⊆ wa.

104


Definition 4 (Authorization rule consistency)

The authorization rule a = <r, fc, p, w, gr, gr_op> is consistent iff the following constraints are satisfied :

a) Constraint 1 and constraint 2 must hold, that is, for each privilege pi such that p → pi, the authorization ai = <r, fc, pi, wi , gr, _> must belong to the rule set and w ⊆ wi.

b) Constraint 3 must hold, that is, let b = <gr, fc, p, wb,_, true> be the corresponding authorization given to the grantor of a; then the relationship w ⊆ wb must hold.

105

SUMMARY (1)

Strong points :

Protect vector-based spatial data against requests issued through a Web service.

Authorizations on spatial objects can be applied on limited areas within the reference space.

106

SUMMARY (2)

Weak points :

Do not support topological representation.

Do not support multiple representation of the same feature (such as various object dimension).

Do not support both positive authorizations (giving permissions) and negative ones (specifying denials).

107

Q&A




Summary of Summary of GIS Security Model


108

References[1] Jiayuan LIN, Yu FANG, Bin CHEN, Pengei WU – Analysis of access control mechanisms for spatial database.

[2] Elisa Bertino, Micheal Gertz – Security and Privacy for Geospatial Data: Concepts and Research Directions.

[3] Elisa Bertino, Maria Luisa Damiani - A Controlled Access to Spatial Data on Web

[4] MikhailJ.Atallah, MarinaBlanton, KeithB.Frikken - Efficient Techniques for Realizing Geo-Spatial Access Control

109

[5] Sahadeb De, Caroline M. Eastman, Csilla Farkas - Secure Access Control in a Multi-user Geodatabase.

[6] Zhu Tang, Shiguang Ju, Weihe Chen - Active Authorization Rules for Enforcing RBAC with Spatial Characteristics.

[7] A.Belussi, E.Bertino, B.Catania – An Authorization Model for Geographical Maps.

[8] www.gis.com

[9] www.esri.com/casestudies

References (cont.)

110

Question?

111

company logo geospatial database security nguyễn minh nhật nguyễn ngọc hương thảo lê...

Documents

raster data

data file

gis databaseis

attribute data spaghetti

attribute data features

gis database structure

gis security modelis

rasterraster model