Policy-Attribute based Access Control Approach for Big Data Architecture Security
S. Regha #1, M. Manimekalai *2
#1 Research Scholar, Department of Computer Science, Shrimati Indira Gandhi College, Tiruchirappalli, India
*2 Professor, Director, and Head, Department of Computer Science, Shrimati Indira Gandhi College, Tiruchirappalli, India
Abstract— Attribute-based encryption is a promising primitive that achieves flexible, fine-grained access control over encrypted data, which makes it well suited to secure data-sharing settings such as the currently popular cloud computing. Apache Hadoop is the predominant software framework for distributed processing and storage, capable of handling very large volumes of data, commonly referred to as Big Data. The data collected from various enterprises and government agencies often includes private and sensitive information that must be protected from unauthorized access. However, conventional attribute-based encryption fails to provide an efficient keyword-based search over encrypted data, which to some extent weakens the power of this encryption technique, since search is usually the most important way to quickly obtain the data of interest from a large dataset. In this paper, Policy-Attribute Based Access Control (PA-BAC) is proposed, which builds on the key-policy attribute-based encryption (KP-ABE) scheme.
Keywords— Attribute-based Access Control, Encryption, Hadoop Ecosystem, Key-Policy, Cloud computing
I. INTRODUCTION
Big Data has become a fundamental resource for enterprises, which are harnessing its potential for generating additional revenue, offering a better customer experience, and shaping insights into their business models. The data generated from diverse and varied sources, including the Internet of Things, social platforms, healthcare, system logs, bio-informatics, and so on, contributes to and characterizes the ethos of Big Data, namely volume, velocity, and variety [1][2]. The data lake formed by the amalgamation of data from these sources requires powerful, scalable, and robust storage and processing platforms to reveal the true value hidden inside this data mine [3].
Over time, Apache Hadoop has emerged as the dominant platform for handling Big Data. Along with the core Hadoop 2.x components, namely Hadoop Common, MapReduce, the Hadoop Distributed File System (HDFS), and Apache YARN, several projects have contributed to making the Hadoop ecosystem the prime choice as a powerful, flexible, and fault-tolerant Big Data processing framework [4]. Open-source projects like Apache HBase, Apache Hive, Apache Knox, Apache Storm, Spark, and so on have made this framework accessible and usable to business and non-technical users as well, making it pervasive in enterprises, academia, and elsewhere. Such wide adoption of this platform motivates engineers and researchers to make it progressively more secure, considering that it handles the most valuable resource of any enterprise, namely data. In the year 2017 alone, several cases of data breaches were brought to the attention of the world, which amplifies and emphasizes the need for better cyber-security and privacy mechanisms [5].
Securing the Hadoop framework is highly challenging, given its distributed nature and broad attack surface. This multi-tenant platform must be secured to prevent unauthorized access to sensitive data and to the cluster resources used within the framework. Since many users run various applications and jobs on this platform, it is important that no data breach occurs and that essential data is exposed only to authorized users [6]. The confidentiality and integrity of data and resources can be undermined if attacks such as impersonation of Hadoop service daemons (HDFS NameNode, DataNode, YARN ResourceManager, etc.), denial of cluster resources, killing or modification of user applications by a malicious user, unauthorized data access in HDFS, and so on are mounted. For instance, in the case of Hadoop daemon impersonation, once a malicious service is registered as part of the Hadoop cluster, unauthorized users can access data blocks residing on DataNodes, or even consume all cluster resources by running jobs with high resource demands, thus preventing other users from using the cluster. Such attacks can be mounted from inside and outside the organization, which makes them progressively harder to detect and prevent [7][15].
ISSN NO: 1021-9056
http://infokara.com/1040
INFOKARA RESEARCH
Volume 8 Issue 12 2019
II. RELATED WORKS
Xie, Xingxing, et al. [8] proposed a new ciphertext-policy ABE (CP-ABE) construction with efficient attribute and user revocation. In addition, an efficient access control mechanism is provided, based on the CP-ABE construction together with an outsourced computation service provider.
Ruj, Sushmita, and Amiya Nayak [9] propose a decentralized security framework for smart grids that supports data aggregation and access control. The proposed access control mechanism uses Attribute-Based Encryption (ABE), which gives selective access to consumer data stored in data repositories and used by different smart grid users. RTUs and users hold attributes and cryptographic keys distributed by several key distribution centers.
Wang, Changji, and Jianfa Luo [10] proposed a new Key-Policy Attribute-Based Encryption (KP-ABE) construction with constant ciphertext size. In their construction, the access policy can be expressed as any monotone access structure. At the same time, the ciphertext size is independent of the number of ciphertext attributes, and the number of bilinear pairing evaluations is reduced to a constant.
Hu, Vincent C., et al. [11] provide Federal agencies with a definition of Attribute-Based Access Control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. The document also provides considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
Choi, Chang, Junho Choi, and Pankoo Kim [12] proposed Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in permitted access control between service providers and users. The proposed model is a context-aware access model for proactively applying the access level of resource access based on ontology reasoning and semantic analysis.
Chen, Hongsong, Bharat Bhargava, and Fu Zhongchuan [13] proposed a multi-label based access control model that gives scalable security protection to big data. Their scalable access control model uses labels to provide variable-granularity access security for a big data application in the healthcare domain.
Su, Jinshu, et al. [14] described ePASS, a novel attribute-based signature (ABS) scheme that uses an attribute tree and expresses any policy consisting of AND, OR, and threshold gates, under the computational Diffie–Hellman assumption. Users cannot forge signatures with attributes they do not possess, and the signature provides assurance that only a user with appropriate attributes satisfying the policy can endorse the message, resulting in unforgeability. At the same time, legitimate signers remain anonymous and are indistinguishable among all users whose attributes satisfy the policy, which provides attribute privacy for the signer.
III. PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL (PA-BAC) APPROACH
The proposed Policy-Attribute based Access Control approach is composed of the following algorithms; the numbered equations referred to in the steps are those given in the corresponding algorithm figures.
Step 1: Initialization of the Parameters
Step 1.1: Input: the number of authorities and the security parameter.
Step 1.2: Output: the master key and the public key, Equations (1) and (2).
Step 1.3: Each authority chooses its master key as its secret key.
Step 1.4: The authority chooses a bilinear group of prime order.
Step 1.5: The attributes managed by the authority are mapped to elements of the bilinear group.
Step 1.6: The cryptographic hash function is defined.
Fig. 1.1: Initialization Algorithm in the proposed PA-BAC
Step 2: Encryption
Step 2.1: Input: the public key, the access structure, and the message.
Step 2.2: Output: the ciphertext of the message.
Step 2.3: Each row of the access structure's share-generating matrix is labelled with an attribute.
Step 2.4: The access structure is represented as an l×n matrix.
Step 2.5: A random vector is then chosen and used to share the encryption exponent across the rows of the matrix.
Fig. 1.2: Encryption Algorithm in the proposed PA-BAC
Step 3: Key Generation
Step 3.1: Input: the global identifier (GID), the master key, and the attribute set.
Step 3.2: Output: the private key.
Step 3.3: Equation (4) is used to generate the private key from the GID, the attribute set, and the master key.
Fig. 1.3: Key Generation algorithm in the proposed PA-BAC
Step 4: Output Key Generation
Step 4.1: Input: the private key generated in Step 3.
Step 4.2: Output: the outsourced key and the retrieval key.
Step 4.3: The user chooses random values.
Step 4.4: Using these random values, the retrieval key is generated with Equations (5) and (6); the outsourced key is then published.
Fig. 1.4: Output Key Generation Algorithm in the proposed PA-BAC
Step 5: Transform Key Generation
Step 5.1: Input: the key generation of Step 3 and the encryption of Step 2.
Step 5.2: Output: the transform key.
Step 5.3: The authority invokes the key generation algorithm to generate a key for the new attribute set.
Step 5.4: The encryption algorithm is then used to encrypt with the attribute set and the access structure, producing the transform key.
Fig. 1.5: Transform Key Generation Algorithm in the proposed PA-BAC
Step 6: Re-Encryption
Step 6.1: Input: the ciphertext associated with the first access structure, and the transform key.
Step 6.2: Output: the updated ciphertext.
Step 6.3: The ciphertext is updated for the access structure that is satisfied by the attribute set, using a set of constants.
Step 6.4: Equations (8), (9) and (10) are used to update the ciphertext.
Fig. 1.6: Re-Encryption Algorithm in the proposed PA-BAC
Step 7: Decryption
Step 7.1: Input: the private key and the updated ciphertext.
Step 7.2: Output: the plaintext message, or a failure symbol.
Step 7.3: The ciphertext is decrypted only if its access structure is satisfied by the attributes in the key.
Step 7.4: An equation is used to check that the key came from the correct authority. If the verification fails, the key was generated by a malicious authority and the process is stopped.
Step 7.5: The key is computed with Equation (11) in Figure 1.7.
Step 7.6: Equation (12) is used to decrypt the original message.
Fig. 1.7: Decryption Algorithm in the proposed PA-BAC
Step 8: Output Decryption
Step 8.1: Input: the ciphertext, the outsourced key, and the retrieval key.
Step 8.2: Output: the message, or a failure symbol.
Step 8.3: The Linear Secret Sharing Scheme (LSSS) is set as the threshold.
Step 8.4: The outsourced key for the attribute set is submitted together with the ciphertext for the given access structure.
Fig. 1.8: Output Decryption Algorithm in the proposed PA-BAC
Step 9: Policy Update
Step 9.1: When the data owner wants to change the access policy from the previous policy A to a new policy A′, the owner first runs the update-key generation algorithm and then sends the update keys to the cloud server.
Step 9.2: After receiving the update keys, the cloud server executes the ciphertext-update algorithm to update the ciphertext.
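The mechanism that Steps 2.5, 6.3, 7.3 and 8.3 rely on, sharing the encryption exponent across the rows of an access-structure matrix and recovering it only when the rows labelled by the holder's attributes admit a set of reconstruction constants, can be exercised on its own. The Python below is an added illustration, not the paper's equations or code: it works over a plain prime field rather than the paper's bilinear group, builds the l×n share-generating matrix from an AND/OR policy using the Lewko-Waters conversion, and the policy change at the end simply has the owner re-share the exponent under the new matrix instead of using update keys as in Step 9. The modulus `P`, the policies and the attribute names are assumptions made for the example.

```python
"""Toy LSSS over a prime field: the exponent-sharing / reconstruction core of an
attribute-based scheme.  Constructed illustration only: P stands in for the
order of the paper's bilinear group, and the policies are invented."""
import secrets

P = 2**61 - 1  # assumed field size for this illustration (a Mersenne prime)

def policy_to_lsss(policy):
    """Convert a monotone AND/OR formula into an l x n share-generating matrix.
    policy is an attribute name or ('AND'|'OR', left, right).  Returns one
    (row_vector, attribute) pair per leaf (Lewko-Waters conversion)."""
    rows, counter = [], [1]        # counter[0] is the current vector length c

    def walk(node, vec):
        if isinstance(node, str):
            rows.append((vec, node))
            return
        op, left, right = node
        if op == 'OR':             # both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        elif op == 'AND':          # left gets vec|1, right gets (0..0)|-1
            c = counter[0]
            counter[0] += 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])

    walk(policy, [1])
    n = counter[0]
    return [(vec + [0] * (n - len(vec)), attr) for vec, attr in rows]

def share_secret(matrix, secret):
    """Step 2.5 analogue: v = (secret, r2, ..., rn) with random r's; row i's
    share is the inner product M_i . v mod P, tagged with the row's attribute."""
    n = len(matrix[0][0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [(sum(m * x for m, x in zip(row, v)) % P, attr) for row, attr in matrix]

def reconstruction_constants(rows):
    """Solve sum_i w_i * rows[i] == (1, 0, ..., 0) mod P by Gauss-Jordan
    elimination; None means the rows do not span e1 (policy not satisfied)."""
    k, n = len(rows), len(rows[0])
    # one equation per coordinate j: sum_i rows[i][j] * w_i = e1[j]
    aug = [[rows[i][j] % P for i in range(k)] + [int(j == 0)] for j in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    if any(aug[i][k] for i in range(r, n)):   # a row reading 0 = non-zero
        return None
    w = [0] * k
    for i, c in enumerate(pivots):
        w[c] = aug[i][k]
    return w

def recover(shares, matrix, attrs):
    """Steps 7.3 / 8.3 analogue: use only rows labelled with attributes the
    holder has, and succeed iff those rows admit reconstruction constants."""
    idx = [i for i, (_, a) in enumerate(matrix) if a in attrs]
    w = reconstruction_constants([matrix[i][0] for i in idx]) if idx else None
    if w is None:
        return None
    return sum(wi * shares[i][0] for wi, i in zip(w, idx)) % P

def demo():
    """Share under policy A, then re-share under A' (owner re-sharing stands in
    for Step 9's update keys; it is not the paper's mechanism)."""
    secret = secrets.randbelow(P)
    m_a = policy_to_lsss(('AND', 'analyst', ('OR', 'finance', 'audit')))
    sh_a = share_secret(m_a, secret)
    m_b = policy_to_lsss(('AND', 'analyst', 'audit'))
    sh_b = share_secret(m_b, secret)
    return {
        'A: analyst+finance':  recover(sh_a, m_a, {'analyst', 'finance'}) == secret,
        'A: finance+audit':    recover(sh_a, m_a, {'finance', 'audit'}) is None,
        "A': analyst+finance": recover(sh_b, m_b, {'analyst', 'finance'}) is None,
        "A': analyst+audit":   recover(sh_b, m_b, {'analyst', 'audit'}) == secret,
    }

if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name:22s} {"ok" if ok else "FAIL"}')
```

Two points worth noticing when running it. The "finance+audit" case fails not because a share is missing but because neither row has a non-zero first coordinate, so no combination of them can reach e1; that is exactly the check a decryptor performs in Step 7.3 before touching any pairing. And in a real scheme the reconstruction constants are applied in the exponent of the bilinear group, so the modulus would be the group order, not an arbitrary prime. `pow(x, -1, P)` needs Python 3.8 or later.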
IV. RESULT AND DISCUSSION
In this paper, we have presented a policy-attribute based access control system for securing big data architectures on cloud storage systems, which is both efficient and secure. Table 1 shows the encryption computation time in seconds for a varying number of authorities involved in the policy-attribute based access control system. Figure 2 gives the graphical representation of the encryption computation time in seconds against the number of authorities using the proposed PA-BAC and the existing A-BAC system. From Table 1 and Figure 2, the proposed PA-BAC performs encryption in less time than the existing A-BAC system.
TABLE 1: ENCRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF AUTHORITIES
Number of authorities   Proposed PA-BAC (s)   Existing A-BAC (s)
 2                       12                    22
 3                       18                    30
 4                       22                    41
 5                       25                    52
 6                       29                    63
 7                       38                    81
 8                       52                    97
 9                       64                   105
10                       78                   128
11                       85                   146
Fig. 2: Graphical representation of the encryption computation time in seconds against the number of authorities using the proposed PA-BAC and existing A-BAC systems
Table 2 shows the key generation computation time in seconds using the proposed PA-BAC and the existing A-BAC system for a varying number of authorities. Figure 3 gives the graphical representation of the key generation computation time in seconds against the number of authorities using the proposed PA-BAC and the existing A-BAC system. From Table 2 and Figure 3, the proposed PA-BAC performs key generation in less time than the existing A-BAC system.
TABLE 2: KEY GENERATION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF AUTHORITIES
Number of authorities   Proposed PA-BAC (s)   Existing A-BAC (s)
 2                       18                    25
 3                       28                    39
 4                       37                    51
 5                       49                    78
 6                       54                    89
 7                       65                    99
 8                       72                   108
 9                       78                   122
10                       85                   131
11                       92                   139
Fig. 3: Graphical representation of the key generation computation time in seconds against the number of authorities using the proposed PA-BAC and existing A-BAC systems
Table 3 shows the decryption computation time in seconds using the proposed PA-BAC and the existing A-BAC system for a varying number of authorities. Figure 4 gives the graphical representation of the decryption computation time in seconds against the number of authorities using the proposed PA-BAC and the existing A-BAC system. From Table 3 and Figure 4, the proposed PA-BAC performs decryption in less time than the existing A-BAC system.
TABLE 3: DECRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF AUTHORITIES
Number of authorities   Proposed PA-BAC (s)   Existing A-BAC (s)
 2                       16                    28
 3                       21                    35
 4                       32                    48
 5                       39                    56
 6                       49                    68
 7                       56                    75
 8                       68                    89
 9                       75                    95
10                       82                   109
11                       93                   115
Fig. 4: Graphical representation of the decryption computation time in seconds against the number of authorities using the proposed PA-BAC and existing A-BAC systems
Table 4 shows the encryption computation time in seconds using the proposed PA-BAC and the existing A-BAC system for a varying number of attributes per authority. Figure 5 gives the graphical representation of the encryption computation time in seconds against the number of attributes per authority using the proposed PA-BAC and the existing A-BAC system. From Table 4 and Figure 5, the proposed PA-BAC performs encryption in less time than the existing A-BAC system for a varying number of attributes per authority.
TABLE 4: ENCRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY
Number of attributes per authority   Proposed PA-BAC (s)   Existing A-BAC (s)
 6                                    21                    35
 8                                    29                    48
10                                    35                    68
12                                    51                    79
14                                    63                    92
16                                    75                   118
18                                    89                   129
20                                    97                   135
22                                   101                   147
24                                   112                   163
Fig. 5: Graphical representation of the encryption computation time in seconds against the number of attributes per authority using the proposed PA-BAC and existing A-BAC systems
Table 5 shows the key generation computation time in seconds using the proposed PA-BAC and the existing A-BAC system for a varying number of attributes per authority. Figure 6 gives the graphical representation of the key generation computation time in seconds against the number of attributes per authority using the proposed PA-BAC and the existing A-BAC system. From Table 5 and Figure 6, the proposed PA-BAC performs key generation in less time than the existing A-BAC system for a varying number of attributes per authority.
TABLE 5: KEY GENERATION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY
Number of attributes per authority   Proposed PA-BAC (s)   Existing A-BAC (s)
 6                                    21                    38
 8                                    32                    54
10                                    46                    71
12                                    59                    92
14                                    70                   105
16                                    89                   118
18                                    97                   126
20                                   101                   138
22                                   119                   145
24                                   121                   167
Table 6 shows the decryption computation time in seconds using the proposed PA-BAC and the existing A-BAC system for a varying number of attributes per authority. Figure 7 gives the graphical representation of the decryption computation time in seconds against the number of attributes per authority using the proposed PA-BAC and the existing A-BAC system. From Table 6 and Figure 7, the proposed PA-BAC performs decryption in less time than the existing A-BAC system for a varying number of attributes per authority.
Table 7 shows the computation overhead of the proposed Policy-Attribute based Access Control and the existing Attribute-based Access Control. Figure 8 gives the graphical representation of the computational overhead in milliseconds for the proposed PA-BAC and the existing A-BAC method for a given number of requests. From Table 7 and Figure 8, the proposed PA-BAC clearly takes less computational time than the existing A-BAC.
Fig. 6: Graphical representation of the key generation computation time in seconds against the number of attributes per authority using the proposed PA-BAC and existing A-BAC systems
TABLE 6: DECRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY
Number of attributes per authority   Proposed PA-BAC (s)   Existing A-BAC (s)
 6                                    18                    26
 8                                    28                    39
10                                    39                    56
12                                    48                    72
14                                    64                    89
16                                    75                    98
18                                    88                   110
20                                    97                   128
22                                   105                   139
24                                   116                   156
Fig. 7: Graphical representation of the decryption computation time in seconds against the number of attributes per authority using the proposed PA-BAC and existing A-BAC systems
TABLE 7: COMPUTATION OVERHEAD IN MILLISECONDS USING PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL FOR VARYING NUMBER OF REQUESTS
Number of requests   Proposed PA-BAC (ms)   Existing A-BAC (ms)
1000                  985                    1021
2000                 1041                    1125
3000                 1174                    1257
4000                 1214                    1384
5000                 1374                    1498
6000                 1414                    1532
7000                 1574                    1684
8000                 1698                    1725
9000                 1702                    1824
Fig. 8: Graphical representation of the computational overhead in milliseconds for the proposed PA-BAC and existing A-BAC method against the number of requests
V. CONCLUSIONS
In this research work, a Policy-Attribute based Access Control scheme is presented for cloud storage systems, which is secure and efficient. In addition, the proposed system does not require any central authority or coordination among multiple authorities, thereby removing the burden of secure communication and the delay of joint computation. The proposed system required less computation time for encryption, key generation, and decryption with a varying number of authorities and a varying number of attributes per authority. The proposed system is more suitable for practical access control since it supports dynamic operations. It also supports a large universe of attributes.
REFERENCES
[1] Tankard, Colin. "Big data security." Network Security 2012.7 (2012): 5-8.
[2] Demchenko, Yuri, et al. "Addressing big data challenges for scientific data infrastructure." 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings. IEEE, 2012.
[3] Islam, Md Rafiqul, and Md Ezazul Islam. "An approach to provide security to unstructured Big Data." The 8th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2014). IEEE, 2014.
[4] Lee, Myungcheol, et al. "Load adaptive and fault-tolerant distributed stream processing system for explosive stream data." 2016 18th International Conference on Advanced Communication Technology (ICACT). IEEE, 2016.
[5] Demchenko, Yuri, et al. "Big security for big data: Addressing security challenges for the big data infrastructure." Workshop on Secure Data Management. Springer, Cham, 2013.
[6] Moustafa, Nour, et al. "Collaborative anomaly detection framework for handling big data of cloud computing." 2017 Military Communications and Information Systems Conference (MilCIS). IEEE, 2017.
[7] Zhao, Jiaqi, et al. "A security framework in G-Hadoop for big data computing across distributed Cloud data centers." Journal of Computer and System Sciences 80.5 (2014): 994-1007.
[8] Xie, Xingxing, et al. "New ciphertext-policy attribute-based access control with efficient revocation." Information and Communication Technology-EurAsia Conference. Springer, Berlin, Heidelberg, 2013.
[9] Ruj, Sushmita, and Amiya Nayak. "A decentralized security framework for data aggregation and access control in smart grids." IEEE Transactions on Smart Grid 4.1 (2013): 196-205.
[10] Wang, Changji, and Jianfa Luo. "An efficient key-policy attribute-based encryption scheme with constant ciphertext length." Mathematical Problems in Engineering 2013 (2013).
[11] Hu, Vincent C., et al. "Guide to attribute-based access control (ABAC) definition and considerations (draft)." NIST Special Publication 800-162 (2013).
[12] Choi, Chang, Junho Choi, and Pankoo Kim. "Ontology-based access control model for security policy reasoning in cloud computing." The Journal of Supercomputing 67.3 (2014): 711-722.
[13] Chen, Hongsong, Bharat Bhargava, and Fu Zhongchuan. "Multilabels-based scalable access control for big data applications." IEEE Cloud Computing 1.3 (2014): 65-71.
[14] Su, Jinshu, et al. "ePASS: An expressive attribute-based signature scheme with privacy and an unforgeability guarantee for the Internet of Things." Future Generation Computer Systems 33 (2014): 11-18.
[15] Durairaj, M., and T. S. Poornappriya. "Importance of MapReduce for Big Data Applications: A Survey." Asian Journal of Computer Science and Technology 7.1 (2018): 112-118.