policy-attribute based access control approach for big ...infokara.com/gallery/102-dec-3393.pdf ·...

Policy-Attribute based Access Control Approach for Big

Data Architecture Security S. Regha #1, M. Manimekalai *2

#1 Research Scholar, Department of Computer Science, Shrimati Indira Gandhi College, Tiruchirappalli, India *2 Professor, Director, and Head, Department of Computer Science, Shrimati Indira Gandhi College, Tiruchirappalli, India

Abstract— Attribute-based encryption is a promising system that accomplishes adaptable, and fine-grained data access control over

encoded data, which is entirely appropriate for a secure data-sharing condition, for example, the at present well-known cloud

computing. Apache Hadoop is a transcendent programming system for circulated process and capacity with the ability to deal with

gigantic measures of data, ordinarily alluded to as Big Data. This data gathered from various ventures and government offices

frequently incorporate private and touchy data, which should be secured from unapproved access. Be that as it may, conventional

attribute-based encryption neglects to give a productive keyword-based inquiry on encoded data, which to some degree, debilitates

the intensity of this encryption strategy, as search is generally the most significant way to deal with rapidly acquire data of

enthusiasm from a considerable amount dataset. In this paper, Policy - Attribute-Based Access Control is proposed, which is based on

the out and out key-policy attribute-based encryption scheme.

Keywords— Attribute-based Access Control, Encryption, Hadoop Ecosystem, Key-Policy, Cloud computing

I. INTRODUCTION

Big Data has become a fundamental resource for endeavors, which are saddling its potential for

producing extra income, offering better client experience, and forming bits of knowledge into their plans

of action. The data created from different and fluctuated sources, including the Internet of Things, social

stages, medicinal services, system logs, bio-informatics, etc. contribute and characterize the ethos of Big

Data, which is volume, velocity, and variety [1][2]. Data lake framed by the amalgamation of data from

these sources requires incredible, adaptable, and strong, stockpiling, and preparing stages to uncover the

genuine worth covered up inside this data mine [3].

In the course, Apache Hadoop has developed as a dominating stage for taking care of Big Data.

Alongside center Hadoop 2.x segments including Hadoop Common, MapReduce, Hadoop Distributed File

System (HDFS), and Apache YARN, a few activities have added to settle on Hadoop ecosystem the prime

decision as a powerful, flexible and flaw tolerant Big Data handling system [4]. Open source ventures like

Apache HBase, Apache Hive, Apache Knox, Apache Storm, Spark, and so on have made this system

accessible and usable to business and non-specialized clients additionally, making it pervasive in

undertakings, the scholarly community and somewhere else. Such wide acknowledgment of this stage

propels specialists and researchers to make it progressively secure, considering the way that it handles the

most valuable resource of any endeavor, for example, Data. In the year 2017 alone, a few cases of data

ruptures were brought to the notification of the world, which intensifies and accentuates the requirement

for better digital security and protection instruments [5].

Hadoop system security is exceptionally testing, considering its conveyed nature and expansive

assault surface. This multi-occupant stage must be secure to anticipate unapproved access to delicate data

and group assets utilized inside this system. Since numerous clients would be running various applications

and employments on this stage, it is significant that no data rupture happens, and essential data is just

uncovered to approved clients [6]. The classification and honesty of data and assets can be undermined if

attacks like Hadoop administration daemons (HDFS NameNode, DataNode, YARN ResourceManager etc.)

pantomime, refusal of bunch assets, murdering or adjusting of client applications by the pernicious client,

unapproved data access in HDFS, etc. are organized. For instance, in the event of Hadoop daemons

disguising, when a malignant help is enrolled as a piece of the Hadoop bunch, unapproved clients can

access data squares dwelling on data hubs or even expend all group assets by running high asset requesting

occupations, hence, averting different clients to utilize the bunch. Such attacks can be sorted out from

ISSN NO: 1021-9056

http://infokara.com/1040

INFOKARA RESEARCH

Volume 8 Issue 12 2019

inside and outside of the association, which makes it progressively hard to distinguish and avoid them [7]

[15].

II. RELATED WORKS

Xie, Xingxing, et al. [8] proposed another ciphertext-policy ABE (CP-ABE) development with effective

attribute and client disavowal. Also, a proficient access control component is given based on the CP-ABE

development with a re-appropriating calculation specialist organization.

Ruj, Sushmita, and Amiya Nayak [9] propose a decentralized security system for savvy matrices that

supports data accumulation and access control. The proposed access control instrument utilizes Attribute-

Based Encryption (ABE), which gives unique access to buyer data put away in data storehouses and

utilized by various brilliant framework clients. RTUs and clients have attributes and cryptographic keys

circulated by a few key conveyances focuses.

Wang, Changji, and Jianfa Luo [10] proposed another Key-Policy Attribute-Based Encryption (KP-ABE)

development with consistent ciphertext size. In our development, the access policy can be communicated

as any monotone access structure. In the interim, the ciphertext size is free of the number of ciphertext

attributes, and the quantity of bilinear matching assessments is diminished to a steady.

Hu, Vincent C., et al. [11] This record furnishes Federal offices with a meaning of Attribute-Based

Access Control (ABAC). ABAC is a legitimate access control approach where approval to play out many

tasks is dictated by assessing attributes related to the subject, object, mentioned activities, and, at times,

condition conditions against the policy, rules, or connections that depict the suitable activities for a given

arrangement of attributes. This report likewise gives contemplations to utilizing ABAC to improve data

sharing inside associations and between associations while keeping up control of that data.

Choi, Chang, Junho Choi, and Pankoo Kim [12] proposed Onto-ACM (philosophy based access control

model), a semantic investigation model that can address the distinction in the allowed access control

between specialist co-ops and clients. The proposed model is a model of acute setting mindful access for

proactively applying the access level of asset access based on cosmology thinking and semantic

investigation technique.

Chen, Hongsong, Bharat Bhargava, and Fu Zhongchuan [13] proposed a multi labels-based access

control model that gives adaptable security assurance to big data. Our adaptable access control model uses

marks to give versatile granularity access security to a big data application in the human services region.

Su, Jinshu, et al. [14] portrayed ePASS, a novel ABS scheme that uses an attribute tree and

communicates any policy comprising of AND, OR limit entryways under the computational Diffie–

Hellman issue. Clients can't fashion signatures with attributes they don't have, and the signature furnishes

confirmation that lone a client with proper attributes fulfilling the policy can underwrite the message,

bringing about unforgeability. In any case, real endorsers stay mysterious and are vague among all clients

whose attributes fulfill the policy, which gives attribute protection to the underwriter.

III. PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL (PA-BAC) APPROACH

The proposed Policy Attribute-based Access Control approach composed of the following Algorithms:

Step 1: Initialization of the Parameters

Step 1.1: Input: Number of Authorities and security parameters.

Step 1.2: Output: The generation of Master key and Public Key – Equation (1) & (2).

Step 1.3: The authority chooses the master key as the secret key.

Step 1.4: The authority chooses the prime order and the bilinear group.

Step 1.5: The number of attributes in the authority are generated by the bilinear group.

Step 1.6: The cryptographic hash function is defined.

ISSN NO: 1021-9056


INFOKARA RESEARCH


Fig. 1.1: Initialization Algorithm in the proposed PA-BAC

Step 2: Encryption

Step 2.1: Input: Public Key, Access Structure, and Message.

Step 2.2: Output: Cipher Text of the Message.

Step 2.3: The rows of the message is considered as the attributes.

Step 2.4: The message is considered as the l3n Matrix.

Step 2.5: Then the random vector is chosen which is utilized to share the exponent for

encryption.

Fig. 1.2: Encryption Algorithm in the proposed PA-BAC

Step 3: Key Generation

Step 3.1: Input: Global Identifier, Master key, and the attributes set.

Step 3.2: Output: Generation of Private Key

Step 3.3: The equation (4) used to generate the private key with GID, attributes sets and

the master key.

ISSN NO: 1021-9056


INFOKARA RESEARCH


Fig. 1.3: Key Generation algorithm in the proposed PA-BAC

Step 4: Output Key Generation

Step 4.1: Input: In this step, the private key generated in the previous step 3 is considered as the

input.

Step 4.2: Output: The generations of the outsourced key and the retrieve key.

Step 4.3: In this step, the random values is chosen by the user.

Step 4.4: Using the random values, the retrieve key is generated using equation (5) and (6). Then

the outsourced key is also published.

Fig. 1.4: Output Key Generation Algorithm in the proposed PA-BAC

Step 5: Transform Key Generation

Step 5.1: Input: Step (3) key generation and Step (2) encryption.

Step 5.2: Output: The Generation of Transform key.

Step 5.3: The key generation algorithm is called by the authority to generate the key for new

attribute set.

Step 5.4: Then the encryption algorithm is used to encrypt the message with attribute sets and

with access structure, to generate the transform key.

Fig. 1.5: Transform Key Generation Algorithm in the proposed PA-BAC

Step 6: Re-Encryption

Step 6.1: Input: Cipher Text association with first access structure and Transformation

Key.

Step 6.2: Output: Generation of the Updated Cipher Text

ISSN NO: 1021-9056


INFOKARA RESEARCH


Step 6.3: The updation of the cipher text is done with the access structure which is

satisfied by the attribute set, and with the set of constants.

Step 6.4: The below equations (8),(9) and (10) are used to update the cipher text.

Fig. 1.6: Re-Encryption Algorithm in the proposed PA-BAC

Step 7: Decryption

Step 7.1: Input: The private key and the updated cipher text.

Step 7.2: Output: Plain text or symbol message.

Step 7.3: The decryption of the cipher text takes place if the access structure with the

cipher text is satisfied by the attribute key.

Step 7.4: The equation is used to check the correct authority. If the

verification is not passed, then the key is generated from the malicious authority, then the

process is stopped.

Step 7.5: The computation of the key is done with equation (11) in the figure 7.

Step 7.6: The equation (12) is used to decrypt the original message.

Fig. 1.7: Decryption Algorithm in the proposed PA-BAC

Step 8: Output Decryption

Step 8.1: Input: Cipher text, Outsourced key and the retrieve key.

Step 8.2: Output: Message or symbol.

Step 8.3: The Linear Secret Sharing Scheme (LSSS) is set as the threshold.

ISSN NO: 1021-9056


INFOKARA RESEARCH


Step 8.4: The outsourced key is send for a set and the cipher text for the given access

structure.

Fig. 1.8: Output Decryption Algorithm in the proposed PA-BAC

Step 9: Policy to Update

Step 9.1: When the data owner wants to change the access policy from previous policy A to a new

policy A, he first runs the update-key generation algorithm and then sends the updated keys

to the cloud server.

Step 9.2: After receiving update keys, the cloud server executes the ciphertext-update

algorithm to update the ciphertext.

IV. RESULT AND DISCUSSION

In this paper, we have exhibited a policy-attribute based access control system of the big data

design security for the cloud stockpiling systems, which is both effective and secure. Table 1 delineates

the Encryption computing time taken in seconds for the changing number of specialists engaged with the

policy-attribute based access control system. Figure 2 speaks to the graphical portrayal of the encryption

calculation time in seconds with several specialists utilizing proposed PA-BAC and existing A-BAC

systems. From table 1 and figure 2, the proposed PA-BAC plays out the encryption in less time than the

current A-BAC system.

TABLE 1: ENCRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND

EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF AUTHORITIES

Number of Authorities

Encryption time in seconds

Proposed Policy-Attribute based

Access Control

Existing Attribute-based Access

control

2 12 22

3 18 30

4 22 41

5 25 52

6 29 63

7 38 81

8 52 97

9 64 105

10 78 128

11 85 146

ISSN NO: 1021-9056


INFOKARA RESEARCH


Fig. 2: Graphical Representation of the encryption computation time in seconds with several authorities using proposed PA-BAC and existing A-

BAC systems

Table 2 delineates the key age calculation time in seconds utilizing proposed PA-BAC and existing

A-BAC systems for the differing number of specialists. Figure 3 speaks to the graphical portrayal of the

key age calculation time in seconds with several specialists utilizing proposed PA-BAC and existing A-

BAC systems. From table 2 and figure 3, the proposed PA-BAC plays out the key age in less time than the

current A-BAC system.

TABLE 2: KEY GENERATION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND


Number of Authorities

Key Generation time in seconds


Access Control


control

2 18 25

3 28 39

4 37 51

5 49 78

6 54 89

7 65 99

8 72 108

9 78 122

10 85 131

11 92 139

Fig. 3: Graphical Representation of the Key Generation computation time in seconds with several authorities using proposed PA-BAC and existing

A-BAC systems

ISSN NO: 1021-9056


INFOKARA RESEARCH


Table 3 portrays the Decryption calculation time in seconds utilizing proposed PA-BAC and

existing A-BAC systems for a shifting number of specialists. Figure 4 speaks to the graphical portrayal of

the unscrambling calculation time in seconds with several specialists utilizing proposed PA-BAC and

existing A-BAC systems. From table 3 and figure 4, the proposed PA-BAC plays out the unscrambling in

less time than the current A-BAC system.

TABLE 3: DECRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND


Number of

Authorities

Decryption time in seconds


Access Control


control

2 16 28

3 21 35

4 32 48

5 39 56

6 49 68

7 56 75

8 68 89

9 75 95

10 82 109

11 93 115

Fig. 4: Graphical Representation of the Decryption computation time in seconds with several authorities using proposed PA-BAC and existing A-

BAC systems

Table 4 portrays the Encryption calculation time in seconds utilizing proposed PA-BAC and

existing A-BAC systems for the differing number of attributes per authority. Figure 5 speaks to the

graphical portrayal of the encryption calculation time in seconds with several attributes per specialist

utilizing proposed PA-BAC and existing A-BAC systems. From table 4 and figure 5, the proposed PA-

BAC plays out the encryption in less time than the current A-BAC system for the shifting number of

attributes per authority.

TABLE 4: ENCRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND

EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY

Number of attributes per

authority

Encryption time in seconds


Access Control


control

6 21 35

8 29 48

10 35 68

12 51 79

14 63 92

16 75 118

ISSN NO: 1021-9056


INFOKARA RESEARCH


18 89 129

20 97 135

22 101 147

24 112 163

Fig. 5: Graphical Representation of the encryption computation time in seconds with the number of attributes per authority using proposed PA-

BAC and existing A-BAC systems

Table 5 portrays the Key Generation calculation time in seconds utilizing proposed PA-BAC and

existing A-BAC systems for shifting several attributes per authority. Figure 6 speaks to the graphical

portrayal of the key age calculation time in seconds with several attributes per specialist utilizing proposed

PA-BAC and existing A-BAC systems. From table 5 and figure 6, the proposed PA-BAC plays out the

key age in less time than the current A-BAC system for the changing number of attributes per authority.

TABLE 5: KEY GENERATION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND

EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY


authority

Key Generation Computation time in seconds


Access Control


control

6 21 38

8 32 54

10 46 71

12 59 92

14 70 105

16 89 118

18 97 126

20 101 138

22 119 145

24 121 167

Table 6 portrays the Decryption calculation time in seconds utilizing proposed PA-BAC and

existing A-BAC systems for changing several attributes per authority. Figure 6 speaks to the graphical

portrayal of the decoding calculation time in seconds with the number of attributes per specialist utilizing

proposed PA-BAC and existing A-BAC systems. From table 6 and figure 6, the proposed PA-BAC plays

out the unscrambling in less time than the current A-BAC system for the shifting number of attributes per

authority.

Table 7 delineates the calculation overhead by Proposed Policy-Attribute based Access Control,

and Existing Attribute-based Access Control. Figure 7 speaks to the graphical portrayal of the

Computational Overhead in (ms) for the Proposed PA-BAC and existing A-BAC strategy for a given

ISSN NO: 1021-9056


INFOKARA RESEARCH


number of solicitations. From table 7 and figure 7, unmistakably, the proposed P-ABC strategy takes less

computational time than the current ABC.

Fig. 6: Graphical Representation of the key generation computation time in seconds with the number of attributes per authority using proposed

PA-BAC and existing A-BAC systems

TABLE 6: DECRYPTION COMPUTATION TIME IN SECONDS BY THE PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL SYSTEM FOR VARYING NUMBER OF ATTRIBUTES PER AUTHORITY


authority

Decryption Computation time in seconds


Access Control


control

6 18 26

8 28 39

10 39 56

12 48 72

14 64 89

16 75 98

18 88 110

20 97 128

22 105 139

24 116 156

Fig. 7: Graphical Representation of the decryption computation time in seconds with the number of attributes per authority using proposed PA-

BAC and existing A-BAC systems

TABLE 7: COMPUTATION OVERHEAD IN (MILLISECONDS) USING PROPOSED POLICY-ATTRIBUTE BASED ACCESS CONTROL AND EXISTING ATTRIBUTE-BASED ACCESS CONTROL FOR VARYING NUMBER OF REQUESTS

Number of Requests

Computation Overhead in (ms)

Proposed Policy-Attribute based Access

Control (P-ABC)


Control (ABC)

1000 985 1021

2000 1041 1125

3000 1174 1257

ISSN NO: 1021-9056


INFOKARA RESEARCH


4000 1214 1384

5000 1374 1498

6000 1414 1532

7000 1574 1684

8000 1698 1725

9000 1702 1824

Fig. 8: Graphical representation of the Computational Overhead in (ms) for the Proposed PA-BAC and existing A-BAC method for a given

number of requests

V. CONCLUSIONS

In this examination work, Policy-Attribute based Access Control scheme is exhibited for the cloud

stockpiling systems, which is secure and proficient. Also, the proposed system doesn't require any focal

power and coordination among numerous specialists, consequently taking out the weight of secure

communication and the deferral of shared calculation. The proposed system acted in less calculation time

for the encryption, key age, and decoding with a differing number of specialists and changing several

attributes per specialist. The proposed system is progressively appropriate for handy access control since it

bolsters dynamic tasks. Also, it bolsters a huge universe of attributes.

REFERENCES

[1] Tankard, Colin. "Big data security." Network security 2012.7 (2012): 5-8.

[2] Demchenko, Yuri, et al. "Addressing big data challenges for scientific data infrastructure." 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings. IEEE, 2012.

[3] Islam, Md Rafiqul, and Md Ezazul Islam. "An approach to provide security to unstructured Big Data." The 8th International Conference on Software,

Knowledge, Information Management and Applications (SKIMA 2014). IEEE, 2014. [4] Lee, Myungcheol, et al. "Load adaptive and fault-tolerant distributed stream processing system for explosive stream data." 2016 18th International

Conference on Advanced Communication Technology (ICACT). IEEE, 2016.

[5] Demchenko, Yuri, et al. "Big security for big data: Addressing security challenges for the big data infrastructure." Workshop on Secure Data Management. Springer, Cham, 2013.

[6] Moustafa, Nour, et al. "Collaborative anomaly detection framework for handling big data of cloud computing." 2017 Military Communications and

Information Systems Conference (MilCIS). IEEE, 2017. [7] Zhao, Jiaqi, et al. "A security framework in G-Hadoop for big data computing across distributed Cloud data centers." Journal of Computer and System

Sciences 80.5 (2014): 994-1007.

[8] Xie, Xingxing, et al. "New ciphertext-policy attribute-based access control with efficient revocation." Information and Communication Technology-EurAsia Conference. Springer, Berlin, Heidelberg, 2013.

[9] Ruj, Sushmita, and Amiya Nayak. "A decentralized security framework for data aggregation and access control in smart grids." IEEE transactions on

smart grid 4.1 (2013): 196-205. [10] Wang, Changji, and Jianfa Luo. "An efficient key-policy attribute-based encryption scheme with constant ciphertext length." Mathematical Problems in

Engineering 2013 (2013).

[11] Hu, Vincent C., et al. "Guide to attribute-based access control (ABAC) definition and considerations (draft)." NIST special publication 800.162 (2013). [12] Choi, Chang, Junho Choi, and Pankoo Kim. "Ontology-based access control model for security policy reasoning in cloud computing." The Journal of

Supercomputing 67.3 (2014): 711-722.

[13] Chen, Hongsong, Bharat Bhargava, and Fu Zhongchuan. "Multilabels-based scalable access control for big data applications." IEEE Cloud Computing 1.3 (2014): 65-71.

[14] Su, Jinshu, et al. "ePASS: An expressive attribute-based signature scheme with privacy and a unforgeability guarantee for the Internet of Things." Future

Generation Computer Systems 33 (2014): 11-18. [15] Durairaj, M., and T. S. Poornappriya. "Importance of MapReduce for Big Data Applications: A Survey." Asian Journal of Computer Science and

Technology 7.1 (2018): 112-118.

ISSN NO: 1021-9056


INFOKARA RESEARCH


policy-attribute based access control approach for big ...infokara.com/gallery/102-dec-3393.pdf ·...

Documents