GEOSPATIAL DATABASE SECURITY. Group 3: Nguyễn Văn Hai 51000798, Nguyễn Văn Nhàn 51002201, Dương Lưu Phương 51002501.
Content
• Introduction
• Geospatial Data Models
• Geospatial Access Control Models
• GSAM: Geospatial Data Authorization Model
• GEO-RBAC: Geospatial Role-based Access Control
• LBAC: Location-based Access Control
• Geospatial Web Services Access Control
• Conclusion and Future Directions
INTRODUCTION & GEOSPATIAL MODELS
I. Introduction
County Lookup via Google Maps http://labs.silverbiology.com/countylookup/ Last Modified: April 4th, 2012 Status: Beta
- Geospatial data, which typically includes maps, aerial and satellite images, is associated with location information represented by longitude and latitude.
I. Introduction
Google Maps https://maps.google.com/
I. Introduction
Geospatial data can be collected, analyzed, manipulated, integrated and visualized with the help of:
- Geographic Information System (GIS): ESRI ArcView, ArcInfo, ENVI and Internet Map Server
- Global Positioning System (GPS)
I. Introduction
http://www.esri.com/software/arcgis/arcgis-for-desktop
I. Introduction
Despite these numerous benefits, geospatial data may pose serious threats to security and privacy, because it is easily available and powerful analysis tools exist for it.
I. Introduction
• Another challenge in securing geospatial data comes from the increasing use of geospatial Web service technology to easily share and integrate geospatial data and applications on demand.
• In this chapter, we review the access control models presented for geospatial data maintained by standalone traditional sources as well as for data obtained via geospatial Web services.
I. Introduction
• Basic content: Representation of Geographical Information
• Many spatial databases are partitioned internally:
- Partitions defined spatially
- Partitions defined thematically
- Both
• Tile: a geographical partition of a database
• Layer: a thematic partition
• A layer is a logical grouping of geographic features that can also be referred to as a coverage.
Figure: Thematic Map of the Continental United States
I. Introduction
Maps are composed of layers: States, Rivers, Lakes, Roads, Capitals
I. Introduction
• GIS database structure
• Layers contain features or surfaces
• Layers are represented by:
- Vector model
- Raster model
- TIN model
• GIS database structure:
- Database map: spatial data
- Attribute map: non-spatial data
II. GEOSPATIAL MODELS
II. GEOSPATIAL MODELS
1. Vector data
The vector model represents geospatial data with two components: spatial attributes and non-spatial attributes.
- First, the spatial attributes indicate the geometric shape, such as points, lines and polygons.
- The second component in the vector data is the non-spatial attributes, also called thematic attributes, that refer to non-spatial properties of geospatial data, such as annual rainfall, vegetation type, zoning type, land use, states, census tracts, etc.
II. GEOSPATIAL MODELS
2. Raster data
• Under the raster data model, the spatial data, such as satellite images, elevation maps, or digitized maps, is represented as a grid of columns and rows, i.e. as a matrix of cells.
• Each cell carries the non-spatial data, such as rainfall, temperature, vegetation type, etc.
- Spatial coordinates are not usually explicitly stored for each cell, but implicitly represented with the ordering of the pixels.
- The spatial resolution of a raster is the size of one of the pixels on the ground. For example, if one pixel corresponds to a 3 meter by 3 meter area on the Earth, the data has 3 meter resolution.
II. GEOSPATIAL MODELS
3. TIN
TIN: Triangulated Irregular Networks
Representing continuous surfaces
GEOSPATIAL ACCESS CONTROL MODELS
• GSAM: Geospatial Data Authorization Model
The geospatial image access model needs to support the following types of "spatio-temporal policies," which are specified based on spatio-temporal characteristics of both the subject and object.
GEOSPATIAL ACCESS CONTROL MODELS
• GSAM: Geospatial Data Authorization Model
Example:
• P1: All users can view 10 meter or lower resolution images.
• P2: 1 meter resolution images of the parcel located in "120 James Street, Newark, New Jersey" can be accessed only by the current owner of this parcel.
• P3: Only military personnel positioned in Afghanistan can zoom-in to 1 meter resolution images over Afghanistan captured after September 11, 2001.
• P4: The police officers positioned in Bergen County are allowed to access 1 meter resolution images of the nuclear power plant located at [-81.37227, 28.54623].
III. GSAM: Geospatial Data Authorization Model
III. GSAM: Geospatial Data Authorization Model
1. Geotemporal Role
- Geotemporal roles are used to specify a set of subjects possessing spatial and temporal credentials
- Each role is associated with a certain valid region and temporal interval
- Geotemporal roles are assigned to users depending on the context a user is in
- A geotemporal role in a scene can be represented as a pair (r, sc)
III. GSAM: Geospatial Data Authorization Model
1. Geotemporal Role
- Each sc can be instantiated with a scene expression such as a scene name, or a specific geotemporal extent, such as: <label, lt, lg, h, w, [tb, te]>
• label is a descriptive scene name, such as "New York City"
• <lt, lg, h, w> denotes latitude, longitude, height and width
• [tb, te] denotes the temporal period of the scene
III. GSAM: Geospatial Data Authorization Model
2. Geotemporal Object
- Each geotemporal object belongs to an object type, which can be organized into a geotemporal object type hierarchy
- Each geotemporal object type is associated with a set of attributes
- A geotemporal object is specified with a geotemporal object expression ge that is a logical expression of object attributes and their values
III. GSAM: Geospatial Data Authorization Model
3. Geotemporal Permissions
III. GSAM: Geospatial Data Authorization Model
• The maintenance modes include insert, delete, update and compose.
- Users with the compose privilege can create and insert value-added images, using images in the database
III. GSAM: Geospatial Data Authorization Model
- Viewing modes include permissions such as: view, view-thumbnail, view annotation, zoom-in, overlay, identify, animate, fly-by
- The copying modes, download and download data, allow source files to be downloaded
III. GSAM: Geospatial Data Authorization Model
4. Geospatial Authorization
• Authorization is represented as a 5-tuple: re, ge, privilege, period, sign
5. Access Control Evaluation
- The user's access request can be represented as a tuple r = (gtc, gto, p)
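An added example (not from the slides or from the GSAM authors) that evaluates a request (gtc, gto, p) against signed 5-tuple authorizations, using policies P1 and P3 from the slides. Assumptions: (lt, lg) is the south-west corner of a scene, gtc and gto are attribute dictionaries, a negative sign overrides a positive one, and the Afghanistan bounding box is a rough constructed value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass(frozen=True)
class Scene:
    """<label, lt, lg, h, w, [tb, te]>; assumed: (lt, lg) is the SW corner."""
    label: str
    box: tuple      # (lt, lg, h, w) in degrees
    span: tuple     # (tb, te)

    def covers(self, lat, lon, when) -> bool:
        lt, lg, h, w = self.box
        return (lt <= lat <= lt + h and lg <= lon <= lg + w
                and self.span[0] <= when <= self.span[1])

@dataclass(frozen=True)
class Authorization:
    """The 5-tuple (re, ge, privilege, period, sign)."""
    re: tuple                    # (role, sc); None in either slot matches any
    ge: Callable[[dict], bool]   # object expression over object attributes
    privilege: str
    period: tuple                # (first day, last day) the rule is in force
    sign: str                    # "+" grants, "-" denies

def evaluate(auths, gtc: dict, gto: dict, p: str, now: date) -> bool:
    """Decide request (gtc, gto, p); assumed: deny overrides, default deny."""
    signs = set()
    for a in auths:
        role, sc = a.re
        if role is not None and role != gtc["role"]:
            continue
        if sc is not None and not sc.covers(gtc["lat"], gtc["lon"], now):
            continue
        if a.privilege == p and a.period[0] <= now <= a.period[1] and a.ge(gto):
            signs.add(a.sign)
    return "+" in signs and "-" not in signs

# Constructed policy base for P1 and P3; the bounding box is approximate.
ALWAYS = (date.min, date.max)
AFG = Scene("Afghanistan", (29.4, 60.5, 9.1, 14.4), ALWAYS)
AFG_POST = Scene("Afghanistan", (29.4, 60.5, 9.1, 14.4), (date(2001, 9, 12), date.max))
POLICIES = [
    Authorization((None, None), lambda o: o["resolution_m"] >= 10, "view", ALWAYS, "+"),
    Authorization(("military", AFG),
                  lambda o: o["resolution_m"] >= 1
                  and AFG_POST.covers(o["lat"], o["lon"], o["captured"]),
                  "zoom-in", ALWAYS, "+"),
]
```

The subject's position is checked against the role's scene and the image's position and capture date against the object expression, so a valid role outside its scene gets nothing.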
GEOSPATIAL ACCESS CONTROL MODELS
• GEO-RBAC: Geospatial Role-based Access Control
IV. GEO-RBAC: Geospatial Role-based Access Control
• Geospatial Role-based Access Control
• Example:
IV. GEO-RBAC: Geospatial Role-based Access Control
Spatial Object
IV. GEO-RBAC: Geospatial Role-based Access Control
Spatial Role - Positional Model
• Spatial Role: <r, e>
- r: role name
- e: spatial extent
- Ex: <surveyor, city of Rome>
• Positional Model:
- Real position
- Logical position
- Mapping function
IV. GEO-RBAC: Geospatial Role-based Access Control
• Role Schema
- It defines the role name for a set of spatial roles
- It specifies the spatial constraints under which roles can be enabled: the logical locations and real positions of the users who may assume the role
• Role Instance
- It is a role fulfilling the constraints defined in the role schema
IV. GEO-RBAC: Geospatial Role-based Access Control
• Role instance: <r, ext, loc, m>
- r: role name, ext: spatial extent
- loc: logical position, m: mapping function
• Permission:
- These are operations performed on spatial objects
- Symbol: <operation, object>
IV. GEO-RBAC: Geospatial Role-based Access Control
• User-to-spatial-role assignment
• Permission-to-spatial-role assignment
IV. GEO-RBAC: Geospatial Role-based Access Control
Access Request Evaluation
• Access request: <s, rp, p, o>
- The user of session s located at a real position rp wants to perform operation p on object o
- (p, o): permission assignment
IV. GEO-RBAC: Geospatial Role-based Access Control
• Access request: <s, rp, p, o>
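An added example (not from the slides or from the GEO-RBAC authors) of evaluating an access request <s, rp, p, o>: a role instance <r, ext, loc, m> counts as enabled only while the mapping function places the user's real position inside the role extent. Assumptions: logical positions are 0.1-degree grid cells, the extent is a set of such cells, and the Rome cells and permission names are constructed.

```python
import math
from dataclasses import dataclass
from typing import Callable

def cell_of(rp: tuple) -> str:
    """Mapping function m: real position (lat, lon) -> logical position (cell id)."""
    return f"{math.floor(rp[0] * 10)}:{math.floor(rp[1] * 10)}"

@dataclass(frozen=True)
class RoleInstance:
    """Role instance <r, ext, loc, m>."""
    r: str                          # role name
    ext: frozenset                  # spatial extent, as a set of logical cells
    loc: str                        # kind of logical position, here "cell"
    m: Callable[[tuple], str]       # mapping function

@dataclass
class Session:
    user: str
    roles: list                     # role instances assigned to this user

def enabled_roles(s: Session, rp: tuple) -> list:
    """A role instance is enabled only while m(rp) lies inside its extent."""
    return [ri for ri in s.roles if ri.m(rp) in ri.ext]

def check_access(s: Session, rp: tuple, p: str, o: str, pa: dict) -> bool:
    """Evaluate <s, rp, p, o>; pa maps a role name to its <operation, object> pairs."""
    return any((p, o) in pa.get(ri.r, set()) for ri in enabled_roles(s, rp))

# Constructed data: <surveyor, city of Rome>, with Rome approximated by four cells.
ROME = frozenset({"418:124", "418:125", "419:124", "419:125"})
SURVEYOR = RoleInstance("surveyor", ROME, "cell", cell_of)
PA = {"surveyor": {("update", "cadastral_map")}}
```

The same session loses the permission as soon as the reported position maps to a cell outside the extent, which is why the integrity of rp matters as much as the role assignment.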
GEOSPATIAL ACCESS CONTROL MODELS
• LBAC: Location-based Access Control
V. LBAC: Location-based Access Control
1. Introduction
• For secure access to data by mobile users, we have to consider the user's dynamic location to identify the roles allowed and denied.
• In this model, we focus on access to resources based on the physical location of the user.
V. LBAC: Location-based Access Control
2. Some examples:
• System administrators are authorized to configure the mobile network if they are in the server farm room, they are alone in such an area, and move at walking speed at most
• The CEO is authorized to access mobile network statistics if there is nobody close by and she is not in a competitor location
• Guests can read mobile network statistics if there is nobody close by and they are in a corporate location
V. LBAC: Location-based Access Control
3. Basics
• LBAC considers the physical location and the credentials of the requester in determining whether to allow or deny access.
• The context data about location and timing are provided by a third party, so they have a degree of uncertainty due to technological limitations and possible environmental effects.
V. LBAC: Location-based Access Control
4. LBAC Policy Rules
• An access control rule is represented with a triple <subj-expr, obj-expr, action>, where:
- subj-expr refers to the conditional expression for subjects (evaluated with the user's profile)
- obj-expr refers to the conditional expression for objects (objects in categories)
- action refers to a privilege mode
V. LBAC: Location-based Access Control
5. LBAC Policy Evaluation and Enforcement
• A user's access request is represented with <user id, SIM, action, object id>, where:
- user id is the optional identifier of the user who makes the request
- SIM is the user's optional SIM card number
- action is the action that is being requested
- object id is the identifier of the object
V. LBAC: Location-based Access Control
• The Location Service returns the results in the form of <Boolean value, confidence, timeout>
- Confidence: level of reliability of the Location Service result according to accuracy
- Timeout: represents the time validity of the location values, which may change rapidly
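An added example (not from the slides or from the LBAC authors) showing how a policy decision point can treat the Location Service result <Boolean value, confidence, timeout> so that stale, missing or low-confidence answers never grant access. Assumptions: confidence is on a 0 to 1 scale, timeout is an absolute expiry in epoch seconds, the 0.8 threshold is arbitrary, and the predicate names, user and object identifiers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LocationResult:
    """<Boolean value, confidence, timeout> as returned by the Location Service."""
    value: bool
    confidence: float   # assumed scale: 0.0 (unreliable) to 1.0 (certain)
    timeout: float      # assumed encoding: epoch seconds after which it is stale

@dataclass(frozen=True)
class Rule:
    """<subj-expr, obj-expr, action>; subj-expr = profile role + location predicates."""
    role: str
    predicates: tuple
    obj_category: str
    action: str

def holds(res, min_conf: float, now: float) -> bool:
    """Fail closed: a missing, stale or low-confidence answer counts as False."""
    return (res is not None and res.value
            and res.confidence >= min_conf and now < res.timeout)

def decide(request, rules, profiles, categories, locate, now, min_conf=0.8) -> bool:
    """Evaluate <user id, SIM, action, object id>; default deny."""
    user_id, sim, action, object_id = request
    for rule in rules:
        if (rule.action == action
                and categories.get(object_id) == rule.obj_category
                and profiles.get(user_id) == rule.role
                and all(holds(locate(sim, pred), min_conf, now)
                        for pred in rule.predicates)):
            return True
    return False

# Constructed data for the first example rule (system administrators).
RULES = [Rule("sysadmin", ("in_server_farm", "alone", "walking_speed"),
              "mobile_network", "configure")]
PROFILES = {"u1": "sysadmin"}
CATEGORIES = {"net-config": "mobile_network"}
```

`locate` stands in for the third-party Location Service and is called once per predicate, so each answer carries its own confidence and expiry.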
V. LBAC: Location-based Access Control
6. Geospatial Web Services Access Control
• The standard Web services developed by the OGC (Open Geospatial Consortium) allow geospatial data to interoperate and to be accessed through composition and invocation of Geospatial Web Services.
• They provide standards for Web Feature Service (WFS), Web Map Service (WMS), Web Coverage Service (WCS), as well as Web Image Classification Service and Web Coordinate Transformation Services.
GEOSPATIAL ACCESS CONTROL MODELS
• Geospatial Web Services Access Control
VI. Geospatial Web Services Access Control
• Web service standards developed by the OGC (Open Geospatial Consortium) allow geospatial data interoperability and access via discovery, composition and invocation of Geospatial Web Services.
• It provides standards on Web Feature Service (WFS), Web Map Service (WMS), Web Coverage Service (WCS) as well as Web Image Classification Service and Web Coordinate Transformation Services.
VI. Geospatial Web Services Access Control
1. Geospatial Extensible Access Control Markup Language
• Overview
- Support for the declaration and enforcement of (not only) geo-specific access rights
- Geospatial extension to the eXtensible Access Control Markup Language (XACML)
• XACML is a standard by OASIS
- OASIS = Organization for the Advancement of Structured Information Standards
VI. Geospatial Web Services Access Control
• The geometry attribute values supported by GeoXACML include: Point, LineString, LinearRing, Polygon, Multipoint
• The functions for testing topological relations include: disjoint, touches, crosses, within, contains, overlaps, intersects, equals
• The GeoXACML policy is expressed as a set of rules, each of which is expressed as a tuple (Grant-type, (Subjects, Resources, Actions), Condition)