05-11-2012, 03:25 PM
Security Challenges and Approaches in Online Social Networks: A Survey
Security Challenges.pdf (Size: 201.73 KB / Downloads: 88)
ABSTRACT
Social Networks (SN) Sites are becoming very popular and the
number of users is increasing rapidly. However, with that
increase there is also an increase in the security threats which
affect the users’ privacy, identity and confidentiality. Different
research groups highlighted the security threats in SN and
attempted to offer some solutions to these issues. In this paper we
survey several examples of this research and highlight the
approaches. All the models we surveyed were focusing on
protecting users’ information yet they failed to cover other
important issues. For example, none of the mechanisms provided
the users with control over what others can reveal about them;
and encryption of images is still not achieved properly. Generally
having higher security measures will affect the system’s
performance in terms of speed and response time. However, this
trade-off was not discussed or addressed in any of the models we
surveyed.
Introduction
SN sites are defined as interactive web-based
applications that provide users with the ability to
communicate with friends and family, meet new people,
join groups, chat, share photos, and organize events and
network with others in a similar-to-real-life manner. SN
functionalities are organized into three main categories:
Social Networks Services (SNS), Network Application
Services (NAS), and the communication Interface (CI).
SNS are used to establish social network relationships
between people who have the same activities and interests.
NAS provide network interaction services for users such
as psychological tests, social web games, fans groups, etc.
CI offers platforms to support users’ communication and
interaction. The privacy paradox is an interesting
phenomenon that takes place in SN websites, where people
are usually more protective of their personal information
when using different communication media (i.e. Personal
or Phone) compared to their readiness to provide this
information via the SN websites.
SN Security Requirements
As people are unaware of the dangers of the sociotechnical
attacks, they usually uncover everything about
themselves via the Internet thinking that this information
does not affect their privacy. The willingness to uncover
personal information on SN websites negatively affec
their professional and even their personal lives. The
security firm Sophos [18], Nagy and Pecho [15],
conducted a study on social network users to test their
awareness of protecting personal information. Both studies
showed profiles of midrange college educated users living
in a modern city. Sophos conducted the study in the
European region while Nagy and Pecho tested users in
USA. When comparing the results of both studies, it was
found that the understanding of what is considered as
critical information varies between Americans and
Europeans. Generally information about residence and
career got lower response from Americans.
P2P Based Social Networks
Social Networking Sites are web-based platforms
consisting of millions of users and participants in social
networks sites, and the P2P approach solves the load and
the cost issues but leads to new security issues and
challenges. SN supports security requirements in different
aspects such as the registration, authentication, access
control, and confidentiality.
Security framework for P2P-based platforms for SN [2]
supports the users’ registration and login process, where a
new user chooses a unique username and password to
generate an asymmetric key pair PrivA, PubA. In the login
process the user recreates the key pair after entering a
valid username and password. The user ID is used to
encrypt the communication to this node/user, only the
receiver can decrypt these messages. In addition, it
supports access control as different users have different
access rights such as reading shared items, creating new
shared items, and altering existing files. A shared item that
needs access control is encrypted with an object–specific
key. Moreover, in the case of instant messaging and chats,
each message is signed by the sender and verified by the
receiver. For example, user A sends an encrypted message
containing the symmetric key encrypted with the public
key of user B (the receiver) and signed with the sender’s
private key. The receiver (B) verifies that the message is
from user A using A’s public key. If user B accepts the
communication, the symmetric secret key is used for
consequent communications.
Privacy Protection issues in SN Sites
Nowadays, SN sites are attracting a huge number of
users, however; there are many security risks and threats
associated with them. The main purpose of SN sites is
sharing information and keeping in contact with users of
different relationship levels such as Best Friends, Normal
Friends, Casual Friends, and visitors. For each profile in a
SN different types of Users’ Data are included such as
identity, demographics, activities, and added content.
Different users have different privacy concerns for their
different kinds of information; therefore, four privacy
settings are being proposed for the users’ data according to
its impact on different users’ privacy preferences/settings
[4]. These are: healthy data (general information about
users), harmless data (demographic information), harmful
data (inappropriate posts that affect the user’s reputation
negatively), and poisonous data (very secure data for the
users). As a result, four levels of privacy have been
adapted on SN sites: no privacy, soft privacy, hard privacy,
and full privacy.
Privacy-Enabling SN
To remove the dependence on the social network
operator many approaches chose to distribute the system.
Privacy-Enabling SN [6] makes it possible to preserve the
simplicity and performance of the Client-Server model.
The model helps not only in protecting users’ information
from other users, but also protects users’ privacy against
the SN operator. Moreover, all previous work recommends
encryption to hide users’ information, but none approaches
the concept of hiding the links among users as a solution
as in this model. The model composes the client into four
layers, starting from the top there is Application Layer,
then the Data Structure Layer, the Cryptographic Layer
and finally the Network Layer. In the application layer,
applications run inside a secure sandbox that helps in
controlling the access to users’ data and all related
communication channels. The Data Structure layer
encapsulates the user content as a collection of discrete
blocks includes the links to other authorized blocks. The
privacy assurance takes place when hiding those links
between the blocks that is forced by the Cryptography
layer and provides confidentiality by preventing
unauthorized users to access and view users’ content.
Finally the Network Layer assures the simple interaction
between the client and the server.
Identity Server and Anonymous Identifier
Mobile phones are no more used just to make phone
calls. They have been promoted to Smart phones that can
handle most of the applications carried out by a computer
such as office applications, Internet browsing and online
SN access. Communicating wirelessly with SN sites or
any application over the Internet compromises users’
anonymity and make their information a victim to
eavesdropping, spoofing and wormhole attacks. Whether
the mobile device is a part of a Peer-to-Peer mobile SN
system or a client-Server mobile SN system, the identity of
the user is not anonymous. In P2P SN systems the user can
be tracked by collecting the login dates and times of a user
and creating a history of visited locations of the user. The
client-server SN system also compromises the users’
anonymity by exposing the user’s location since each
device that is connected to that system will have access to
the SN user names of nearby users.
Comparison and Discussions
We surveyed different existing SN Security
mechanisms and approaches. In addition, these approaches
will be evaluated with respect to the challenges and
constraints such as: flexibility, operator protection, user
anonymity, and dependency on the provider’s existence.
Virtual individual servers (VIS) [8] are virtual machines
that run on a computer infrastructure with high availability
utilities; VIS is used to upload contents to SN sites or any
other third-party service. VIS provides independence from
the Service provider because it provides users with the
ability to get a complete image of the information with the
service provider, which allows them to resume usage
whenever needed regardless of the providers’ existence.
Moreover, in VIS users’ are free to add or remove
functions at their convenience but they need to manage
their own machines and afford the cost for the computing
resources used by their VIS. Users’ Anonymity and
Protection from the service provider are not fully achieved
in the default situation, however, the user can install
arbitrary operating packages and set their own
configuration options to achieve their target of anonymity
and even security.
Open Research Issues
The main purpose of SN sites is to facilitate sharing
information and contacting people. Therefore, there is a
strong need for security mechanisms that operate as part of
the SN system to protect and secure user and provider
information and activities. Most of the security
mechanisms and approaches for SN we studied focus on
ensuring the users privacy in SN sites. However; there are
other issues that need to be addressed. For example, the
proxy-based Real-time protection mechanism needs an
additional improvement in terms of updating services and
software very rapidly and instantly. In addition, the
problem of not giving the control to users over what others
reveal about them is still not solved. For example, tagging
friends’ photos, sharing friends’ profiles are options
available in some SN sites where friends or other users can
simply tag other users in a certain picture or publish their
profile without their permission. There are no specific
mechanisms or privacy tools which allow users to control
what others may reveal about them through these tags or
shares. Furthermore, none of the approaches studied or
even just mentioned the impact of introducing the security
mechanisms on the performance of the system.
Conclusion
Social network sites are a major application driver with
millions of users all over the world relying on them in
keeping contacts and sharing information with others. This
huge involvement drives the need for setting the right
security measures that help in protecting users’ privacy. In
this paper, we discussed a number of mechanisms and
approaches that help in achieving acceptable levels of
security for the SN providers and users. However, many of
these mechanisms provided solution for a certain privacy
concern but missed others. Moreover when it comes to
setting higher security measures it seemed to compromise
the usability and flexibility of the system for the average
users. However, all surveyed projects failed to mention or
measure the tradeoffs between higher security measures
and the systems’ performance.