Issues of privacy policy conflict in mobile social network

Privacy protection in mobile social networks is a hot issue in current research. Various privacy protection policies have been proposed. However, the conflict of privacy protection policies inevitably occurs. In this article, aiming at the personalized privacy protection model proposed in our published paper, we analyzed the possible conflict between privacy policies and comprehensively considered the policy conflict brought by the resource-level relationship; meanwhile, we proposed a scheme of consistency verification for privacy policy to improve the previous personalized privacy protection model. We also verified the practical effects of the improved model by experiments on synthetic data sets.


Introduction
With the wide application of mobile devices and Web 2.0 techniques, mobile social networks (MSNs) have experienced exponential growth in recent years. They provide users with a platform for communication, sharing information, and making friends. With the popularity and development of social networks, social networking sites store a large number of users' personal data, which brings much convenience to data analysis. At the same time, it also causes great threat and challenge to individuals' privacy, because MSN data may contain personal private information. Protecting the privacy of users against unwanted disclosure in such circumstance poses challenging problems. Issues on privacy disclosure are the greatest threat to the personal information security in the era of big data. [1][2][3][4][5][6][7][8][9] In recent years, the issues on privacy protection in MSN are deeply researched, and many effective privacy-preserving technologies have been developed. The existing researches on MSN privacy protection mainly concentrate on privacy-preserving data publishing, data mining, and access control, [10][11][12][13][14][15][16][17][18][19][20][21][22][23] in which anonymization is the main privacy-preserving technology for social network data release, so that the data released can meet the need of data analysis while user privacy is not compromised; and social network access control techniques mainly focus on designing social network access control model to solve the problem of social network data access authorization. 18,[24][25][26][27][28][29][30][31][32][33][34][35] However, the conflict of privacy protection policies of access control model inevitably occurs. In this article, we summarized the main access control models in MSN, analyzed their contribution, and point out their disadvantages. Especially, in view of the privacy protection model supporting personalized privacy preferences, we put forward in our published paper, 21  can meet the user's personalized privacy policy needs to a certain extent. However, due to the overlapping or hierarchical relationship among rules' subject attributes, resource attributes, and action attributes, there may be logical inconsistencies in the formulation of privacy policies, for example, both positive authorization and negative authorization may exist on the same subject and object in different strategies, which will result in the privacy policy conflict. Therefore, according to whether the cause of policy conflict is related to the specific data, we defined the relevant privacy rules and analyzed the possible conflict (such as logical conflict and instance conflict) between privacy policies and comprehensively considered the strategy conflict brought by the resource-level relationship, which could improve the privacy protection of MSN users; meanwhile, we verified the feasibility of the improved model by experiments on synthetic data sets.

The related work
Access control in MSN is one of the most common manners of users' privacy protection. The main access control model is described in the following.
Role-based access control model 18 implements access control according to a pre-set role and the corresponding access privilege; however, the method mainly aims at the determined user community and cannot solve the problem of access authorization to unknown users and dynamic resources.
Attribute-based access control model can provide a better solution to the above problem. 28,30 It realizes the dynamic access control in open environment using a set of attribute authorization rules based on the subject attribute, object attribute, and environment attribute constraints, but the model is only applied to the situation that the owner and manager of resource are integrated in the social network, which access control policy is developed by the manager of resource, so it is not suitable for the condition that the owner and manager of resource are separated, and it cannot satisfy the requirement of social network users' personalized privacy preferences.
Rule-based access control model 29 defines the relationship between the visitor and owner of resource, the maximum topological distance and minimum confidence, and other restrictions by rules so that the automatic and flexible access control is achieved based on rules reasoning. However, due to the large number of rules, it is prone to result in conflicted policy and cannot guarantee the consistency authorization and effective implementation of policies.
Authorization rules-based access control model 31 adds the concepts of user attributes and permissions allocation rules based on rule-based access control model. It achieves the dynamic role permission assignment, but the model does not meet the demand of userdefined privacy policies. Wang et al. 21 propose a practical privacy policy defined through authorization model supporting personalized privacy preferences.

Privacy policy conflict analysis
Due to the overlap or hierarchical relationship among the subject attributes, resource attributes, and action attributes of rules, there may be logic inconsistencies in the formulation of privacy policies. For example, in different policies, there are both positive authorization and negative authorization for the same subject and object, which results in privacy policy conflicts. According to whether the cause of policy conflict is related to the specific data, it can be divided into two aspects: logical conflict and instance conflict.

Logical conflict
Logical conflict refers to the logical inconsistency in the process of policy definition, such as role contradiction delegation, which refers to the logical conflict that the same role is assigned both positive and negative authorization.
Another typical logical conflict is the privilege inheritance conflict, which is the contradiction between authorization and explicit authorization caused by role hierarchy. As shown in Figure 2, the circle represents the role, the square represents the privilege, + P and 2P represent the positive and negative authorization to the same resource, respectively, the arrow represents the role hierarchy, and the solid line indicates an existing role-permission assignment relationship, the dashed line represents the newly added role-privilege assignment relationship. According to the inheritance relationship of permissions in the role hierarchy, when low-level roles are assigned positive authorization, high-level roles inherit positive authorization from lowlevel roles to high-level roles according to positive authorization. If negative authorization is added to high-level roles, it would conflict with the positive authorization of low-level roles and cause policy conflicts, such as Figure 1(a). When low-level roles are assigned negative authorization, the added positive authorization of high-level roles does not cause policy conflicts. When high-level roles are assigned negative authorization, the negative authorization of high-level roles to resources must imply negative authorization of low-level roles according to negative authorization propagation from high level to low level, and if the positive authorization of low-level roles is added, it would conflict with the positive authorization of high-level roles, resulting in policy conflicts, as shown in Figure  1(b); when high-level roles include multiple low-level roles and there are mutually exclusive privileges between low-level roles, and if a new negative authorization is added to high-level roles, it would conflict with the negative authorization of low-level roles and cause policy conflicts, as shown in Figure 1(c).

Instance conflict
Instance conflict means that there is no logical conflict on the policy definition itself, but there are policy conflicts caused by the instances in the database which trigger policy conflict conditions. In the authorization model that supports personalized privacy preference, users are authorized by VR-Rule and RP-Rule. In the process of defining two kinds of rules, there may be a user instance that satisfies two kinds of role constraints simultaneously, which leads to the application of two opposite strategies at the same time and results in policy conflicts.

Privacy policy consistency verification
In order to effectively analyze the contradiction of privacy policy, the verification method of logical programming is adopted. The user-defined privacy policy is transformed into logical form. The conflict of privacy policy is automatically detected by rule reasoning. The specific process is shown in Figure 2, which can be divided into the following steps: (1) users define personalized privacy policy; (2) design access authorization reasoning rules and policy conflict rules according to privacy policy; (3) realize user queries on policy permission assignment and policy conflict; (4) according to conflict query request, call logical transformer to convert data and privacy policies stored in relational databases into facts; (5) reasoning engine completes automatic reasoning of user authorization and policy conflict based on existing facts and reasoning rules; and (6) present the result of policy conflict, and the conflict strategy is corrected by interacting with users.

Build fact base
Facts refer to the relationship between existing entities, which consist of predicate names and variables. The relational data stored in database and policy library are transformed into factual statements through logic transformation program, which is the basis of logical reasoning. The transformation process is shown as follows: first, according to the user's query request and the content of different tables, the data are extracted  table, object label table,  object table, privilege table,

Design reasoning rules
Reasoning rules describe the dependencies between facts in the form of h:-b1, b2,..., bn, where h is the head of the rule, representing the conclusion of the rule, and b1, b2,..., bn is the body of the rule, indicating the conditions under which the rule is established. According to the authorization model supporting personalized privacy preference, the formal reasoning rules are designed as follows. Definition 4 (role-permission assignment rule). Role permission includes not only direct permission assignment but also permission inheritance caused by role hierarchy. Therefore, this rule mainly includes three parts: (1) direct permission assignment, permission_limit defines the object access privilege for a given label, object_tag and match query label matching object, assign_PER and permission grant eligible object access privilege to role Role; (2) low-level role Child is assigned positive authorization, according to positive authorization forward propagation, and high-level role Ancestor inherits low-level role positive authorization; (3) if high-level role Ancestor is assigned positive authorization, according to negative authorization reverse propagation, low-level role Child inherits high-level role negative authorization. The specific conversion rules are as follows.  limit(PermissionLimit,O_tag_name,O_tag_range, Actions,'deny').

Definition 5 (user-permission authorization rule). It involves user-permission authorization through visitor-role authorization
and role-permission assignment reasoning.
Definition 6 (matching rule). The custom internal function match is used to determine whether a numerical Value is within a given range Range. It can be divided into the following three situations. Definition 7 (logical conflict rules). Define mutually exclusive permission mutePermLimit, which has both ''grant'' and ''deny'' access authorization and rolepermission assignment rule role_has_pe on the same object, to determine whether a role has mutually exclusive permissions.

Policy conflict query
Through the analysis of query requests for policy conflict rules, the policy consistency verification is completed, including direct conflict query and personalized customized query. Direct conflict queries refer to queries that do not set the limits of queries and directly conduct policy conflict queries according to the inference rules of policy conflict. This query not only provides the results of policy conflict detection but does not list the reasons for policy conflict. In order to help users find the causes of policy conflict and achieve the revision of policy conflict, the query of the following two rules is provided: 1. Logical conflict path rule: give the complete authorization path of user-role authorization conflict so that users can get the authorization path of logical conflict.
2. Instance conflict path rule: give the complete authorization path of user-permission authorization conflict so that users can get the authorization path of instance conflict.
Because direct conflict query uses enumeration method, it is inefficient to execute when there are a large number of rules. Therefore, by adding personalized customized query, users can customize the scope of query restriction, and achieve rapid verification and accurate location of the cause of policy conflict.
3. User authorization path rule: giving the complete path of visitor authorization, users can restrict certain variables according to their own needs, implement personalized customized queries, and find possible policy conflicts in the whole authorization. Given the user's role, query_policy_trace (User,? Role,_,_,_) queries all the roles assumed by the user User, and determines whether which contains a role Role that user User does not satisfy the constraints of the subject attributes so as to determine whether the user-role authorization rule is complete.
Given the role's permission, query_policy_trace(, Role,?PermissionLimit,_,_) queries all permissions authorized to the role Role, including two aspects: (1) direct permission authorization; (2) inheritance of permission caused by the role hierarchy so as to determine whether there is a logical conflict. Given the role of the object, query_policy_trace (,?Role, _, Object, Action) queries all roles that can perform action Action for resource Object and determines whether the permission \Object, Action. that does not satisfy the object label constraints is assigned to role Role so as to determine whether the role-permission assignment rule is complete. Given the user's permission, query_policy_trace (User,_,?PermissionLimit,_,_) queries all user's permission authorized to user User and realizes the analysis of user's authorization results so as to determine whether there is an instance conflict.

Experimental result analysis
To integrate the authorization model supporting personalized privacy preference into the existing social network system, we designed a personalized privacy policy management system, which allows users to define personalized privacy policies and implement access control based on privacy policy.
Experiments have been carried on synthetic data sets. The experimental results show that the proposed privacy protecting model with privacy policy consistency verification could effectively improve the security of the MSN while keeping high execution efficiency. The system experimental environment is described as follows. CPU: Intel Ò Coreä i7-6500U @2.50GHz, RAM: 8 GB, software environment: Windows 7, development language: Anaconda 3, Database System: SQL-Server 2012.
Aiming at different ways of conflict query, we first test the impact of the number of users on query performance. Suppose that the user information table has 10 attributes, according to each additional 10 users for a group of experiments, each group of queries carry on 50 tests, we calculate the average query time of 10 rounds. The experimental results are shown in Figure 3, where the direct conflict query refers to querying instance conflict rules directly without setting query restriction range, that is conflict (User, Object, Action), represented by dotted lines. Personalized query refers to restricting certain variables to query user authorization path rules, that is conflict (User, photo1, Action), restricting Object = photo1, which is expressed in a straight line. The experimental results show that with the increase in the number of users, the direct conflict query time increases linearly, because the direct conflict query is detected by enumeration, the number of users increases, and the enumeration query number increases correspondingly, which leads to the rapid growth of the query time; compared with the direct conflict query execution, the personalized query is more efficient than direct conflict query, because personalized queries limit some variables, which can quickly locate the causes of policy conflicts, and is less affected by the number of users.
Second, we test the impact of resource quantity on query performance. The number of selected users is 100. The experimental results are shown in Figure 4, where the direct conflict query is conflict (User, Object, Action), represented by dotted lines, and the personalized query named as query_per (User, Role, PermissionLimit, Object, Action) is restricted to User = ''Alice,'' represented by a straight line. The experimental results show that with the increase in the number of resources, the direct conflict query time increases linearly first and then gradually stabilizes, because the access authorization of the model is aimed at satisfying all the resources of the object label, not the authorization of a resource. Although the number of resources increases, the policy conflict query time is relatively stable when the resources satisfying the object label constraint are determined; personalized query is more efficient than direct conflict query and less affected by resource quantity.
Finally, we test the effect of the number of users on the performance of personalized queries under different conditions. The experimental results are shown in Figure 5. Queries with three variables, query_per ('Alice', Role, PermissionLimit, 'photo1','read'), are restricted by three query conditions: User = ''Alice,'' Object = ''photo1,''Action = ''read,'' whose query time is represented by a solid line. Queries restrict one query condition, that is query_per (User, Role, PermissionLimit, 'photo1', Action), which indicates that a query condition Object = ''photo1'' is restricted, and its query time is represented by a dotted line. The experimental results show that personalized query has high execution efficiency, and the more restrictive query conditions, the better query performance.

Conclusion and future work
In recent years, privacy protection has been widely concerned in academic and industrial fields. Many privacy protection techniques in MSN have been proposed. In this article, based on summarizing the main access control models in MSN, we analyzed the possible conflicts between privacy policies and comprehensively considered the policy conflict brought by the resource-level relationship; meanwhile, we proposed a scheme of privacy policy consistency verification so as to improve   the previous personalized privacy protection model. We also verified the practical effects of the improved model by experiments on synthetic data sets. In the next step, we would verify the feasibility of the model by experiments on real data sets and try to embed our model in real MSNs, for example, we can embed our systems in MSNs in the future.