A Secure and Privacy-aware Cloud-based Architecture for Online Social Networks

Security of the Proposed Online Social Network

Trust Model of the Proposed Online Social Network

The following table compares the trust relationships of the proposed online social network with conventional online social networks and other alternative architectures proposed by different scholars. A "Yes" means that the online social network architecture trusts the given entity when it comes to security and privacy of users, and a "No" is the opposite of the same fact. Some conventional online social networks provide some adjustable privacy controls for users. However, the users must adjust their privacy settings to get the desired level of security and privacy. Based on users' preferences or knowledge about such controls, the level of trust placed on external entities can vary from user to user. Therefore, such scenarios are represented with a "Yes and No". In conventional online social networks, the indexing service provider and the data storage provider are the same, i.e. the social network operator, and by default the social network operator is a trusted entity in conventional online social networks. Other proposed alternative online social network architectures have not discussed providing an index service to search and add new friends.

Table: Trust Model Comparison
Architecture Friends External Entities Non-friend Users Indexing Service Provider Data Storage Provider(s)
Conventional online social networks Yes Yes & No Yes & No Yes, represents the social network operator Yes, represents the social network operator
Anderson et al.Yes No No Unknown No
Shakimov et al. - Vis-à-Vis Yes No No Unknown Yes
Baden et al. - PersonaYes No No Unknown No
Cutillo et al. - SafebookYes No No Unknown Yes
Seong et al. - PrPlYes No No Unknown Yes
Jahid et al. - DECENTYes No No Unknown No
Buchegger et al. - PeerSoNYes No No Unknown Yes
Aiello and Ruffo - LotusNetYes No No Unknown No
Nilizadeh et al. - CachetYes No No Unknown No
Proposed Architecture Yes No No No No

Security in Different Functionalities

ITU-T, in their X.800 standard, has defined fourteen security services under five categories. The table below shows how different functionalities adhere to these security services in the proposed online social network architecture. In this table, when a security service is not applicable to a particular functionality, it is mentioned as “N/A”. The security services that are not listed in this table are not relevant to all the functionalities. In other words, only the security services that have a relevance to at least one of the functionalities are shown in the table.

Table: Security compliance of different functionalities
Functionality Access Control Connectionless Confidentiality Data-origin Authentication Peer Entity Authentication Connectionless Integrity Nonrepudiation, Origin
User registration N/A N/A N/A
Creating a user profile N/A N/A
Accessing and updating a user profile N/A N/A N/A
Deleting a user profile N/A N/A N/A
Adding friends and contacts to the network N/A N/A
Removing friends and contacts from the network N/A N/A N/A
Accessing friends' profiles N/A N/A
Sharing information and content N/A N/A
Wall posting
Messaging

Security Against Identified Attacks

Cutillo et al. (Cutillo et al. 2010) present a spectrum of attacks that are common in OSN environments and their malicious intentions. Resiliency of the proposed online social network against these attacks is summarized in the table below.

Table: Resiliency of the prosposed online social network against different attacks
Attack Vulnerability
Plain impersonation Vulnerable.
Profile cloning Safe.
Profile porting Vulnerable.
Profile hijacking Safe.
Profiling Safe. Such an attack is only possible at the level of the user's public profile.
Secondary data collection Less vulnerable due to immunity against profiling.
Fake requests Vulnerable.
Crawling and harvesting Safe, and only vulnerable up to users' public profiles.
Image retrieval and analysis Safe.
Communication tracking Safe, and only vulnerable to the extent of leakage of information to CDCs, pertaining to how frequent the communications are.
Fake profiles and Sybil attacks Vulnerable.
Ballot stuffing Safe.
Defamation Safe.
Censorship No censorship at an social network operator level. Censorship is still possible at group levels by group moderators.
Collusion attacks Safe. However, a successful DoS attack to the Advertiser can block adding new friends.

Known Cloud Security Risks

Stallings and Brown (Stallings and Brown, 2011) have provided a list of known technical security risks in cloud computing environments. These security risks are listed below. However, it is important to note that the proposed architecture that relies on cloud datacenters to store user profiles, is still resilient against all these security risks.