Title: An Access Control Model for Video Database Systems

1. An Access Control Model for Video Database Systems
A joint work of Elisa Bertino (1), Ahmed K. Elmagarmid (2) and Moustafa M. Hammad (2)
(1) Dipartimento di Scienze dell'Informazione, Università degli Studi di Milano. Via Comelico, 39/41 20135 Milano, Italy. bertino_at_dsi.unimi.it
(2) Computer Science Department, Purdue University. 1398 Computer Science Bld., West Lafayette IN 47907. ake,mhammad_at_cs.purdue.edu
2. Introduction
- Video data possess unique features that distinguish them from other data types (e.g. different media types (visual, audio and text), schemaless, massive volume, time- and space-variant, rich semantic content: a picture is worth 1000 words, what about video?).
- Different approaches to model video data, like:
  - Segmentation-based, physical-features oriented: color histogram, textures, audio, text.
  - Annotation-based, semantic-features oriented. Video description is used to access video.
- Large amount of digital video (> 1.8 M Gbytes) and large investments; MPEG-2 has created the entirely new digital television industry worth 30 billion.
- Hence a need to provide secure and organized access to video databases, or access control!
- Is access control based on physical or semantic content?
- Our work is focused on access control based on video semantics, to exploit the expressive power in video.
3. Topics of Discussion
- Video data model.
- Authorization model for video database.
- Access control techniques.
- System architecture.
- Conclusion and future work.
4. Video Data Model
[Figure: video data model. Labels: physical video stream; physical video segment; hot object; life-time interval or logical video segment. Example annotation: "John playing with his bicycle".]
5. Authorization Model
- Closed-system access control (no access permission unless explicitly specified in the system).
- User access requests are checked against authorization rules.
- Authorization rule specification entails:
  - Subject specification,
  - Object specification, and
  - Mode specification.
[Flowchart: an access request is checked against the authorization rules. Request satisfies authorization rules? Yes: grant. No: deny.]
6. Subject Specification
- Use of credentials:
  - Characteristics and attributes of users (user profiles) instead of only user identifiers.
  - Example: (Name John, Age 8, Job student,).
  - Suitable for video data.
- Credential type (schema), credential and credential expression.
- We specify a simple language for credential expressions.
- Examples of credential expressions:
  - Student(x), representing all users that are students.
  - x.age < 18, denoting all users having age < 18.
  - Student(x) AND x.age < 18: students with age < 18.
- A credential expression is finally evaluated to a set of user identifiers.
- A subject is specified as either
  - a list of user identifiers or a credential expression.
7. Object Specification
- We base our access model on the logical video level, to
  - be easy to apply and modify, and
  - allow specification of access based on semantic video contents.
- Video objects possess more than just physical characteristics (semantic contents).
- Annotations describe video semantics, and one can extract concepts from video annotations (e.g. FIAT and MAZDA are CARS).
- In their simplest form, concepts represent just annotation keywords.
- We use concepts that describe video semantics to specify video security.
8. Object Specification (Cont.)
- A concept expression involves one or more concepts with video operators between them. Video operators are either spatial, temporal, spatio-temporal or Boolean operators.
- Concept expression:
  - The set CPE of concept expressions is built from atoms and an operation θ, a video operation.
  - Atoms can be of the following types:
    - c, where c ∈ set of concepts.
    - c1 θ c2, where c1, c2 are concepts and θ ∈ set of video operations.
  - Then the set CPE of concept expressions is recursively defined as follows:
    - Every atom is a concept expression.
    - If CpE1 and CpE2 are concept expressions, then CpE1 ∧ CpE2, CpE1 ∨ CpE2, ¬CpE1, (CpE1) are also concept expressions.
9. Object Specification (Cont.)
- A concept expression finally evaluates to the set of logical video segments that contain concepts satisfying the expression.
- Examples of concept expressions:
  - World War II ∧ Digol denotes all frame intervals that have General Digol as a hot object and deal with World War II.
  - Ortiga DURING drug trial denotes all frame intervals that have former Colombian president Ortiga during the drug trial in the court video.
  - DISCOVERY CLOSE spying satellite denotes all frame intervals that have the DISCOVERY space shuttle fixing or close to a spying satellite in the NASA video library.
- A video object can be specified either
  - by providing a set of logical video elements, or
  - by providing a concept expression.
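An added example (not from the slides) of how a concept expression can evaluate to a set of logical video segments, restricted to the Boolean operators. The frame-level set semantics, the tuple syntax and the sample annotations are assumptions; spatial and temporal operators such as DURING and CLOSE are left out because the slides do not define them.

```python
# Added example: evaluates Boolean concept expressions over annotated video.
# ANNOTATIONS is constructed sample data, not taken from the slides.
TOTAL_FRAMES = 1000  # assumed length of the sample video, in frames

# concept -> life-time intervals (inclusive start/end frame) where it appears
ANNOTATIONS = {
    "World War II": [(0, 399)],
    "Digol": [(100, 149), (300, 449)],
    "spying satellite": [(600, 699)],
}

def frames_of(concept):
    """Frames annotated with a concept (the atom case of a concept expression)."""
    out = set()
    for start, end in ANNOTATIONS.get(concept, []):
        out.update(range(start, end + 1))
    return out

def evaluate(expr):
    """Recursively evaluate an expression tree to a set of frame numbers.

    expr is a concept name, or a tuple ("AND", a, b), ("OR", a, b), ("NOT", a).
    """
    if isinstance(expr, str):
        return frames_of(expr)
    op, *args = expr
    if op == "AND":
        return evaluate(args[0]) & evaluate(args[1])
    if op == "OR":
        return evaluate(args[0]) | evaluate(args[1])
    if op == "NOT":
        return set(range(TOTAL_FRAMES)) - evaluate(args[0])
    # Fail closed: an operator we cannot evaluate must not select any video.
    raise ValueError(f"unsupported operator: {op}")

def to_segments(frames):
    """Merge a frame set into maximal logical segments [(start, end), ...]."""
    segments = []
    for f in sorted(frames):
        if segments and f == segments[-1][1] + 1:
            segments[-1] = (segments[-1][0], f)
        else:
            segments.append((f, f))
    return segments

def segments_for(expr):
    """Logical video segments selected by a concept expression."""
    return to_segments(evaluate(expr))
```
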
10. Authorized Object
- Consists of two parts:
  - protected objects (po), which represent video elements the user wants to access, and
  - restricted objects (ro), which represent video elements the user is restricted from accessing.
- The authorized object (ao) is defined as the following expression:
  - ao po ro, where is defined as the exclusion of restricted object from protected ones.
[Figure: restricted object, protected object, authorized object.]
11. Relations Between Different Object Specification Terms
12. Mode Specification
- Low-level operations (like read and write) are not suitable for video access control.
- More abstract operations are used to specify different access modes:
  - View(annotations), View(Rframes), Play(period, quality), Edit(annotation), Edit(logical-video), Edit(Physical-video).
- Those operations are in increasing power; the successor subsumes the predecessor.
13. Access Control Mechanism
- A user submits a request to access a video element.
- The access control routine checks the authorization rule repository for an authorization rule that satisfies:
  - the user is one of the subjects,
  - the accessed object is one of the protected objects,
  - the operation is equal to or less than the specified mode.
- If not found, the user is unauthorized.
- Else if the object is a restricted one,
  - then apply operator and authorize the subject to the new object.
- Else authorize the subject.
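The mechanism above as an added example, not the authors' implementation. Assumptions: video objects are modelled as sets of frame numbers, Play(period, quality) is reduced to a bare "Play" mode, a request must lie entirely inside the protected object, and the first matching rule decides.

```python
# Added example: closed-system access check for the model described above.
# Users, rules and frame ranges are constructed sample data.

# Access modes in increasing power; a granted mode subsumes all earlier ones.
# Play(period, quality) is reduced to "Play" here (parameters omitted).
MODES = ["View(annotations)", "View(Rframes)", "Play",
         "Edit(annotation)", "Edit(logical-video)", "Edit(Physical-video)"]

USERS = {
    "john": {"type": "Student", "age": 8},
    "mary": {"type": "Student", "age": 21},
    "bob": {"type": "Editor", "age": 40},
}

def is_subject(subject, user_id):
    """Subject is a set of user ids or a credential expression (a predicate)."""
    if callable(subject):
        profile = USERS.get(user_id)
        return profile is not None and bool(subject(profile))
    return user_id in subject

# Each rule: (subject, protected frames po, restricted frames ro, mode).
RULES = [
    # Student(x) AND x.age < 18: may play frames 0-499 except 200-299.
    (lambda x: x["type"] == "Student" and x["age"] < 18,
     set(range(0, 500)), set(range(200, 300)), "Play"),
    # Explicit user list: bob may edit annotations on the whole range.
    ({"bob"}, set(range(0, 500)), set(), "Edit(annotation)"),
]

def check_access(user_id, frames, mode, rules=RULES):
    """Return the frames granted for the request, or None to deny."""
    if mode not in MODES:
        return None                          # unknown mode: deny
    for subject, po, ro, rule_mode in rules:
        if not is_subject(subject, user_id):
            continue
        if not frames or not frames <= po:   # object must be a protected one
            continue
        if MODES.index(mode) > MODES.index(rule_mode):
            continue                         # requested mode too powerful
        granted = frames - ro                # exclude the restricted object
        return granted or None
    return None                              # closed system: no rule, no access
```
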
14. System Architecture
15. Conclusion and future work
- Provide access control based on video semantics, not only physical features.
- Support for access control at different video granularities.
- Not a dumb guard but a smart manager (apply filter effects).
- Provide categories of video privileges.
- Use of credentials instead of just identifiers.
- Providing modular access control architecture.
- The model can be adapted to video models that provide content description mechanisms (MPEG-7).
16. Conclusion and future work (cont.)
- Real time provision of access control.
- Distributed implementation.
- PICS (Platform for Internet Content Selection).