1484 IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 17, NO. 9, SEPTEMBER 2015

A Framework for Composition and Enforcement of Privacy-Aware and Context-Driven Authorization Mechanism for Multimedia Big Data

Arjmand Samuel, Muhammad I. Sarfraz, Student Member, IEEE, Hammad Haseeb, Saleh Basalamah, Senior Member, IEEE, and Arif Ghafoor, Fellow, IEEE

Abstract—The proliferation of multimedia big data for dissemination and sharing of massive amounts of information raises important security and privacy concerns. One such concern is the composition and enforcement of privacy policies in order to securely manage access of multimedia big data. Several researchers have pointed out that for proper enforcement of privacy policies, the privacy requirements should be captured in access control systems. In this paper, we propose a hybrid approach where privacy requirements are captured in an access control system and present a framework for composition and enforcement of privacy policies. The focus is to allow a user, not a system or security administrator, to compose conflict-free policies for their online multimedia data. An additional requirement is that such a policy be context-aware. We also present a methodology for verifying the privacy policy in order to ensure correctness and logical consistency. The verification process is also used to ensure that sensitive security requirements are not violated when privacy rules are enforced. A prototype, named Intelligent Privacy Manager (iPM), has been implemented for sharing of multimedia big data in a secure and private manner.

Index Terms—Access control, context, data privacy, formal verification, multimedia databases.

I. INTRODUCTION

Today, an increasing number of users use the Internet to manage their multimedia data regarding health-care, e-business, social networking, intelligent transportation systems, etc. [1]–[7].
This trend is further being fueled by an ever-growing number of companies and government agencies such as banks, hospitals and employers, managing users' personal data in some form of online applications and databases. The aim is to save time and money, by streamlining and facilitating access to and manipulation of online data using the Internet both in a static and mobile environment. However, theft of private information is a significant problem for online applications [8]. Hence, the overriding concern for using any Internet-based service dealing with users' personal data, especially multimedia data due to its sheer volume and rich semantics, is ensuring security and privacy of their personal information.

Manuscript received February 26, 2015; revised May 31, 2015 and July 02, 2015; accepted July 07, 2015. Date of publication July 20, 2015; date of current version August 10, 2015. This work was supported by the U.S. National Science Foundation under Grant IIS-0964639. The guest editor coordinating the review of this manuscript and approving it for publication was Dr. Shu-Ching Chen.
A. Samuel is with the Microsoft Research, Redmond, WA 98052 USA (e-mail: arjmands@microsoft.com).
M. I. Sarfraz, H. Haseeb, and A. Ghafoor are with the School of Electrical and Computer Engineering, Purdue University, West Lafayette, IN 47906 USA (e-mail: msarfraz@purdue.edu; hammad_pakistan@yahoo.com; ghafoor@purdue.edu).
S. Basalamah is with the KACST GIS Technology Innovation Center, Umm Al-Qura University, Makkah 24381, Saudi Arabia (e-mail: smbasalamah@uqu.edu.sa).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TMM.2015.2458299

An important security and privacy concern of online multimedia systems is the composition and enforcement of privacy policies in order to securely manage access of multimedia big data.
The relation between multimedia big data and composition of user-centered privacy policies is twofold. First, the large volume of multimedia data and the large number of users desiring to enforce/control distributed access to multimedia data assets (i.e., images, videos, etc.) in applications such as healthcare and social networking introduce the problem of who should compose the policy. That is, should there be a unified/centralized policy for all users, or should multimedia data owners (users) compose their own policy in order to grant or deny access? Second, it is more conducive and intuitive for a normal user with very little or no domain knowledge or expertise to compose a policy to manage privileges of multimedia data by a simple drag-and-drop mechanism in comparison to structured data based on a formal schema such as relational data or XML. Hence, this relation introduces the need for a comprehensive framework to allow for composition and enforcement of policies in order to have seamless and context-driven secure access to multimedia big data that traditional multimedia systems cannot handle effectively.

We describe a motivating scenario where an enterprise in the healthcare domain maintains multimedia patient data of possibly tens of thousands of patients. The multimedia patient data pertaining to MRI, X-rays, sonograms, etc. can be text, images, and/or videos, as can be seen in Fig. 1 above. Moreover, the patient data is stored locally but can be accessed nationwide as shown in Fig. 2(a) and explained below. The volume and variety of multimedia patient data as well as the distributed nature of its access introduce the problem of who should compose the privacy policies in order to allow/deny access to patient data. We argue that the volume, variety and distributed nature of multimedia patient data access pose a big data security challenge and make it unsuitable for an enterprise to compose a unified, broad privacy policy.
The reason is that a policy that is too broad and too bulky will be unable to accurately capture the access requirements of potentially tens of thousands of users. Moreover, the