Service Outsourcing Character Oriented Privacy Conflict Detection Method in Cloud Computing

Cloud computing provides services to users as a software paradigm. However, its openness, virtualization, and service outsourcing features make it difficult to ensure the security of privacy information, so how to protect user privacy information has become a research focus. In this paper, firstly, we model the service privacy policy and the user privacy preference with description logic. Secondly, we use the Pellet reasoner to verify consistency and satisfiability, so as to detect privacy conflicts between services and the user. Thirdly, we present an algorithm for detecting privacy conflicts in the process of cloud service composition and prove the correctness and feasibility of the method by case study and experiment analysis. Our method can reduce the risk of sensitive user privacy information being illegally used and propagated by outsourcing services. In the meantime, it avoids the exceptions caused by privacy conflicts in the process of service composition and improves the trust degree of cloud service providers.


Introduction
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. With the characteristics of service outsourcing, virtualization, distribution, and multitenancy, cloud computing has become a new computing paradigm and research focus. These characteristics enhance service quality and reduce the waste of computing resources; for example, service outsourcing enhances service capability and specialization through service composition [2]. Because privacy information is transparent to the outsourcing service provider, users worry that it will be hard to prevent user privacy data from being illegally propagated and used. For example, Google was sued by many users in America because of its new unified privacy policy implemented from March 1st, 2012. In Europe, the implementation of this new privacy policy was investigated by the European Union and postponed. According to the analysis by the American Electronic Privacy Information Center, Google's new privacy policies do not consider how privacy data is used in each product and to whom privacy data is propagated according to the user privacy requirement, and these policies may conflict with local laws. Therefore, privacy protection in cloud computing has become a research focus in this evolving computing paradigm.
Privacy was originally proposed as the human right to be let alone [3]. In the domain of information systems and software engineering, privacy protection means the capability of preventing individual information from being collected, disclosed, and stored by others [4]. The Platform for Privacy Preferences (P3P) [5], developed by the World Wide Web Consortium (W3C) in 2002, provides a standard, machine-understandable privacy policy, which is matched against the user privacy preference. According to the matching results, the user can select a service that meets the privacy preference. However, the privacy requirement described in P3P lacks semantic information, and P3P applies only to web sites.

Related Works
We classify the related works on privacy protection into two parts: computing-process-oriented privacy protection and data-oriented privacy protection. The first part is further divided into model and verification of privacy requirement, matching and negotiation of privacy policy, and disclosure and risk. The second part is further divided into obfuscation, encryption, and anonymity of privacy data. In the meantime, we organize the related works into tables and compare them in terms of contributions, applied computing paradigm, support for service composition, and support for semantics. We highlight our work in the tables; detailed contents are shown in Table 1.
Since our work focuses on privacy policy matching, we mainly discuss the related works on this theme. Other related works are organized into the tables without further discussion. Barth et al. [17] defined user and service provider privacy policies, respectively, on the basis of analyzing current privacy rules and proposed an automatic privacy policy matching method, which can check the type of privacy data, the objective of privacy data disclosure, the collector, and the maintenance period of privacy data. Wei et al. [18] researched privacy data protection policy in pervasive computing applications, built a privacy model and privacy policy axioms by using many-sorted logic and description logic, and proposed a reasoning method for privacy policy which can check the inconsistency among policies.

Motivation
To explicitly clarify our research issue, we present an application scenario as follows.
Suppose Tom wants to buy a commodity from seller B through service S in cloud computing; service S requires Tom to input his sensitive privacy information, such as real name, bank account, mobile phone number, and detailed address. Without negotiating a privacy agreement with service S, Tom may worry about two aspects.
(1) Privacy information may be illegally used or propagated by service S or seller B. Because there is no privacy agreement, Tom cannot sue service S or seller B to recover financial or emotional losses. If Tom does not eagerly want the service, then once he has a privacy conflict with the service provider, he will stop the service and select another one. The scenario is shown in Figure 1(a).
(2) If Tom eagerly wants to obtain the service, he will provide sensitive privacy information to service S. However, if the privacy information is disclosed, it causes financial or emotional losses. The scenario is shown in Figure 1(b).
In this paper, our motivation is to build a service that automatically performs privacy conflict detection for both user and service provider in cloud computing. Through this service, services satisfying the user privacy requirement are discovered, so as to protect user privacy information from being illegally used and propagated.

Description logic, the basis of the Ontology Web Language for Services (OWL-S), is a decidable subset of first-order logic and a formalism for representing knowledge. Description logic is also called term logic, terminological knowledge representation language, concept language, and term representation language. Description logic is composed of concepts, roles, and individuals. Complex concepts and roles can be described by simple concepts and roles.

Basic Theories
In this paper, we build a model of the privacy negotiation between service provider and user by taking advantage of description logic, transforming the privacy conflict issue into a decidability issue for the Tableau algorithm. Suppose A and B are atomic concepts, C and D are concept descriptions, φ and ψ are atomic formulas, a and b represent individuals, and R and S represent atomic roles. Basic constructors include atomic negation ¬, intersection ⊓, value restriction ∀, and limited existential quantification ∃. This basic description logic is called ALC. All concept descriptions in ALC can be obtained through the following syntax rule:

C, D ::= A | ⊤ | ⊥ | ¬A | C ⊓ D | ∀R.C | ∃R.C. (1)

All formulas in ALC can be obtained from the atomic formulas C(a) and R(a, b). The syntax and semantics of (1) are shown in Table 2.
The Tableau algorithm is an algorithm for detecting satisfiability among concepts in description logic. Since reasoning issues in description logic can be specified as satisfiability issues among concepts, most reasoners, such as Pellet and FaCT, use the Tableau algorithm. Supposing that the negation normal form of concept C is nnf(C), the notation A[path] of each concept represents the path on which the concept is generated. The reasoning rules of the Tableau algorithm are as follows.
(5) ∀ rule: supposing A = {A1, A2}, if ∀S⋅C ∈ A(x) and x has an S-successor y such that C ∉ A(y), then set A(y) = A(y) ∪ {C}.

Other information is omitted; for example, the detailed information of profile and capability is not shown in Figure 2. We can express the outsourcing service metamodel as follows: Outsourcing Service Metamodel = (∃hasProfile.Profile) ⊓ (∃hasPrivacy.Privacy) ⊓ (∃hasCapability.Capability).
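As an illustration, the ⊓, ∃, and ∀ rules of the Tableau algorithm can be sketched as a toy satisfiability check over concept trees. The tuple encoding and function names below are our own illustrative assumptions, and concepts are assumed to be already in negation normal form:

```python
def satisfiable(concept):
    """Toy Tableau check for the ¬A / C ⊓ D / ∀R.C / ∃R.C fragment.
    Concepts are nested tuples, e.g. ('and', ('atom', 'A'), ('not', ('atom', 'A')))."""
    def expand(label):
        label = set(label)
        changed = True
        while changed:                      # ⊓ rule: add both conjuncts
            changed = False
            for c in list(label):
                if c[0] == 'and':
                    for part in (c[1], c[2]):
                        if part not in label:
                            label.add(part)
                            changed = True
        for c in label:                     # clash: A and ¬A in the same label
            if c[0] == 'atom' and ('not', c) in label:
                return False
        for c in label:                     # ∃ rule creates a successor node;
            if c[0] == 'exists':            # ∀ rule propagates into it
                successor = {c[2]}
                for d in label:
                    if d[0] == 'forall' and d[1] == c[1]:
                        successor.add(d[2])
                if not expand(successor):
                    return False
        return True
    return expand({concept})
```

For example, ∃R.A ⊓ ∀R.¬A is unsatisfiable: the ∃ rule creates a successor labeled {A}, the ∀ rule adds ¬A to it, and the clash check fails.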
Definition 2 (privacy in the outsourcing service). Privacy can be expressed as a 2-tuple, namely, Privacy ⊑ {Input, Precondition}, in which the mapping is a TBox. We can express it as follows: Privacy ⊑ ∃hasInput(service-metamodel, input) ⊓ ∃hasPrecondition(service-metamodel, precondition).
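The metamodel and Definition 2 can be sketched as plain data structures; the class and field names below are illustrative assumptions, not part of the paper's formalism:

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Privacy:
    # Definition 2: privacy as the 2-tuple {Input, Precondition}
    inputs: List[str] = field(default_factory=list)
    preconditions: List[str] = field(default_factory=list)

@dataclass
class OutsourcingService:
    # Metamodel: (∃hasProfile.Profile) ⊓ (∃hasPrivacy.Privacy) ⊓ (∃hasCapability.Capability)
    profile: str
    privacy: Privacy
    capability: str
```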

Service Trust Degree Metric
Definition 3 (trust degree T). Trust degree is the level to which a service or service provider can be trusted. We can express it as T = Δ(S, A, Re), in which S represents security, certifying the truth and integrity of data and the trustworthiness of QoS, A represents the ability of the service or service provider to meet the user security requirement, and Re represents the reputation of the service or service provider as regarded by users [26]. S, A, and Re are the attributes of trust degree.
(1) Security evaluation mainly evaluates whether the service provides encryption, digital signature, or WSLA security, as defined in formula (3), in which en(s) represents that service s supports encryption, ds(s) represents that service s supports digital signature, and wsla(s) represents that service s provides WSLA security.
(2) Capability evaluation is defined by the frequency of user access in formula (4), in which Users(t) represents the users who access service s during period t and count(s, u, t) represents the number of times service s is accessed during period t by user u ∈ Users(t).
(3) Reputation evaluation is computed from user feedback and defined in formula (5), in which U(s, t) represents the collection of users who evaluate service s during period t, eval(s, u, τ) represents the evaluation information from user u at time τ, e^(−λ(t_now − τ)) is the time attenuation function with attenuation factor λ, and t_now is the current time.
From formulas (3), (4), and (5), we obtain the formula for the service trust degree, T = Σ_i w_i v_i, in which w_i is the weight of trust-degree attribute i of the service and v_i is the value of that attribute. Set θ as the threshold of the user's expected service trust degree. If T ≥ θ, the user accepts all privacy attributes of the service and the system needs no further privacy conflict detection; otherwise, the system has to detect privacy conflicts to satisfy the user privacy preference.
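A minimal sketch of the trust-degree computation described above, assuming a normalized time-attenuated reputation average and the weighted sum T = Σ_i w_i v_i; the function names and the normalization choice are our illustrative assumptions:

```python
import math

def reputation(evaluations, lam, t_now):
    """Time-attenuated reputation in the shape of formula (5): recent
    feedback counts more via the factor e^(-lam * (t_now - t))."""
    weighted = sum(score * math.exp(-lam * (t_now - t)) for t, score in evaluations)
    total = sum(math.exp(-lam * (t_now - t)) for t, _ in evaluations)
    return weighted / total if total else 0.0

def trust_degree(attr_values, weights):
    """T = sum_i w_i * v_i (formula (6)); the weights are assumed to sum to 1."""
    return sum(w * v for w, v in zip(weights, attr_values))

def needs_conflict_detection(T, theta):
    # If T >= theta, the user accepts the service's privacy attributes outright.
    return T < theta
```

For instance, with security 1.0, capability 0.8, reputation 0.9 and weights (0.3, 0.3, 0.4), the trust degree is 0.9.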

Privacy Conflict Detection
Definition 4 (sensitive degree). Sensitive privacy items are items whose level is set for privacy information according to user habit, scenario, and outsourcing service trust degree. The sensitive degree is the value of a sensitive item. User privacy information is therefore classified as sensitive or nonsensitive privacy information on the basis of its sensitive degree.
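The classification in Definition 4 can be sketched as follows; the item names and the numeric degree scale are illustrative assumptions:

```python
def classify_privacy(items, sensitivity, threshold):
    """Split privacy items into sensitive / nonsensitive by sensitive degree.
    `sensitivity` maps each item to a degree in [0, 1]."""
    sensitive = [i for i in items if sensitivity.get(i, 0.0) >= threshold]
    nonsensitive = [i for i in items if sensitivity.get(i, 0.0) < threshold]
    return sensitive, nonsensitive
```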
Definition 5 (user privacy preference). A constraint is expressed by the user based on the sensitive degree of the user privacy information; a constraint is an assertion that should be satisfied by the outsourcing service. An assertion is represented by π. The user privacy preference is the collection of assertions and is mapped into an ABox.

Example 6. When customer Tom sends a request to outsourcing service s and the trust degree of service s or of its provider is equal to or greater than the threshold, namely, T ≥ θ, Tom discloses his real name and mobile phone as the service input or precondition. The constraint can be obtained with the privacy preference editor and can be expressed as follows: π = ∃holdrealName(s, Tom) ⊓ holdmobilePhone(s, 123456).

Definition 9 (matching between user privacy preference and privacy item). There are two kinds of results for the matching, shown as follows.
(1) All services in outsourcing service collection satisfy user privacy preference.
For the privacy item collection corresponding to the outsourcing services to be composed, V = {v_1, v_2, v_3, ..., v_n} is an assignment that satisfies ABox A for π, namely, satisfying the following formula, in which V(s_i) represents one outsourcing service in the service collection to be composed, ⟨v_i⟩π_i represents the matching relationship between privacy item v_i and privacy preference constraint π_i, and Φ represents that all services satisfy the user privacy preference; the corresponding formula is V(s_1) → ⟨v_1⟩π_1 ∧ ⋯ ∧ V(s_n) → ⟨v_n⟩π_n.
(2) Some but not all services in outsourcing service collection satisfy user privacy preference.
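The two matching outcomes above can be sketched as a partition of the candidate services; treating a preference constraint as a set of permitted privacy items is our simplifying assumption:

```python
def matches(service_items, allowed):
    # ⟨v⟩π holds when every privacy item the service requests is permitted
    return all(i in allowed for i in service_items)

def partition_services(services, allowed):
    """Case (1): `violating` is empty, all services satisfy the preference.
    Case (2): only the services in `satisfying` do."""
    satisfying = {s for s, items in services.items() if matches(items, allowed)}
    violating = set(services) - satisfying
    return satisfying, violating
```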

Privacy Conflict Detection
Algorithm. Suppose the atomic service collection of the service provider is S = {s_1, s_2, ..., s_n}, its corresponding privacy item collection is privacyItems = {i_1, i_2, i_3, ..., i_n}, and π is the user privacy preference assertion. The process of privacy conflict detection is as follows.
In the process of service composition, the service input and precondition are first obtained from the OWL-S service description document, from which the privacy items of the service can also be obtained. Then privacy conflict detection keeps running against the user privacy preference assertion π, or an extension of π, until a service collection that satisfies π is found. If no service collection satisfies π, then the service composition is stopped.
The first and second lines of Algorithm 1 are the input and output, respectively. Lines three to five, respectively, initialize the queue of the service sequence to be privacy-detected, the queue of the privacy item collection, and the queue of the service sequence that meets the user privacy preference after detection. Lines six to ten enqueue the service sequence to be privacy-detected and obtain the trust degree value and privacy item collection of each atomic service in turn. Lines eleven to twenty-one bind the privacy item collection with the trust degree value, enqueue it into the privacy item collection queue, and take the head of the queue to detect privacy conflicts with the Tableau algorithm; if there is no conflict, the service enters the queue of services that satisfy the user privacy preference; otherwise, a new service is rebound.
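The queue-based loop described above can be sketched as follows. Here trust_of, items_of, and satisfies stand in for the trust degree calculator, the OWL-S extraction, and the Tableau-based conflict check, and the rebinding of alternative services is elided; all names are illustrative assumptions:

```python
from collections import deque

def detect_conflicts(services, trust_of, items_of, satisfies, theta):
    """Sketch of Algorithm 1: enqueue services, bind trust degree and
    privacy items, and keep the services that pass the conflict check."""
    to_check = deque(services)       # service sequence to be privacy-detected
    item_queue = deque()             # bound (service, trust degree, privacy items)
    accepted = deque()               # services meeting the user privacy preference
    while to_check:
        s = to_check.popleft()
        item_queue.append((s, trust_of(s), items_of(s)))
    while item_queue:
        s, t, items = item_queue.popleft()
        # T >= theta skips detection entirely; otherwise run the conflict check
        if t >= theta or satisfies(items):
            accepted.append(s)
        # else: the full algorithm would rebind an alternative service here
    return list(accepted)
```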

Privacy Conflict Detection
Framework.There are two layers for privacy conflict detection framework.
Privacy Conflict Predetection Layer. The part with the slash background in Figure 3 represents the privacy conflict predetection layer. This part mainly implements the following three functions.
(1) User privacy preference is edited with the privacy preference editor and expressed as privacy preference assertions.
(2) The user comment information and QoS in the service description document are evaluated by the trust degree calculator, so as to obtain the trust degree value of each service.
(3) The input and precondition in the service description document are captured by XPath and refined into privacy items.
Finally, the privacy preference assertions, trust degree, and privacy items are saved into the privacy conflict detection knowledge base.
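A sketch of function (3), the XPath-style capture of input and precondition elements from a service description; the simplified XML tags below are illustrative assumptions, not actual OWL-S markup:

```python
import xml.etree.ElementTree as ET

# Hypothetical, simplified stand-in for an OWL-S service description
OWLS_SNIPPET = """<service>
  <input>realName</input>
  <input>mobilePhone</input>
  <precondition>T &gt;= theta</precondition>
</service>"""

def extract_privacy_items(owls_xml):
    # Capture input and precondition elements with XPath-style queries,
    # then refine both into a single privacy-item list.
    root = ET.fromstring(owls_xml)
    inputs = [e.text for e in root.findall(".//input")]
    preconditions = [e.text for e in root.findall(".//precondition")]
    return inputs + preconditions
```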
Privacy Conflict Detection Layer. The part with the grid background in Figure 3 represents the privacy conflict detection layer.
The privacy conflict detection layer contains the knowledge base and the privacy conflict reasoner, in which the knowledge base is made up of the privacy preference assertions, trust degree, and privacy items. In this layer, privacy conflict detection over the knowledge base is implemented by the privacy conflict reasoner, and the detection result is returned to the user.
Therefore, the framework of privacy conflict detection is shown in Figure 3.

Case Study and Experiment Analysis
6.1. Case Study. We demonstrate the feasibility and effectiveness of our method by taking online purchase as an example. First, we make the following assumptions.
(i) The fewer privacy items a service requires, the lower the probability that user privacy information will be disclosed.
(ii) The fewer atomic services in a service composition, the smaller the scope over which user privacy information is propagated and the lower the risk of disclosure. Therefore, in this example we make the payment term cash on delivery to decrease the possibility of propagation or disclosure of sensitive user privacy information, like Credit-Card-no., ID-Card-no., or Real-name, among atomic service providers.
The online purchase service includes the customer (Tom), the cloud service composer (CSC), and three associated participants, which are the online purchase platform (the E-commerce service), the seller, and the shipper. In Figure 4, we also depict the foundation services of the E-commerce service, like the cryptographic service, operating system service, and infrastructure service. Name, address, postcode, and phone are the customer's personal privacy data. The purchase process is as follows.
When the customer sends an order request to the seller through the CSC and the E-commerce service, the E-commerce service, seller, and shipper send privacy data requests to the customer through the CSC, and the obtained privacy data serves as input and precondition. Once the privacy data is obtained, the seller sends the goods to the customer through the shipper. The shipper collects the payment and returns it to the seller. Considering that cloud computing is distributed and all entities in cloud computing are services, we suppose that all privacy data are encrypted by the cryptographic service before being transmitted to the OS service and infrastructure service. Therefore, we focus only on the use and disclosure of privacy data in outsourcing services other than the OS service and infrastructure service. In this paper, we design a privacy conflict detection service between the customer and the CSC. This service detects the conflict between the privacy data requested by each outsourcing service and the customer privacy requirement and then sends feedback to the CSC and the customer. The detailed process is shown in Figure 4.

In this case, the service composition participants include the E-commerce service, seller, and shipper. Since the E-commerce service, seller, and shipper hold the same user privacy data in the business process, we will just discuss the privacy preference π = ∃holdrealName(s, realName) ⊓ ∀holdAddress(s, addressWithoutCommunity) ⊓ holdofficePhone(s, officePhone).

Third Step. Detect privacy conflicts by taking advantage of the privacy conflict reasoner.

Experiment Analysis.
We build the ontology file "privacy-conflict-detection.owl" with Protégé, which is based on the Java language and developed by Stanford University. The concepts and instances in the ontology are mapped into the TBox. Privacy preference assertions are defined with concepts, items, and instances and are mapped into the ABox. The TBox and ABox compose the privacy conflict detection knowledge base. We save the ontology file "privacy-conflict-detection.owl" to the test directory on disk E: of the local computer and then reason over the ontology file with the Pellet reasoner, which is developed by the MINDSWAP lab at the University of Maryland. The Pellet version used in this experiment is 2.3.0.
The ontology model contains 255 axioms, of which 175 are logical axioms, as well as 25 individuals, 33 classes, 21 object properties, and 1 data property, as shown in Figure 5. Firstly, we use a command to detect the consistency of the concepts in the ontology file. The command is pellet consistency e:\test\privacy-conflict-detection.owl. The running result is shown in the red box in Figure 5, namely, consistent. It means that the privacy items of the service providers satisfy semantic consistency.
Secondly, we use a command to detect the satisfiability between the ontology concepts and the logic axioms in the ontology file, namely, whether the relationships among ontology concepts satisfy the logic axioms. The running result, shown in the green box in Figure 5, is "found no unclassifiable concepts." This result means that the privacy concept owned by privacyHolder in the ontology file meets the user privacy preference assertion π. PrivacyHolder in the ontology file is the service provider in the privacy conflict detection knowledge base. Therefore, the result shows that there is no conflict between the user privacy preference and the service provider privacy policy.

Conclusions and Future Work
In this paper, we obtain the input and precondition of a service from the OWL-S service description document in cloud computing, model the service privacy items and the user privacy preference by taking advantage of a knowledge base, verify the decidability of the knowledge base with the Tableau algorithm, and detect conflicts between the service privacy items and the user privacy preference, so as to enable the user to choose a service collection that meets the user privacy preference. We also provide a privacy conflict detection algorithm. Through case study we prove the feasibility and effectiveness of our method. Future work is to negotiate privacy items between user and service provider, so as to meet both the user and the service provider privacy requirements.
Figure 1: (a) Service is terminated because of privacy conflict. (b) Service proceeds with privacy information disclosed.

Figure 4: Case of online shopping.

Figure 5: Checking results in privacy conflict detection ontology.

Table 1: Comparison of related works.

Table 2: Syntax and semantics of ALC.
privacyItems = {i_1, i_2, i_3, ..., i_n}. From the perspective of set theory, privacy items are a subset of the outsourcing service input and precondition; namely, i_k ⊆ (I, P), 0 ≤ k ≤ n, in which V is the privacy data collection, d is the privacy data requested to be disclosed, and I and P, respectively, represent the input and precondition of outsourcing services.
Example 7. When customer Tom sends a request to outsourcing service s but the trust degree of service s or of its provider is less than the threshold, namely, T < θ, Tom will use his nickname and office phone as the service input or precondition, not willing to disclose his real name and mobile phone.

Take advantage of the ∃ rule of the Tableau algorithm: suppose A = {A_1, A_2}; if ∃S⋅C ∈ A(x) and x does not have an S-successor y such that C ∈ A(y), then add a node y and assign A(x, y) = S and A(y) = {C}.