1
SBAC: A Semantic Based Access Control Model
NordSec 2006
2
Motivation
  • Access control is a mechanism that allows owners
    of resources to define, manage and enforce the
    access conditions applicable to each resource.
  • But, how powerful are the current access control
    models and mechanisms?
  • Are they able to express complex access control
    policies?

3
Motivation (cntd.)
  • A complex access control policy example
  • How can this policy be represented in a computer?
  • How can a computer understand whether X is a
    friend of Y?
  • How can a computer decide whether to permit or
    deny X from settling money to the Z account of Y?
  • How can computers understand the semantics of
    these kinds of policies?
  • How can the computer use these semantics to make
    inferences when taking access control decisions?

A Bank authority is not allowed to settle money
to accounts of his friends in that bank.
4
Outline
  • Semantics representation mechanisms
  • SBAC: introduction, authorization rules, semantic
    authorization inference, authorization propagation,
    using rules for better expressivity
  • Experimental results

5
Semantic-awareness
  • For semantic-aware access control, we need a
    means for representing semantics.

6
Vocabulary
7
Taxonomy
8
Ontology
9
SBAC
10
SBAC
  • Makes its decisions in three domains:
  • Objects domain: objects are entities that are
    accessed and/or modified.
  • Subjects domain: subjects are active entities that
    require access to objects.
  • Actions domain: actions are operations that
    subjects perform on objects.
  • Each domain is represented by an ontology: the
    Subject Ontology (SO), the Object Ontology (OO)
    and the Action Ontology (AO).

11
An Example Object Ontology
12
An Example Subject Ontology
13
An Example Action Ontology
14
Authorization Rules
  • An authorization rule is in the form (s, o, a), in
    which s is an entity defined in SO, o is an entity
    defined in OO, and a is an entity defined in AO;
    an action written as -a denotes a denial.
  • This rule determines whether a subject which
    presents credential s has the access right a on
    object o or not.
  • Authorization rules are stored in an
    Authorization Base (AB).

15
Implicit Authorization rules
  • Explicit rule in AB: (S, Account, read)
  • Long Term Deposit is a subclass of Account in OO,
    so the implicit rule (S, Long Term Deposit, read)
    is inferred.
16
Semantic Authorization Inference
17
Ontology Languages
  • Graphical notations: semantic networks, topic
    maps, UML, RDF
  • Logic based: Description Logics (e.g., OIL,
    DAML+OIL, OWL), rules (e.g., RuleML, Prolog),
    first-order logic

18
OWL (Web Ontology Language)
  • OWL is an ontology language built on RDF, usually
    serialized as RDF/XML, and has been a W3C (World
    Wide Web Consortium) Recommendation since 2004.

19
An Example OWL ontology

  <rdf:RDF xmlns:owl="http://www.w3.org/2002/07/owl#"
           xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
    <owl:Class rdf:ID="Person"/>
    <owl:Class rdf:ID="Man">
      <rdfs:subClassOf rdf:resource="#Person"/>
      <owl:disjointWith rdf:resource="#Woman"/>
    </owl:Class>
    <owl:Class rdf:ID="Woman">
      <rdfs:subClassOf rdf:resource="#Person"/>
      <owl:disjointWith rdf:resource="#Man"/>
    </owl:Class>
    <owl:Class rdf:ID="Father">
      <rdfs:subClassOf rdf:resource="#Man"/>
    </owl:Class>
    <owl:Class rdf:ID="Mother">
      <rdfs:subClassOf rdf:resource="#Woman"/>
    </owl:Class>
    <owl:Class rdf:ID="Parent">
      <owl:unionOf rdf:parseType="Collection">
        <owl:Class rdf:about="#Father"/>
        <owl:Class rdf:about="#Mother"/>
      </owl:unionOf>
    </owl:Class>
  </rdf:RDF>

20
Inference on OWL Ontologies
  • Many different relationships can be defined
    between concepts in an OWL ontology: subClassOf,
    equivalentClass, disjointWith, intersectionOf,
    unionOf, complementOf.
  • Therefore complex inference engines are required
    for reasoning over all of these relationships.
  • From an access control point of view only the
    subsumption consequences of these relationships
    matter for propagating authorizations, so they
    can be reduced to the subClassOf relation.

21
Reduction to subClassOf
  • A equivalentClass B gives
    A subClassOf B and B subClassOf A
  • A unionOf B,C,D gives
    B subClassOf A, C subClassOf A and D subClassOf A

22
Authorization Propagation
  • Propagation in the subject domain: Master Card is
    a subclass of Credit Card in SO, so
    (Credit Card, Account, withdraw) implies
    (Master Card, Account, withdraw)
23
Authorization Propagation
  • Propagation in the object domain: Short Term
    Deposit is a subclass of Account in OO, so
    (Credit Card, Account, withdraw) implies
    (Credit Card, Short Term Deposit, withdraw)
24
Authorization Propagation
  • Propagation in the action domain: Withdraw is a
    sub-action (subclass) of FullAccess in AO, so a
    positive rule propagates downwards:
    (Credit Card, Account, FullAccess) implies
    (Credit Card, Account, Withdraw)
25
Authorization Propagation
  • Propagation in the action domain: a negative rule
    propagates upwards, since full access would
    include the denied withdrawal:
    (Credit Card, Account, -Withdraw) implies
    (Credit Card, Account, -FullAccess)
26
Using Rules for Better Expressivity
A Bank authority is not allowed to settle money
to accounts of his friends in that bank.
  X is_A Person, Y is_A Person, X friendOf Y,
  B is_A Bank, Y bankAuthorityOf B,
  Z accountIn B, X ownerOf Z
  ⇒ (Y, Z, -settlement)
Note that if, e.g., the knowledge base contains
John is_A Parent, the computer itself must deduce
that John is_A Person.
28
Some Experimental Results
29
Smaller Ontologies
  • Triples are used for storing ontologies in
    memory
  • (Bob, is_A, Person)
  • (Alice, is_A, Person)
  • (Alice, friendOf, Bob)

30
Smaller Ontologies (cntd.)
  • More complex constructs such as unionOf are also
    translated to triples; A unionOf B,C,D becomes
    (A, unionOf, A0) (A0, first, B) (A0, rest, A1)
    (A1, first, C) (A1, rest, A2) (A2, first, D)
    (A2, rest, nil)

31
Smaller Ontologies (cntd.)
Number of triples for A unionOf B1,...,Bn:
  • RDF list encoding: 2n+1
  • Reduced to subClassOf: n
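The pieces from slides 21 to 30 put together as an added example in Python; this is not code from the SBAC paper, from these slides or from any SBAC implementation. It stores ontologies as triples, encodes a unionOf as an RDF collection (2n+1 triples) and reduces it to n subClassOf triples, computes the subClassOf/is_A closure (so John is_A Parent yields John is_A Person), propagates authorizations through the subject, object and action domains with the upward propagation of denials, and derives the "friend of a bank authority" rule. All class and individual names (MasterCard, Acct1, BankB, ...) are made up, and the conflict policy in decide() (a reachable denial wins; no reachable rule means deny) is an assumption the slides do not state.

```python
# Added example, not code from the SBAC paper or slides: a triple store
# (slide 29), the reduction to subClassOf (slides 21 and 30), propagation
# in the three domains (slides 22-25) and the slide-27 rule. All names are
# made up; the conflict policy in decide() is an assumption.

class Triples:
    """Minimal in-memory (subject, predicate, object) store."""
    def __init__(self):
        self.t = set()
    def add(self, s, p, o):
        self.t.add((s, p, o))
    def objs(self, s, p):
        return {o for (x, q, o) in self.t if x == s and q == p}
    def subjs(self, p, o):
        return {s for (s, q, x) in self.t if q == p and x == o}

def add_union(kb, cls, members):
    """'cls unionOf members' as an RDF collection (slide 30): 2n+1 triples."""
    node, added = cls + "0", []
    added.append((cls, "unionOf", node))
    for i, m in enumerate(members):
        nxt = "nil" if i == len(members) - 1 else f"{cls}{i + 1}"
        added += [(node, "first", m), (node, "rest", nxt)]
        node = nxt
    for s, p, o in added:
        kb.add(s, p, o)
    return added

def reduce_to_subclassof(kb):
    """Slide 21: equivalentClass -> two subClassOf, unionOf -> one subClassOf
    per member; the first/rest list cells are dropped, leaving n triples."""
    r = Triples()
    for s, p, o in kb.t:
        if p == "equivalentClass":
            r.add(s, "subClassOf", o)
            r.add(o, "subClassOf", s)
        elif p == "unionOf":
            node = o
            while node != "nil":                    # walk the collection
                for m in kb.objs(node, "first"):
                    r.add(m, "subClassOf", s)
                (node,) = kb.objs(node, "rest")
        elif p not in ("first", "rest"):
            r.add(s, p, o)
    return r

def closure(kb, x, up=True):
    """x plus all nodes reachable along subClassOf/is_A: upward gives the
    ancestors (John -> Parent -> Person, slide 27), downward the descendants."""
    seen, todo = {x}, [x]
    while todo:
        cur = todo.pop()
        for p in ("subClassOf", "is_A"):
            for nxt in (kb.objs(cur, p) if up else kb.subjs(p, cur)) - seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def decide(kb, ab, s, o, a):
    """Slides 22-25: rule (S, O, A) reaches request (s, o, a) when S and O are
    ancestors of s and o; a positive A reaches its sub-actions, a negative
    '-A' reaches every action above A. Assumed, not stated on the slides:
    a reachable denial wins, and no reachable rule means deny."""
    reach = lambda S, O: S in closure(kb, s) and O in closure(kb, o)
    denied = any(reach(S, O) and A[1:] in closure(kb, a, up=False)
                 for (S, O, A) in ab if A.startswith("-"))
    allowed = any(reach(S, O) and A in closure(kb, a)
                  for (S, O, A) in ab if not A.startswith("-"))
    return allowed and not denied

def friend_denials(kb):
    """Slide 27: X,Y is_A Person, X friendOf Y, B is_A Bank, Y bankAuthorityOf B,
    Z accountIn B, X ownerOf Z  =>  (Y, Z, -settlement)."""
    out = set()
    for x, _, y in {t for t in kb.t if t[1] == "friendOf"}:
        if "Person" in closure(kb, x) and "Person" in closure(kb, y):
            for b in kb.objs(y, "bankAuthorityOf"):
                if "Bank" in closure(kb, b):
                    out |= {(y, z, "-settlement") for z in kb.objs(x, "ownerOf")
                            if b in kb.objs(z, "accountIn")}
    return out

def build_example():
    """Constructed knowledge base and authorization base (assumed names)."""
    kb = Triples()
    for s, p, o in [("Parent", "subClassOf", "Person"), ("BankB", "is_A", "Bank"),
                    ("MasterCard", "subClassOf", "CreditCard"),
                    ("Withdraw", "subClassOf", "FullAccess"),
                    ("Deposit", "equivalentClass", "Account"),
                    ("John", "is_A", "Parent"), ("Alice", "is_A", "Person"),
                    ("John", "friendOf", "Alice"), ("Alice", "bankAuthorityOf", "BankB"),
                    ("Acct1", "accountIn", "BankB"), ("John", "ownerOf", "Acct1"),
                    ("Acct1", "is_A", "ShortTermDeposit")]:
        kb.add(s, p, o)
    add_union(kb, "Account", ["LongTermDeposit", "ShortTermDeposit"])
    kb = reduce_to_subclassof(kb)
    ab = {("CreditCard", "Account", "FullAccess"),     # slide 24
          ("MasterCard", "Account", "-Withdraw"),      # cf. slide 25
          ("Person", "Account", "settlement")} | friend_denials(kb)
    return kb, ab
```

With the constructed base, decide(kb, ab, "MasterCard", "LongTermDeposit", "FullAccess") is denied because the -Withdraw rule on Master Card climbs to FullAccess, while the same request from a plain Credit Card is permitted; Alice is denied settlement on Acct1 through the derived rule although the general (Person, Account, settlement) grant reaches her, and John, who is not a bank authority, keeps it. closure() is recomputed on every call for readability; a production engine would materialize the subClassOf closure once over the reduced ontology, which is exactly the cost the slides' triple counts are about.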
32
Smaller Ontologies (cntd.)
33
Lower reasoning time
Times are in milliseconds
34
Summary and Conclusions
  • We showed how ontologies can be used in
    representing semantics of access control domains.
  • We showed how these semantics can be used for
    inferring new implicit rules.
  • We also showed how rules can be used for
    increasing the expressivity.
  • The experimental results showed better reasoning
    time when working with reduced ontologies.

35
Thanks for your attention!
  • Questions?

36
Definitions
  • The Semantic Web is an extension of the current
    Web which gives information a well-defined meaning
    and makes machines capable of interpreting and
    processing that information.
  • An access control mechanism should assure that
    only eligible users are granted an access right,
    and that each eligible user is able to access all
    the resources that s/he is authorized for.

37
Reduction in the scope of OWL class axioms
38
Reduction in the scope of OWL individual axioms
39
Reduction in the scope of OWL property
restrictions
40
Actions in SBAC