Scalable and Efficient Reasoning for Enforcing Role Based Access Control
Tyrone Cadenhead
Email: thc071000@utdallas.edu
Advisors: Murat Kantarcioglu and Bhavani Thuraisingham

Overview
- Motivation
- Contributions
- Approach
- Theoretical Background: RBAC, TRBAC, Description Logics, SWRL
- Detailed Overview of Approach and Optimizations
- Example
- Experimental Results

Motivation
1. Organizations tend to generate large amounts of data.
2. Users need only partial access to resources.
3. With n_u users and n_r roles there are at most n_u * n_r mappings.
4. A scalable access control model with easy management is needed.
5. Heterogeneity in information systems must be handled.

Motivation (cont'd)
RBAC simplifies security management, but roles are statically defined.
TRBAC extends RBAC: roles are dynamically defined and have a temporal dimension. It does not address the heterogeneity inherent in organization information systems.
An ontology has a common vocabulary and conforms to a Description Logic (DL) formalism. As a result, ontology Knowledge Bases (KBs) have a DL reasoning service and can be distributed as different Knowledge Bases.

Main Contributions
- TRBAC implementation using existing semantic technologies.
- Reasoning service: access control over large numbers of data instances in DL Knowledge Bases (KBs).
- Efficiently and accurately reason about access rights.

Approach
- Transform the access control policies into the Semantic Web Rule Language (SWRL).
- Partition the Knowledge Base into a set of smaller Knowledge Bases which have the same TBox but a subset of the original ABox. (A Knowledge Base consists of a TBox and an ABox.)

Approach (cont'd)
This achieves:
1. Scalability: support for many user, role, session and permission combinations w.r.t. the access control policies.
2. Efficiency: the response time to make a decision is measured in milliseconds.
3. Correct reasoning: all the data assertions are available when the security policies are applied.

Theoretical Background
RBAC, TRBAC, the Description Logic language ALCQ, SWRL.

RBAC / TRBAC
TRBAC is an extension of RBAC models that supports temporal constraints on the enabling and disabling of roles. It supports periodic role enabling and disabling and temporal dependencies among such actions. Such dependencies are expressed by means of role triggers, which can also be used to constrain the set of roles that a particular user can activate at a given time instant. The firing of a trigger may cause a role to be enabled or disabled either immediately or after an explicitly specified amount of time. The enabling and disabling actions may be given a priority that helps in solving conflicts, such as the simultaneous enabling and disabling of a role.

Description Logics / SWRL
The Semantic Web Rule Language (SWRL) is a W3C recommendation. A SWRL rule is built from atoms of the form C(i) or atoms of the form P(i, j).

Detailed Overview
Step 1, Step 2, Step 3.
Inference stage: when there is an access request for a specific patient, start executing steps 2 and 3. Steps 2 and 3 are our inferencing stages, where we enforce the security policies. These can also be executed concurrently for many patients, as desired.

Advantages
Adding SWRL rules to KB_inf does not have a huge impact on the reasoning time, as indicated by our experimental results. This is because only a small subset of triples is retrieved, which reduces the number of symbols in the ABox when the rules are applied.

Advantages (cont'd)

Definition of a Knowledge Base (KB)

Mapping Function
Connects two domain modules so that we have:
- RBAC assignments: the mappings user-role, role-user, role-permission, permission-role, user-session, role-role and role-session.
- Hospital extensions: the mappings patient-user, user-patient and patient-session.
- Patient record constraint: the one-to-one mappings patient-record and record-patient.

Further slides (titles only): Home Partition, P_link, Policy, Query, Example Trace.

Optimization
Two types of indexing:
1. Indexing the assertions, to find a triple by a subject s, a predicate p or an object o without the cost of a linear search over all the triples in a partition.
2. Creating a high-level index that points to the location of the partitions on disk; this is at most linear with respect to the number of partitions.

Experiments
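The two ideas the deck combines, an ABox split into per-patient partitions that share one rule set, and subject/predicate/object indexing inside each partition plus a high-level patient-to-partition index, can be seen together in a small model. The code below is an added illustration, not the authors' code or the reasoner they used: a naive forward-chaining matcher stands in for a DL reasoner with a SWRL engine, the predicate names (hasRole, hasPermission, treats, hasRecord, canDo, canRead) and the sample users and patients are constructed, and RBAC assignments are replicated into every partition so that each partition is self-contained for its patient's access decision.

```python
from collections import defaultdict


class Partition:
    """One ABox partition: the triples about a single patient, indexed by
    subject, predicate and object so a lookup never scans the whole partition."""

    def __init__(self, name):
        self.name = name
        self.triples = []
        self.by_s = defaultdict(list)
        self.by_p = defaultdict(list)
        self.by_o = defaultdict(list)

    def add(self, s, p, o):
        t = (s, p, o)
        self.triples.append(t)
        self.by_s[s].append(t)
        self.by_p[p].append(t)
        self.by_o[o].append(t)

    def lookup(self, s=None, p=None, o=None):
        """Pick one index from the bound fields, then filter on the rest."""
        if s is not None:
            cands = self.by_s.get(s, [])
        elif p is not None:
            cands = self.by_p.get(p, [])
        elif o is not None:
            cands = self.by_o.get(o, [])
        else:
            cands = self.triples
        return [t for t in cands
                if (s is None or t[0] == s)
                and (p is None or t[1] == p)
                and (o is None or t[2] == o)]


class PartitionedKB:
    """Partitions keyed by patient, plus a high-level index (patient -> partition
    name) that plays the role of the 'home partition' link on disk."""

    def __init__(self):
        self.partitions = {}
        self.home = {}

    def add(self, patient, s, p, o):
        self.partitions.setdefault(patient, Partition(patient)).add(s, p, o)
        self.home[patient] = patient


def policy_rules():
    """SWRL-style rules: (antecedent atoms, consequent atom); '?x' is a variable.
    Assumed predicate names, modelled on the deck's user-role, role-permission
    and patient-user mappings."""
    return [
        # hasRole(?u,?r) ^ hasPermission(?r,?perm) -> canDo(?u,?perm)
        ([("?u", "hasRole", "?r"), ("?r", "hasPermission", "?perm")],
         ("?u", "canDo", "?perm")),
        # canDo(?u,read) ^ treats(?u,?pt) ^ hasRecord(?pt,?rec) -> canRead(?u,?rec)
        ([("?u", "canDo", "read"), ("?u", "treats", "?pt"), ("?pt", "hasRecord", "?rec")],
         ("?u", "canRead", "?rec")),
    ]


def _unify(pattern, triple, binds):
    """Extend the bindings so pattern matches triple, or return None."""
    b = dict(binds)
    for pat, val in zip(pattern, triple):
        if pat.startswith("?"):
            if b.get(pat, val) != val:
                return None
            b[pat] = val
        elif pat != val:
            return None
    return b


def _match(part, atoms, binds):
    """Yield every binding that satisfies all atoms, using the partition's indexes."""
    if not atoms:
        yield binds
        return
    q = lambda x: binds.get(x) if x.startswith("?") else x
    s, p, o = atoms[0]
    for t in part.lookup(q(s), q(p), q(o)):
        nb = _unify(atoms[0], t, binds)
        if nb is not None:
            yield from _match(part, atoms[1:], nb)


def infer(kb, patient, rules):
    """Inference stage: run the rules to a fixpoint on this patient's partition only."""
    part = kb.partitions[kb.home[patient]]
    changed = True
    while changed:
        changed = False
        for antecedent, (cs, cp, co) in rules:
            for b in list(_match(part, antecedent, {})):
                sub = lambda x: b[x] if x.startswith("?") else x
                t = (sub(cs), sub(cp), sub(co))
                if t not in part.triples:
                    part.add(*t)
                    changed = True
    return part


def can_read(kb, patient, user, record, rules=None):
    """Access decision for one patient record, answered from that patient's partition."""
    part = infer(kb, patient, rules or policy_rules())
    return bool(part.lookup(user, "canRead", record))


def build_sample_kb():
    """Constructed sample data: one doctor, one nurse, two patients."""
    kb = PartitionedKB()
    rbac = [("drAlice", "hasRole", "Doctor"), ("nurseBob", "hasRole", "Nurse"),
            ("Doctor", "hasPermission", "read"), ("Doctor", "hasPermission", "write"),
            ("Nurse", "hasPermission", "read")]
    patients = {
        "patient1": [("drAlice", "treats", "patient1"), ("patient1", "hasRecord", "rec1")],
        "patient2": [("nurseBob", "treats", "patient2"), ("patient2", "hasRecord", "rec2")],
    }
    for pt, facts in patients.items():
        for s, p, o in rbac + facts:   # RBAC assignments replicated into every partition
            kb.add(pt, s, p, o)
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print(can_read(kb, "patient1", "drAlice", "rec1"))   # doctor treating patient1
    print(can_read(kb, "patient1", "nurseBob", "rec1"))  # nurse not assigned to patient1
```

Because the rules are applied only to the requested patient's partition, the inferred canDo and canRead triples land in that partition alone; the other partitions are untouched, which is the property that lets many patients be processed concurrently.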