Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable and E ffi cient Reasoning for Enforcing Role-Based Access Control Tyrone Cadenhead Advisors: Murat Kantarcioglu, and.

Published byPercival Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Scalable and E ffi cient Reasoning for Enforcing Role-Based Access Control Tyrone Cadenhead Advisors: Murat Kantarcioglu, and."— Presentation transcript:

1 Scalable and E ffi cient Reasoning for Enforcing Role-Based Access Control Tyrone Cadenhead Email: thc071000@utdallas.edu Advisors: Murat Kantarcioglu, and Bhavani Thuraisingham

2 Overview  Motivation  Contributions  Approach  Theoretical Background: –RBAC, TRBAC, Description Logics, SWRL  Detailed Overview of Approach and Optimizations  Example  Experimental Results

3 Motivation 1.Organizations tend to generate large amount of data 2.Users need only partial access to resources 3.n u users and n r roles = at most n u ×n r mappings 4.Scalable access control model and easy management 5.Handle heterogeneity in information system

4 Motivation (cont’d)  RBAC simplifies Security Management –But Roles are statically defined  TRBAC extends RBAC –Roles are dynamically defined and have a temporal dimension –Does not address Heterogeneity inherent in organization information systems  Ontology has a Common Vocabulary –Conforms to a Description Logic (DL) formalism As a result, ontology Knowledge Bases (KBs) has a Description Logic (DL) Reasoning Service –Can be Distributed as different Knowledge Bases

5 Main Contributions  TRBAC Implementation using existing semantic technologies  Reasoning Service access control over large numbers of data instances in DL Knowledge Bases (KBs)  E ffi ciently and accurately reason about access rights

6 Approach  Transform the access control policies into the semantic web rule language (SWRL)  Partitioning the Knowledge Base into a set of smaller Knowledge Bases, which have the same TBox but a subset of the original Abox  A Knowledge Base consists of a TBox and ABox

7 Approach (cont’d)  Achieves: 1. Scalability – support many users, roles, sessions, permissions; combinations w.r.t access control policies 2. E ffi ciency - determines the response time to make a decision in milliseconds 3. Correct reasoning - ensures that all the data assertions are available when applying the security policies

8 Theoretical Background RBAC TRBAC Description Logic Language (ALCQ) SWRL

9 RBAC

10 TRBAC An extension of RBAC models that supports temporal constraints on the enabling/disabling of roles. Supports periodic role enabling and disabling, and temporal dependencies among such actions. Such dependencies are expressed by means of role triggers that can also be used to constrain the set of roles that a particular user can activate at a given time instant. The firing of a trigger may cause a role to be enabled/disabled either immediately, or after an explicitly specified amount of time. The enabling/disabling actions may be given a priority that may help in solving conflicts, such as the simultaneous enabling and disabling of a role

11 Description Logics

12 SWRL Also the Semantic Web Rule language (SWRL) is a W3C recommendation. A SWRL rule has the form are atoms of the form C(i) or atoms of the form P(i,j)

13 Detailed Overview

14 Step 1

15 Step 2

16 Step 3

17 Inference Stage When there is an access request for a specific patient, start executing steps 2 and 3. Steps 2 and 3 are our inferencing stages where we enforce the security policies. These can also be executed concurrently for many patients, as desired.

18 Advantages Adding SWRL rules to KBinf does not have a huge impact on the reasoning time as indicated by our experimental results. This is due to the fact that we are only retrieving a small subset of triples which reduces the number of symbols in the ABox when the rules are applied

19 Advantages (cont’d)

20 Definition of a Knowledge Base (KB)

21 (Mapping Function) Connects two domain modules so that we have: –RBAC assignments: the mappings user-role, role-user, role-permission, permission-role, user- session, role-role and role-session –Hospital extensions: the mappings patient-user, user-patient and patient-session –Patient-Record constraint: the one-to-one mappings patient-record and record-patient

22 Home Partition

23 (P-link)

24 Policy Query

25 Example

26 Trace

27 Optimization  Two types of indexing: 1.indexing the assertions to find a triple by a subject (s), a predicate (p) or an object (o), without the cost of a linear search over all the triples in a partition 2. creating a high level index. points to the location of the partitions on disk At most linear with respect to the number of partitions

28 Experiments

29

Download ppt "Scalable and E ffi cient Reasoning for Enforcing Role-Based Access Control Tyrone Cadenhead Advisors: Murat Kantarcioglu, and."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Intelligent Technologies Module: Ontologies and their use in Information Systems Revision lecture Alex Poulovassilis November/December 2009.

Intelligent Technologies Module: Ontologies and their use in Information Systems Revision lecture Alex Poulovassilis November/December 2009.
OWL - DL. DL System A knowledge base (KB) comprises two components, the TBox and the ABox The TBox introduces the terminology, i.e., the vocabulary of.

OWL - DL. DL System A knowledge base (KB) comprises two components, the TBox and the ABox The TBox introduces the terminology, i.e., the vocabulary of.
Chronos: A Tool for Handling Temporal Ontologies in Protégé

Chronos: A Tool for Handling Temporal Ontologies in Protégé
CPSC 322, Lecture 23Slide 1 Logic: TD as search, Datalog (variables) Computer Science cpsc322, Lecture 23 (Textbook Chpt 5.2 & some basic concepts from.

CPSC 322, Lecture 23Slide 1 Logic: TD as search, Datalog (variables) Computer Science cpsc322, Lecture 23 (Textbook Chpt 5.2 & some basic concepts from.
Ontologies and the Semantic Web by Ian Horrocks presented by Thomas Packer 1.

Ontologies and the Semantic Web by Ian Horrocks presented by Thomas Packer 1.
Xyleme A Dynamic Warehouse for XML Data of the Web.

Xyleme A Dynamic Warehouse for XML Data of the Web.
Dynamic Ontologies on the Web Jeff Heflin, James Hendler.

Dynamic Ontologies on the Web Jeff Heflin, James Hendler.
CPSC 322, Lecture 23Slide 1 Logic: TD as search, Datalog (variables) Computer Science cpsc322, Lecture 23 (Textbook Chpt 5.2 & some basic concepts from.

CPSC 322, Lecture 23Slide 1 Logic: TD as search, Datalog (variables) Computer Science cpsc322, Lecture 23 (Textbook Chpt 5.2 & some basic concepts from.
Knowledge Acquisitioning. Definition The transfer and transformation of potential problem solving expertise from some knowledge source to a program.

Knowledge Acquisitioning. Definition The transfer and transformation of potential problem solving expertise from some knowledge source to a program.
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.

Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.

Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.
Ontology translation: two approaches Xiangkui Yao OntoMorph: A Translation System for Symbolic Knowledge By: Hans Chalupsky Ontology Translation on the.

Ontology translation: two approaches Xiangkui Yao OntoMorph: A Translation System for Symbolic Knowledge By: Hans Chalupsky Ontology Translation on the.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.

Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.
Knowledge Mediation in the WWW based on Labelled DAGs with Attached Constraints Jutta Eusterbrock WebTechnology GmbH.

Knowledge Mediation in the WWW based on Labelled DAGs with Attached Constraints Jutta Eusterbrock WebTechnology GmbH.
Managing Large RDF Graphs (Infinite Graph) Vaibhav Khadilkar Department of Computer Science, The University of Texas at Dallas FEARLESS engineering.

Managing Large RDF Graphs (Infinite Graph) Vaibhav Khadilkar Department of Computer Science, The University of Texas at Dallas FEARLESS engineering.
Chapter 4 The Relational Model.

Chapter 4 The Relational Model.
Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.

Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.

Similar presentations

Ads by Google