Scalable and Efficient Reasoning for Enforcing Role-Based Access Control


Scalable and Efficient Reasoning for Enforcing Role-Based Access Control
Tyrone Cadenhead
Email: thc071000@utdallas.edu
Advisors: Murat Kantarcioglu and Bhavani Thuraisingham

Overview
- Motivation
- Contributions
- Approach
- Theoretical Background: RBAC, TRBAC, Description Logics, SWRL
- Detailed Overview of Approach and Optimizations
- Example
- Experimental Results

Motivation
- Organizations tend to generate large amounts of data
- Users need only partial access to resources
- With nu users and nr roles there are at most nu × nr user-role mappings
- A scalable access control model with easy management is needed
- It must handle the heterogeneity of information systems

Motivation (cont'd)
- RBAC simplifies security management, but roles are statically defined
- TRBAC extends RBAC: roles are dynamically defined and have a temporal dimension; it does not address the heterogeneity inherent in organizational information systems
- An ontology has a common vocabulary and conforms to a Description Logic (DL) formalism
- As a result, ontology Knowledge Bases (KBs) have a DL reasoning service and can be distributed as different Knowledge Bases

Main Contributions
- A TRBAC implementation using existing semantic technologies
- A reasoning service for access control over large numbers of data instances in DL Knowledge Bases (KBs)
- Efficient and accurate reasoning about access rights

Approach
- Transform the access control policies into the Semantic Web Rule Language (SWRL)
- Partition the Knowledge Base into a set of smaller Knowledge Bases that share the same TBox but each hold a subset of the original ABox
- A Knowledge Base consists of a TBox and an ABox

Approach (cont'd)
Achieves:
1. Scalability: supports many users, roles, sessions and permissions, and their combinations w.r.t. the access control policies
2. Efficiency: the response time to make a decision is measured in milliseconds
3. Correct reasoning: ensures that all the data assertions are available when the security policies are applied

Theoretical Background
- RBAC
- TRBAC
- Description Logic language (ALCQ)
- SWRL

RBAC

TRBAC
- An extension of RBAC models that supports temporal constraints on the enabling/disabling of roles.
- Supports periodic role enabling and disabling, and temporal dependencies among such actions.
- Such dependencies are expressed by means of role triggers, which can also be used to constrain the set of roles that a particular user can activate at a given time instant.
- The firing of a trigger may cause a role to be enabled/disabled either immediately or after an explicitly specified amount of time.
- The enabling/disabling actions may be given a priority that helps in resolving conflicts, such as the simultaneous enabling and disabling of a role.

Description Logics

SWRL
- The Semantic Web Rule Language (SWRL) is also a W3C recommendation.
- A SWRL rule has the form shown on the slide; its atoms are of the form C(i) or P(i,j).

Detailed Overview

Step 1

Step 2

Step 3

Inference Stage When there is an access request for a specific patient, start executing steps 2 and 3. Steps 2 and 3 are our inferencing stages where we enforce the security policies. These can also be executed concurrently for many patients, as desired.

Advantages
- Adding SWRL rules to KBinf does not have a large impact on the reasoning time, as indicated by our experimental results.
- This is because we retrieve only a small subset of triples, which reduces the number of symbols in the ABox when the rules are applied.

Advantages (cont’d)

Definition of a Knowledge Base (KB)

(Mapping Function)
Connects two domain modules so that we have:
- RBAC assignments: the mappings user-role, role-user, role-permission, permission-role, user-session, role-role and role-session
- Hospital extensions: the mappings patient-user, user-patient and patient-session
- Patient-Record constraint: the one-to-one mappings patient-record and record-patient
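As an added illustration (not code from the slides or the authors' system) of the approach above, the following Python builds a per-patient partition of a constructed ABox (same TBox, subset of assertions, following the mapping-function predicates) and evaluates one SWRL-style access rule over it, with TRBAC-style role enabling windows that are an assumption of this example.

```python
from collections import defaultdict

# Constructed hospital ABox as (subject, predicate, object) assertions.
# Predicates mirror the mapping function on the slide (user-role,
# role-permission, patient-user, patient-record); all values are made up.
ABOX = [
    ("alice", "hasRole", "Physician"),
    ("carol", "hasRole", "OnCallPhysician"),
    ("bob", "hasRole", "Nurse"),
    ("Physician", "hasPermission", "readRecord"),
    ("OnCallPhysician", "hasPermission", "readRecord"),
    ("Nurse", "hasPermission", "readVitals"),
    ("p1", "hasUser", "alice"), ("p1", "hasUser", "bob"), ("p1", "hasUser", "carol"),
    ("p1", "hasRecord", "rec1"),
    ("p2", "hasUser", "bob"), ("p2", "hasRecord", "rec2"),
]
# Assumed TRBAC-style enabling windows per role as [start_hour, end_hour).
ENABLED = {"Physician": (0, 24), "OnCallPhysician": (20, 24), "Nurse": (8, 20)}

def home_partition(abox, patient):
    """Subset of the ABox reachable from one patient: same TBox, smaller ABox."""
    seeds, part = {patient}, []
    while True:
        new = [t for t in abox if t[0] in seeds and t not in part]
        if not new:
            return part
        part.extend(new)
        seeds.update(o for _, _, o in new)

def can_read(partition, user, record, hour):
    """SWRL-style rule evaluated over a single partition:
    hasUser(?p,?u) ^ hasRecord(?p,?r) ^ hasRole(?u,?role) ^
    hasPermission(?role, readRecord) ^ enabled(?role, hour) -> canRead(?u,?r)"""
    idx = defaultdict(set)          # (subject, predicate) -> objects
    for s, p, o in partition:
        idx[(s, p)].add(o)
    patients = [s for s, p, o in partition if p == "hasRecord" and o == record]
    if not any(user in idx[(pat, "hasUser")] for pat in patients):
        return False                # user is not assigned to the record's patient
    for role in idx[(user, "hasRole")]:
        start, end = ENABLED.get(role, (0, 0))
        if start <= hour < end and "readRecord" in idx[(role, "hasPermission")]:
            return True
    return False
```

Because rec2's assertions never enter patient p1's partition, a request for rec2 evaluated there is denied even for a user who holds readRecord.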

Home Partition

(P-link)

Policy Query

Example

Trace

Optimization
Two types of indexing:
- Indexing the assertions, so that a triple can be found by its subject (s), predicate (p) or object (o) without the cost of a linear search over all the triples in a partition
- Creating a high-level index that points to the location of the partitions on disk; its cost is at most linear in the number of partitions
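An added example (not the authors' implementation) of the two index levels described above: an in-partition index by subject, predicate and object that answers triple patterns by intersecting index hits, and a high-level index that maps each partition key to its file on disk. File layout and names are assumptions of this example.

```python
import json
import os
import tempfile
from collections import defaultdict

class Partition:
    """One ABox partition with indexes by subject, predicate and object."""
    def __init__(self, triples):
        self.triples = [tuple(t) for t in triples]
        self.by_s, self.by_p, self.by_o = defaultdict(set), defaultdict(set), defaultdict(set)
        for i, (s, p, o) in enumerate(self.triples):
            self.by_s[s].add(i)
            self.by_p[p].add(i)
            self.by_o[o].add(i)

    def lookup(self, s=None, p=None, o=None):
        """Answer a triple pattern by intersecting index hits, never a full scan."""
        hits = None
        for key, index in ((s, self.by_s), (p, self.by_p), (o, self.by_o)):
            if key is not None:
                ids = index.get(key, set())
                hits = ids if hits is None else hits & ids
        if hits is None:                  # pattern (?, ?, ?) asks for everything
            hits = range(len(self.triples))
        return [self.triples[i] for i in sorted(hits)]

class PartitionStore:
    """High-level index: partition key -> file path on disk, one entry per partition."""
    def __init__(self, root=None):
        self.root = root or tempfile.mkdtemp()   # constructed on-disk location
        self.locations = {}

    def save(self, key, triples):
        path = os.path.join(self.root, f"{key}.json")
        with open(path, "w") as f:
            json.dump(triples, f)
        self.locations[key] = path

    def load(self, key):
        """Open only the partition the high-level index points to."""
        with open(self.locations[key]) as f:
            return Partition(json.load(f))
```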

Experiments

Experiments