Scalable and Efficient Reasoning for Enforcing Role-Based Access Control - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Scalable and Efficient Reasoning for Enforcing
Role-Based Access Control
  • Tyrone Cadenhead
  • Email: thc071000_at_utdallas.edu
  • Advisors: Murat Kantarcioglu and Bhavani
    Thuraisingham

2
Overview
  • Motivation
  • Contributions
  • Approach
  • Theoretical Background
  • RBAC, TRBAC, Description Logics, SWRL
  • Detailed Overview of Approach and Optimizations
  • Example
  • Experimental Results

3
Motivation
  1. Organizations tend to generate large amounts of
    data
  2. Users need only partial access to resources
  3. With n_u users and n_r roles there are at most
    n_u * n_r user-role mappings
  4. Need a scalable access control model with easy
    management
  5. Need to handle the heterogeneity of information
    systems

4
Motivation (contd)
  • RBAC simplifies security management
  • But roles are statically defined
  • TRBAC extends RBAC
  • Roles are dynamically defined and have a temporal
    dimension
  • Neither addresses the heterogeneity inherent in
    organizational information systems
  • An ontology provides a common vocabulary
  • It conforms to a Description Logic (DL) formalism
  • As a result, ontology Knowledge Bases (KBs) have
    a Description Logic (DL) reasoning service
  • They can be distributed as different Knowledge Bases

5
Main Contributions
  • TRBAC implementation using existing semantic
    technologies
  • Reasoning service for access control over large
    numbers of data instances in DL Knowledge Bases
    (KBs)
  • Efficiently and accurately reason about access
    rights

6
Approach
  • Transform the access control policies into the
    Semantic Web Rule Language (SWRL)
  • Partition the Knowledge Base into a set of
    smaller Knowledge Bases, which share the same TBox
    but each hold a subset of the original ABox
  • A Knowledge Base consists of a TBox (terminology)
    and an ABox (assertions)

7
Approach (contd)
  • Achieves:
  • 1. Scalability - supports many combinations of
    users, roles, sessions and permissions w.r.t. the
    access control policies
  • 2. Efficiency - the response time to make an access
    decision is in milliseconds
  • 3. Correct reasoning - ensures that all the data
    assertions are available when the security
    policies are applied

8
Theoretical Background
  • RBAC
  • TRBAC
  • Description Logic Language (ALCQ)
  • SWRL

9
RBAC

10
TRBAC
  • An extension of RBAC models that supports
    temporal constraints on the enabling/disabling of
    roles.
  • Supports periodic role enabling and disabling,
    and temporal dependencies among such actions.
    Such dependencies are expressed by means of role
    triggers that can also be used to constrain the
    set of roles that a particular user can activate
    at a given time instant.
  • The firing of a trigger may cause a role to be
    enabled/disabled either immediately, or after an
    explicitly specified amount of time.
  • The enabling/disabling actions may be given a
    priority that may help in solving conflicts, such
    as the simultaneous enabling and disabling of a
    role.
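As an added illustration (not code from the slides), the trigger semantics above modelled in Python: a fired trigger schedules an enable or disable action immediately or after a delay, periodic actions re-schedule themselves, and when an enable and a disable of the same role fall on the same instant the higher priority wins. The class and role names are hypothetical, and the tie-break (disable wins on equal priority) is an assumption the slides do not state.

```python
import heapq
from dataclasses import dataclass, field

@dataclass(order=True)
class Action:
    """An enable/disable action scheduled by a trigger; ordered by time only."""
    time: int
    role: str = field(compare=False)
    enable: bool = field(compare=False)
    priority: int = field(compare=False)
    period: int = field(compare=False, default=0)   # >0 re-schedules the action periodically

class RoleStatus:
    """Tracks which roles are currently enabled (hypothetical class, not the slides' code)."""
    def __init__(self):
        self.enabled, self.queue = set(), []

    def trigger(self, now, role, enable, priority=1, delay=0, period=0):
        """A fired trigger enables/disables `role` immediately or after an explicit delay."""
        heapq.heappush(self.queue, Action(now + delay, role, enable, priority, period))

    def advance(self, until):
        """Apply every action due up to `until`; actions on the same role at the same
        instant are resolved by priority (assumption: on a tie the disable wins)."""
        while self.queue and self.queue[0].time <= until:
            t, due = self.queue[0].time, []
            while self.queue and self.queue[0].time == t:
                due.append(heapq.heappop(self.queue))
            winner = {}
            for a in due:
                b = winner.get(a.role)
                if b is None or a.priority > b.priority or (a.priority == b.priority and not a.enable):
                    winner[a.role] = a
                if a.period:                            # periodic enabling/disabling
                    heapq.heappush(self.queue, Action(t + a.period, a.role, a.enable, a.priority, a.period))
            for a in winner.values():
                (self.enabled.add if a.enable else self.enabled.discard)(a.role)
        return set(self.enabled)

    def can_activate(self, user_roles, role):
        """A user may activate a role only if it is assigned to them and currently enabled."""
        return role in user_roles and role in self.enabled
```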

11
Description Logics

12
SWRL
  • The Semantic Web Rule Language (SWRL) is a
    W3C recommendation. A SWRL rule has the form
  • where the atoms are of the form C(i) or of the form
    P(i,j)

13
Detailed Overview
14
Step 1

15
Step 2

16
Step 3

17
Inference Stage
  • When there is an access request for a specific
    patient, start executing steps 2 and 3.
  • Steps 2 and 3 are our inferencing stages, where we
    enforce the security policies.
  • These can also be executed concurrently for many
    patients, as desired.

18
Advantages
  • Adding SWRL rules to KBinf does not have a huge
    impact on the reasoning time, as indicated by our
    experimental results.
  • This is because we only retrieve a small subset
    of triples, which reduces the number of symbols in
    the ABox when the rules are applied.

19
Advantages (contd)

20
Definition of a Knowledge Base (KB)
21
(Mapping Function)
  • Connects two domain modules so that we have:
  • RBAC assignments
    • the mappings user-role, role-user,
      role-permission, permission-role, user-session,
      role-role and role-session
  • Hospital extensions
    • the mappings patient-user, user-patient and
      patient-session
  • Patient-Record constraint
    • the one-to-one mappings patient-record and
      record-patient

22
Home Partition

23
(P-link)

24
Policy Query
25
Example

26
Trace
27
Optimization
  • Two types of indexing:
  • 1. Indexing the assertions
    • to find a triple by a subject (s), a predicate
      (p) or an object (o)
    • without the cost of a linear search over all the
      triples in a partition
  • 2. Creating a high-level index
    • points to the location of the partitions on disk
    • at most linear with respect to the number of
      partitions

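An added example (not the presentation's own code) covering the approach of slides 6, 7 and 21 and the indexing of slide 27: a toy in-memory knowledge base whose ABox is split into per-patient home partitions via the patient-user, user-role and role-permission mappings, each partition keeping s/p/o indexes so triple patterns are answered without a linear scan, and one SWRL-style access rule evaluated over the small partition only. The class, predicate names and sample triples are all constructed for illustration.

```python
from collections import defaultdict

class Partition:
    """ABox triples with subject/predicate/object indexes (hypothetical helper)."""
    def __init__(self):
        self.triples, self.seen = [], set()
        self.idx = {k: defaultdict(set) for k in "spo"}

    def add(self, s, p, o):
        if (s, p, o) not in self.seen:                 # a partition holds each triple once
            self.seen.add((s, p, o))
            self.triples.append((s, p, o))
            for key, val in zip("spo", (s, p, o)):
                self.idx[key][val].add(len(self.triples) - 1)

    def find(self, s=None, p=None, o=None):
        """Answer a triple pattern by intersecting index hits, not by a linear scan."""
        sets = [self.idx[k][v] for k, v in zip("spo", (s, p, o)) if v is not None]
        hits = set.intersection(*sets) if sets else set(range(len(self.triples)))
        return [self.triples[i] for i in sorted(hits)]

def home_partition(kb, patient):
    """Home partition of one patient: the TBox is shared, only the ABox triples
    reached via the patient-user, user-role and role-permission mappings are copied."""
    part = Partition()
    for t in kb.find(s=patient) + kb.find(o=patient):
        part.add(*t)
    for u, _, _ in kb.find(p="assignedTo", o=patient):        # patient-user mapping
        for _, _, r in kb.find(s=u, p="hasRole"):             # user-role mapping
            part.add(u, "hasRole", r)
            for t in kb.find(s=r, p="hasPermission"):         # role-permission mapping
                part.add(*t)
    return part

def can_read(part, user, record):
    """SWRL-style rule evaluated over the small partition only: assignedTo(u,pt) ^
    hasRecord(pt,rec) ^ hasRole(u,r) ^ hasPermission(r,readRecord) -> canRead(u,rec)"""
    for _, _, pt in part.find(s=user, p="assignedTo"):
        if part.find(s=pt, p="hasRecord", o=record):
            for _, _, r in part.find(s=user, p="hasRole"):
                if part.find(s=r, p="hasPermission", o="readRecord"):
                    return True
    return False

KB = Partition()                      # constructed sample ABox: two patients, two users
for t in [("alice", "hasRole", "Physician"), ("Physician", "hasPermission", "readRecord"),
          ("bob", "hasRole", "Billing"), ("Billing", "hasPermission", "readInvoice"),
          ("alice", "assignedTo", "p1"), ("bob", "assignedTo", "p1"), ("alice", "assignedTo", "p2"),
          ("p1", "hasRecord", "rec1"), ("p2", "hasRecord", "rec2")]:
    KB.add(*t)
```

The billing clerk is assigned to patient p1 but holds no readRecord permission, so the rule denies him rec1, and alice's access to rec2 is denied inside p1's partition because that record simply is not there.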
28
Experiments
29
Experiments