1 / 30

Scalable and Efficient Reasoning for Enforcing Role-Based Access Control for Provenance Data

Scalable and Efficient Reasoning for Enforcing Role-Based Access Control for Provenance Data. Tyrone Cadenhead Email: thc071000@utdallas.edu Advisors: Murat Kantarcioglu , and Bhavani Thuraisingham. Overview. Motivation Contributions Approach Theoretical Background:

tessa
Download Presentation

Scalable and Efficient Reasoning for Enforcing Role-Based Access Control for Provenance Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scalable and Efficient Reasoning for Enforcing Role-Based Access Control for Provenance Data Tyrone Cadenhead Email: thc071000@utdallas.edu Advisors: Murat Kantarcioglu, and BhavaniThuraisingham

  2. Overview • Motivation • Contributions • Approach • Theoretical Background: • RBAC, TRBAC, Description Logics, SWRL • Detailed Overview of Approach and Optimizations • Example • Experimental Results

  3. Motivation • Organizations tend to generate large amount of data • Users need only partial access to resources • nu users and nr roles = at most nu ×nr mappings • Scalable access control model and easy management • Handle heterogeneity in information system

  4. Motivation (cont’d) • RBAC simplifies Security Management • But Roles are statically defined • TRBAC extends RBAC • Roles are dynamically defined and have a temporal dimension • Does not address Heterogeneity inherent in organization information systems • Ontology has a Common Vocabulary • Conforms to a Description Logic (DL) formalism • As a result, ontology Knowledge Bases (KBs) has a Description Logic (DL) Reasoning Service • Can be Distributed as different Knowledge Bases

  5. Main Contributions • TRBAC Implementation using existing semantic technologies • Reasoning Service access control over large numbers of data instances in DL Knowledge Bases (KBs) • Efficiently and accurately reason about access rights • We have applied our techniques to provenance data represented as RDF graphs

  6. Approach • Transform the access control policies into the semantic web rule language (SWRL) • Partitioning the Knowledge Base into a set of smaller Knowledge Bases, which have the same TBox but a subset of the original Abox • A Knowledge Base consists of a TBox and ABox

  7. Approach (cont’d) • Achieves: 1. Scalability – support many users, roles, sessions, permissions; combinations w.r.t access control policies 2. Efficiency - determines the response time to make a decision in milliseconds 3. Correct reasoning - ensures that all the data assertions are available when applying the security policies

  8. Theoretical Background • RBAC • TRBAC • Description Logic Language (ALCQ) • SWRL

  9. RBAC

  10. TRBAC • An extension of RBAC models that supports temporal constraints on the enabling/disabling of roles. • Supports periodic role enabling and disabling, and temporal dependencies among such actions. Such dependencies are expressed by means of role triggers that can also be used to constrain the set of roles that a particular user can activate at a given time instant. • The firing of a trigger may cause a role to be enabled/disabled either immediately, or after an explicitly specified amount of time. • The enabling/disabling actions may be given a priority that may help in solving conflicts, such as the simultaneous enabling and disabling of a role

  11. Description Logics

  12. SWRL Also the Semantic Web Rule language (SWRL) is a W3C recommendation. A SWRL rule has the form are atoms of the form C(i) or atoms of the form P(i,j)

  13. Detailed Overview

  14. Step 1

  15. Step 2

  16. Step 3

  17. Inference Stage • When there is an access request for a specific patient, start executing steps 2 and 3. • Steps 2 and 3 are our inferencing stages where we enforce the security policies. • These can also be executed concurrently for many patients, as desired.

  18. Advantages • Adding SWRL rules to KBinf does not have a huge impact on the reasoning time as indicated by our experimental results. • This is due to the fact that we are only retrieving a small subset of triples which reduces the number of symbols in the ABox when the rules are applied

  19. Advantages (cont’d)

  20. Definition of a Knowledge Base (KB)

  21. (Mapping Function) • Connects two domain modules so that we have: • RBAC assignments: • the mappings user-role, role-user, role-permission, permission-role, user-session, role-role and role-session • Hospital extensions: • the mappings patient-user, user-patient and patient-session • Patient-Record constraint: • the one-to-one mappings patient-record and record-patient

  22. Home Partition

  23. (P-link)

  24. Policy Query

  25. Example

  26. Trace

  27. Optimization • Two types of indexing: • indexing the assertions • to find a triple by a subject (s), a predicate (p) or an object (o), • without the cost of a linear search over all the triples in a partition • creating a high level index. • points to the location of the partitions on disk • At most linear with respect to the number of partitions

  28. Experiments

  29. Experiments

  30. Directions • Our research has been applied to provenance data • In addition to access control, we have also carried out work on inference problem for provenance data • Implementation on the cloud is the next step

More Related