1 / 19

Logics for Data and Knowledge Representation

Explore the new challenges in access control, including dynamic permissions, time and location-based access, and state-of-the-art models. Learn about the RelBAC model and logic for automated reasoning.

flanery
Download Presentation

Logics for Data and Knowledge Representation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Logics for Data and Knowledge Representation Application of DLs: RelBAC

  2. Outline • New Challenges for Access Control • Model and Logic • Automated Reasoning • Reasoning tasks • SoD

  3. New Challenges NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Objects • Files, documents, pictures … • Various scales: eBusiness, eScience … • Various types: Blogs, Wiki, Flickr, Youtube … • Subjects • Social networks: MySpace, Facebook, Google+ • Permissions • Read, Write …

  4. Dynamic Permissions NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Time • Access time, duration, frequency, etc. • Location • Physical address • System • System condition such as load, connection number, priority, etc.

  5. State of the Art NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • AC Models • AM • ACL • MAC, DAC • RBAC • TBAC • Formalisms • Non-logical • Logical - Request - Access - Use

  6. Motivations NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Natural • Friendly to ordinary user • Automated tools for management • Flexible • Coverage of various domains • Extensible for new requests • Formal • Compact syntax and semantics • Security Analysis

  7. RelBAC Model NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • SUBJECT: Client, Friend, Programmer, Developer… • OBJECT: File, Email, Picture, Music, Video, Tags, … • PERMISSION: Read, Upload, Correct, Remove, … PERMIS-SION SUBJECT OBJECT

  8. Logic Language NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • ALCQI • ALC = AL with full concept negation • Q = Qualified number restrictions • I = inverse properties * a RelBAC rule may take the form of equality, but rarely used.

  9. The partial order NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING SUBJECT HIERARCHY: Coder ⊑ KnowDive OBJECT HIERARCHY: Video ⊑ Entertainment PERMISSION HIERARCHY: Write ⊑ Read

  10. Access Control Rules NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Three kinds of axioms • General Access Control Rules • User-centric vs. Object-centric rules

  11. Access Control Rules: example NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING

  12. TAC (Total Access Control)Rule NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • All to all mapping “Close friends can read all the entertainment files.”Close ⊑∀Read.Entertain

  13. Correspondences to Motivations NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Natural • permission  binary relation • partial order  subsumption axiom • rule  formula(e) • Flexible • hierarchy  partial order • attribute  binary relation • Formal • Description logics

  14. Reasoning Services NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • TBox ‘A business friend can update some entries.’ • ABox ‘Bob is a business friend.’ • ABox + TBox ‘Bob is a business friend so that he can update some entries.’ • Design vs. Run time Reasoning

  15. Reasoning Tasks: Design NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Hierarchy IPod ⊑ DigitalDevice • Membership DigitalDevice(ipod-2g0903) • Separation of duties ‘customer and sales manager are to be separated.’ • High-level Concern ‘the 3 users to commit an order should include 1 customer, 1 sales agent and 1 sales manager.’

  16. Design Time Reasoning: Hierarchy NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING OBJECTS Alice’s online shop Digital Device Software Apple Lenovo Symantec IPod IPhone Norton AntiVirus

  17. Design Time Reasoning: Membership NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING SUBJECTS Alice’s Social Network Business Lesure Bob Supplyer Customer Sport Music Apple Lenovo VIP Soccer Hiking Jazz Jane

  18. Separation of Duties (from RBAC) NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • ‘For a task consisting of n steps, no one can complete all the steps to complete the task.’ ⊓i=1n ∃Pi.Oi ⊑ ⊥ • ‘…no one can complete more than one of the steps.’ ∃Pi.Oi ⊓ ∃Pi.Oj ⊑ ⊥ 1≤i<j≤n ‘To cash out a check, a check has to be signed by a customer and cashed out by a clear (in a bank).’ ∃Sign.Check ⊓ ∃Cashout.Check ⊑ ⊥

  19. Separation of Duties: High-level Concern NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING • Composition of the k users • Order ⊑ ≥1 Initiate-1.Customer ⊔ ≥1 Process-1.Agent ⊔ ≥1 Check-1.Manager Initiates an order Fulfill an order Customer Processes the order Checks the order Agent Manager

More Related