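Intelligent and Distributed Computing Laboratory
  Research on Policy Conflict Resolution in Role-Based Access Control
Name: 杨黎
Thesis defense date: 2007.01.26
Thesis submission date: 2007.02.06
Thesis level: Master's
Chinese title: Research on Policy Conflict Resolution in Role-Based Access Control (translated from 基于角色访问控制的策略冲突消解研究)
English title: Research on Policy Conflicts Solution of Role-based Access Control Model
Advisor 1: 卢正鼎
Advisor 2:
Chinese keywords: distributed system; multi-domain; role-based access control; policy conflict; ontology; description logic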
English keywords: Distributed system; Multi-domain; Role-based Access Control; Policy conflict; Ontology; Description Logic
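Chinese abstract (translated): Secure interoperation across multiple domains requires integrated, coordinated and unified security management. Resolving the policy conflicts that arise from multi-domain interoperation is the foundation of multi-domain integration. An ontology is a formal specification of a shared conceptual model, and a modeling tool that can describe the conceptual model of an information system at the semantic and knowledge levels. Ontology tools are used to describe and control the entities and policies within role-based access control (RBAC) domains, and ontology reasoning is used to resolve the policy conflicts of multi-domain RBAC integration, thereby achieving secure integration of the system.

A reasoning method for ontologies with SWRL rules is given. To address the undecidability of SWRL reasoning, SWRL rules are converted into DL-safe rules to obtain decidability. For an OWL-DL knowledge base KB and a program P, the goal is to find a common model of π(KB) and P. After the goal problem is transformed into an ABox, the Tableau method is used to check the consistency of the target ABox, which yields the solution to the original problem.

Description logic is used to build an ontology knowledge base for the RBAC model. The ontology provides a unified modeling method for the entities within autonomous domains, giving secure interoperability at the semantic level. The entities in RBAC are defined as concepts in the ontology. The SWRL rule language is used to describe the policy rules of multi-domain RBAC. Modal operators are introduced to express authorization policies and obligation policies.

The policy conflicts of multi-domain RBAC integration are summarized and classified fairly comprehensively. The causes of the conflicts are discussed. A formal ontology description of policy conflict detection is given, and ontology reasoning with SWRL rules is used to detect conflicts. Corresponding resolution methods are given for the different causes of policy conflicts.

Finally, a simulation system for policy conflict resolution based on role-based access control is designed and implemented. In this system, the access control policies of a single autonomous domain are defined in the instance set (ABox) of the knowledge base. The system adopts a single-ontology approach. It provides functions for loading the TBox, the policy base and the ABox; after loading, it performs reasoning and integration to handle conflict detection and resolution.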
English abstract: Multi-domain secure interoperation needs integrated, cooperative and uniform security management. Solving the conflicts that arise in interoperation is the basis of multi-domain integration. An ontology is a formal, explicit specification of a shared conceptualization. It is a modeling tool that can describe the concept model of an information system at the semantic and knowledge levels. With the help of ontology, the entities and policies in domains that are supported by the RBAC model are described and controlled. For the goal of secure integration, an ontology reasoning method is used to solve conflicts.

A method for reasoning on SWRL-enabled ontologies is proposed. SWRL is designed to be the rule language of the Semantic Web. Because it is undecidable, we introduce a decidable variant of SWRL, DL-safe rules. Our approach is to transform SWRL rules into DL-safe ones to make reasoning decidable. For an OWL-DL knowledge base KB and a program P, the goal is to find a common model of π(KB) and P. With the goal transformed into an ABox, we can deal with it by checking the consistency of the resulting ABox using the Tableau method.

We use Description Logic to build an ontology knowledge base on the RBAC model. We define concepts in the ontology for the entities in a domain. The policy rules are described in the Semantic Web Rule Language (SWRL). We add modal operators to Description Logic to describe authorization policies and obligation policies.

We study conflicts in multi-domain integration and classify them broadly. The causes of conflicts are analyzed. We use the reasoning method for SWRL-enabled ontologies to detect conflicts. Corresponding solutions are given for the different causes of conflicts.

Finally, a simulation system for solving conflicts in multi-domains supported by the RBAC model is designed and implemented. In the system, the access control policies of a single domain are defined in the assertional part (ABox). The system can load the TBox, the policy base and the ABox. After loading, it reasons over the ontology for integration, to detect and resolve conflicts.