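Intelligent and Distributed Computing Laboratory
  Research on Ontology-Based RBAC Policies in Distributed Environments
Name: Wang Zhigang
Thesis defense date: 2006.05.09
Thesis submission date: 2006.05.23
Thesis level: Doctoral
Chinese title: Research on Ontology-Based RBAC Policies in Distributed Environments
English title: The Study of Ontology-Based RBAC Policies in Distributed Environments
Advisor 1: Lu Zhengding
Advisor 2:
Chinese keywords: Distributed environment; role-based access control; ontology; policy specification; policy integration; reasoning
English keywords: Distributed environment; Role-based access control; Ontology; Policy specification; Policy integration; Reasoning
Total pages: 111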
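Chinese abstract: With the rapid development of network and information technology, computing paradigms such as pervasive computing, the Semantic Web, grid computing, and multi-agent systems have shown great vitality. They all operate in open, distributed computing environments, and achieving secure interoperation in such environments requires solving the problem of sharing, exchanging, and integrating security information among multiple heterogeneous autonomous domains, which is a major challenge for research on access control systems. Most existing research focuses on specific problems of access control in particular environments and lacks an examination of distributed environments as a whole. After a detailed study of distributed environments, a general method is proposed that uses ontology, an emerging technology, to describe and control the various entities within an administrative domain, thereby meeting the goal of secure integration of the system as a whole. To address the key problems of specification, reasoning, and integration in a distributed access control policy framework, and on the basis of a thorough abstraction of role-based access control policies, OntoRBAC is proposed: a family of ontology models for role-based access control. The entities in RBAC are defined as concepts in the policy ontology, authorizations are defined as policy rules, and both are formally declared in a description logic language. Functionally, the model consists of five parts: a base submodel, a hierarchy submodel, a constraint submodel, a modality submodel, and an overall model. It provides strong support for the RBAC96 model and extends it in useful ways in entity hierarchy description, constraint description, and modal authorization. An ontology describes real-world concepts and the relationships among them, but it cannot express causal inference relationships between concepts. The Semantic Web Rule Language (SWRL) provides the ability to define such inference rules between ontology concepts, but at present it cannot be combined well with the description logic reasoning of ontologies. A subset of SWRL, Description Horn Logic (DHL), is therefore introduced. Within DHL, description logic can be transformed into Horn logic, and this transformation is proved to be semantics-preserving, so the corresponding description logic reasoning can be replaced by Horn logic reasoning. With the three rule-based reasoning methods of Horn logic (forward reasoning, backward reasoning, and hybrid reasoning), reasoning over ontologies and ontology rules can be carried out. In addition, the inference rules of each OntoRBAC submodel are defined concretely within DHL, and all access control decisions are made on the basis of these inference rules. To address the conflicts that may arise in policy specification and integration, two reasoning algorithms for paraconsistent ontology knowledge bases are proposed: the terminate-on-conflict algorithm and the maximal consistency algorithm. These two algorithms do not introduce non-monotonic reasoning directly. Instead, they try to find a consistent subset of the paraconsistent ontology knowledge base and provide monotonic reasoning on the basis of that subset, which greatly helps in achieving monotonic reasoning over inconsistent ontology bases, and they can be applied to conflict resolution in OntoRBAC. Policy integration is an important requirement in secure interoperation. Building on the policy specification and reasoning described above, and adopting the main ideas and methods of single-ontology-based policy integration, policy integration in OntoRBAC is formally defined and the declaration methods used in policy integration are given. These declarations include cross-domain authorization rule definitions, cross-domain role hierarchy mapping definitions, entity hierarchy mapping definitions, and entity consistency declarations, and these methods support and extend general RBAC policy integration approaches. OntoRBAC requires a policy server to implement centralized policy management, and this approach is weak at managing distributed authorization. The thesis therefore discusses how to introduce a trust management mechanism on top of OntoRBAC, using PMI and attribute certificates to implement distributed authorization. Ontology and trust are combined in distributed access control, and a corresponding architectural framework, TrustOntoRBAC, is proposed. Based on the above theoretical and experimental results, an OntoRBAC prototype system was developed, whose main functions cover policy definition, policy loading and reasoning, and policy enforcement, and a performance analysis and evaluation of the algorithm implementations is given through experiments on the system.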
English abstract: Many emerging computational systems such as pervasive computing environments, the Semantic Web, grid computing, and multi-agent systems fit the paradigm of open, dynamic distributed systems. These systems have to accommodate a wide range of domain knowledge across diverse organizational boundaries, adapt to heterogeneous and autonomous domains, and manage variations caused by the movement of users, ambiguous boundaries, and permutable services, all of which pose large challenges to access control systems. While much past research has focused on problems of special situations in distributed environments that were fairly static, issues relating to regulating constantly evolving domains have not been as thoroughly explored. New techniques are required to govern the behavior of entities in these environments so that even though each entity makes individual decisions, the overall system objectives are also satisfied. In particular, the goal is to develop a policy framework: an ontology-based, declarative policy approach is proposed, in which the norms or rules of ideal behavior of entities in RBAC in these environments are described in a machine-understandable specification language. The primary contribution is OntoRBAC, a family of ontology-based policy specification models for building RBAC policy-directed architectures. OntoRBAC allows policies to be described in terms of attributes of users, actions, and other context, and supports greater extensibility because policies can be described over domain knowledge at different levels of abstraction. It also describes policy rules to express authorizations in autonomous domains. These policies describe what an entity can or must do in a certain context and how to deduce the behavior of entities without affecting the underlying mechanisms and architecture. It is fully compatible with the RBAC96 model, which is accepted by most researchers, and extends the model in its own ways.
Along with providing the openness required in these environments, this approach also shows how to reason about these policies and application-specific rules even in the presence of conflicts. Because ontologies and description logic are limited in expressing application logic, the Semantic Web Rule Language (SWRL) is introduced to describe the reasoning rules of OntoRBAC. Description Horn Logic (DHL), a subset of SWRL, is brought in to reason about rules based on ontologies. The transformation in DHL from Description Logic to Horn Logic is discussed, to support reasoning over the ontology and rules. Three kinds of rule-based reasoning algorithms are also discussed. Correspondingly, the reasoning rules for the OntoRBAC models are defined in DHL, and these are then used for policy decisions. There must be ways to resolve the conflicts arising from policy specification and integration. Two kinds of reasoning over inconsistent ontology knowledge bases, the cancel_while_conflict and max_consistency algorithms, are therefore discussed to provide meaningful monotonic deduction in these KBs, and they are used to eliminate conflicts in OntoRBAC. Integration is another important issue in the policy framework. Based on the specification and reasoning mentioned above, approaches to integration through a single global ontology are introduced into OntoRBAC. Some details are given to support and extend the traditional policy integration approaches. Meanwhile, trust management is also introduced into the framework. PMI and X.509 attribute certificates are used for distributed authorization between autonomous domains based on the OntoRBAC policies, which combines trust and ontology in access control as a whole. The above theoretical principles and practical techniques are adopted to develop a prototype of OntoRBAC. The architecture and components are introduced. The evaluation of the algorithms and the results of the performance analysis are also reported.