Translating Usage Control Policies to Semantic Rules: A Model using OrBAC and SWRL

Abstract

The increasing volume of data in various environments such as IoT and the need to maintain data privacy and security have led to the development of usage control models. Usage control policies are models that enable fine-grained access control over data by enforcing restrictions on how users can use the data. Semantic mechanisms, on the other hand, use context and meaning to identify potential security threats and prevent them from accessing sensitive information. Although not widely explored, merging these two techniques could create an efficient mechanism to help ensure the confidentiality, integrity, and availability of critical data and resources. This paper aims to encourage this research path by proposing a translation model that converts usage control rules into SWRL. In particular, we consider during our approach the notions of context, permission and prohibition. The proposition is validated by constructing a multi-layer proof of concept that uses ontologies and OWL for implementing the translation model. Furthermore, to ascertain the practicality of our approach, a time processing evaluation is conducted, and the results are found to be satisfactory.

Publication
In The 27th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems (KES'2023)
Ranking
ERA: B; Qualis: B1
Location
Athens, Greece, September 6-8, 2023

Keywords

usage control, semantic web rule language, security


OrBAC is a usage control model for defining dynamic security rules, that is, rules that may be active (or not) depending on the context (a Boolean predicate) at the time they are verified. OrBAC also supports permission, prohibition or obligation rules. The model is also very interesting because it comes with a tool for editing and testing security policies: MotOrBAC. This tool also provides a Java API, which makes it possible to integrate such security policies into any Java project.

In this article we present how to translate OrBAC rules into SWRL, which lets us use the expressive power of OrBAC without going through either the dedicated MotOrBAC tool or its API. Any semantic web tool or library supporting SWRL can do the job (e.g. the SWRL API developed by the Protégé team).

Manuel Munier
Associate Professor in Computer Science

My research interests include information security, risk management, and privacy.
