Download - Logics for Data and Knowledge Representation
![Page 1: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/1.jpg)
Logics for Data and Knowledge Representation
Application of DLs: RelBAC
![Page 2: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/2.jpg)
Outline
2
New Challenges for Access Control Model and Logic Automated Reasoning
Reasoning tasks SoD
![Page 3: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/3.jpg)
New Challenges
3
Objects Files, documents, pictures … Various scales: eBusiness, eScience … Various types: Blogs, Wiki, Flickr, Youtube …
Subjects Social networks: MySpace, Facebook, Google+
Permissions Read, Write …
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 4: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/4.jpg)
Dynamic Permissions
4
Time Access time, duration, frequency, etc.
Location Physical address
System System condition such as load, connection number,
priority, etc.
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 5: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/5.jpg)
State of the Art
5
AC Models AM ACL
MAC, DAC RBAC TBAC
Formalisms Non-logical Logical
Right Pencil Pen
Einstein Use -Use
- Request- Access- Use
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 6: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/6.jpg)
Motivations
6
Natural Friendly to ordinary user Automated tools for management
Flexible Coverage of various domains Extensible for new requests
Formal Compact syntax and semantics Security Analysis
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 7: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/7.jpg)
RelBAC Model
7
SUBJECT: Anna, Bob, Client 001, Friends, …
OBJECT: File, Email, Picture, Music, Video, Tags, …
PERMISSION: Read, Upload, Correct, Remove, …
SUBJECT OBJECTPERMIS-SION
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 8: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/8.jpg)
Logic Language
8
ALCQI ALC = AL with full concept negation Q = Qualified number restrictions I = inverse properties
* a RelBAC rule may take the form of equality, but rarely used.
ER Model DL Formalization
SUBJECT Concept
OJBECT Concept
PERMISSION Role
PARTIAL ORDER Subsumption
RULE Subsumption *
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 9: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/9.jpg)
The partial order
9
A1≥A2 iff A1⊑A2
S1≥S2 iff S1⊑S2
O1≥O2 iff O1⊑O2
P1≥P2 iff P1⊑P2
SUBJECT HIERARCHY: Coder KnowDive⊑
OBJECT HIERARCHY: Video Entertainment⊑
PERMISSION HIERARCHY: Write Read⊑
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 10: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/10.jpg)
Access Control Rules
10
Three kinds of axioms
General Access Control Rules
User-centric vs. Object-centric rules
C≡D C D⊑ C D⊒
S⊑∃P.O (1) S⊑≥n P.O (5)
O⊑∃P-1.S (2) O⊑≥n P-1.S (6)
S⊑∀P.O (3) S⊑≤n P.O (7)
O⊑∀P-1.S (4) O⊑≤n P-1.S (8)
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 11: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/11.jpg)
Access Control Rules: example
11
Policy RelBAC Representation
All friends can download some music
Friend ⊑ ∃Download.Music
Music can be downloaded by some friend
Music ⊑ ∃Download-1.Friend
All friends can download only music
Friend ⊑ ∀Download.Music
Music can be downloaded by only friend
Music ⊑ ∀Download-1.Friend
KnowDive members should program at least one project code
KnowDive ⊑ ≥1 Program.Code
Each project code should be programmed by at most 2 KnowDive members
Code ⊑ ≤2 Program-
1.KnowDive
Each manager should manage exactly 3 project codes
Manager ⊑ ≤3 Manage.Code ⊓≥3 Manage.Code
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 12: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/12.jpg)
All to all mapping
TAC (Total Access Control) Rule
12
{P(u1,o1),…,P(um,o1),…,P(um,on)}
∀ O.P ≡ ∀¬P. ¬O
(∀ O.P)I = {u User∈ I | o O(o)→ P(u,o) }∀
= {u User∈ I | o ∀ ¬P(u,o) →¬O(o)}
= (∀¬P. ¬O)I
“Close friends can read all the entertainment files.”Close ⊑∀ Entertain.Read
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 13: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/13.jpg)
Correspondences to Motivations
13
Natural permission binary relation partial order subsumption axiom rule formula(e)
Flexible hierarchy partial order attribute binary relation
Formal Description logics
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 14: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/14.jpg)
Reasoning Services
14
TBox‘A business friend can update some entries.’
ABox‘Bob is a business friend.’
ABox + TBox‘Bob is a business friend so that he can update some entries.’
Design vs. Run time Reasoning
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 15: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/15.jpg)
Reasoning Tasks: Design
15
HierarchyIPod ⊑ DigitalDevice
MembershipDigitalDevice(ipod-2g0903)
Separation of duties‘customer and sales manager are to be separated.’
High-level Concern
‘the 3 users to commit an order should include 1 customer, 1 sales agent and 1 sales manager.’
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 16: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/16.jpg)
Design Time Reasoning: Hierarchy
16
IPod
Apple
Digital Device
IPhone
Software
Alice’s online shop
SymantecLenovo
Norton AntiVirus
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
OBJECTS
![Page 17: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/17.jpg)
Design Time Reasoning: Membership
17
Apple
Supplyer
Business
Lenovo
Lesure
Alice’s Social Network
SportCustomer
Soccer
Music
JazzVIP Hiking
Bob
Jane
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
SUBJECTS
![Page 18: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/18.jpg)
Separation of Duties (from RBAC)
18
‘For a task consisting of n steps, no one can complete all the steps to complete the task.’
⊓i=1n ∃Pi.Oi ⊑ ⊥
‘…no one can complete more than one of the steps.’
∃Pi.Oi ⊓ ∃Pi.Oj ⊑ ⊥ 1≤i<j≤n
‘To cash out a check, a check has to be signed by a customer and cashed out by a clear (in a bank).’
∃Sign.Check Cashout.Check ⊓ ∃ ⊑ ⊥
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING
![Page 19: Logics for Data and Knowledge Representation](https://reader035.vdocument.in/reader035/viewer/2022070404/56813bf4550346895da53645/html5/thumbnails/19.jpg)
Separation of Duties: High-level Concern
19
Composition of the k users
Order ⊑ ≥1 Initiate-1.Customer ⊔ ≥1 Process-1.Agent ⊔ ≥1 Check-1.Manager
Fulfill an order
Manager
Customer
Agent
Initiates an order
Checks the order
Processes the order
NEW CHALLENGES FOR ACCESS CONTROL :: MODEL AND LOGIC :: AUTOMATED REASONING