
Research On Rule-Based And Ontology-Based Policy In Application Security

Posted on: 2007-03-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H B Yu
Full Text: PDF
GTID: 1118360182997134
Subject: Computer software and theory
Abstract/Summary:
Policies are increasingly used to control the behavior of complex, large-scale application systems. Policies allow an administrator to regulate system behavior without changing source code: the administrator specifies high-level rules that control and regulate the low-level behavior of the system. The policy-based approach is much more flexible and adaptable than non-policy approaches, but it still has difficulty dealing with large-scale application systems that have many users and resources. In recent years especially, with the scale-up of IT systems and the widening scope of their users, effective user and privilege administration remains complex and challenging work, and a major issue in large enterprises and organizations. For service-providing enterprises that make their services available to their users via the Internet, the number of users can be in the hundreds of thousands or millions, and a large number of objects and a relatively high number of processes can be found as well. The inherent complexity of application security challenges existing policy management approaches.

A model that automatically assigns permissions to users becomes an ideal solution in a large-scale system. Rule-based authorization approaches have been researched and preliminarily applied over the past few years to support automatic user and permission management. Although rule-based approaches offer relatively high management efficiency, the dynamic nature of rules often makes it difficult to foresee the impact of a new rule or of a modification to an existing rule. It is difficult to obtain an administrative overview, which makes the policies hard to maintain and audit.

Consequently, it is difficult to specify and maintain authorization policies in an application system built on a rule-based system without other supporting mechanisms. Semantically rich representations of policy allow both the structure and the properties of the elements of an application system, and the management operations themselves (e.g., policies), to be described at a high level of abstraction, thus enabling policy conflict detection and harmonization. Moreover, modeling policies at a high level of abstraction simplifies their description and improves the analyzability of the system. Semantically rich representations also ensure a common understanding between previously unknown entities, which lets heterogeneous systems interoperate through mutually understandable policies. Recent research in the area of the Semantic Web and the OWL ontology language provides a powerful basis for semantically rich policy definition. Standard OWL is suitable for describing domain knowledge such as the entities and attributes of the application security domain, but it still has limitations in describing the authorization rules of policies. Specifying semantically rich, context-based policies to regulate system behavior in application security environments is a complex task that requires appropriate representations for both the context information relevant to policy specification and the policies themselves. Current approaches to semantic context-based policy specification have outlined two main research directions: the rule-based and the ontology-based approach.

We research rule-based and ontology-based approaches to application security policy representation and reasoning, and propose a policy specification framework that integrates the rule and ontology approaches to support the specification and management of policies in large-scale applications. Under this framework we concentrate on knowledge representation for the application security domain, rule-based semantically rich policy specification, constraint specification, fine-grained authorization rule specification, and so on. Based on the inference tasks of description logic, we research access control reasoning, deciding the relationships among authorization rules, conflict detection methods, and conflict resolution algorithms for the policy specification framework.

The principal contributions and research results of this dissertation are summarized as follows:

Firstly, against the background of the authorization problem in large-scale application security, we analyze most access control models and summarize the state of the art in policy specification languages. We concentrate on context-based and semantics-based policy approaches, and analyze and compare these approaches in terms of specification methods and reasoning support. Description logic and ontology languages are surveyed as well. We point out that the rule-based approach and the ontology-based approach are the current research directions for context-based policy specification.

Secondly, an overview and analysis of the state of the art in rule-based authorization techniques is given. International research work on rule-based automatic authorization, including BPD-ACS, RB-RBAC, provisioning-based RBAC and Kern's meta model, is summarized according to aspects such as concept, rule expression, rule function and features. The existing problems and the research work deserving further emphasis are pointed out.

Thirdly, description logic and the Web ontology language are introduced. We introduce the language family of description logics and the concrete domain extension used to integrate numerical and other domains in a schematic way into description logics. The W3C standard Web ontology language OWL is introduced in detail, and the correspondence between OWL and description logic is given. We also point out the limitation of OWL in datatype support, so we introduce OWL-E, a decidable extension of OWL DL, to overcome that limitation. These introductions and analyses form the theoretical basis of the subsequent research.

Fourthly, the representation of knowledge in application security domains is investigated. An OWL-E based description frame for domain knowledge is proposed to create extensible domain entities and attributes that abstract and define the context information of the application security domain. All domain entities are specified with a common entity-attribute structure, which makes it easy to divide the system into finer grains or to extend it with new entities and attributes, so as to adapt to evolving context and changing authorization requirements. The representation of the quasi-order of attribute values is researched, and an ontology-class-based representation is proposed.

Fifthly, the specification and representation of application security policies is researched. We propose a pure OWL-style Policy Definition Framework. The Policy Definition Framework uses the subclass axiom of OWL to define the syntax of all kinds of authorization rules that describe implicit authorizations; the semantics of the authorization rules can then be interpreted directly on the basis of OWL semantics. Thus, authorization rules can be interpreted independently of the environment and of reasoning engines. A rule constraint schema is proposed to represent the comparison relations between subject attributes and object attributes, in order to specify fine-grained, content-based access control. Representation methods for static separation of duty and number restriction constraints are illustrated as well.

Sixthly, the thesis researches description-logic-based reasoning about the policies of the Policy Definition Framework. Based on the inference services of description logic, several important reasoning tasks, such as access control decision, policy scope, the relationships among rules, and conflict detection, are studied. Decision approaches for the seniority level and the overlap relation among rules are proposed. We propose several conflict detection methods: a conflict detection method for related policies, a conflict detection method for overlapping policies, a conflict detection method based on the unsatisfiable intersection of policies, and a conflict detection method for separation of duty constraints. We also give an automatic conflict resolution algorithm. Our work provides effective support and tooling for policy management and analysis.

Our work researches integrated rule-based and ontology-based policy representation and reasoning. A combined approach is proposed to handle policy management in highly dynamic, complex-context and heterogeneous system environments. Rule specification based on OWL axiom semantics enhances the expressive power of, and the common understanding of, automatic authorization rules. It can capture rich relationships among policies and is comprehensively supported by most description logic reasoners.

Our work enriches the research on ontology approaches applied in the application security area, especially in the following aspects: rule representation with a pure ontology language, semantically rich policy representation, rule-based authorization, ontology modeling in application security, access control decision reasoning, conflict detection methods and conflict resolution. The results of the policy representation and reasoning research can be of practical value for application security.

To sum up, the results of the thesis are of both theoretical and practical benefit to further research in rule-based and ontology-based policy management.
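As an added illustration (not from the dissertation, whose framework is expressed in OWL-E and checked by a description logic reasoner), the following Python sketch approximates the fifth and sixth contributions over finite attribute domains: a rule's scope is a conjunction of attribute restrictions, seniority is scope subsumption, overlap is a satisfiable scope intersection, opposite-effect overlapping rules are reported as conflicts, and a decision resolves them by letting the more specific rule win. All attribute names, values, the quasi-order on levels and the rules R1 to R4 are constructed for the example.

```python
from itertools import combinations

# Constructed attribute domains standing in for the entity-attribute ontology.
DOMAINS = {
    "role": frozenset({"clerk", "manager", "auditor"}),
    "clearance": frozenset({"public", "internal", "secret"}),
    "doc_type": frozenset({"invoice", "payroll", "report"}),
    "doc_level": frozenset({"public", "internal", "secret"}),
}
LEVEL_ORDER = ["public", "internal", "secret"]  # constructed quasi-order on sensitivity levels

def at_least(level):
    """All levels dominating `level` in the quasi-order (a comparison constraint)."""
    return frozenset(LEVEL_ORDER[LEVEL_ORDER.index(level):])

def scope(**constraints):
    """Rule scope as a conjunction of attribute restrictions; unmentioned attributes are unrestricted."""
    return {a: frozenset(constraints.get(a, DOMAINS[a])) for a in DOMAINS}

def intersect(s1, s2):
    """Conjunction of two scopes; None when unsatisfiable (some attribute has no value left)."""
    meet = {a: s1[a] & s2[a] for a in DOMAINS}
    return None if any(not v for v in meet.values()) else meet

def subsumes(general, specific):
    """Seniority: every instance of `specific` also falls within `general`."""
    return all(specific[a] <= general[a] for a in DOMAINS)

def detect_conflicts(rules):
    """Opposite-effect rule pairs whose scope intersection is satisfiable, i.e. they overlap."""
    return [(a["name"], b["name"]) for a, b in combinations(rules, 2)
            if a["effect"] != b["effect"] and intersect(a["scope"], b["scope"]) is not None]

def decide(rules, request):
    """Access decision: among applicable rules the more specific wins; unresolved or empty -> deny."""
    applicable = [r for r in rules if all(request[a] in r["scope"][a] for a in DOMAINS)]
    # Resolution by seniority: drop any rule that strictly subsumes another applicable rule.
    senior = [r for r in applicable if not any(
        subsumes(r["scope"], s["scope"]) and not subsumes(s["scope"], r["scope"]) for s in applicable)]
    return "permit" if {r["effect"] for r in senior} == {"permit"} else "deny"

# Constructed sample policy: R3 is a more specific exception to the blanket deny R2.
RULES = [
    {"name": "R1", "effect": "permit", "scope": scope(role={"clerk", "manager"}, doc_type={"invoice", "report"})},
    {"name": "R2", "effect": "deny", "scope": scope(doc_level={"secret"})},
    {"name": "R3", "effect": "permit",
     "scope": scope(role={"manager"}, clearance=at_least("secret"), doc_level={"secret"})},
    {"name": "R4", "effect": "deny", "scope": scope(role={"auditor"}, doc_type={"payroll"})},
]
```

`detect_conflicts(RULES)` reports R1/R2 and R2/R3; R2/R3 is resolved by seniority because R2 subsumes R3, whereas R1/R2 has no senior rule, so a clerk reading a secret invoice is denied.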
Keywords/Search Tags: Access Control, Application Security, Policy, Rule, Attribute, Permission, Ontology, Description Logic, Semantic Web, Policy Conflict Detection, Conflict Resolution.