
Research On Ontology-based Integration Of Multi-domain Access Control Policies

Posted on: 2007-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Zhao
Full Text: PDF
GTID: 2178360242461985
Subject: Computer application technology

Abstract/Summary:
Multi-domain secure interoperation needs integrated, cooperative and uniform security management. Policy-based security management is a landmark in the development of the security management field and fits the goal of securely managing a multi-domain distributed system. The security policy is the core of policy-based security management and is what builds the integrated environment; formalizing and checking the security policy guarantees that the policy fits that goal. An ontology is a formal, explicit specification of a shared conceptualization: a modeling tool that can describe the concept model of an information system at the semantic and knowledge level, and it offers a new way to solve the multi-domain secure interoperation problem.

In the single-domain environment, in order to control indirect information flow, the History-based BLP model (HBLP) borrows the idea of the information flow model and adds a memory factor to the system state that records the objects a subject has read, so that the direction of information flow can be controlled. To improve the availability of the model and the integrity of information, HBLP also splits the security level of a subject into separate reading and writing security level ranges. With these methods we develop the BLP (Bell-LaPadula) model into a new multi-level security model with memory.

An important characteristic of the Role Based Access Control (RBAC) model is that it is policy neutral. We analyze how RBAC can be configured to enforce the single-domain models, including HBLP, and unify the various access control models into one RBAC model. We use an ontology and its description language to describe the access control policy, and build a terminological box (TBox) of axioms that holds the concepts and properties. We formalize the TBox in ALCN, a description logic that includes number restrictions and negation of concepts.

We also analyze and improve the Secure Interoperability Using Dynamic Role Translation (IRBAC2000) model in order to solve and avoid the problems that arise in the multi-domain integrated environment. Using rule-based reasoning technology, we define a series of reasoning rules (Rule) for the multi-domain access control model and enforce them in the multi-domain access control environment.

Finally, a simulation system for multi-domain access control policy is designed and implemented. In the system, the access control policies of each single domain are defined in an assertional box (ABox). Using the single-ontology method, the system integrates the TBox, Rule and ABox into a global access control policy ontology.
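The abstract describes two changes HBLP makes to BLP: a read history kept in the subject's state, and separate read and write level ranges. The following Python simulation is an added illustration of that idea and is not the thesis's own model or code. Its concrete rules are my assumptions: a subject may read any object up to `read_max`, may write only inside `[write_min, write_max]`, and a write is additionally refused unless the target level dominates every level the subject has read so far (a high-water mark). The level names and the scenario are constructed sample data; `classic_blp_can_write` is a plain BLP *-property check included only for contrast.

```python
"""Toy history-based BLP (HBLP-style) subject with read/write level ranges.

Assumed rules (illustration, not the thesis's definition):
  read(o)  allowed iff level(o) <= read_max
  write(o) allowed iff write_min <= level(o) <= write_max
                       and level(o) >= max(levels read so far)
The second conjunct is the "memory factor": it blocks write-down of
information the subject has already observed, including indirectly
through a chain of subjects.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lattice (a total order is enough for the illustration).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Obj:
    name: str
    level: int


@dataclass
class Subject:
    name: str
    read_max: int          # upper bound of the reading range
    write_min: int         # lower bound of the writing range
    write_max: int         # upper bound of the writing range
    read_history: List[int] = field(default_factory=list)  # memory factor

    def high_water(self) -> int:
        # -1 means "nothing read yet", so every level dominates it.
        return max(self.read_history, default=-1)

    def can_read(self, obj: Obj) -> bool:
        # simple security property: no read up
        return obj.level <= self.read_max

    def read(self, obj: Obj) -> bool:
        if not self.can_read(obj):
            return False
        self.read_history.append(obj.level)  # record what was observed
        return True

    def can_write(self, obj: Obj) -> bool:
        in_range = self.write_min <= obj.level <= self.write_max
        # history check: destination must dominate everything read so far
        return in_range and obj.level >= self.high_water()

    def write(self, obj: Obj) -> bool:
        return self.can_write(obj)


def classic_blp_can_write(clearance: int, obj: Obj) -> bool:
    """Plain BLP *-property with a single clearance: no write down."""
    return obj.level >= clearance


def run_scenario() -> Dict[str, bool]:
    """Walk through direct and indirect (two-subject) flows; return outcomes."""
    secret_doc = Obj("secret_doc", LEVELS["secret"])
    conf_memo = Obj("conf_memo", LEVELS["confidential"])
    shared_ts = Obj("shared_ts", LEVELS["top_secret"])

    alice = Subject("alice", read_max=LEVELS["secret"],
                    write_min=LEVELS["confidential"], write_max=LEVELS["top_secret"])
    bob = Subject("bob", read_max=LEVELS["top_secret"],
                  write_min=LEVELS["unclassified"], write_max=LEVELS["top_secret"])

    out: Dict[str, bool] = {}
    # Availability gain: with nothing read yet, alice may write a confidential
    # memo, which a single secret clearance under plain BLP would forbid.
    out["alice_writes_conf_before_read"] = alice.can_write(conf_memo)
    out["classic_blp_alice_writes_conf"] = classic_blp_can_write(LEVELS["secret"], conf_memo)
    # After reading secret data, the history blocks the same write-down.
    out["alice_reads_secret"] = alice.read(secret_doc)
    out["alice_writes_conf_after_read"] = alice.can_write(conf_memo)
    out["alice_writes_ts_after_read"] = alice.write(shared_ts)
    # Indirect flow: bob could write confidential before reading anything,
    # but once he reads the top-secret object alice wrote, he cannot.
    out["bob_writes_conf_before_read"] = bob.can_write(conf_memo)
    out["bob_reads_ts"] = bob.read(shared_ts)
    out["bob_writes_conf_after_read"] = bob.can_write(conf_memo)
    return out


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:35s} {'allowed' if allowed else 'denied'}")
```

The scenario shows the two effects the abstract claims: the split ranges let a subject write below its reading ceiling while its history is empty (availability), and the recorded reads stop both a direct write-down and the laundering of observed data through an intermediate object and a second subject (integrity of the information flow).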
Keywords/Search Tags: Distributed system, Multi-domain, Access control, BLP model, Policy integration, Ontology, Description Logic