An Ontology-based Approach To Improve Access Policy Administration Of Attribute-Based Access Control

Posted on: 2020-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Li
GTID: 2428330623963751
Subject: Electronic and communication engineering

Abstract/Summary:
With the rapid development and popularization of Internet technologies, the scale of the electronic systems of enterprises and governments has grown at an extremely rapid rate. Earlier access control models have gradually become unable to meet the demands of the current scale and frequency of access. The attribute-based access control (ABAC) model therefore came into being to solve the problem of protecting confidential resources, especially in a widely open network environment. The ABAC model takes attributes as its key element and uses them to link visitors, resources, and access rights. Attributes are derived from multiple sources, so their content is highly diversified. As a result, access control policies composed of attributes are extremely complicated in both quantity and semantics, and it is almost impossible to rely solely on manpower to complete policy management. To improve the efficiency of policy management in the ABAC model, this paper intends to introduce ontology into the existing model. Ontology is capable of generalizing and describing domain knowledge, and it is often used together with description logic to sort out a large number of knowledge concepts. This paper aims to use ontology and reasoners to model the attribute-based access control model, establish a hierarchical logic framework of attributes, and optimize policy management. The paper first sorts out the functional structure and workflow of the ABAC model. Referring to the fundamental concepts and properties of normal ABAC models, we established a new ontology-based model, OABACM. The paper then summarizes and lists, in formal form, several inherent logical properties of OABACM. With these properties, the new model is able to directly eliminate policy redundancy and proactively detect conflicting policies. Finally, this paper conducted qualitative experiments on Protege and proved that OABACM has the ability to process policy semantics, eliminate redundancy, and issue warnings of conflicts. This paper also conducted quantitative experiments on Jena to prove that OABACM is significantly more efficient at these tasks than normal attribute-based access control models.
Keywords/Search Tags: ontology, access control, access policy management, attribute-based access control