<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>An Access Control Model for Protecting Semantic Web Resources</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Sara Javanmardi</string-name>
          <email>javanmardi@ce.sharif.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Morteza Amini</string-name>
          <email>amini@ce.sharif.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Rasool Jalili</string-name>
          <email>jalili@sharif.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Network Security Center, Computer Engineering Department, Sharif University of Technology</institution>
          ,
          <addr-line>Tehran</addr-line>
          ,
          <country country="IR">Iran</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Semantic Web is a vision for the future of the current Web which aims at automation, integration and reuse of data among different Web applications. Access to resources on the Semantic Web cannot be controlled in a safe way unless the access decision takes into account the semantic relationships among entities in the data model under this environment. Decision making for permitting or denying access requests by assuming entities in isolation and not considering their interrelations may result in security violations. In this paper, we present a Semantic Based Access Control model (SBAC) which considers this issue in the decision making process. To facilitate the propagation of policies in the three domains of access control (subject, object and action), we show how different semantic interrelations can be reduced to the subsumption problem. This reduction improves the space and time complexity of the access control mechanisms which are based on SBAC. Our evaluations of the SBAC model along with experimental results on a sample implementation of the access control system show that the proposed model is very promising.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>
        Semantic Web is an extension of the current Web which gives information a
well-defined meaning, making machines capable of interpreting and processing
the information. The shift from the current Web to semantic-aware environments
such as the Semantic Web poses new security requirements [
        <xref ref-type="bibr" rid="ref1 ref2">1, 2</xref>
        ], especially in
the field of access control. Access control is a mechanism that allows owners
of resources to define, manage and enforce access conditions applicable to each
resource [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. A semantic aware access control mechanism should assure that only
eligible users are authorized to be granted an access right and each eligible user
must be able to access all the resources that s/he is authorized for [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. Traditional
access control models like MAC, DAC and RBAC fail to address these issues
since they do not consider the rich semantic relations in the data model under
the Semantic Web [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. In other words, decision making based on isolated entities
while ignoring the semantic interrelationships among them may result in illegal
inferences by unauthorized users and incomplete granting of access rights. For
an example of an illegal inference, consider a concept ‘Credit Card’ which is
the union of concepts ‘Master Card’ and ‘VISA Card’. If a user is eligible to
know about the latest transactions on credit cards issued by a bank while s/he
is prevented from accessing the same information for VISA cards, then s/he can
guess some information about them, which is illegal. On the other hand, when
a bank authority needs to know some information about the ‘Letter of Credit’
concept for some decision making, then s/he should also be authorized to read
the information about an equal concept like ‘Documentary Credit’.
      </p>
      <p>
        To overcome these challenges, there is a need for semantic aware access
control systems. In this paper, we present a Semantic Based Access Control model
(SBAC) that authenticates users based on the credentials they offer when
requesting an access right. Ontologies are used for modeling entities along with
their semantic interrelations in three domains of access control, namely subject
domain, object domain and action domain. Decision making in SBAC for
permitting or denying an access request is automated by inference engines. We show
how semantic interrelations can be used in the authorization process; and for
enhancing the expressiveness of authorization rules defined in SBAC, we show
how rule languages like SWRL [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] can be applied. Since a general semantic
relation called subsumption can facilitate the policy propagation, in SBAC we try
to reduce different semantic interrelations to the subsumption problem.
      </p>
      <p>The remainder of this paper is organized as follows: Section 2 describes related
work on this topic and Section 3 states the fundamentals of SBAC. Semantic
authorization flow of access rights at different levels of an ontology is described
in Section 4. In Section 5, the formal definition of SBAC is presented and it is
shown how the reasoning can be done in the different domains of access control.
Our proposed architecture for implementing the SBAC model is presented in
Section 6, and the experimental results and qualitative evaluations of the model
are described in Section 7. Finally, Section 8 underlines some conclusions and
future research lines.</p>
    </sec>
    <sec id="sec-2">
      <title>Related Works</title>
      <p>
        Access control systems for protecting Web resources along with credential based
approaches for authenticating users have been studied in recent years [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. With
the advent of Semantic Web, new security challenges were imposed on security
systems. Bonatti et al in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] have discussed open issues in the area of policy
for Semantic Web community such as important requirements for access control
policies. Developing security annotations to describe security requirements and
capabilities of web services providers and requesting agents have been addressed
in [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. Fig. 1 shows the trend of developing security issues in the Semantic web.
      </p>
      <p>
        Object-Oriented authorization models for databases were the first models
that tried to consider the semantic relationships for authorization. Such models
showed the effect of the semantic relationships like subclass/superclass in
access decision making [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. File–level access control systems were studied in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] for
protecting HTML resources. In the next layer, there are XML based approaches
such as XACML (eXtensible Access Control Markup Language) [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] and
XRBAC (XML Role-Based Access Control ) [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] that have attempted to express
policies for controlling accesses to XML resources. Finin et al have proposed
policy languages like Rei [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] based on Semantic Web languages like RDF and
DAML+OIL and have developed a framework, Rein, based on Rei. In the
ontology layer, Qin et. al. [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] proposed a concept level access control model which
considers some semantic relationships in the level of concepts in the objects
domain. In this paper, we present SBAC as an access control model based on the
OWL [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] ontology language that considers semantic relationships at different
levels of an ontology (Concept, Property, Individual) and in all the domains of
access control (Subject, Object, Action). For enhancing the expressiveness and
inference abilities, SBAC uses SWRL, a Horn clause rule extension to OWL.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Introduction to SBAC</title>
      <p>Fundamentally, SBAC consists of three basic components: Ontology Base,
Authorization Base and Operations. Ontology Base is a set of ontologies: Subject–
Ontology (SO), Object–Ontology (OO) and Action–Ontology (AO). These
ontologies are described in the following:
OO : is an Object Ontology for describing objects. Objects are entities which are
accessed and/or modified. An Object–Ontology shows the structure in which
the objects (Concepts, Individuals and Properties) are organized along with
the semantic relationships among them. Fig. 2 is an example OO. It shows
a part of a Bank-Service ontology. The ovals show concepts and individuals
and labels on the directed arcs show axioms and properties. Individuals are
represented by ovals that have arcs with ‘Is A’ labels to other ovals.
SO : is the Subject Ontology, where subjects are active entities which require
access to objects. Subjects are represented using concepts or individuals in
a Subject-Ontology. Fig. 3.a shows a Subject-Ontology which is based on
credentials. The credentials presented determine a user's eligibility for accessing a
resource.
AO : is the Action Ontology. Actions depend on the type of the actions that subjects aim to execute
on objects. Each action type is a concept in the action ontology. Fig. 3.b
demonstrates an example of an Action Ontology.</p>
      <p>By modeling the access control domains using ontologies, SBAC aims at
considering semantic relationships in different levels of an ontology to perform
inferences to make decision about an access request. Authorization Base is a set
of authorization rules in form of (s, o, ±a) in which s is an entity in SO , o is an
entity defined in OO, and a is an action defined in AO. In other words, a rule
determines whether a subject which presents a credential s can have the access
right a on object o or not. Predefined access rights can be saved in Authorization
Base in the form of authorization rules and for making decisions for incoming
requests (permit/deny), inference is done based on the semantic relationships
between the requested authorization and the explicit authorization rules in
Authorization Base. In fact, inferences on the explicit authorization rules result in
some implicit authorization rules. For example, if an explicit authorization rule
states that a subject can read an object of type “Account”, then if s/he requests
an access right to read a subobject of type “ShortTermDeposit”, then the latter
can be inferred from the former without having its authorization rule explicitly.
Since SBAC works based on inference, to prevent propagation of the same
decision (permit/deny) to all the inferred rules, it allows the definition of exception
rules with higher priority. For example, an exception rule can be defined if the
authority of a bank wants to prohibit the credit cards issued by a specific
bank from settling money to any account in Bankx while there is another
explicit authorization rule that lets all credit cards settle money in any account.</p>
    </sec>
    <sec id="sec-4">
      <title>Semantic Authorization Inference</title>
      <p>
        Different semantic relations in an ontology result in semantic authorization flow
among entities in different levels of that ontology. OWL is the W3C
recommendation for representing ontologies in a machine–processable format. To automate
the inference process in SBAC, we used this language since its well–defined
structure lets machines automatically process the knowledge described in it; besides
it supports strong semantic relations among concepts. Based on OWL, we have
identified three levels: concept–level, individual–level and property–level where
the semantic authorization flow can occur in each level or between different
levels. To simplify the effect of semantic authorization flow in decision making, first
we classify the possible semantic inferences that can occur, and then we explain
different types of inferences in each category. This classification is done based on
the fundamental OWL structures [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] which are OWL Class Axioms, Individual
Axioms, Property Characteristics and Property Restriction.
      </p>
      <p>– Concept-Concept (C-C): Inference can be done in the level of concepts
(between two concepts) in an ontology. Concept constructors in OWL result
in new concepts with an intrinsic semantic authorization flow. For example,
when the concept ‘Credit Card’ is defined as the union of ‘Master Card’ and
‘VISA Card’, then access rights such as eligibility of the owner of a credit
card for checking an account will be propagated to both the owner of a
‘Master Card’ and the owner of a ‘VISA Card’.
– Concept-Individual (C-I): All the individuals are influenced by the access
conditions enforced on the concept they belong to.
– Individual-Individual (I-I): Individual axioms cause this kind of
authorization flow. For example the ‘same as’ axiom states that two individuals
are semantically equal, hence the access conditions on each of them should
be applied on the other one too.
– Property-Concept (P-C): The semantic authorization flow from
properties to concepts happens when an access right on a property is granted. A
property is interpreted by a set of ordered pairs of individuals where the first
individual is in the domain of the property and the latter is in the range of
it. Therefore, any access right on a property can result in the same access
right on the domain and range of the property. For example, when a subject
can modify a property, s/he should be able to access the domain and range
of that property.
– Property-Property (P-P): Semantic relations between various properties
can result in new properties which are necessary for decision making but are
not explicitly mentioned in the ontology. For example, when a bank authority
wants to prevent master cards supported by Asian banks from settling money
in a special account by defining (AsianMasterCards, Accountx, −settlement),
then, by having knowledge of the two properties ‘Issued in’ and ‘Registered in’, the
new property ‘Supported by’ can be made. The related SWRL rule is as
follows:</p>
      <p>Registered in(Bankx, Asia) ∧ Issued in(MasterCard, Bankx) → Supported by(MasterCard, AsianBank)</p>
      <p>
– Property-Individual (P-I): All the individuals are influenced by the
access conditions enforced on the property that they belong to. Moreover,
property characteristics like being transitive or symmetric imply
membership of some new individuals in the same property, which are also affected by
the access conditions defined on the property. For example, if we define the
‘Support Of’ property as a symmetric property, then from the
knowledge that (Accountx, Accounty) is an individual of that property it can
be inferred that (Accounty, Accountx) is also an individual of that property.
An SWRL rule like the following can be added for the inference:
Support of(Accountx, Accounty) → Support of(Accounty, Accountx)
– Concept-Property (C-P): When an access right on a concept is granted,
then there are semantic authorization flows from this concept to the
restricted concepts that result from property restrictions on this concept. For
example, when a subject is eligible to ‘Check Balance’ of some credit cards,
then s/he should be authorized to ‘Check Balance’ of any restricted concept
like Issued In.Bankx, which returns the credit cards issued in Bankx.
It is worth noting that the ontology languages in the fourth layer of the
Semantic Web stack are not expressive enough to support all of the inference
classifications that should be performed at the machine level. Fig. 4 shows
the degree of coverage of OWL DL and SWRL. As can be seen in this figure,
using SWRL rules provides better expressivity.
The different kinds of semantic relations, and the inference problems based on them,
motivated us to reduce the possible inferences on the semantic relationships in OWL
DL to the general problem of subsumption. Checking the subsumption property
is the basic reasoning method of description logics [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. Given two concepts C
and D and a knowledge base Σ, the following expresses that D subsumes C in
Σ: Σ ⊨ C ⊑ D. This reasoning based on subsumption proves that D (the
subsumer) is more general than C (the subsumee). In SBAC, we use a variant of the
subsumption relation which not only handles concepts
but also considers individuals. It is defined as follows:
      </p>
      <p>A is subsumed by B under this extended relation if: A ⊑ B, when A and B are concepts; A Is A B, when A is an individual and B is a concept; A sameAs B, when A and B are individuals.</p>
      <p>When A is subsumed by B under this extended relation, the authorization rules
enforced on B should also be enforced on A. Table 1 shows the reduction based
on OWL class axioms, Table 2 the reduction for individual axioms, and Table 3 the
reductions for OWL property restrictions. Table 4 shows the SWRL rule definitions
for OWL property characteristics.</p>
    </sec>
    <sec id="sec-5">
      <title>Formal Definition of Concepts in SBAC</title>
      <p>
        This section presents a formal definition of the topics described informally in
the preceding sections. SBAC is defined by the triple (OB, AB, Oprs). OB stands
for Ontology Base, which contains the decision-making ontologies (OO, SO, AO). AB
stands for Authorization Base, which includes the explicit authorization rules. Oprs
are the operations that can be performed on the Authorization Base.
SBAC = (OB, AB, Oprs)
OB = {Ont | Ont = SO ∨ Ont = OO ∨ Ont = AO}
Ont = (C, T, ≤C, ≤T, R, A, σA, σR, ≤A, ≤R)
AB = {(s, o, ±a) | s ∈ SO ∧ o ∈ OO ∧ a ∈ AO}
Oprs = (CA, Grant, Revoke)
In the definition of ontology (Ont), which is from [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], C is a set of concepts,
≤C is the subsumption relation between concepts. The other semantic relations
are presented by σR : R → C × C. ≤R shows the hierarchy among Object
Properties, meaning one property is subproperty of another property. T is a set of
datatypes with a hierarchy of datatypes, ≤T . DataType Properties are presented
by σA : A → C × T [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ].
      </p>
      <p>Access rights are stored in AB in the form of Authorization rules where:</p>
      <p>AB ⊆ S × O × A</p>
      <sec id="sec-5-1">
        <title>Definition (Authorization Rule)</title>
        <p>An authorization rule is a triple like (s, o, ±a) where s ∈ SO, o ∈ OO, and
a ∈ AO.</p>
        <p>The knowledge base consists of explicit authorization rules and is formally
defined as AB ⊆ S × O × A. An authorization rule is a triple (s, o, +a) where
s ∈ SO, o ∈ OO, a ∈ AO.</p>
      </sec>
      <sec id="sec-5-2">
        <title>Definition (Operations)</title>
        <p>The operations are executed on AB and are for making decision about a request,
granting an access right or revoking an access right and the formal definition is
Opr = (CA, Grant, Revoke).</p>
        <p>– CA(s, o, a): the decision-making function is CA : S × O × A → {true, false}.</p>
        <p>CA(s, o, a) = true if (s, o, +a) ∈ AB or there is an authorization rule
(si, oj, ak) ∈ AB such that (si, oj, +ak) → (s, o, +a). CA(s, o, a) = false if
(s, o, −a) ∈ AB or there is an authorization rule (si, oj, ak) ∈ AB such that
(si, oj, −ak) → (s, o, −a). Otherwise, because of the closed policy, the function
returns ‘False’. The reasoning ‘→’ from (s, o, a) to (si, oj, ak) can be performed
in the subject domain SO, the object domain OO or the action domain AO. The function CA
is defined as follows:</p>
        <p>CA(s, o, a) = True, if (s, o, +a) ∈ AB ∨ (∃(si, oj, +ak) ∈ AB : (si, oj, +ak) → (s, o, +a)); False, otherwise.</p>
        <p>Conflicts are possible in CA(s, o, a) at decision-making time.
Exception rules are one source of conflicts. Since two conflicting inferences
about a request can lead to different results, conflict resolution is necessary
in SBAC. Inference from exception rules should have higher priority than
inference from other explicit rules. Hence, for resolving the conflict, the
inference from the most specific rule, which is the most specific exception,
takes precedence over other inferences. This conflict resolution policy is
possible when the conflicting sources of inference are on the same inference
path, so that the conflicting rules can be compared. In the cases where the
conflicting rules are not comparable, in other words they are not on the same
inference path, a “negative takes precedence” policy, which gives priority to
the negative authorization rule, is used for resolving the conflict.
– Grant(s, o, a): Granting an authorization (s, o, a) means inserting the rule
into AB. This operation is executed by the operation Grant(s, o, a), which
returns the Boolean value True if the rule is added and False if the rule
cannot be added to AB.</p>
        <sec id="sec-5-2-1">
          <title>Grant(s,o,a):</title>
          <p>if (s, o, a) ∈ AB or CA(s, o, a) = true then return False
else
add (s, o, a) to AB
return True
– Revoke(s, o, a): Revoking an authorization (s, o, a) means deleting it from
AB. This operation is executed by the operation Revoke(s, o, a), which
returns the Boolean value True if the rule is deleted and False if the rule
cannot be deleted from AB.</p>
        </sec>
        <sec id="sec-5-2-2">
          <title>Revoke(s,o,a):</title>
          <p>if (s, o, a) ∈ AB then
delete (s, o, a) from AB
return True
else return False</p>
        </sec>
      </sec>
      <sec id="sec-5-3">
        <title>Authorization Propagation</title>
        <p>In this section, we explain how reducing the inference problem to the
subsumption problem results in an effective way of propagating authorizations in the three
domains of access control. In the domains of subjects and objects, the
authorizations are propagated from subsumee to subsumer; but the propagation of access
rights in the domain of actions is different: the negative access rights are
propagated from subsumer to subsumee. It means that the subsumee cannot
have a positive right while the subsumer does not have it. The positive access
rights are propagated in the opposite direction. In other words, if the subsumee
has a positive access right, the subsumer should also have it. The following is a
formal description of the propagation mechanism:
– Propagation in subject domain: Given (si, o, ±a), if sj is subsumed by si (under the
extended relation of Section 4) then the new authorization rule (sj, o, ±a) can be
derived by inference from si to sj; we denote this as (si, o, ±a) → (sj, o, ±a).
– Propagation in object domain: Given (s, oi, ±a), if oj is subsumed by oi then the new
authorization rule (s, oj, ±a) can be derived by inference from oi to oj; we
denote this as (s, oi, ±a) → (s, oj, ±a).
– Propagation in action domain:
• Given (s, o, +ai), if aj is subsumed by ai then the new authorization rule (s, o, +aj)
can be derived by inference from ai to aj; we denote this as (s, o, +ai) →
(s, o, +aj).
• Given (s, o, −aj), if aj is subsumed by ai then the new authorization rule (s, o, −ai)
can be derived by inference from aj to ai; we denote this as (s, o, −aj) →
(s, o, −ai).</p>
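      <p>As an added illustration of the extended subsumption relation of Section 4 and of the CA, Grant and Revoke operations with the propagation rules above, the following Python code is ours and not the paper's implementation. It assumes the three ontologies are supplied as edge lists already reduced to the extended relation (concept subClassOf, individual Is-A, and both directions of sameAs), that "most specific" is measured by inference-path length so that equal lengths count as incomparable, and that Grant and Revoke take the sign of the rule as a separate argument; the bank concepts, accounts and rules are constructed sample data.</p>

```python
"""Toy SBAC decision engine (added illustration, not the paper's code)."""
from collections import deque


def closure(edges):
    """For every entity, the entities that subsume it under the extended
    relation, each with the inference-path length (BFS over the reduced graph).
    Edges are (child, parent); sameAs is given in both directions."""
    graph = {}
    for child, parent in edges:
        graph.setdefault(child, set()).add(parent)
        graph.setdefault(parent, set())
    table = {}
    for start in graph:
        dist = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for parent in graph[node]:
                if parent not in dist:
                    dist[parent] = dist[node] + 1
                    queue.append(parent)
        table[start] = dist
    return table


class SBAC:
    """Ontology Base (SO, OO, AO) plus Authorization Base AB of explicit rules
    stored as (s, o, sign, a) with sign '+' or '-'."""

    def __init__(self, so_edges, oo_edges, ao_edges):
        self.so = closure(so_edges)
        self.oo = closure(oo_edges)
        self.ao = closure(ao_edges)
        self.ab = set()

    @staticmethod
    def _dist(table, specific, general):
        """Path length if `specific` is subsumed by `general`, else None.
        An entity absent from the ontology subsumes only itself."""
        return table.get(specific, {specific: 0}).get(general)

    def _propagates(self, rule, s, o, a):
        """Inference-path length from explicit rule (si, oj, ±ak) to request
        (s, o, a), or None if the rule does not propagate. Section 5.1 rules:
        subjects/objects flow to the subsumee; a positive action right flows
        from ai to aj when aj is subsumed by ai, a negative one from aj to ai."""
        si, oj, sign, ak = rule
        ds = self._dist(self.so, s, si)
        do = self._dist(self.oo, o, oj)
        da = self._dist(self.ao, a, ak) if sign == '+' else self._dist(self.ao, ak, a)
        if ds is None or do is None or da is None:
            return None
        return ds + do + da

    def ca(self, s, o, a):
        """CA: closed policy; the most specific rule wins; negative takes
        precedence when the conflicting rules are incomparable (equal length)."""
        best = {}
        for rule in self.ab:
            d = self._propagates(rule, s, o, a)
            if d is not None:
                best[rule[2]] = min(best.get(rule[2], d), d)
        if '+' in best and '-' in best:
            return best['-'] > best['+']
        return '+' in best

    def grant(self, s, o, sign, a):
        """Grant: refused if the rule is explicit or its decision is already
        derivable (the negative case mirrors the paper's positive one)."""
        rule = (s, o, sign, a)
        if rule in self.ab or self.ca(s, o, a) == (sign == '+'):
            return False
        self.ab.add(rule)
        return True

    def revoke(self, s, o, sign, a):
        rule = (s, o, sign, a)
        if rule in self.ab:
            self.ab.remove(rule)
            return True
        return False


def build_demo():
    """Constructed bank ontology in the spirit of Figs. 2 and 3 (sample data)."""
    so = [('VISACard', 'CreditCard'), ('MasterCard', 'CreditCard')]
    oo = [('ShortTermDeposit', 'Account'), ('Accountx', 'Account'),
          ('Accounty', 'Accountx'), ('Accountx', 'Accounty')]   # Accounty sameAs Accountx
    ao = [('Settlement', 'Write')]                                # Settlement subsumed by Write
    sbac = SBAC(so, oo, ao)
    sbac.ab.update({
        ('CreditCard', 'Account', '+', 'CheckBalance'),      # general positive rule
        ('VISACard', 'Accountx', '-', 'CheckBalance'),       # more specific exception
        ('MasterCard', 'Account', '-', 'Settlement'),        # incomparable pair for
        ('CreditCard', 'Accountx', '+', 'Settlement'),       # (MasterCard, Accountx, Settlement)
        ('CreditCard', 'ShortTermDeposit', '+', 'Write'),    # flows down to Settlement
    })
    return sbac


if __name__ == '__main__':
    demo = build_demo()
    print(demo.ca('MasterCard', 'Accountx', 'CheckBalance'))   # inherited: True
    print(demo.ca('VISACard', 'Accounty', 'CheckBalance'))     # exception reached via sameAs: False
    print(demo.ca('MasterCard', 'Accountx', 'Settlement'))     # negative takes precedence: False
```

      <p>The request (VISACard, Accounty, CheckBalance) is denied although no rule names Accounty: the sameAs edge makes the VISACard exception on Accountx reachable with a shorter path than the general CreditCard permission, which is the "most specific exception" policy of Section 5; the two Settlement rules reach (MasterCard, Accountx, Settlement) with equal path length, so the negative rule wins.</p>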
      </sec>
    </sec>
    <sec id="sec-6">
      <title>A Proposed Architecture for Implementing the SBAC Model</title>
      <p>External Components: External components are subjects, ontological
definitions of credentials, objects, and actions, Reputation system, and
administration tools. Subjects are the ones that request for access rights. ontological
definitions of credentials, objects, and actions are as described in previous
sections. The reputation system is used for checking the validity of credentials
that are provided by subjects. Administration tools are used for managing
the Authorization Base. For example, adding or revoking rules in this base
are performed using these tools.</p>
      <p>Authorization Components: Authorization components are as follows:</p>
      <p>[Figure (architecture diagram): labels Subjects, Credentials, Request, Reputation System, Administration Tools, Authorization System (Semantic Authorizer, Inference Engine, Authorization Base, Reduced Ontologies), Ontology Base, Ontology Parser, Objects, Actions, Permit / Deny]</p>
      <p>
The most obvious advantage of SBAC compared with other access control models
is its semantic-awareness. But, besides semantic-awareness, SBAC has
the following advantages:
– Interoperability: Interoperating across administrative boundaries is achieved
through exchanging authorizations for distributing and assembling
authorization rules. The ontological modeling of authorization rules in SBAC
results in a higher degree of interoperability compared with other approaches
to access control. This is because of the nature of ontologies in providing
semantic interoperability.
– Expressivity: The expressiveness of the security policies directly depends
on the expressiveness of the language in which the policies are described.
SBAC authorization rules are defined using OWL DL, which is based on
an expressive description logic, namely SHOIN(D) [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. For enhancing the
expressiveness, SBAC also uses SWRL rules.
– Ease of Implementation and Integration with Semantic Web
technologies: Security models designed for the Semantic Web should be compatible
with the technology infrastructure under it. In other words, the
implementation of security mechanisms should be possible based on the semantic
expression models. SBAC is designed based on the widely accepted Semantic
Web languages OWL and SWRL; therefore its implementation can be easily
achieved with existing tools designed for working with these languages.
– Generality: Modeling the different domains of access control has added
considerable generality to the model. In the subject domain, SBAC uses
credentials, which are going to be universally used for user authentication. In
the object domain, different kinds of resources such as web pages or web
services can be modeled and can be identified by their URI in authorization
rules.
– Space Efficiency: Implicit authorization in SBAC results in a certain level
of efficiency since it is not necessary to store all the authorization rules
explicitly when they can be inferred from other stored authorizations.
Besides, implicit authorizations allow continuous changes of semantic relations
(ontology evolution).
      </p>
      <p>On the other hand, as shown in Fig. 6, representing the expression
C = C1 ∪ . . . ∪ Cn using RDF triples requires 2n + 1 triples, while,
as shown in Fig. 7, after reducing this expression using the subsumption
relation only n triples are required. The same holds for most of the
other OWL constructors. To show this experimentally, we
generated random ontologies with a program called OntGenerator, which
receives three parameters, namely conceptCount, expCount, and expMaxSize,
as input and generates a random ontology based on the values of
these parameters. conceptCount is the number of atomic concepts and
expCount the number of complex concepts in the ontology;
expMaxSize is the maximum number of concepts (whether atomic or complex)
that are used for creating each complex concept.</p>
      <p>Table 5 shows the number of statements in the standard and reduced ontologies for
random ontologies generated with different values of conceptCount, expCount and
expMaxSize. As can be seen in this table, the number of statements is
reduced after applying the reduction algorithm to these ontologies. This shows
that SBAC works with smaller ontologies and therefore requires
less storage space.</p>
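      <p>To make the 2n + 1 versus n triple count concrete, the following Python code is an added illustration written for this article; it is not the paper's OntGenerator or reduction code. It encodes a unionOf expression as the RDF list of first/rest nodes of Fig. 6, builds the reduced subClassOf form of Fig. 7, and generates random ontologies from the three OntGenerator parameters; the blank-node naming, the C0..Cn and E0..Em concept labels and the way members are sampled are our own assumptions.</p>

```python
"""unionOf-to-subsumption reduction and statement counting (added illustration)."""
import random


def union_triples(concept, members):
    """Standard RDF encoding of concept = unionOf(members), as in Fig. 6:
    one owl:unionOf triple plus rdf:first and rdf:rest per list node, i.e.
    2n + 1 triples for n members. Blank-node names are our convention."""
    triples = [(concept, "owl:unionOf", f"_:{concept}_0")]
    for i, member in enumerate(members):
        node = f"_:{concept}_{i}"
        last = (i + 1 == len(members))
        rest = "rdf:nil" if last else f"_:{concept}_{i + 1}"
        triples.append((node, "rdf:first", member))
        triples.append((node, "rdf:rest", rest))
    return triples


def reduced_triples(concept, members):
    """Reduced form of Fig. 7: each member is a subclass of the union concept,
    which is all the authorization flow from the union to its members needs.
    n triples for n members."""
    return [(member, "rdfs:subClassOf", concept) for member in members]


def generate_ontology(concept_count, exp_count, exp_max_size, seed=0):
    """Random ontology driven by the OntGenerator parameters (conceptCount,
    expCount, expMaxSize). The sampling strategy is our assumption: each
    complex concept is a union of 2..expMaxSize distinct earlier concepts,
    atomic or complex. Returns (standard_triples, reduced_triples)."""
    rng = random.Random(seed)
    pool = [f"C{i}" for i in range(concept_count)]        # atomic concepts
    standard, reduced = [], []
    for j in range(exp_count):
        name = f"E{j}"                                     # complex concept
        size = min(rng.randint(2, exp_max_size), len(pool))
        members = rng.sample(pool, size)
        standard.extend(union_triples(name, members))
        reduced.extend(reduced_triples(name, members))
        pool.append(name)                                  # reusable later
    return standard, reduced


def statement_counts(concept_count, exp_count, exp_max_size, seed=0):
    """(statements in standard ontology, statements in reduced ontology)."""
    standard, reduced = generate_ontology(concept_count, exp_count, exp_max_size, seed)
    return len(standard), len(reduced)


if __name__ == "__main__":
    for t in union_triples("A", ["B", "C", "D"]):
        print(t)                                  # 7 triples
    print(reduced_triples("A", ["B", "C", "D"]))  # 3 triples
    print(statement_counts(50, 20, 6))            # standard = 2 * reduced + 20
```

      <p>Because every complex concept contributes 2·size + 1 standard triples but only size reduced triples, the standard count is always exactly twice the reduced count plus expCount, whatever the random sizes are; note that the reduced form keeps only the direction needed for authorization propagation (members below the union) and no longer states that the union is exactly its members.</p>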
      <p>[Fig. 6. Representing A = B ∪ C ∪ D using RDF triples: A unionOf a list of nodes A0, A1, A2 linked by rest arcs, each with a first arc to B, C and D respectively, ending in nil.]</p>
      <p>[Fig. 7. The reduced form: subClassOf arcs from B, C and D to A.]</p>
      <p>– Low Response Time: most of the time complexity of the decision-making
functions is due to the reasoning part. Since we have reduced the reasoning problems
to the subsumption problem, and because highly efficient
subsumption reasoners exist, the response time of SBAC is very promising. For
evaluating the reasoning time of SBAC, we designed an experiment. In our
experiment, we used the PELLET reasoner, which is a highly efficient OWL
DL reasoner, for reasoning on standard ontologies. On the other hand, since
reduced ontologies only include the subsumption relation between concepts, we
designed and implemented a fast reasoning engine which can only handle the
subsumption relation but does so in less time than reasoners
such as PELLET. In fact, the point that SBAC can do its decision making
using reasoning engines that only need to handle the subsumption relation
is one of the biggest strengths of this model. Table 6 shows a comparison
of the reasoning time of the PELLET reasoner, which must work with the
standard ontology, and the reasoning time of our reasoner, which works with
the reduced ontology. As can be seen in this table, our reasoner performs the
decision-making process in less time.</p>
    </sec>
    <sec id="sec-8">
      <title>Conclusions and Future Work</title>
      <p>In this paper, we presented SBAC as an access control model for protecting
Semantic Web resources. SBAC takes into account semantic interrelations among
entities in the domains of decision making of access control. Automated decision
making in SBAC for permitting or denying an access request is done through
inference processes based on the semantic relation among entities. We have shown
that SBAC can provide space-efficient expression of rules with faster reasoning
time than by using a standard ontology.</p>
      <p>One of the useful features that is not addressed in SBAC is context-awareness.
For example, currently a security administrator cannot specify “(s,o,a) allowed
only between 9am–5pm”. One of our future works is to extend SBAC to DSBAC
(Dynamic SBAC), which uses context ontologies to capture the current context
and use it for more expressive reasoning.</p>
      <p>
        To enhance the expressiveness of the model for describing the authorization
rules, more expressive logics in the logic layer of the Semantic Web stack can be applied.
Since more expressive logics are less decidable, approaches like client-based access
control [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ] seem suitable for delegating some access control phases
to the client side.
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>Hengartner</surname>
            ,
            <given-names>U.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Steenkiste</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          :
          <article-title>Exploiting information relationships for access control</article-title>
          .
<source>In: Proceedings of the Third IEEE International Conference on Pervasive Computing and Communications (PerCom 2005)</source>
          , Kauai Island, HI (
          <year>2005</year>
          )
          <fpage>278</fpage>
          -
          <lpage>296</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Bonatti</surname>
            ,
            <given-names>P.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Duma</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fuchs</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
<string-name>
            <surname>Nejdl</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Olmedilla</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Peer</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shahmehri</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          :
          <article-title>Semantic web policies - a discussion of requirements and research issues</article-title>
          .
          <source>In: ESWC 2006</source>
          (
          <year>2006</year>
          )
          <fpage>712</fpage>
          -
          <lpage>724</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Samarati</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
,
          <string-name>
            <surname>di Vimercati</surname>
            ,
            <given-names>S.C.</given-names>
          </string-name>
          :
          <article-title>Access control: Policies, models, architectures</article-title>
          .
          <source>In: FOSAD 2000, Volume 2171 of LNCS</source>
          , Springer-Verlag (
          <year>2001</year>
          )
          <fpage>137</fpage>
          -
          <lpage>196</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Qin</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Atluri</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          :
          <article-title>Concept-level access control for the semantic web</article-title>
          .
<source>In: ACM Workshop on XML Security</source>
          , Fairfax, VA, USA (
          <year>2003</year>
          )
          <fpage>94</fpage>
          -
          <lpage>103</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Yague</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mana</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
<string-name>
            <surname>Lopez</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          :
          <article-title>Applying the semantic web layers to access control</article-title>
          .
          <source>In: Proceedings of the 14th IEEE International Workshop on Database and Expert Systems Applications</source>
          (
          <year>2003</year>
          )
          <fpage>622</fpage>
          -
          <lpage>626</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Hayes</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Horrocks</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Patel-Schneider</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
<string-name>
            <surname>Boley</surname>
          </string-name>
          ,
          <string-name>
            <surname>Tabet</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Grosof</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Dean</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>SWRL: A Semantic Web Rule Language Combining OWL and RuleML</article-title>
          (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Denker</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kagal</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Finin</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Paolucci</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sycara</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
<article-title>Security for DAML web services: Annotation and matchmaking</article-title>
          .
          <source>In: Proceedings of the 2nd International Semantic Web Conference</source>
          , Sanibel Island, Florida, USA (
          <year>2003</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Rabitti</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bertino</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kim</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Woelk</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          :
<article-title>A model of authorization for next-generation database systems</article-title>
          .
          <source>ACM TODS 16(1)</source>
          (
          <year>1991</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
<string-name>
            <surname>Prud'hommeaux</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          :
          <article-title>W3C ACL System</article-title>
          (
          <year>2001</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>Moses</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          :
<article-title>eXtensible Access Control Markup Language (XACML), version 2.0</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
<string-name>
            <surname>Joshi</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          :
          <article-title>Access-control language for multi-domain environments</article-title>
          .
          <source>IEEE Internet Computing</source>
          <volume>8</volume>
          (
          <issue>6</issue>
          ) (
          <year>2004</year>
          )
          <fpage>40</fpage>
          -
          <lpage>50</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Kagal</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Finin</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Joshi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>A policy language for a pervasive computing environment</article-title>
          .
<source>In: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks</source>
          . (
          <year>2003</year>
          )
          <fpage>63</fpage>
          -
          <lpage>74</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Patel-Schneider</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hayes</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Horrocks</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          :
          <article-title>OWL: Web Ontology Language Semantics and Abstract Syntax</article-title>
, W3C Recommendation
          (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Horrocks</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          :
<article-title>The FaCT system</article-title>
          .
          <source>In: Automated Reasoning with Analytic Tableaux and Related Methods: International Conference Tableaux'98</source>
          , Springer-Verlag (
          <year>1998</year>
          )
          <fpage>307</fpage>
          -
          <lpage>312</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Ehrig</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Haase</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Stojanovic</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hefke</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
<article-title>Similarity for ontologies - a comprehensive framework</article-title>
          .
          <source>In: Workshop Enterprise Modelling and Ontology: Ingredients for Interoperability, PAKM 2004</source>
          (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Parsia</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sirin</surname>
          </string-name>
          , E.:
<article-title>Pellet: An OWL DL Reasoner</article-title>
          . In: Möller, R., Haarslev, V. (eds.)
          <source>Proceedings of the International Workshop on Description Logics (DL2004)</source>
          . (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Bauer</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Schneider</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
<string-name>
            <surname>Felten</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          :
          <article-title>A general and flexible access-control system for the web</article-title>
          .
          <source>In: Proceedings of the 11th USENIX Security Symposium</source>
          . (
          <year>2002</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>