Reasoning with advanced policy rules and its application to access control

This paper presents a formal framework to represent and manage advanced policy rules, which incorporate the notions of provision and obligation. Provisions are those conditions that need to be satisfied or actions that must be performed by a user or an agent before a decision is rendered, while obligations are those conditions or actions that must be fulfilled by either the user or agent or by the system itself within a certain period of time after the decision. This paper proposes a specific formalism to express provisions and obligations within a policy and investigates a reasoning mechanism within this framework. A policy decision may be supported by more than one rule-based derivation, each associated with a potentially different set of provisions and obligations (called a global PO set). The reasoning mechanism can derive all the global PO sets for each specific policy decision and facilitates the selection of the best one based on numerical weights assigned to provisions and obligations as well as on semantic relationships among them. The formal results presented in the paper hold for many applications requiring the specification of policies, but this paper illustrates the use of the proposed policy framework in the security domain only.

[1]  Jorge Lobo,et al.  Monitors for History-Based Policies , 2001, POLICY.

[2]  Jorge Lobo,et al.  A Policy Description Language , 1999, AAAI/IAAI.

[3]  Roel Wieringa,et al.  Applications of deontic logic in computer science: a concise overview , 1994 .

[4]  Elisa Bertino,et al.  An access control model supporting periodicity constraints and temporal reasoning , 1998, TODS.

[5]  Michael R. Genesereth,et al.  Logical foundations of artificial intelligence , 1987 .

[6]  Sushil Jajodia,et al.  Solving multi-granularity temporal constraint networks , 2002, Artif. Intell..

[7]  Elisa Bertino,et al.  An Authorization Model for a Distributed Hypertext System , 1996, IEEE Trans. Knowl. Data Eng..

[8]  Rina Dechter,et al.  Temporal Constraint Networks , 1989, Artif. Intell..

[9]  Teodor C. Przymusinski On the Declarative Semantics of Deductive Databases and Logic Programs , 1988, Foundations of Deductive Databases and Logic Programming..

[10]  Bruce G. Lindsay,et al.  On Maintaining Priorities in a Production Rule System , 1991, VLDB.

[11]  Sushil Jajodia,et al.  Time Granularities in Databases, Data Mining, and Temporal Reasoning , 2000, Springer Berlin Heidelberg.

[12]  Tim Finin,et al.  A Security Architecture Based on Trust Management for Pervasive Computing Systems , 2002 .

[13]  Michiharu Kudo,et al.  XML document security based on provisional authorization , 2000, CCS.

[14]  Jeffrey D. Ullman,et al.  Principles of Database and Knowledge-Base Systems, Volume II , 1988, Principles of computer science series.

[15]  Sushil Jajodia,et al.  Enabling the sharing of neuroimaging data through well-defined intermediate levels of visibility , 2004, NeuroImage.

[16]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[17]  Simon S. Lam,et al.  Authorizations in Distributed Systems: A New Approach , 1993, J. Comput. Secur..

[18]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[19]  Joan Feigenbaum,et al.  Compliance Checking in the PolicyMaker Trust Management System , 1998, Financial Cryptography.

[20]  David Gries,et al.  The Science of Programming , 1981, Text and Monographs in Computer Science.

[21]  Sven Ove Hansson,et al.  Review of Deontic Logic in Computer Science: Normative System Specification, John-Jules Ch. Meyer and Roel J. Wieringa (eds.), John Wiley & Sons, Chichester 1993 , 1994, Bull. IGPL.

[22]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[23]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[24]  Karl Aberer,et al.  A language for information commerce processes , 2001, Proceedings Third International Workshop on Advanced Issues of E-Commerce and Web-Based Information Systems. WECWIS 2001.

[25]  Jorge Lobo,et al.  Policies for Distributed Systems and Networks , 2001, Lecture Notes in Computer Science.

[26]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[27]  Jeffrey D. Uuman Principles of database and knowledge- base systems , 1989 .

[28]  Sushil Jajodia,et al.  Provisional Authorizations , 2001, E-Commerce Security and Privacy.

[29]  Sushil Jajodia,et al.  Obligation monitoring in policy management , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[30]  Timothy W. Finin,et al.  Trust-Based Security in Pervasive Computing Environments , 2022 .