Extensible access control markup language integrated with Semantic Web technologies

Information Sciences 238 (2013) 33–51

Contents lists available at SciVerse ScienceDirect

Information Sciences

journal homepage: www.elsevier .com/locate / ins

Extensible access control markup language integratedwith Semantic Web technologies

0020-0255/$ - see front matter � 2013 Elsevier Inc. All rights reserved.http://dx.doi.org/10.1016/j.ins.2013.02.046

E-mail address: [email protected]

I. Ching HsuDepartment of Computer Science and Information Engineering, National Formosa University, 64, Wenhua Rd., Huwei Township, Yunlin County 632, Taiwan

a r t i c l e i n f o

Article history:Received 12 April 2011Received in revised form 4 February 2013Accepted 23 February 2013Available online 6 March 2013

Keywords:XACMLSemantic WebOntologySWRLAuthorization

a b s t r a c t

The eXtensible Access Control Markup Language (XACML) is a standard language forexpressing access control policies. The concept of authorization policy has been introducedin XACML-based Web security systems to reduce policy conflicts, enhance policy reusabil-ity, simplify policy analysis, and facilitate interoperability. Achieving these goals requiresintelligent dynamic authorization. Unfortunately, conventional XACML lacks the computerinterpretability needed to support knowledge representation. This study addresses theissue by defining a Multi-layer Semantic XACML Framework (MSACF) for integratingSemantic Web technologies in XACML. Based on the MSACF, this study also developsLAPAR, an intelligent XACML shell consisting of an Ontology Base, an XML-Based Reposi-tory, and an Inference Engine to enable different approaches for enhancing knowledgerepresentations. The feasibility of LAPAR is confirmed in a prototype java-based implemen-tation that can be associated with various domain ontologies and knowledge to enabledynamic authorization for different security applications.

� 2013 Elsevier Inc. All rights reserved.

1. Introduction

In recent years, the Internet has greatly changed approaches to resource sharing and information delivery. The main fea-ture of new-generation internet applications is the media used for sharing and exchanging resources. These new-generationinternet applications generally have several common features related to access authorization. First, they enable users to storeall their data on the Internet, including personal and/or sensitive information. Second, they support on-demand internet ac-cess to online resources. Third, they support virtualization techniques for using a shared infrastructure to deploy and manageservices. Based on these characteristics, whether resources are intelligently authorized before providing access is a currentchallenge in new-generation Internet environment. One potential solution is eXtensible Access Control Markup Language(XACML) [29], a widely used standard language for expressing access control policies. The XACML is developed by OASIS thatuses XML to describe a policy language and an access control decision request/response language. The policy language allowsadministrators to define the requirements for accessing their application resources in the information system. The request/response language describes request authorization queries and their responses. However, XACML lacks the knowledgerepresentations needed to address computer-interpretable effects.

Since XACML is an XML-based markup language, its main limitation is that it focuses on syntax and format rather thansemantics and knowledge. Hence, although XACML provides an exchangeable policy format and is human-readable, it lacksthe semantic metadata needed for reasoning and inference functions. These functions provide the computer-interpretabledescriptions needed for authorization policy reusability, autoexec authorization policy generation, dynamic authorizationpolicy evaluation, and heterogeneous authorization policies. Ontology technologies have been used for semantic and

http://dx.doi.org/10.1016/j.ins.2013.02.046

mailto:[email protected]

http://dx.doi.org/10.1016/j.ins.2013.02.046

http://www.sciencedirect.com/science/journal/00200255

http://www.elsevier.com/locate/ins

34 I. Ching Hsu / Information Sciences 238 (2013) 33–51

knowledge representation in many areas of the computer science [28,33,43]. Proposed solutions use web-based ontology forformal specification of a shared conceptualization of authorization policies, e.g., KAoS [5,40], Rei [23], Rein [24], EXAM-S [12]and Semantic Web Rule Language (SWRL) [17].

Web-based ontologies such as RDF Schema [6] and OWL (Web Ontology Language) [37,38] are designed to make state-ments about Web resources without requiring modification of the resource itself. This enables administrators to annotateand encode the semantic relationships among resources and subjects in the XACML-based documents. However, althoughweb-based ontologies can represent simple implications and class taxonomies, they have no mechanism for defining arbi-trary, multi-element antecedents [14,15]. The general Horn clause statements cannot be explicitly represented by usingprimitives in a web-based ontology. Therefore, a specification with improved flexibility for expressing rule-based policiesis needed. The semantic Web [7,35] is a potential solution to these problems.

For enhanced knowledge representation in XML-based markup language, the conventional Semantic Web approach is toupgrade the original XML-based markup language to ontology-based markup language. The upgrade from XML-based mark-up language to ontology-based markup language has been investigated in earlier studies [22,30]. However, a limitation ofthis approach is that the original XML-based markup language must be replaced with a new ontology-based markup lan-guage. Another approach is global-as-view [8,9,42], which can preserve the nesting structure of the XML document for map-ping XML schemas to local RDFS ontologies. The main limitation of this approach is that only part of the Semantic Webtechnology, i.e., the ontology, is used.

The novel integration approach proposed here combines the first four layers of the Semantic Web stack (see Section 2.1),i.e., the URI layer, XML (XACML) layer, ontology (OWL) layer, and rule (SWRL-based policy rule) layer. This integrationapproach is defined in a formal structure, called Multi-layer Semantic XACML Framework (MSACF), which is a specificsub-model of the Semantic Web stack for XACML-based security policy applications. The MSACF integrates Semantic Webtechnologies with XACML for enhanced computational reasoning. However, the original XACML can be retained to cooperatewith ontologies and rules. That is, since the MSACF does not change the original XACML schema, existing XACML-based doc-uments can still be used.

To confirm the feasibility of the MSACF for managing authorization decisions, this study developed LAPAR, an intelligentXACML shell based on this framework. The core components of LAPAR include the Inference Engine, XML-Based Repository,and Transformation Engine. It supports three different approaches for finding and deriving relevant authorization policies toevaluate a dynamic request, namely XACML-based document, ontology-based reasoning, and access rule inference. Dynamicevaluation is desirable for several reasons. Firstly, for each requester, it is customized according to the XACML-based docu-ment and ontology-based semantic requested so far. Secondly, because the content of an access request or policy may keepchanging, dynamic finding provides more up-to-date evaluations than a static design. Thirdly, it can be used at run-time todecide what authorization to deliver to the requester.

This study makes three main contributions. (1) It defines a common MSACF framework for integrating Semantic Webtechnologies into XACML to facilitate machine understanding. Because the access control rule is located on top of the ontol-ogy, administrators can modify authorization the policy by revising the semantics of the ontology without changing the ac-cess control rules. (2) An intelligent LAPAR is implemented to confirm the feasibility of MSACF. The LAPAR can be associatedwith various domain ontology and knowledge to offer dynamic authorization evaluation for different security applications.(3) The LAPAR is easily transplanted to XACML-based security applications.

The rest of this paper is organized as follows. The next section briefly reviews the current Semantic Web technologies andXACML applications. Section 3 defines the MSACF. Section 4 describes the LAPAR architecture. Section 5 gives a concreteexample of how XACML, OWL and SWRL integrated in MSACF facilitates intelligent access control. Section 6 demonstrateshow the prototype java-based LAPAR work. Finally, concluding remarks and future work are presented.

2. Related works

This section briefly discusses current Semantic Web technologies and access policy languages.

2.1. Semantic Web technologies

The Semantic Web is an extension of the current web in which information is given well defined meaning, better enablingcomputers and people to work in cooperation [4]. Many studies [1,19,20,36,41] adopt Semantic Web to build intelligentapplications in various domains. This study primarily focuses on the first four layers of Semantic Web Stack, includingURI, XML, Ontology, and Rules layers. The first layer (including Unicode and URI) and the second layer (including XML,Namespace, and XML Schema) represent current web technology. The URI enables identification of any web-based resource.Unicode provides the basic character set for web-based resources. The XML and XML Schema provide a surface syntax forstructured documents but impose no semantic constraints on the meaning of these documents.

The third layer is the ontology vocabulary, which is now being widely adopted along with the development of ontologymarkup languages such as RDF [25], RDF Schema, DAML+OIL [16], and OWL. Definition 1 is the formal definition of web-based ontology.

I. Ching Hsu / Information Sciences 238 (2013) 33–51 35

Definition 1 (Ontology). A web-based ontology O 2 K is a tuple O = hC,P,a,b,c,R,Pi, where C denotes a set of conceptsrepresenting classes in an ontology; P denotes a set of relations representation properties in an ontology; a denotes thehierarchical relation function for classes. a: C ? C, where a(c1) = c2 means that c1 is a subclass of c2; b denotes thehierarchical relation function for properties. b: P ? P, where b(p1) = p2 means that p1 is a sub-property of p2; c denotesthe attribute relation function between classes. c: P ? C � C, where c(p1) = (c1,c2) means that domain of p1 is c1 and range ofp1 is c2; R denotes a set of ontology axioms, expressed in an appropriate description logic; P denotes a set of RDF-basedontology language, such as RDF schema, DAML+OIL, or OWL.

These RDF-based ontology languages can be used to create arbitrary domain ontologies that unambiguously describe webcontent. The RDF and RDF Schema are languages for describing resources and their types. Therefore, these languages are ba-sic building blocks for the Semantic Web. The OWL, which is essentially an XML encoding of an expressive Description Logic,builds upon the RDF by including an RDF-Schema. Compared to RDF and RDFS, OWL has more facilities for expressing mean-ing and semantics. Therefore, it is superior for representing machine-readable content on the Web. Unfortunately, theseontology markup languages do not adequately describe the conditions under which specific relations might hold. Therefore,implications must be explicitly represented, e.g., by logic programs such as rules. The broad consensus that has evolved inthe Semantic Web community is that the Semantic Web should specifically include both rules and ontologies. The rules inthe fourth layer of the W3C Semantic Web stack reflect this consensual perspective. Formal definition for rule is described inDefinition 2.

Definition 2 (Rule). A rule RL 2 R is a tuple RL = hC,P,H,B,Exp,RLPi, where H denotes the head of the rule. H � C [ P; Bdenotes the body of the rule. B � C [ P; Exp denotes the rule of the form ‘if b1 andb2 and . . .andbn then h0, whereh 2 H; b1; b2; . . . ; bn 2 B; RLP denotes a set of rule logic programs, such as RuleML, XRML [26], SRML[39] or SWRL.

To build a rule layer on top of the ontology layer of the Semantic Web, the use of rule formalisms originally introduced inthe Logic Programming field has been proposed. The Rule Markup Language (RuleML) provides a natural mark-up for Datalogrules and uses XML tags, such as hheadi, hbodyi, and hatomi. Along with other tools, this language is mainly used for standardrule markup during translation in and out. The eXtensible Rule Markup Language (XRML) is composed of rule identification,rule structure, and rule triggering markup languages. The XRML is applicable for automated form processing, preventiveauditing, rule exchange and integration, and agent-based e-commerce. The Simple Rule Markup Language (SRML) is a gen-eric rule language with a subset of language constructs common to the popular forward-chaining rule engines. Another rulemarkup approach is the Semantic Web Rule Language (SWRL), a member submission to the W3C. It is a combination of OWLDescription Logic (DL) and OWL Lite sublanguages of the OWL. The SWRL includes an abstract syntax for Horn-like rules inboth of its sublanguages.

2.2. Access policy language

Access policy is a major privacy issue in the recent literature. Current non-semantic access policy frameworks includePonder [10], XRBAC [21] and XACML [29]. Ponder is an object-oriented policy language, supports specifications for the man-agement policies used in distributed systems. The XRBAC is an XML-based access control specification language for manag-ing access to information systems. The XRBAC uses an extension of the popular RBAC architecture to address policyspecifications [34]. The XACML language is an OASIS standard that adopts XML to describe a policy language and an accesscontrol decision request/response language. However, it cannot provide the semantic knowledge representations needed toauthorize applications. These non-semantic access policy frameworks cannot manage descriptions of policy content. Onesolution is adopting a semantic web language that uses ontology to describe the policy content.

Policy languages based on Semantic Web technologies can describe policies for heterogeneous domain data and can en-hance the knowledge representation needed for common understanding. For distributed policy management, enforcement,and conflict resolution, the KAoS platform [5,40] uses DAML to define KAoS Policy Ontologies for describing various conceptsrelated to access control polices, including actions, actors, groups, places, conditions, and policies. For a specific applicationdomain, an ontology is expected to be extendable to additional classes, properties, and instances. The Rei [23] policy frame-work integrates support for policy specification, analysis and reasoning. It adopts ontology technologies such as RDFS, DAM-L+OIL, and OWL to represent concepts such as the rights and obligations relevant to a policy. Like KAoS, Rei allows users toextend the basic ontology by adding domain-dependent ontologies to express concepts and resources for specific domains.Rein [24] is a policy framework based on Semantic Web technologies to provide web-based policy management. It definesthe Rein policy network ontology and the Rein request ontology for modeling information used to develop domain and policylanguages for specific security systems. Based on the Rein framework, the existing policy languages such as XACML, Platformfor KAoS, and Rei can be considered domain-specific policy languages.

The XACML+OWL [13] shows that OWL-based ontologies are sufficiently powerful to represent a hierarchical RBAC. TheOWL-based ontologies are integrated with XACML as a two-layer framework in which access control is modeled by anOWL-based ontology whereas policy is specified by the XACML. The EXAM-S [12] supports a comprehensive environmentfor analyzing and managing XACML-based access control policies. The EXAM-S has an XACML extension for dealing withontology-based access control models and a policy similarity measure that can be used for filtering during policy


comparison. The KAoS, Rei, XACML+OWL, EXAM-S, and Rein approaches, however, rely purely on ontology capabilities.Therefore, they have difficulty defining certain policies such as those requiring definition of variables. In the architectureproposed in [31], XACML was extended by using SWRL to infer attributes. However, SWRL is only a general rule forauthorization decisions, not a policy rule.

The main limitation of the above studies is that they only consider ontology-based knowledge representation. Althoughan ontology can represent the semantic implications needed to support decidable reasoning, it cannot provide a mechanismfor defining arbitrary, multi-element antecedents. For example, the description logic of an ontology cannot represent com-plex non-monotonic rules. The solution proposed in this study is a novel Multi-layer Semantic XACML Framework (MSACF)that uses four layers of the semantic Web stack, including the URI layer, XML (XACML) layer, ontology (OWL) layer and rule(SWRL-based policy rule) layer, for integrating Semantic Web technologies into XACML. The proposed MSACF is used to de-velop LAPAR, an intelligent XACML shell that provides three different approaches for finding and deriving relevant authori-zation policies to evaluate a dynamic request, including XACML-based document, ontology-based reasoning, and access ruleinference.

In the XACML-based document approach, policies such as the XACML request/response policy are mapped to the XACMLlayer. The ontology-based reasoning approach offers OWL-based ontologies based on description logics to provide sound anddecidable reasoning to subjects and resources in XACML, and is mapped to Ontology layer. In contrast, the access rule infer-ence approach supports dynamic inference capabilities complementary to those of an ontology-based reasoning approach.By building rules on top of ontologies, this approach can add intelligence based on logic programs. The access rule inferenceapproach is developed on top of the Ontology layer and is mapped to the Rule layer rather than general application layer. TheMSACF differs from other approaches mainly in its support of intelligent access control by integrating different knowledgerepresentations, including XACML-based documents, OWL-based ontologies, and SWRL-based policy rules.

3. Multi-layer Semantic XACML Framework

The section gives formal definitions to represent different layers of Multi-layer Semantic XACML Framework (MSACF),including entity, XACML, ontology, and rule. In particular, each layered component is formally described with respect toXACML. Fig. 1 schematically depicts an illustrative example of program-markup language interactions in accordance withthe framework, indicating how multi-layer semantic Web technologies are adopted.

Definition 3. (Multi-layer Semantic XACML Framework). This multi-layer semantic framework for XACML applications can beformally defined, and is called the Multi-layer Semantic XACML Framework (MSACF). The framework consists of a tupleMSACF = hL,X,K,SCM,Di where L denotes a collection of entities E in the URI layer (refer to Definition 4 for E). X denotes acollection of XACML-based documents in the XML layer (refer to Definition 5 for XACML-based documents). K denotes a

Fig. 1. Access control security application instance in the multi-layer semantic framework.


collection of ontologies O in the ontology layer (refer to Definition 1 for O). SCM denotes the semantic class-mappingannotation that defines how XACML can be combined with ontology-based knowledge (refer to Definition 6 for SCM). Ddenotes a collection of rules RL in the rule layer (refer to Definition 2 for RL).

Example 1. Consider the concrete example given in Fig. 1. L represents a set of entities, including Jack Pan, a teacher, For-mosa, a school, the ICT Journal, and an Information Management article. X is a set of request and policy documents that arecoded with XACML, including B13022, NFU, 0957-41XB, and doi:23.190.062. The JourSub ontology, K, is based on OWL and Drefers to the security policies, coded with SWRL.

Definition 4. An entity E 2 L is a tuple E = hEid,TP,AEi, where Eid denotes a unique entity identifier, e.g., URI. TP is the entitytype, which can be divided into two categories: subject and resource (refer to Definition 5 for Subject and Resource). AE

denotes a list of entity attributes.

Definition 5. The set of different XACML-based document, H = {Request,Policy,Response}, classifies document into XACMLRequest, XACML Policy, and XACML Response.

Request can be further defined as follows:Request = hSubject, Resource, Action, Otheri, where

Subject denotes a subject in XACML.Resource denotes a resource in XACML.Action denotes an action in XACML.Other denotes other metadata in the XACML request document.

Policy can be further defined as follows:Policy = hSubject, Resource, Action, Condition, Otheri, where

Condition denotes an expression of predicates in XACML and provides a function for evaluating whether they are ‘‘True’’,‘‘False’’ or Indeterminate’’.

Other denotes other metadata in the XACML policy document.

Response can be further defined as follows:Response = hRequest, Policy, Decision>, where

Decision denotes the evaluation results for the decision Request against the Policy. The Decision value may be ‘‘Permit’’,‘‘Deny’’, ‘‘NotApplicable’’ or ‘‘Indeterminate’’.

The XACML Information Model has three categories based on the definitions given in the XACML specifications. The threedocument categories are XACML request, XACML policy, and XACML response. The XACML request declares the access con-trol requests for a specific resource. The XACML policy describes general access control requirements for all resources in thecomputer system.A subject is defined as a user, but can be extended to include department, organization, machines, net-works, or software agents. Resources, which can include data, a file, a program, a service, or a system component, are dis-tributed on the Internet and are identified by URI.

Definition 6 (Semantic Class-Mapping Annotation). A semantic class-mapping mechanism is a tuple SCM = hXACMLD, Sub-ject,Resource,C,K,Yi, where XACMLD denotes an XACML-based request or policy document; Subject denotes a subject inXACML; Resource denotes a resource in XACML; C denotes a set of concepts representing classes in an ontology; Kdenotes arequest class-mapping function. K: {Subject [ Resource} ? C

The request class-mapping function enables use of the DataType attribute of the Attribute element to refer to an ontolog-ical class. Therefore, an additional semantic about the subjects or resources can be obtained.

Y denotes a policy class-mapping function. Y: {Subject [ Resource} ? C

By using the policy class-mapping function, the DataType attribute of the AttributeVaule element can be used to refer toan ontological class such that an additional semantic about the subjects or resources can be obtained.

In XACML, the DataType attribute of the Attribute element or the AttributeValue element can be used to obtain additionalsemantic information. The Attribute element can specify a feature of the request subject/resource, while the AttributeValueelement can elucidate the meaning of the policy subject/resource with which the request is concerned. The value of the Data-Type attribute is a URI reference that identifies the subject/resource of the intended property. In the semantic XACML frame-work, each subject/resource is associated with a classification metadata to acquire an additional semantic from a specificontology class. These ontologies are implemented in OWL that can be integrated into XACML, and as a result, the semanticcapabilities of AXCML were greatly improved.


Example 2. Fig. 1 shows an example of an instantiated request document. Here, Subject = B13022 subject object refers to aspecific ontology class when requesting a request class-mapping function such as, K(B13022) = Teacher. Additionally,Resource = doi:23.190.062 resource object refers to a specific ontology class when requesting a request class-mappingfunction such as, K(doi:23.190.062) = Article.

4. System architecture of LAPAR

The LAPAR can be associated with various domain ontologies and knowledge. The XACML is essentially a standard formatfor expressing access control policies. The LAPAR supports three different approaches for finding the dynamic correlation of acertain XACML-based request, including XACML-based document, ontology-based reasoning and policy rule inference. TheLAPAR adopts OWL and SWRL to provide ontology-based reasoning and a rule-based inference for dynamic authorizationand evaluation, respectively.

The first approach, called XACML-based document, adopts XACML-based metadata to describe requests. This approach isused to develop existing XACML applications, but still cannot intelligently capture relevant semantic. The ontology-basedreasoning approach offers OWL-based ontologies based on description logics to provide sound and decidable reasoning toXACML, and therefore can enhance the semantic reasoning capabilities of XACML. The policy rule inference approach cansupport dynamic inference capabilities that are complementary to those of an ontology-based reasoning approach. By build-ing rules on top of ontologies, this approach can add intelligence based on logic programs.

The core components of XACML shell, LAPAR, include the XML-Based Repository, Inference Engine, and TransformationEngine. Fig. 2 depicts the dataflow-oriented LAPAR architecture.

4.1. XML-Based Repository

XML-Based Repository is composed of Ontology Base, SWRL Base, and Style Sheet Base. The Ontology Base corresponds tothe ontology layer of the multi-layer semantic framework and consists of OWL-based ontologies that provide semantic rea-soning based on a specific domain for security concerns. The SWRL Base, which is located in the rule layer of the multi-layersemantic framework, consists of SWRL-based rules to support a flexible and complex reasoning mechanism that is not in-cluded in OWL-based ontologies. Authorization policies are converted from annotated XACML-based rules to SWRL-basedrules. Style Sheet Base supports four different XSLT style sheets: OWL2JESS, SWRL2JESS, JESS2XACML, and XACML2SWRLstyle sheet. An XSLT style sheet is also an XML document that specifies the rules and templates to transform one documentinto another.

Fig. 2. The dataflow-oriented LAPAR architecture.


4.2. Transformation Engine

Transformation Engine is a transcoding agent that is an XSLT processor based on Xalan. The principal role of thetranscoding agent is to apply an XSLT style sheet to an XML-based document and generate a specific XML-baseddocument.

4.3. Inference Engine

Inference Engine is an intelligent agent that is implemented based on a JESS-based rule engine. It is composed of JESS-based Inference Engine, JESS-based facts, and JESS-based rules. JESS-based facts and rules are temporary data that are notstored on LAPAR. These JESS-based data are deleted from the memory at the end of the inference process.

In an XACML policy transformation, the data flow is as follows.

A. This manual annotation step creates annotated XACML-based policies. Policy Administration Point (PAP) performs thefollowing task to annotate the original XACML-based policies.
A1. The subject ID and resource ID of the original XACML-based policies are used to find relevant ontology classes byquerying the Ontology Base.A2. The DataType attribute value is assigned to an ontology class URL.
B. The Transformation Engine captures SWRL-based rules as follows:
B1. It receives annotated XACML-based policies from the PAP.B2. The XACML2SWRL.xsl XSLT style sheet is used to transform these annotated XACML-based policies into SWRL-based rules.
The data flow for authorization evaluation is as follows.

1. This step indicates the XACML-based document approach. The Transformation Engine performs three steps to captureJESS-based facts:1.1. Receive an annotated XACML-based request containing the subject, resource, and action from the Requester.1.2. Use the subject ID and resource ID to find all directly or indirectly relevant instances in the Ontology Base.1.3. The instances are converted into JESS-based facts.

2. This step is the ontology-based reasoning approach. The Transformation Engine performs three steps to capture JESS-based rules:2.1. Use the DataType attributes of the subject or resource element to find relevant ontologies by querying the Ontology

Base.2.2. The OWL2Jess.xsl XSLT style sheet is used to transform these semantics of OWL-based ontologies into JESS-based

rules.3. This step is the rule-based inference approach. The Transformation Engine conducts the following tasks to capture JESS-

based rules:3.1. Use the relevant ontologies mentioned in Step 2.1 to retrieve relevant SWRL-based rules by querying the SWRL

Base.3.2. Use the SWRL2JESS.xsl XSLT style sheet to transform these SWRL-based rules into JESS-based rules.

4. The JESS-based Inference Engine derives new JESS-based facts from these existing JESS-based facts and JESS-based rules.These new JESS-based facts are the authorization decision.

5. The Transformation Engine conducts the following tasks to capture inferred XACML-based response:5.1. Receive the new inferred JESS-based facts (Step 4) from the Inference Engine.5.2. Use the subject ID and resource ID to find the match JESS-based fact.5.3. Use the JESS2XACML.xsl XSLT style sheet to transform the JESS-based facts into an inferred XACML-based response.

6. Finally, Transformation Engine passes the XACML-based response to the Requester.

5. Domain knowledge and metadata development

This section discusses the example of an access control security system for an academic domain to demonstrate how theMSACF integrates the layers of a multilayer semantic Web stack (i.e., XACML, OWL and SWRL) to facilitate control of intel-ligent access. This access control security example is used throughout this study, which is used to illustrate the reasoningcapabilities of LAPAR in Section 5. Section 6 shows how the prototype java-based LAPAR supports XACML-based systemsin intelligent evaluation of access control based on semantic web technologies.

As described in Section 5.1, this study uses JourSub in the ontology layer to enhance semantic descriptions for XACML inthe specific academic domain. For the rule layer, Section 5.4 defines non-monotonic rules, which are coded in SWRL format,for the top of the JourSub ontology. These SWRL-based rules are used to set the authorization policies. Section 5.3 illustrateshow XACML-based request and XACML-based policy can be annotated using classes of JourSub ontology.

Fig. 3. The semantic structure of the JourSub ontology.


5.1. Ontology development

The JourSub ontology is used to capture the semantic-based knowledge in a widely adopted generic structure (e.g.,Journal, Archive, Article, School, Person, Teacher, Student class, etc.) involved in the academic domain. Fig. 3 showsthe semantic structure of the JourSub ontology with an UML class diagram. The UML class diagram provides a graphicaloverview of the domain concepts and their relationships. All entity classes and properties shown in the diagram havealready been described in detail. In addition to the model constraints shown in the diagram, the following Constraints1–9 are applicable.

The following six constraints present some partial code of the JourSub ontology to illustrate OWL-based descriptionlogics, including subclass, cardinal restriction, inverse property, transitive property, and symmetric property, respectively.

Constraint 1. SubclassOWL expression<owl:Class rdf:ID=’’Teacher’’>

<rdfs:subClassOf rdf:resource=’’#Person’’/></owl:Class>Semantic meaningThe Teacher is a subclass of the Person.Rule expressionif Teacher(x) then Person(x)

Constraint 2. Cardinal restrictionOWL expression<owl:Class rdf:ID=’’Archive’’>

<rdfs:subClassOf><owl:Restriction owl:mincardinality=’’1’’>

<owl:onProperty rdf:resource=’’#consistOf’’/></owl:Restriction>

</rdfs:subClassOf></owl:Class>Semantic meaningThe Archive class requires at least one consistOf property.Rule expressionif consistOf(x,y) and Archive(x) then cardinality(consistOf(x,y))>=1

Constraint 3. Inverse propertyOWL expression<owl:ObjectProperty rdf:ID=’’employer’’>

<owl:inverseOf rdf:resource=’’#employee’’/><rdfs:domain rdf:resource=’’#School’’/>


<rdfs:range rdf:resource=’’#Person’’/></owl:ObjectProperty>

Semantic meaningThere is an inverse relation between employer property and employee property.Rule expressionif employer(x,y) then employee(y,x)

Constraint 4. Inverse propertyOWL expression<owl:ObjectProperty rdf:ID=’’member’’>

<owl:inverseOf rdf:resource=’’#memberOf’’/><rdfs:domain rdf:resource=’’#Archive’’/><rdfs:range rdf:resource=’’#School’’/>

</owl:ObjectProperty>Semantic meaningThere is an inverse relation between member property and memberOf property.Rule expressionif member(x,y) then memberOf(y,x)

Constraint 5. Transitive propertyOWL expression<owl:TransitiveProperty rdf:ID=’’reference’’>

<rdfs:domain rdf:resource=’’#Article’’/><rdfs:range rdf:resource=’’#Article’’/>

</owl:TransitiveProperty>Semantic meaningIf article x refers to article y and y refers to article z, then x refers to z.Rule expressionif reference(x,y) and reference(y,z) then reference(x,z)

Constraint 6. Symmetric propertyOWL expression<owl:SymmetricProperty rdf:ID=’’overlap’’>

<rdfs:domain rdf:resource=’’#Archive’’/><rdfs:range rdf:resource=’’#Archive’’/>

</owl:SymmetricProperty>Semantic meaningThe overlap relation is symmetric.Rule expressionif overlap(x,y) then overlap(y,x)

5.2. Instances of JourSub ontology

The partial instances of the JourSub ontology shown in Fig. 1 are summarized in Table 1. The first four rows representinstances and the last three rows represent relations between these instances. For example, the entity ID ‘‘B13022’’ is an in-stance of Teacher class. Therefore, it can inherit semantic knowledge from Teacher class. The relation addresses the relation-ship (e.g., domain NFU, range, B13022) as an instance of the employer property. Since B13022 to NFU represents anemployee relationship, the relationship can inherit semantic knowledge from employee property.

Table 1The partial instances in JourSub ontology.

Entity ID Domain Range Class Property

NFU SchoolB13022 Teacher0957-41XB Journaldoi:23.190.062 Article

NFU B13022 Employer0957-41XB NFU Member0957-41XB doi:23.190.062 Consistof

<Request>

<Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"

DataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Teacher"><AttributeValue>B13022</AttributeValue></Attribute></Subject>

<Resource>

<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"

DataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Article"><AttributeValue>doi:23.190.062</AttributeValue></Attribute>

</Resource>

<Action>

<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

DataType="http://www.w3.org/2001/XMLSchema#string">

<AttributeValue>read</AttributeValue></Attribute>

</Action>

</Request>

Fig. 4. Partial Code of the annotated XACML-based request.


5.3. Annotations for XACML-based request/policy

Fig. 1 shows concrete examples of how JourSub ontology can be used to annotate entity classifications. Entities in theXACML layer are associated with an annotated XACML-based request and an XACML-based policy (Figs. 4 and 5,respectively). The XACML is an XML-based language for defining attribute-based access control policies. For this purpose,the request, response, and obligation of XACML provide Attribute elements to assign the data type and value of an attribute.In XACML, the data type of an attribute is a primitive data type defined in XACML, XML Schema [11] or XPath [3]. The pro-posed approach avoids this restriction by enabling the data type to be mapped to an ontology class to inherit semanticknowledge from a specific domain.

The annotated XACML-based request is explained as follows:

� A request in XACML is from a subject (e.g. a user or a process) to perform an action (e.g. read, write, delete) on a resource(e.g. an entity or a file). This study focuses on subjects and resources.� The subject-id identifier indicates the entity ‘‘B13022’’ is a subject and DataType attribute indicates ‘‘B13022’’ is an

instance of Teacher class.� The resource-id identifier indicates the entity ‘‘doi:23.190.062’’ is a resource and DataType attribute indicates

‘‘doi:23.190.062’’ is an instance of Article class.� The teacher ‘‘B13022’’ want to read the article ‘‘doi:23.190.062’’.

The annotated XACML-based policy is explained in the following:

� Two elements of the XACML policy rule, SubjectMatch and ResourceMatch, which are associated with SubjectAttribute-Designator and ResourceAttributeDesignator, are used to identify a particular subject and resource attribute, respectively.� The subject-id identifier indicates that entity ‘‘NFU’’ is a subject, and the DataType attribute indicates ‘‘NFU’’ is an instance

of School class.� The resource-id identifier indicates that entity ‘‘0957-41XB’’ is a resource, and the DataType attribute indicates that

‘‘0957-41XB’’ is an instance of Journal class.� If school ‘‘NFU’’ is a member of journal ‘‘0957-41XB’’, then ‘‘NFU’’ is permitted to read journal ‘‘0957-41XB’’.

5.4. Access control rule development

The section presents an actual example of how OWL ontologies are integrated in SWRL rules. The following commonsense constraints are expressed in non-monotonic rule format for a clear understanding of their use for controlling accessto articles.

<Policy><Rule RuleId="Rule:school:to:read:a:archive" Effect="Permit"><Target>

<Subjects><Subject>

<SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">

<AttributeValueDataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#School">

NFU

</AttributeValue>

<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id subject-id"

DataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#School"/>

</SubjectMatch>

</Subject></Subjects>

<Resources><Resource>

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">

<AttributeValueDataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Journal">

0957-41XB

</AttributeValue>

<ResourceAttributeDesignator AttributeId=" urn:oasis:names:tc:xacml:1.0:resource:resource-id"

DataType=""http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Journal"/>

</ResourceMatch>

</Resource></Resources>

<Actions><Action>

<ActionMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>

<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

DataType="http://www.w3.org/2001/XMLSchema#string"/>

</ActionMatch>

</Action></Actions>

</Target>

<Condition>

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">

<AttributeValueDataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Journal">

0957-41XB

</AttributeValue>

<SubjectAttributeDesignator

SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

AttributeId="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#memberOf"MustBePresent="true"

DataType="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#Journal"/></Apply>

</Condition>

</Rule></Policy>

Fig. 5. Partial Code of the annotated XACML-based policy.


Constraint 7. If a school is a member of an archive, then the school can read the archive.PolicyRule-1If memberOf(School, Archive)Then read(School, Archive)

<ruleml:imp>

<ruleml:_rlab ruleml:href="#PolicyRule-1"/><ruleml:_body>

<swrlx:individualPropertyAtom

swrlx:property="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#memberOf">

<ruleml:var>school</ruleml:var><ruleml:var>acrhive</ruleml:var>

</swrlx:individualPropertyAtom></ruleml:_body>

<ruleml:_head><swrlx:individualPropertyAtom swrlx:property="read">

<ruleml:var>school</ruleml:var><ruleml:var>archive</ruleml:var>

</swrlx:individualPropertyAtom></ruleml:_head>

</ruleml:imp>

Fig. 6. The SWRL-based policy.


Journal class is subclass of Archive class. Therefore, the above rule is true as long as Archive is replaced by Journal. Fig. 5shows the annotated XACML-based policy, which is an instance of PolicyRule-1. The transformation engine of LAPAR cantransform the annotated XACML-based policy into an SWRL-based rule (Fig. 6).

Constraint 8. If a school can read an archive consisting of articles, then the school can read these articles.PolicyRule-2If read(School, Archive) and consistOf(Archive, Article)Then read(School, Article)PolicyRule-2-1If memberOf(School, Archive) and consistOf(Archive, Article)Then read(School, Article)

The precondition of read(School, Archive) is memberOf(School, Archive) in PolicyRule-1. Hence, replacing read(School, Ar-chive) in PolicyRule-2 with memberOf(School, Archive) yields the equivalent rule PolicyRule-2-1. Since Journal is a subclassof Archive, the above rules are true whenever Archive is replaced by Journal.

In the PolicyRule-2-1, a non-monotonic rule is shown in the rule layer of Fig. 1. This rule requires the representation ofcomplex implications, a capability that goes beyond the simple implications that are available in OWL. Fig. 7 shows thatSWRL provides not only a general implication in the form of Horn clauses, but also an XML representation that makes it idealfor use with OWL. In the JourSub ontology defined in the section above, all classes and properties can be used as elements inthe SWRL-based policy rule. The complete content of the SWRL rules file is the SWRL base of LAPAR.

<ruleml:imp>

<ruleml:_rlab ruleml:href="#PolicyRule-2-1"/>

<ruleml:_body>


swrlx:property="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#memberOf">

<ruleml:var>school</ruleml:var><ruleml:var>archive</ruleml:var>

</swrlx:individualPropertyAtom>


swrlx:property="http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#consistOf">

<ruleml:var>archive</ruleml:var><ruleml:var>article</ruleml:var>


</ruleml:_body>

<ruleml:_head>

<swrlx:individualPropertyAtom swrlx:property="read">

<ruleml:var>school</ruleml:var><ruleml:var>article</ruleml:var>


</ruleml:_head>

</ruleml:imp>

Fig. 7. The SWRL-based policy.

Fig. 8. The semantic structure of updated JourSub ontology.


The updated JourSub ontology, shown in Fig. 8, adds the following components: University class is a subclass of Schoolclass; Book class is a subclass of Archive class; Chapter class is a subclass of Article class, and composedOf property is a sub-property of consistOf property. PolicyRule-2-2 is automatically derived from the above semantic of added components andPolicyRule-2-1, implying that PolicyRule-2-2 is equivalent to PolicyRule-2-1. As the PolicyRule-2-1 is located on top of theJourSub ontology, allowing LAPAR infer to get the PolicyRule-2-2 by revising the semantic of the JourSub ontology withoutchanging the PolicyRule-2-1 itself.

PolicyRule-2-2If memberOf(University, Book) and composedOf(Book, Chapter)Then read(University, Chapter)

Constraint 9. The employee has the same rights as the member. That is, if a school can access an archive (or article), itsemployees can access the archive (or article).PolicyRule-3If employee(Person, School) and read(School, Archive)Then read(Person, Archive)PolicyRule-4If employee(Person, School) and read(School, Article)Then read(Person, Article)

According to PolicyRule-2-1, the preconditions of read(School, Article) are memberOf(School, Archive) and consis-tOf(Archive, Article). Therefore, read(School, Article) in the PolicyRule-4 can be replaced by memberOf(School, Archive)and consistOf(Archive, Article) to get an equivalent rule, PolicyRule-4-1.

PolicyRule-4-1If employee(Person, School) and memberOf(School, Archive) and consistOf(Archive, Article)Then read(Person, Article)

Since Teacher class and Student class are subclasses of Person class, the above rules are true whenever Person is replaced byTeacher or Student. Journal is a subclass of Archive. The above rules are true whenever Archive is replaced by Journal.

6. Intelligent access control in LAPAR

In this section, the academic domain example described in Section 5 is used as a specific example of how LAPAR can beused for ontology-based reasoning and rule-based inference. In order to demonstrate the feasibility of LAPAR, a prototypejava-based LAPAR is implemented in this study. Fig. 9 shows the LAPAR user interface. After the Policy Enforcement Point(PEP) inputs an annotated XCAML-based request, the user presses the ‘‘Evaluate’’ button. Based on this request, LAPAR in-vokes intelligent evaluation to make an authorization decision.

Fig. 9. The LAPAR query interface.


6.1. XACML-based request

Assume that PEP passes the annotated XACML-based request, as shown in (A) of Fig. 9, to the transformation engine.Depending on the request received, the transformation engine process corresponds to the execution of an XPath query foreach subject element and resource element to find the DataType attribute value. This value, which is directly extracted fromthe annotated XACML-based request, is called the ‘XACML-based’ metadata. According to the subject ID (i.e., B13022) andresource ID (i.e., doi:23.190.062) received, the transformation engine finds all direct or indirect instances relevant to theJourSub ontology. Since all instances are actually XML-based fragments, this step corresponds to an XPath query used inthe JourSub ontology to find an instance of an identifier with the same value. The search result is converted to JESS-basedfacts, as shown in Fig. 10. The output result of XACML-based document is shown in (B) of Fig. 9.

6.2. Ontology-based reasoning

Depending on the semantics of the JourSub ontology, the inference engine reasons as follows:

1. The ‘‘B13022’’ is an instance of Teacher class (see row 3 of Table 1).2. An employer property is from ‘‘NFU’’ to ‘‘B13022’’ (see row 6 of Table 1).3. The property employer is the inverse of the property employee (see Constrain 3).4. After the transformation engine converts the above facts and semantics to JESS-based rules, the inference engine infers

that teacher ‘‘B13022’’ is an employee of ‘‘NFU’’ school.

(assert (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#employer") (subject "NFU") (object "B13022"))) (assert (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#member") (subject "0957-41XB") (object " NFU"))) (assert (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#consistOf") (subject "0957-41XB") (object "doi:23.190.062")))

Fig. 10. The XACML-based document are converted to JESS-based facts.

(assert (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#employee") (subject "B13022") (object " NFU"))) (assert (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#memberOf") (subject "NFU") (object "0957-41XB")))

Fig. 11. The ontology-based reasoning result are converted to JESS-based facts.

(defrule school_read_archive (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl #memberOf") (subject ?x) (object ?y)) => (assert (triple (predicate "read") (subject ?x) (object ?y))) )

Fig. 12. The SWRL rule RulePolicy-1 is transformed to JESS-based rule.

(defrule school_read_archive (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl #memberOf") (subject ?x) (object ?y)) (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl #consistOf") (subject ?y) (object ?z)) => (assert (triple (predicate "read") (subject ?x) (object ?z))) )

Fig. 13. The SWRL rule RulePolicy-2-1 is transformed to JESS-based rule.

(defruleschool_read_archive (triple (predicate "http://sparc.nfu.edu.tw/~hsuic/sw/xacml/subscription.owl#employee")

(subject ?x) (object ?y)) (triple (predicate"read")

(subject ?y) (object ?z))=> (assert (triple(predicate"read")(subject ?x) (object ?z))) )

Fig. 14. The SWRL rule RulePolicy-2-1 is transformed to JESS-based rule.



5. The ‘‘0957-41XB’’ is an instance of Journal class (see row 4 of Table 1).6. A member property from ‘‘0957-41XB’’ to ‘‘NFU’’ is present (see row 7 of Table 1).7. The member property is the inverse of the memberOf property (see Constrain 4).8. After the transformation engine converts the above facts and semantics to JESS-based rules, the inference engine infers

that school ‘‘NFU’’ is a member of ‘‘0957-41XB’’ journal.

Finally, Fig. 11 shows how the ontology-based reasoning result is converted to JESS-based facts. The output result ofontology-based reasoning is shown in (C) of Fig. 9.

6.3. Policy rule inference

The inference engine performs the following authorization decision tasks according to the previous inference results andSWRL rules (Constraints 7–9).

1. The transformation engine converts the SWRL rule (see RulePolicy-1 of Constraint 7) to a JESS-based rule (Fig. 12).According to the above JESS-based facts, NFU is a member of 0957-41XB. Therefore, it infers a read predicate fromNFU to 0957-41XB.

2. The transformation engine converts the SWRL rule (see the RulePolicy-2-1 of Constraint 8) to a JESS-based rule(Fig. 13). Based on the above JESS-based facts, NFU is a member of 0957-41XB, and 0957-41XB consists ofdoi:23.190.062. Therefore, it infers a read predicate from NFU to doi:23.190.062.

3. The transformation engine converts the SWRL rule (see the RulePolicy-3 and RulePolicy-4 of Constraint 9) to a JESS-based rule (Fig. 14). Based on the above JESS-based facts, B13022 is a employee of NFU, and NFU can read 0957-41XB and doi:23.190.062. Therefore, it infers a read predicate from B13022 to 0957-41XB and from B13022 todoi:23.190.062.

4. The output result of the rule-based inference is shown in (D) of Fig. 9. The four read predicates are equivalent. That is,the condition that B13022 can read doi:23.190.062 is identical to the condition that NFU can read 0957-41XB. Hence,four equivalent XACML-based requests are inferred. However, only one is true, and the others are all true. Finally, theinference result is converted to an XACML-based response, as shown in (E) of Fig. 9.

7. Experimental results

The XACML is a widely used standard language for expressing access control policies. Previous works on XACML associ-ated with ontology technologies have focused only on ontology-based knowledge representation. This study, however, pro-poses the use of MSACF for integrating Semantic Web technologies into XACML. The LAPAR, which is based on MSACF,provides three different approaches, including XACML-based document, ontology-based reasoning, and access rule infer-ence, to derive authorization policies relevant to evaluating a dynamic request. This implies at least two evaluation require-ments for LAPAR. The first is a transformation mechanism that uses XSLT to describe transcoding templates for transformingrelated documents, including XACML, JESS, SWRL documents. The second is an inference mechanism underlying the ontol-ogy-based reasoning and rule-based inference that calculates the increased computation time required by the LAPAR whenthe size of the dataset is increased. The experiments were performed on a 2.66 GHz Intel Xeon (Quad-Core) PC with 8G ofRAM running Windows 2008. In addition, each experiment was repeated 20 times to get the average computation time.

7.1. Transformation mechanism experiment result

The Transformation Engine of LAPAR is a kind of template-based transcoder [18], which adopts XSLT to describe rules fortransforming XML-based document. The LAPAR Transformation Engine currently offers four XSLT style sheets,XACML2SWRL, OWL2JESS, SWRL2JESS, and JESS2XACML. Table 2 shows the execution times for different XSLT-based trans-formations. Tests of XACML2SWRL, OWL2JESS, SWRL2JESS, and JESS2XACML obtained average transformation times of 15.3,23.1, 19.5 and 13.8 ms, respectively. The experimental results indicated that the OWL2JESS.xsl had the slowest transforma-tion time for OWL-based ontology documents followed by SWRL2JESS.xsl, XACML2SWRL.xsl and JESS2XACML.xsl. These

Table 2Results of the transformation experiments.

XSLT style sheet Source format Target format Template modulesin the XSLT style sheet

Average transformationtime (ms/per document)

XACML2SWRL.xsl Annotated XACML policy SWRL-based policy 16 15.3OWL2JESS.xsl OWL-based ontology JESS-based rule 29 23.1SWRL2JESS.xsl SWRL-based rule JESS-based rule 21 19.5JESS2XACML.xsl JESS-based rule XACML-based response 10 13.8

Table 4The average time of dynamic authorization.

XACML-based request ontology-based reasoning Rule-based inference

Numbers 200 instances 466 relationships 10 policy rulesTimes (ms) 116 612 263

Table 3The number of different relationships.

Semantic relationship Number

Subclass–superclass relationship 148Symmetric relationship 66Transitive relationship 58Inverse relationship 42Part of relationship 152Total 466


experimental results indicate that the major factor in transformation time is the number of template modules in an XSLTstyle sheet.

7.2. Inference mechanism experiment result

In this section, a preliminary experiment is performed to evaluate the reasoning capabilities of LAPAR for dynamic autho-rization. The test dataset contained 200 instances distributed in different classes of the JourSub ontology. The test databaseincluded 466 relationships (Table 3) annotated among those instances. Ten policy rules were used to infer for the dynamicauthorization. The detailed workflow and a practical example of dynamic authorization are given in Sections 4 and 6, respec-tively. The average time required for dynamic authorization was about 1 s. The first stage, the XACML-based request, re-quired only 0.116 s. The remaining time was spent on ontology-based reasoning and policy rule inference. Table 4summarizes the test results. The experimental results showed that, because it considered a much larger set of relationships,ontology-based reasoning was much slower compared to policy rules inference.

To evaluate inference performance in dynamic authorization when using a different dataset scale, this study extended theJourSub ontology. Six datasets were used to process 200–1200 instances in increments of 200. The same ten policy ruleswere used to process each dataset. However, the numbers of relationships used in the six datasets to process the 200–1200 instances were 466, 980, 1548, 2072, 2610, and 3312. Fig. 15 shows the average time required for dynamic authoriza-tion of each dataset. Based on the test results and the data in Fig. 15, the following observations are noted.

1. The average time required for dynamic authorization includes the time required for the XACML-based request, ontology-based reasoning and rule-based inference. The experimental results showed that, for each dataset, the XACML-basedrequest had the shortest execution time followed by ontology-based reasoning and rule-based inference

2. The experimental results indicated that the 2000 instances dataset had the slowest dynamic authorization time followedby the datasets containing 1000 instances, 800 instances, 600 instances, 400 instances, and 200 instances. These exper-imental results indicate that the average dynamic authorization time is determined mainly by the number of instance.

Fig. 15. Execution times and relationship numbers vary with the number of instances.


3. The experimental results revealed a significant linear relationship between ontology-based reasoning time and relation-ship number, mainly because the increase in the number of instances is proportionate to the increase in the number ofsemantic properties. The rule-based inference was only slightly increased, mainly because the policy rule did notincrease.

8. Summary and concluding remarks

This study presents a multi-layer semantic framework for the first four layers of the Semantic Web stack, i.e., the URI,XACML, OWL-based ontology and SWRL-based policy rule layers. This multi-layer semantic framework enables XACML tosupport computer reasoning while maintaining the usability of the original XACML features. The LAPAR, an intelligentXACML shell based on the multi-layer semantic framework, is used to enhance the semantic and knowledge representationof XACML. The LAPAR provides dynamic authorization for different security applications based on domain knowledge. Whilethe original XACML only supports XACML-based documents, LAPAR supports of both ontology-based reasoning and rule-based inference. Therefore, it has the intelligence needed to facilitate dynamic authorization.

The main aim of this research was to investigate how intelligent authorization applications can be developed by integrat-ing Semantic Web technologies into XACML. The objective was achieved using a five-step approach:

1. Research the use of Semantic Web technologies and XACML to develop intelligent authorization applications.2. Develop a framework for supporting intelligent authorization applications using LAPAR.3. Demonstrate the potential of LAPAR and how an intelligent authorization application can be developed based on

LAPAR.4. Implement a prototype java-based LAPAR for an academic domain authorization application.5. Use a transformation mechanism and an inference mechanism to evaluate the performance of the LAPAR.

Novel Semantic Web solutions integrated with different high-level ontology-based metadata and XML-based rules candynamically tailor knowledge to user preferences. However, further studies are needed to evaluate the extension of LAPARto a context-sensitivity model for an individual-dependent dynamic requester in various application environments. A poten-tial solution is the use of the Environment element of XACML for describing environment attributes. Future works are neededto address several limitations of this study. First, this study did not investigate how to improve the capability of the systemadministrator in manually mapping the entity to the ontology class. Improving this capability would preclude the need formanual annotation of XACML. Automatic execution of the classification mapping function is not the most critical issue.Rather, future studies should first focus on increasing the accuracy of the classification mapping function. Another recom-mended direction for further study is upgrading LAPAR to support the use of cloud computing services in a cloud computingenvironment [2,27,32].

References

[1] C.J. Acuña, M. Minoli, E. Marcos, Integrating web portals with semantic web services: a case study, International Journal of Enterprise InformationSystems 6 (2010).

[2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, M. Zaharia, A view of cloud computing,Communications of the ACM 53 (2010) 50–58.

[3] A. Berglund, S. Boag, D. Chamberlin, M.F. Fernandez, M. Kay, J. Robie, J. Simeon, XML Path Language (XPath) 2.0, in, W3C Recommendation 2007.[4] T. Berners-Lee, J. Hendler, O. Lassila, The Semantic Web – a new form of Web content that is meaningful to computers will unleash a revolution of new

possibilities, Scientific American 284 (2001) 34–43.[5] J.M. Bradshaw, A. Uszok, R. Jeffers, N. Suri, P.J. Hayes, M.H. Burstein, A. Acquisti, B. Benyo, M.R. Breedy, M.M. Carvalho, D.J. Diller, M. Johnson, S. Kulkarni,

J. Lott, M. Sierhuis, R.v. Hoof, Representation and reasoning for DAML-based policy and domain services in KAoS and nomads, in: The SecondInternational Joint Conference on Autonomous Agents & Multiagent Systems, ACM, Melbourne, Victoria, Australia, 2003, pp. 835–842.

[6] D. Brickley, R.V. Guha, RDF Vocabulary Description Language 1.0: RDF Schema, in: W3C Recommendation, 2004.[7] D. Castellanos-Nieves, J.T. Fernández-Breis, R. Valencia-García, R. Martínez-Béjar, M. Iniesta-Moreno, Semantic Web technologies for supporting

learning assessment, Information Sciences 181 (2012) 1517–1537.[8] I.F. Cruz, H. Xiao, F. Hsu, An ontology-based framework for XML semantic integration, in: Database Engineering and Applications Symposium, 2004, pp.

217–226.[9] I.F. Cruz, H. Xiao, F. Hsu, Peer-to-Peer Semantic Integration of XML and RDF Data Sources, in: Agents and Peer-to-Peer, Computing, 2005, pp. 108–119.

[10] N. Damianou, N. Dulay, E. Lupu, M. Sloman, The Ponder policy specification language, in: M. Sloman, J. Lobo, E. Lupu (Eds.), Policies for DistributedSystems and Networks, International Workshop, POLICY 2001, Springer, Bristol, UK, 2001, pp. 18–38.

[11] D.C. Fallside, P. Walmsley, XML Schema Part 0: Primer Second Edition, in, W3C Recommendation, 2004.[12] R. Ferri, EXAM-S: An Analysis tool for Multi-Domain Policy Sets, Technical, Report UBLCS-2009-06, 2009.[13] R. Ferrini, E. Bertino, Supporting RBAC with XACML+OWL, in: SACMAT 2009, ACM, Stresa, Italy, 2009, pp. 145–154.[14] B.N. Grosof, I. Horrocks, R. Volz, S. Decker, Description logic programs: combining logic programs with description logic, in: Proceedings of the Twelfth

International World Wide Web Conference, WWW2003, ACM, Budapest, Hungary, 2003, pp. 48–57.[15] B.N. Grosof, T.C. Poon, SweetDeal: representing agent contracts with exceptions using XML rules, ontologies, and process descriptions, in: Proceedings

of the Twelfth International World Wide Web Conference, WWW2003, ACM, Budapest, Hungary, 2003, pp. 340–349.[16] I. Horrocks, P.F. Patel-Schneider, F.v. Harmelen, Reviewing the design of DAML+OIL: an ontology language for the Semantic Web, in: Proceedings of the

Eighteenth National Conference on Artificial Intelligence and Fourteenth Conference on Innovative Applications of Artificial Intelligence, AAAI Press,Edmonton, Alberta, Canada, 2002, pp. 792–797.

[17] I. Horrocks, P.F. Patel-Schneider, H. Boley, S. Tabet, B. Grosof, M. Dean, SWRL: A Semantic Web Rule Language Combining OWL and RuleML, 2003.[18] I.-C. Hsu, L.-P. Chi, S.-S. Bor, A platform for transcoding heterogeneous markup documents using ontology-based metadata, Journal of Network and

Computer Applications 32 (2009) 616–629.


[19] I.-C. Hsu, Intelligent discovery for learning objects using Semantic Web technologies, Educational Technology & Society 15 (2012) 298–312.[20] I.-C. Hsu, Semantic tag-based profile framework for social tagging systems, The Computer Journal 55 (2012) 1118–1129.[21] J. Joshi, R. Bhatti, E. Bertino, A. Ghafoor, Access-control language for multidomain environments, IEEE Internet Computing 6 (2004) 40–50.[22] R. Daniel Jr., Harvesting RDF Statements from XLinks Version 1.0, W3C Note.[23] L. Kagal, T.W. Finin, A. Joshi, A policy language for a pervasive computing environment, in: 4th IEEE International Workshop on Policies for Distributed

Systems and Networks (POLICY 2003), IEEE Computer Society, Lake Como, Italy, 2003, pp. 63–74.[24] L. Kagal, T. Berners-Lee, D. Connolly, D.J. Weitzner, Using Semantic Web technologies for policy management on the Web, in: AAAI 2006, AAAI, Boston,

Massachusetts, USA, 2006.[25] G. Klyne, J.J. Carroll, Resource description framework (RDF): concepts and abstract syntax, in: W3C Recommendation 2004.[26] J.K. Lee, M.M. Sohn, The eXtensible Rule Markup Language, Communications of the ACM (CACM) 46 (2003) 59–64.[27] J. Li, J. Huai, C. Hu, Y. Zhu, A secure collaboration service for dynamic virtual organizations, Information Sciences 180 (2010) 3086–3107.[28] G. Mansingh, K.-M. Osei-Bryson, H. Reichgelt, Using ontologies to facilitate post-processing of association rules by domain experts, Information

Sciences 181 (2011) 419–434.[29] T. Moses, eXtensible Access Control Markup Language (XACML), version 2.0, OASIS, 2005.[30] M. Nilssony, M. Palery, J. Brase, The LOM RDF binding - principles and implementation, in: in Proceedings of the Third Annual ARIADNE conference,

2003.[31] T. Priebe, W. Dobmeier, C. Schlager, Supporting attribute-based access control in authorization and authentication infrastructures with ontologies,

Journal of Software 2 (2007) 27–38.[32] J.J. Rehr, F.D. Vila, J.P. Gardner, L. Svec, M. Prange, Scientific computing in the cloud, Computing in Science & Engineering 12 (2010) 34–43.[33] M. Rubiolo, M.L. Caliusco, G. Stegmayer, M. Coronel, M.G. Fabrizi, Knowledge discovery through ontology matching: An approach based on an Artificial

Neural Network model, Information Sciences 194 (2012) 107–119.[34] R.S. Sandhu, D.F. Ferraiolo, D.R. Kuhn, The NIST model for role-based access control: towards a unified standard, in: Fifth ACM Workshop on Role-Based

Access Control, ACM, Berlin, Germany, 2000, pp. 47–63.[35] N. Shadbolt, T. Berners-Lee, W. Hall, The Semantic Web revisited, IEEE Intelligent Systems 21 (2006) 96–101.[36] L.M.d. Silva, R. Braga, F. Campos, Composer-science: a semantic service based framework for workflow composition in e-science projects, Information

Sciences 186 (2012) 186–208.[37] M.K. Smith, C. Welty, D.L. McGuinness, OWL Web Ontology Language Guide, in: W3C Recommendation 2004.[38] A.R. Tawil, M. Montebello, R. Bahsoon, W.A. Gray, N.J. Fiddian, Interschema correspondence establishment in a cooperative OWL-based multi-

information server grid environment, Information Sciences 178 (2008) 1011–1031.[39] M. Thorpe, C. Ke, Simple Rule Markup Language, 2003.[40] A. Uszok, J.M. Bradshaw, R. Jeffers, N. Suri, P.J. Hayes, M.R. Breedy, L. Bunch, M. Johnson, S. Kulkarni, J. Lott, KAoS Policy and domain services: toward a

description-logic approach to policy representation, deconfliction, and enforcement, in: 4th IEEE International Workshop on Policies for DistributedSystems and Networks (POLICY 2003), IEEE Computer Society, Lake Como, Italy, 2003, p. 93.

[41] V. Viswanathan, K. Ilango, Ranking semantic relationships between two entities using personalization in context specification, Information Sciences207 (2012) 35–49.

[42] H. Xiao, I.F. Cruz, Integrating and exchanging XML data using ontologies, Journal on Data Semantics VI (2006) 67–89.[43] H.-T. Zheng, J.-Y. Chen, Y. Jiang, An ontology-based approach to Chinese semantic advertising, Information Sciences 216 (2012) 138–154.

Documents

Extensible access control markup language integrated with Semantic Web technologies