Research and Design of Privacy-Ontology-Based Personalized Access Control Model
|School||Shanghai Jiaotong University|
|Course||Communication and Information System|
The rise of network applications such as e-commerce, the Internet of Things and cloud computing reflects a new service mode: users upload their data to service providers' databases, and service providers deliver customized services in return. Users' data therefore flows through the network constantly. This mode is convenient, but it also exposes privacy to unprecedented risk. Because users have no access control over their own data, it is common for that data to be collected and processed without authorization. Privacy issues have become a stumbling block to the further expansion of network applications.

In view of this security situation, this paper proposes a privacy-ontology-based personalized access control (PO-PAC) model that addresses privacy from the perspective of access control and lets users control their personal data themselves. The model has three characteristics. First, it embodies the basic characteristics of the privacy domain. Second, it allows users to write privacy policies themselves. Third, it satisfies users' personalized, fine-grained and flexible privacy requirements.

Based on an analysis of the relevant laws and of existing privacy protection techniques, ontology is introduced to refine the basic concepts of the privacy domain and to establish a common privacy ontology. This ontology captures the basic characteristics of the privacy domain and reflects users' basic privacy requirements, and it is the cornerstone on which the access control model is designed.

The proposed PO-PAC model extends the RBAC model with the concept of object activation rules: an object can be activated only if its activation condition is satisfied. The model adopts a chain activation rule of role activation, permission activation and data activation, and embeds the concepts of the privacy ontology in the model in the form of activation conditions.
Users can define activation rules on different objects to satisfy coarse- or fine-grained and flexible privacy requirements, and security rests on multiple independent decisions rather than a single one. The model also combines common policies with personalized policies: service providers define role and permission activation rules in the independent state to guarantee the basic requirements of privacy protection, and users define role, permission and data activation rules in the associated state to meet their personalized requirements.

A PO-PAC-based privilege management system is designed and implemented on the basis of PMI (Privilege Management Infrastructure). The system consists of an attribute authority, a privacy authority and an attribute query component. Visitors' permissions are stored as PMI attribute certificates, and activation rules are stored as XACML policies. The attribute authority is responsible for granting, querying, updating and revoking visitors' permissions; the privacy authority defines and maintains activation rules and makes access decisions; the attribute query component queries the attributes that activation conditions depend on. With this system, users can write their own privacy policies and thereby manage access control to their data.
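The chain activation rule and the split between common (provider) and personalized (user) policies described above, as an added example that is not code from the thesis or its prototype system. The class names (Context, ActivationRule, PolicyStore, PoPacPdp, Decision), the clinic scenario, the use of plain Python callables in place of XACML activation rules, and the visitor-to-role dictionary in place of PMI attribute certificates are all assumptions made for illustration:

```python
# Added illustration of PO-PAC chain activation, not the thesis's code.
# Assumptions: the class names below, Python callables in place of XACML rules,
# and a visitor-to-role dict in place of PMI attribute certificates.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Context:
    """Attributes available at decision time (what the attribute query component returns)."""
    visitor: str
    org: str
    purpose: str
    hour: int     # 0-23
    weekday: int  # 0 = Monday ... 6 = Sunday

Condition = Callable[[Context], bool]

@dataclass
class ActivationRule:
    target: str       # role, permission or data object the rule guards
    owner: str        # "provider" = common policy, "user" = personalized policy
    description: str
    condition: Condition

class PolicyStore:
    """Activation rules keyed by the object they guard (the privacy authority's store)."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[ActivationRule]] = {}

    def add(self, rule: ActivationRule) -> None:
        self.rules.setdefault(rule.target, []).append(rule)

    def activate(self, target: str, ctx: Context) -> Tuple[bool, str]:
        """Activate only if every rule on the object holds (deny overrides).
        Assumption for this example: an object with no rule is never activated."""
        rules = self.rules.get(target, [])
        if not rules:
            return False, f"{target}: no activation rule defined"
        for rule in rules:
            if not rule.condition(ctx):
                return False, f"{target}: {rule.owner} rule failed ({rule.description})"
        return True, f"{target}: activated"

@dataclass
class Decision:
    permit: bool
    trace: List[str] = field(default_factory=list)

class PoPacPdp:
    """Decision point: RBAC structure checks, then role -> permission -> data activation."""

    def __init__(self, store: PolicyStore, visitor_roles: Dict[str, Set[str]],
                 role_perms: Dict[str, Set[str]], perm_targets: Dict[str, Set[str]]) -> None:
        self.store = store
        self.visitor_roles = visitor_roles
        self.role_perms = role_perms
        self.perm_targets = perm_targets

    def decide(self, ctx: Context, role: str, permission: str, data: str) -> Decision:
        if role not in self.visitor_roles.get(ctx.visitor, set()):
            return Decision(False, [f"{ctx.visitor} holds no attribute certificate for {role}"])
        if permission not in self.role_perms.get(role, set()):
            return Decision(False, [f"role {role} does not hold permission {permission}"])
        if data not in self.perm_targets.get(permission, set()):
            return Decision(False, [f"permission {permission} does not cover {data}"])
        # Chain activation: the chain breaks at the first object that fails to
        # activate, so a permit requires three independent positive decisions.
        trace: List[str] = []
        for obj in (role, permission, data):
            ok, msg = self.store.activate(obj, ctx)
            trace.append(msg)
            if not ok:
                return Decision(False, trace)
        return Decision(True, trace)

def build_example() -> PoPacPdp:
    """Constructed scenario: a clinic service hosting Alice's medical record."""
    store = PolicyStore()
    # Common policy (independent state): the provider guards roles and permissions.
    store.add(ActivationRule("doctor", "provider", "working hours 08-18",
                             lambda c: 8 <= c.hour < 18))
    store.add(ActivationRule("read_record", "provider", "purpose must be treatment",
                             lambda c: c.purpose == "treatment"))
    # Personalized policy (associated state): Alice adds her own rules on the
    # role, the permission and her data object.
    store.add(ActivationRule("doctor", "user", "alice blocks dr_eve",
                             lambda c: c.visitor != "dr_eve"))
    store.add(ActivationRule("read_record", "user", "alice: no access at weekends",
                             lambda c: c.weekday < 5))
    store.add(ActivationRule("alice/medical_record", "user", "only CityHospital staff",
                             lambda c: c.org == "CityHospital"))
    visitor_roles = {"dr_bob": {"doctor"}, "dr_eve": {"doctor"}, "mallory": set()}
    role_perms = {"doctor": {"read_record"}}
    perm_targets = {"read_record": {"alice/medical_record"}}
    return PoPacPdp(store, visitor_roles, role_perms, perm_targets)
```

Calling `build_example().decide(Context("dr_bob", "CityHospital", "treatment", 10, 1), "doctor", "read_record", "alice/medical_record")` permits the access and returns a trace with one activation message per link of the chain; moving the same request to 22:00 fails at the role link under the provider's common rule, a request from dr_eve fails at the same link under Alice's personalized rule, and a doctor from another organisation passes the role and permission links but fails at the data link. Two design choices are deliberate and are assumptions of the example rather than the thesis: every rule on an object must hold (deny overrides, so a user rule can only narrow a provider rule, never widen it), and an object with no rule at all is never activated, so a forgotten policy fails closed.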