CBDAC: Context-Based Dynamic Access Control Model Using Intuitive 5W1H for Ubiquitous Sensor Network

Currently, access control is facing many issues for information protection in the ubiquitous sensor network (USN) environment. In particular, dynamic access control is a central problem where context always changes because of volatile ubiquitous sensors. The use of context is important in USN. In this paper, we focus on the context-driven privacy protection model. In context-based access control research, the access permission technique that uses context is being intensely investigated because of the ease with which various dynamic access permissions can be assigned in accordance with the various changes in context. A key feature of this approach is dynamic access control. Therefore, we propose a model for privacy preservation that is context-based dynamic access control that uses intuitive 5W1H for USN. According to this model, the access control strategy can be determined dynamically based on context elements and subject attributes, in addition to objects and operations, using access control entities; therefore, it is relatively easy to infer the dynamic access control of context expressivity both accurately and efficiently.


Introduction
Ubiquitous computing is an environment unrestricted by spatiotemporal conditions [1]. It allows computing among humans, objects, and information through the interaction of diverse sensors immersed in the ubiquitous sensor network (USN) environment [2]. The context is information produced in the diverse ubiquitous sensors, and such information provides various services through an intersystem information exchange in various domains and interaction. Such context is volatile information strongly influenced by environmental elements, such as time and space. Therefore, in order to process such information, a dynamic processing technology is required in USN. Furthermore, because the access permission to entities that will perform the service according to the changing context is also volatile, an approach control model to accommodate the dynamic change is required. In other words, despite the fact that the same user gains access to a certain system, depending on the surrounding context (e.g., time, space, and user), the user access authorization can change dynamically.
There are already preexisting studies on various technologies and techniques to process context [3][4][5][6][7][8][9][10]. Many of the studies offered ontological-modeling-based techniques for the processing of semantic context [7][8][9][10]. The main issue of the ontology-based context-aware model is the maintenance of interoperability between the modeling level and context information. The modeling level for context recognition is divided into tightly and loosely coupled pervasive system modeling. Tightly coupled pervasive system modeling can provide high-performance services that can be specialized in certain domains, but additional time and cost are incurred for the additional processes necessary for analyzing the context information of different domains. Loosely coupled pervasive system modeling is advantageous in that it is independent of the domain and utilizes a variety of context information. However, it is less appealing because it is not adequate for processing inferences or providing the high-performance service required for processing context application (generating context B through context A) and context combination (context B + context C = context D in context A) processing.

International Journal of Distributed Sensor Networks
In order to remedy such problems, in our previous research [11], we proposed an intuitive ontology-based CA 5W1H Onto model that supports semantic context through the use of 5W1H. In [11], in order to express context information, ontological concepts and properties were utilized for defining the semantic context and a wide range of standardized relationships. Such applications are very advantageous in terms of adaptability and interoperability with the ontologies already developed in diverse domains. Because of these features, the CA 5W1H Onto model exhibits high levels of expandability and recyclability.
Role-based access control (RBAC) [12][13][14] is the most representative access control model. Recent studies proposed various extended RBAC models (such as relationship-based, purpose-based, and context-based). The basic RBAC concept is as follows: permissions are assigned to functional roles within an enterprise or individual user, and then the necessary permissions are authorized by assigning them to a role or a set of roles [15]. The role-based model grants (or denies) a subject access to data regardless of the request context. In addition, a privacy policy is mainly concerned with which data object is used for which purposes. Thus, purpose is a central concept in many privacy-protecting access control models [16][17][18][19].
Unfortunately, privacy protection cannot be readily conducted by traditional RBAC models. The first reason is that whereas traditional RBAC models focus on which user is performing which action on which data object, privacy policies are concerned with which data object is used [20]. Another reason for the difficulty of privacy protection is that the comfort level of data usage varies from individual to individual [15]. In addition, in order to process the dynamic context change in role- and purpose-based research, conditions or constraints were defined to support the changing access control. Nevertheless, conditions or constraints are defined only in part by the developer; hence, they have limitations in covering/supporting the various context changes required in a ubiquitous computing environment. In this paper, we focus on the context-driven privacy protection model. In fact, context and access control are essentially interdependent. In context-based access control research, an access permission technique that uses context is being intensely investigated because of the ease with which various dynamic access permissions can be assigned in accordance with the various changes in context [21][22][23][24][25][26][27][28][29].
In this paper, we propose a CA 5W1H Onto-based dynamic access control (CBDAC) model for the USN environment. The proposed model makes use of the ontological concept using 5W1H to process the context information. Furthermore, the proposed model guarantees privacy protection when processing the context information in various domains and assigns access permission without any limitation to certain domains. In other words, access permission is assigned dynamically according to the change in context information such that, even for a subject with the same role, access permission is defined differently depending on the context information and access condition. Not only does the proposed model authorize access based on roles, which is the key concept of RBAC, but dynamic access control is also possible because access permission is assigned based on context information, access condition, and intended goal.
Consequently, we address this goal by presenting a comprehensive approach to dynamic access control management, which is the fundamental problem on which context-aware access control can be developed. In our paper, the purpose term has been superseded by goal. Furthermore, our notion of role attributes is closely related to the notions presented in [30,31] in that it allows the specification and enforcement of context-based policies in RBAC. However, we build upon and further elaborate the existing notions with the presence of conditional roles with context-aware entities in order to achieve fine-grained administrative access control.
The remainder of this paper is organized as follows. Section 2 describes the background and related work; the model of the CBDAC that formally defines the notation of access permission is illustrated in Section 3; Section 4 describes its use case scenario and implementation. Finally, in Section 5, we suggest the conclusion and future work.

Background and Related Work
2.1. CA 5W1H Onto. Context refers to a special form of knowledge and, for this reason, it constitutes an important modeling requirement that is the tradeoff between expressiveness and complexity. To resolve the tradeoff issue that concerns context-aware modeling, ontology (i.e., OWL-DL) may be utilized. The ontological concept is an important component in determining the expressiveness of knowledge and reasoning capability for context awareness. Ontology amply expresses concepts and their relationships and automatic reasoning in processing context based on the expressive capacity. The model CA 5W1H Onto is a context-aware ontological model based on the five Ws and one H (5W1H) [11]. Furthermore, CA 5W1H Onto is a method for interpreting and abstracting semantic context designed to support the intuitive integration of different context-aware schemas, to which the maxim (such as why, who, what, where, when, and how) is applied [11].
Figure 1 shows the key elements that constitute the CA 5W1H Onto model that consists of <Concept, Instance, Context> triples, where the first two elements of the triple set utilize the properties defined through the existing ontology. The Context element carries all six attributes of the maxim. The element of Context contains various contextual activities. In turn, the Context component helps define the basic characteristics of the maxim and the schemas utilized among ontological concepts. The CA 5W1H Onto model proffers services tailored for a specific time, space, and set of user preferences across different domains. The model performs modeling of the essential elements by defining, in accordance with the maxim, the context required for the integration and interoperability of the defined contextual information.
The CA 5W1H Onto model defines, in the unit of <Concept, Instance, Context>, the ontological elements (e.g., concept, instance, datatype, data property, and object property) for context-aware definition. By defining each in an independent component module, adaptability and independence are guaranteed when developing a context-aware model applicable to diverse domains. In other words, the maxim-applied context-aware modeling technique is an intuitive model in nature and thereby allows interoperability between systems or models throughout integration and sharing of schemas that belong to diverse domains. Detailed explanation ensues hereunder as to how to map between the properties of the maxim and the context-aware elements defined by the CA 5W1H Onto model. One of the merits of ontologically modeling contextual information lies in its ability to automatically extract new knowledge on current context, in addition to providing ample formalism with streamlined expressiveness about the knowledge.

RBAC. RBAC was proposed by Sandhu et al. in 1996 [32]. The fundamental idea of RBAC is to authorize data access based on user role. Role means the function of the user or the organization, and such role and user have an N:N relationship. In other words, the user can have various different roles, and one role can be assigned to several users. The relationships among roles are defined through the role hierarchy. RBAC can be applied to various environments or applications through simple role-based access control, where the role attributes are associated with the roles in order to enforce global constraints such as the principle of the separation of duty [33]. That is, there is a limitation to providing privacy protections by defining conditions flexibly based on the attributes of the role (e.g., conditional activation, role deactivation, and role membership qualification). RBAC can be divided into the more detailed attributes of roles, permissions, users, and sessions, and a more diverse definition of constraints is necessary [8,9]. In addition, because the role hierarchy is a predefined static role, in dynamic environments such as context-aware, wireless computing, and ubiquitous computing environments, where a volatile context is produced, instead of determining the access control permission based simply on role, dynamic access control is required for the process of such a volatile context.
Purpose-based Access Control (PBAC) [34] defines the access control model using not only an RBAC-based role, but also purpose as a key concept. Purpose describes the reasons for data collection and data access. PBAC defines the relationships among purposes with the purpose hierarchy (purpose tree) and, based on this, the intended and access purposes are specified. Access purpose specifies the purpose for the access when a request for data access is made. When the user makes a request for data access, the access control engine compares the access and intended purposes of the data requested by the user and then verifies whether the user has access authorization. However, the access purpose of the PBAC is declared by the users, which implies low flexibility, and the storage of privacy metadata is based on labeling schemes, which incurs overhead.
Dynamic Purpose-based Access Control (DPBAC) [35] includes a dynamic concept in the PBAC model. In order to implement strengthened privacy preservation, DPBAC separates the access purpose authorization from the access decision. For the protection of privacy data, the data provider predefines the intended purpose (AIP or PIP). In contrast, the data owner holds the responsibility for the policy that manages the authorization of the access purpose. DPBAC defines the conditional role and supports the preexisting RBAC and other dynamic access controls. Because the conditional role compares the predefined static role based on subject attributes and context attributes of the system, it dynamically determines the access purpose and purpose compliance.
Conditional Purpose-based Access Control Model with Dynamic Role (CPBAC) [20] makes use of the preexisting PBAC and DPBAC to support the conditional role. In CPBAC, the conditional intended purpose is proposed so that data access is permitted only when a certain purpose satisfies some conditions. In order to fulfill such a requirement, the data provider should predefine the intended purpose for the protection of the privacy data and set the scope of the data to be made public.

Context-Based Access Control Models.
The concept of the basic RBAC model grants or denies role access to data regardless of the requested context. However, the requested context affects the decision to access objects or systems. In other words, context information provides significant access control parameters. For example, in mobile banking systems, environmental context such as location, time, and others could affect the access decision to grant or deny data access to the account or operating function of the banking system. For this reason, extended access control models based on RBAC were proposed to support context information [21][22][23][24][25][26][27][28][29].
CRBAC [21] is a contextual role-based access control authorization model for electronic patient records (EPRs). Contextual authorizations use the environmental information available at access time, such as user/patient relationship, in order to determine whether a user is allowed to access an EPR resource. This model extends RBAC by data-access rules for processing the context of large-scale healthcare. The data-access rules are defined by a five-tuple <Role, Privilege-Type, Operation, Object, Authorization-Type>. The five-tuple represents more expressions than the basic RBAC. However, a logical expression of CRBAC is difficult for the modeling that uses data-access rules.

Another proposed contextual extension of RBAC is the Attribute-Based Access Control (ABAC) model [22]. The ABAC model authorizes or denies service access based on the attributes communicated by the subject. In order to specify the attribute-based policies, a data structure that uses algebraic operations was proposed.

Geo-RBAC is an access control model for processing spatial and location-based information by expanding RBAC [23]. In Geo-RBAC, spatial entities are used for modeling objects, user positions, and geographically bounded roles. A physical position includes the information provided from mobile devices or smartphones and logical, device-independent position information such as roads, villages, buildings, or locations. Geo-RBAC is a flexible model for spatial information processing with high reusability.

Generalized Temporal Role-Based Access Control (GTRBAC) [24] proposed the access control model to consider the time context and offered an extended RBAC model capable of expressing a wider range of temporal constraints. In particular, this model is designed possibly not only for period constraints, but also for the regular expressions of roles, user-role assignments, and role-permission assignments.

The CAP model [25] is the access control model for resources in pervasive computing environments. This model consists of a two-step access control with the user session registering to the domain authority and the session agent self-governing access through the session permission assignment database.

Dynamic Role-Based Access Control model (DRBAC) [26] extends the basic RBAC model to support the dynamic context information. This model dynamically adjusts the static role and permission assignments based on context information but depends on a central authorizer to change the active role of the user's agent according to context change.

Carminati et al. [27] proposed an access control model for the purpose of controlling information sharing in a web-based social network. This model uses the rule-based approach to specify access policies. The context of the certified users is defined by the type, depth, and trust level of the relationship among the nodes in the network. The difference between such a model and the conventional access control system is that access control enforcement is conducted on the client side through semidecentralized architecture.

RelBac [28] proposed permissions as being relationships between subjects and objects, where subjects and objects are entity sets, and permissions are a relationship set. The novel idea that this model presents is that, for the process of dynamic contexts, it formalizes the binary relationship between subjects and objects as permissions.

SitBAC [29] is a model that utilizes those situations that define context elements and attributes for applying context to the access control. Furthermore, in this research, an inference is supported with OWL-DL and SWRL. However, SitBAC is specialized to a domain called healthcare; hence, it has limitations with respect to the processing context of other domains.

CBDAC Model
In this section, we propose an overall structure and formalized definition for the CBDAC model, which is the extended form of RBAC, during the application of ontology technologies. It is ultimately aimed at guaranteeing the dynamic access condition of the data access control.
Based on the RBAC model, the CBDAC model extends mainly in the aspects described following Figure 2.

The formalized definition of Role Assignment is as follows.
Definition 1 (role assignment).
(i) Subject Assignment SA ⊆ Subject × Role is a many-to-many mapping relationship between subjects and their assigned roles.
(iii) Roles ⊆ Role × Role is a set of roles that define the function and relationship between roles.
The formalized definition and simple scenario of CA 5W1H Onto are as follows.

Simple Scenario. User A wants to transfer 100 dollars to friend B's account through the mobile banking system of bank C using a SmartPhone at 00:00 AM. The available time for credit transfer on the mobile banking system is from 00:10 AM to 11:50 PM.
By examining the above scenario, we can find that there are several contexts: the Object, that is, access objective, and the Status being mapped indicates the state of Object (such as What~Status).
Where indicates the location or spatial information of the context, whereas Location compares to determine whether access permission is within the permissible location (such as Where~Location). When implies the time when the context was produced, and Time compares to determine whether they are within the allowed time range (such as When~Time). Location, Status, and Time classes are subclasses of Action. For the Subject to access the Object, the Location, Status, and Time of the access condition depend on the acting range, because the acting range is performed by context information. Table 1 defines and explains the mapping relationship between CA 5W1H Onto and AC in detail.

Dynamic Access Decision.
The important challenge for implementing role-based and PBAC models (not context-based access control models) is that it may be difficult to infer the access purpose both accurately and efficiently. With our proposed CBDAC model, the access control strategy can be determined dynamically based on the context elements (such as 5W1H) and subject attributes, in addition to the objects and operations, using access control entities (such as goal, role, action, status, location, and time), and thus it is relatively easy to infer the dynamic access control of context expressivity both accurately and efficiently. Accordingly, we determine dynamic access control by means of Definitions 6, 7, and 8.

$\text{CHECK CONDITION}(c_i, ac_j) = \langle why_i \sim goal_j,\ who_i \sim role_j,\ how_i \sim action_j,\ what_i \sim status_j,\ where_i \sim location_j,\ when_i \sim time_j \rangle$.

Use Case Scenario and Implementation
In this section, we describe a use case scenario of the CBDAC model, applied to the mobile banking system, to ensure the ability to provide responses for dynamic access control. In addition, we describe an implementation in which the CBDAC model is defined using ontology.
The DyAC is the triple set <Subject, Object, AP>. Using a use case scenario, we find that Subject becomes User, which generates Context in the Mobile Banking System, whereas Object is assigned to the Mobile Banking System as an access objective for the Context. The access permission of AP is determined by the Context element of the CA 5W1H Onto, as well as AC and IG. AP is an important entity that allows dynamic access control and notices the change in the context (AC).
The Goal of AC is the goal that the context is attempting to perform, which is Credit Transfer, and the accessible Role is allocated only to User and System Admin. Action is the Transfer Process in Mobile Banking System of Bank C, and Status is only accessible when the system is in the Activation state. Location indicates the scope of the accessible spatial information, which is defined by GPS, SmartPhone, or IP Address. Time indicates the system-accessible time slot from 00:10 AM to 11:50 PM. The access to an object is only permitted if six elements of the contexts defined by AC have been satisfied. IG signifies the predetermined intended goal. It determines an access privilege based on the Subject and Context.
The following shows an example of DyAC based on the scenario described above: Credit Transfer in Mobile Banking System of Bank C using SmartPhone at 00:00 AM.
Figure 5 shows the CBDAC model by ontological concepts including classes, instances, and their relationships. Each yellow circle represents a class, and each purple circle indicates an instance, drawn using NavigOwl, an ontology visualization tool [37]. Further, an arrow indicates each relationship. Our model can be applied and depicted in a real-life scenario using ontological concepts. Therefore, we ensure the ability of the CBDAC model to provide correct responses by representing dynamic access decision with a real-life banking system scenario.

Conclusion
In this paper, we proposed an access control model for privacy protection based on context in USN named the CA 5W1H Onto-based dynamic access control (CBDAC) model. The CBDAC model makes use of the ontological concept using 5W1H to process context information; it guarantees privacy protection when processing context information in various domains and assigns access permission without any limitation to certain domains in USN. It is possible to process dynamic access control using DyAC. In other words, access permission is dynamically assigned according to the change in context information such that, even for a subject with the same role, access permission is defined differently depending on the context information and access condition. Consequently, not only does the CBDAC model authorize access based on roles, which is the key concept of role-based access control, but dynamic access control is also possible because access permission is assigned based on context information, access condition, and intended goal. We also described the algorithm that achieves compliance computation between the access condition and the intended goal. In addition, we showed an applicable use case scenario. To improve our current research, we plan to advance the dynamic access control through the definition of the context-access rule and reasoning method for supporting context inferences, and also a more adequate scenario for experiment and evaluation will be applied.

Definition 2 (CA 5W1H Onto). CA 5W1H Onto = {<Concept, Instance, Context> | Concept ∈ Ontological Concepts, Instance ∈ Ontological Instances, Context} is context-aware modeling that processes context in Context Manager.
(i) Concept = {<sub, obj> | sub ∈ Subject, obj ∈ Object} consists of subject and object. The concept is defined by ontological concepts.
(ii) Instance = {<sub element, obj element> | sub element ∈ Subject Elements, obj element ∈ Object Elements} consists of sets of subject and object elements.
(iii) Context = {5W1H <Why, Who, What, Where, When, How> | why ∈ Why, who ∈ Who, what ∈ What, where ∈ Where, when ∈ When, how ∈ How} is a set of context-aware elements:
(a) Who: the subject assigned role, namely, an agent that may be a person, organization, or system involved in a context;
(b) Why: the reason the context occurred;
(c) How: the action leading to the context, namely, a context that may occur when it is acted upon by another entity that is often a human or software agent;
(d) What: the access target (Object);
(e) Where: the location of the subject (including spatial information);
(f) When: the time when the context occurred.

Definition 6 (context attribute). Context Attributes are defined as the set of 5W1H properties linked to the granting (or denial) of AC. Let ContextAttribute denote the set of context attributes that consist of the values {5W1H (Why, Who, What, How, Where, When)}. Every Context c ∈ Context is associated with a set of context attributes denoted by $c_n = \{\{why_1, who_1, what_1, how_1, where_1, when_1\}, \{why_2, \ldots, when_n\}\}$. Let ContextAttribute denote the set of all possible values of context information.

Definition 7 (access condition attribute). Access Condition Attributes are defined as the set of properties linked to

DyAC = {Subject → User; Object → Mobile Banking System; AP};
AP = {Context → Credit Transfer; AC; IG → cig};
Context = {5W1H (Why, Who, How, What, Where, When)};
AC = {Goal, Role, Action, Status, Location, Time}:
Goal → Functional Goal (Credit Transfer),

Figure 5: A screenshot of the overall CBDAC model.
Figure 2 shows the proposed CBDAC model, which consists of the Profile Manager, Ontological Concepts, Context Manager, Concepts, and Access Permission. In particular, at the research stage of privacy protection in the CBDAC model, the Access Conditions and Intended Goal (which consists of Allowable Intended Goal, Conditional Intended Goal, and Prohibited Intended Goal) within Access Permission are significant.
(i) Profile Manager defines and manages the information on Profile and Roles with regard to Subject in order to generate context. The key concept of the RBAC model is Role, which represents a certain specific job function in an organization. A Role is assigned to the Subject, as in RBAC, by the Profile Manager. In other words, the Role of the Subject represents a working position or working function of the user/system assigned within the Profile Manager.
(ii) Ontological Concept is defined by the ontological elements (e.g., concept, instance, datatype, data property, and object property). It is utilized for managing context in the Context Manager.
(iv) Concepts consist of Subject and Object by ontological concepts. The Subject can be a user, application, or agent; that is, the Subject is various context elements generated by ubiquitous sensors. Object is the target data, system, or services that the Subject requests.
(v) Access Permission signifies the operation of a certain role of the Subject, whether access to a certain Object under certain Access Condition and Intended Goal is granted or denied. The Access Condition and Intended Goal are the constituents of the Access Permission.
(vi) Access Condition consists of the six elements <Goal, Role, Action, Status, Location, Time>. The Access Condition is used to check whether the Context (5W1H) concepts of the CA 5W1H Onto are in accordance with the constituents of the Access Condition.

Table 1: Mapping definition.

| Mapping between CA 5W1H Onto and AC | Definition |
| --- | --- |
| Why~Goal | Compares the reason the context occurred (Why) with the purpose for Object access, and for performing context-based system (Goal). Its ingredients are Functional Goal and NonFunctional Goal. |
| Who~Role | Compares the Subject that produced the context (Who) with the acceptable role set of Subject (Role). Its ingredients are Actor (User and System) and Profile. |
| What~Status | Compares the access target context (What) with the State of accessible Object (Status). Its ingredients are Atomic Status and Composite Status. |
| Where~Location | Compares the location of Subject (Where) with the range of accessible location (Location). Its ingredients are GPS, Atomic Location, and Composite Location. |
| When~Time | Compares the time the context occurred (When) with the range of accessible time (Time). Its ingredients are Start Time, End Time, and Repetition Time. |

granting in the context of the access control system. Let AccessConditionAttributes denote the set of AC attributes that consist of the values {goal, role, status, action, location, time}. Every ac ∈ AC is associated with a set of access condition attributes denoted by $ac_n = \{\{goal_1, role_1, status_1, action_1, location_1, time_1\}, \{goal_2, \ldots, time_n\}\}$. Each attribute $ac_n$ is associated with a finite domain of possible values, denoted as $D_n$.

We propose Algorithm 1 for dynamic access decision of the CBDAC model. The algorithm processes mapping between CA 5W1H Onto and AC. The input comprises Context c, Access Condition ac, and Intended Goal ig. The output comprises an access decision such as grant access or deny access. During the mapping between Context attributes and AC attributes, as described in Definitions 6 and 7, we perform the CHECK INTENDED GOAL COMPLIANCE function that checks the intended goal compliance between Context attributes and AC attributes, as described in Definition 5. The CHECK CONDITION is a function to check whether the Context attribute corresponds to the AC attribute. The respective attributes of Context and AC are as follows:

Definition 8 (access condition operation). As previously mentioned, the sets of Context and AC represent the set of defined context elements (5W1H) and AC elements (Goal, Role, Action, Status, Location, Time). Let the sets goal, role, action, status, location, and time represent the sets of predefined GoalAttribute, RoleAttribute, ActionAttribute, StatusAttribute, LocationAttribute, and TimeAttribute. In addition, X = GoalAttribute ∪ RoleAttribute ∪ ActionAttribute ∪ StatusAttribute ∪ LocationAttribute ∪ TimeAttribute. Each variable x ∈ X has a finite domain of possible values, denoted as Domain(X). Each Access Condition in ac is of the form <x, op, value>, where x ∈ X, value ∈ Domain(X), and op ∈ {=, ≠, <, >, ≤, ≥}.
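The dynamic access decision applied to the mobile banking scenario, as an added example (not code from the paper, whose Algorithm 1 is not reproduced on this page). The names `check_condition`, `decide`, `BANK_AC` and `REQUEST` are hypothetical. It assumes that each AC element is a list of alternatives whose <x, op, value> conditions must all hold, that times are encoded as minutes since midnight, and that the intended goal is checked as membership in allowable and prohibited sets.

```python
import operator
from typing import NamedTuple

# 5W1H context element -> access condition (AC) element, as in the paper's mapping
MAPPING = {"why": "goal", "who": "role", "how": "action",
           "what": "status", "where": "location", "when": "time"}

# Operators allowed by Definition 8 (ASCII spellings of the six comparison operators)
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}


class Condition(NamedTuple):
    """One access condition <x, op, value> over an AC attribute x."""
    x: str
    op: str
    value: object


def minutes(hhmm):
    """Convert 24-hour 'HH:MM' to minutes since midnight so times compare as ints."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def holds(cond, observed):
    """Evaluate one condition; unknown operators or incomparable values fail closed."""
    try:
        return bool(OPS[cond.op](observed, cond.value))
    except (KeyError, TypeError):
        return False


def check_condition(context, ac):
    """Compare each 5W1H value with its AC element; return {pair: satisfied}.

    Assumption: an AC element is a list of alternatives, each alternative a
    list of Conditions that must all hold (OR of ANDs). A missing context
    value or an AC element with no alternatives is never satisfied.
    """
    result = {}
    for w, element in MAPPING.items():
        observed = context.get(w)
        alternatives = ac.get(element, [])
        result[f"{w}~{element}"] = observed is not None and any(
            bool(alt) and all(c.x == element and holds(c, observed) for c in alt)
            for alt in alternatives)
    return result


def decide(context, ac, allowable_goals, prohibited_goals=frozenset()):
    """Return (decision, failed_pairs); anything not explicitly satisfied is denied."""
    goal = context.get("why")
    if goal in prohibited_goals or goal not in allowable_goals:
        return "deny", ["intended-goal"]
    failed = [pair for pair, ok in check_condition(context, ac).items() if not ok]
    return ("deny" if failed else "grant"), failed


def eq(x, value):
    """Shorthand for a single-condition alternative <x, =, value>."""
    return [Condition(x, "=", value)]


# AC for the credit-transfer scenario (values taken from the use case text)
BANK_AC = {
    "goal": [eq("goal", "Credit Transfer")],
    "role": [eq("role", "User"), eq("role", "System Admin")],
    "action": [eq("action", "Transfer Process")],
    "status": [eq("status", "Activation")],
    "location": [eq("location", s) for s in ("GPS", "SmartPhone", "IP Address")],
    "time": [[Condition("time", ">=", minutes("00:10")),
              Condition("time", "<=", minutes("23:50"))]],
}

# Constructed request: User A transfers via SmartPhone at 00:00
REQUEST = {"why": "Credit Transfer", "who": "User", "how": "Transfer Process",
           "what": "Activation", "where": "SmartPhone", "when": minutes("00:00")}

if __name__ == "__main__":
    print(decide(REQUEST, BANK_AC, {"Credit Transfer"}))
    print(decide({**REQUEST, "when": minutes("00:10")}, BANK_AC, {"Credit Transfer"}))
```

The same subject with the same role is denied at 00:00 and granted at 00:10, and the returned list of failed pairs gives an audit log the exact context element that caused the denial.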