Research on access control policy for Web service
HE Zhengqiu, ZHANG Yelin, XU Junkui, SUN Danhui
Journal of Computer Applications    2015, 35 (8): 2184-2188.   DOI: 10.11772/j.issn.1001-9081.2015.08.2184

In a Web service environment, the interacting entities usually cannot be predetermined and may be in different security domains. To address access authorization for unknown users across domain borders, access control for Web services should be based on domain-independent access control information rather than on identities. A context-based access control policy model appropriate for the Web service environment was proposed. The main idea of the model was that the various kinds of access control information were abstracted and represented as a concept of context, which was adopted as the center for defining and performing access control policies. The context concept acted as an intermediary between requesters and access permissions, similar in a way to the role in Role-Based Access Control (RBAC). Context-based access control policy axioms were defined based on Description Logic (DL). On the basis of these axioms, an access control policy knowledge base capable of reasoning about the access control policies was put forward. Finally, the effect of access control policy enforcement was verified in the Racer reasoning system, and the experimental results proved the feasibility and validity of the presented method.

Research of Web Services attack detection based on ontology
CHEN Jun, WU Lifa, XU Guanghui, HE Zhengqiu, HUANG Kangyu
Journal of Computer Applications    2011, 31 (06): 1515-1520.   DOI: 10.3724/SP.J.1087.2011.01515
Web services greatly facilitate application-to-application integration across heterogeneous platforms, but their core components face threats of malicious attacks. Currently, Intrusion Detection Systems (IDSs) are usually used to prevent these attacks. However, the IDSs distributed throughout a network may be developed by different vendors, and there is no common vocabulary understandable among them. As a result, the IDSs cannot easily cooperate to prevent multi-phased and distributed attacks. In this paper, a new method based on ontology and OWL to classify and describe Web services attacks was presented. By constructing a Web services attack ontology, a commonly understandable vocabulary could be provided for different IDSs. Then, an intrusion detection system based on the Web Service Attack ontology (called O-IDS) was presented as well, which could efficiently overcome the shortcomings of existing IDSs and enhance the ability to detect multi-phased and distributed attacks.