Policy Description & Enforcement Languages Anis Yousefi

Sharif University of Technology

Slide 2: Outline
- Motivation and background
- Related work
  - Rei: an RDF Schema-based language for policy specification.
  - KAoS: a policy representation language based on OWL.
  - Ponder: an object-oriented policy language for the management of distributed systems and networks.
- Some issues

Slide 3: Motivation
- A key need for the vision of the Semantic Web and Pervasive Computing to succeed is the ability to handle security and privacy and the ability to automate these protocols.
- A good approach: policy-based security and privacy protection
- Until recently: semantic web languages represented web content & services
- Our goal: to find suitable semantic web languages to describe and reason about policies

Slide 4: Policy Advantages
- Automated system management & controlling the behavior of complex systems
- Allowing administrators to modify system behavior without changing source code or requiring the consent or cooperation of the components being governed
- Separation of the rules that govern the behavior of a system from the functionality provided by that system

Slide 5: Benefits of policy-based approaches
- Reusability
- Efficiency
- Extensibility
- Context sensitivity
- Verifiability
- Support for both simple & sophisticated components
- Protection from poorly designed, buggy or malicious components
- Reasoning about component behavior

Slide 6: Approach
- It is not feasible to expect all entities to use the same terminology to represent security protocols and information.
- This forces the use of a semantic language like RDF-S, DAML+OIL or OWL, whose constructs help entities better understand the meaning of the security information.
- A security framework for the Semantic Web and pervasive computing environments needs to be flexible, semantically rich and simple enough to automate.

Slide 7: Possible representation of policies on each layer
- Object-oriented language: Ponder
- XML: XACML, P3P
- RDF + RDF Schema: Rei
- OWL (DAML+OIL): KAoS
- Rules (logic): …

Slide 8: KAoS
- Collection of componentized agent services compatible with several agent frameworks: CORBA, Nomads, …
- KAoS domain services provide the capability for groups of software components, people, resources, and other entities to be organized into domains and subdomains to facilitate agent-agent collaboration and external policy administration.
- KAoS policy services allow for the specification, management, conflict resolution, and enforcement of policies within domains. Policies are currently represented in DAML+OIL as ontologies (soon OWL).

Slide 9: KAoS Policy Ontology
- KPO (KAoS Policy Ontology): distinguishes between authorizations & obligations
- Obligations: constraints that require some action to be performed or else serve to waive such a requirement
- Authorizations: constraints that permit or forbid some action
- Policy type: Positive | Negative, Obligation | Authorization
- Policy: instance of a policy type
- Properties & property restrictions

Slide 10: Example of DAML policy representation in KAoS
- Members of domain A are permitted to communicate outside of their domain using encrypted communication

Slide 11: Features
- Works with arbitrarily written components
- Dynamic runtime policy changes
- Extensible to a variety of execution platforms for which policy enforcement mechanisms may be written
- Robust and adaptable under attack or failure of components
- Easy-to-use policy-based administration tools: GUI for monitoring, visualizing & dynamically modifying policies at runtime

Slide 12: KPAT
- KAoS Policy Administration Tool
- Graphical tool to specify, revise and apply policies, browse and load ontologies, and deconflict newly defined policies.
- Policy templates: high-level, domain-specific abstraction
- Rich set of queries

Slide 13: Conflict detection - KAoS
- At specification time, when a new policy is added to the directory service
- Three types of conflict:
  - positive vs. negative authorization
  - positive vs. negative obligation
  - positive obligation vs. negative authorization
- The algorithms rely on Stanford's Java Theorem Prover (JTP)

Slide 14: Policy deployment model - KAoS
- Domain manager: manages domains of agents and assures policy consistency at all levels of the domain hierarchy
- Directory service: overall policy management
- Guards: interpret policies and pass them on to enforcers
- Enforcers: platform-specific components

Slide 15: Rei: A policy language
- Policy framework: specification, analysis & reasoning in pervasive computing
- The Rei deontic concept-based policy language allows users to express and represent the concepts of rights, prohibitions, obligations, and dispensations (+/- A, O in KAoS & Ponder, i.e. positive/negative authorizations and obligations).
- Rei relies on an application-independent ontology to represent the concepts of rights, prohibitions, obligations, dispensations, and policy rules.

Slide 16: Rei elements
- Policy: rules, entities, domain, (rights, …)
- The basic ontology includes actions: unique action ID, target object, pre-defined conditions, effects
- Speech acts: dynamically exchange rights & obligations between entities
- Meta-policies: resolve policy conflicts

Slide 17: Example of Rei policy specification
- Rei's concepts of rights, permissions, obligations, dispensations, and policy rules are represented as Prolog predicates.
- No GUI
- Role-based access control policies

Slide 18: Reasoning - Rei
- The Rei framework provides a policy engine that reasons about the policy specifications. The engine accepts policy specifications in both the Rei language and in RDF-S, consistent with the Rei ontology. RDF is converted to (subject, predicate, object) triples.
- The engine is consistent and complete and allows Prolog queries about any policies, meta-policies, and domain-dependent knowledge that have been loaded into its knowledge base.

Slide 19: Conflict detection - Rei
- Modality conflicts plus overlap in subject, target & action
- Meta-policies:
  - Setting priorities between policies or rules
  - Setting modality precedence

Slide 20: Policy deployment model - Rei
- Policy engine: reasons about policies & replies to queries
- No enforcement model
- No protection from malicious or non-compliant components or agents

Slide 21: Ponder
- Declarative object-oriented language
- Specification of management policies for distributed object systems
- Basic policy: rules governing choices in system behavior
  - Set of subjects and set of targets with management responsibility: have the authority to initiate a management decision
- Composite policy: grouping the basic policies of an organization
  - Role: groups of policies governing the behavior of the same subject by specifying its rights & duties
  - Relationship: rights & duties of roles towards each other

Slide 22: Ponder policy
- Two fundamental policy types: obligation and authorization
- Obligation: the actions that policy subjects must perform on target entities when specific relevant events occur
- Authorization: what operations a subject is authorized to perform on target objects
- Management domains: groups of objects to which policies apply

Slide 23: Policy specification
- Type policy: user-defined policy types
- Parameterized: context specific
- Policy instances
- No default rules: permit or forbid action?

Slide 24: An example of Ponder authorization policy
The policy specifies that the professor principals have read access to all the exercise files of their students only during the opening hours of the school, i.e. from 7 am to 7 pm and from Monday to Friday.

Slide 25: Ponder tools
- Ponder provides various graphical tools for editing, updating, removing, and browsing Ponder policies.
- There are also tools for syntactic and semantic analysis of policy specifications and for transforming Ponder language specifications directly into XML or Java code that can be interpreted at runtime.

Slide 26: Conflict detection - Ponder
- A prototype conflict detection tool detects overlaps and conflicts between policies.
  - Modality conflicts: policies with modalities of opposite signs that refer to the same subjects, targets & actions
    - Ex: conflicts between permissions & prohibitions or between obligations and prohibitions
  - Application-specific conflicts: policy content & external criteria
    - Ex: conflict between an obligation to access a resource and a limitation on the resource availability
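The modality-conflict check described on the KAoS, Rei and Ponder conflict detection slides, as an added example that is not code from the presentation or from any of the three projects. It assumes flat sets of subjects, targets and actions instead of domain hierarchies; the `priority` field, the policy names and the `resolve` helper are hypothetical, and resolution follows the two Rei meta-policy options (priorities, then modality precedence).

```python
from dataclasses import dataclass
from itertools import combinations

S = frozenset  # shorthand for the constructed sample data below

@dataclass(frozen=True)
class Policy:
    name: str
    kind: str        # "A" = authorization, "O" = obligation
    sign: str        # "+" = positive, "-" = negative
    subjects: frozenset
    targets: frozenset
    actions: frozenset
    priority: int = 0  # hypothetical field used by the meta-policy

# Conflicting modality pairs, as listed on the KAoS conflict detection slide.
CONFLICT_TYPES = {
    S({"A+", "A-"}): "positive vs. negative authorization",
    S({"O+", "O-"}): "positive vs. negative obligation",
    S({"O+", "A-"}): "positive obligation vs. negative authorization",
}

def find_conflicts(policies):
    """Return (p, q, conflict type) for each pair whose modalities conflict
    and whose subjects, targets and actions all overlap."""
    found = []
    for p, q in combinations(policies, 2):
        ctype = CONFLICT_TYPES.get(S({p.kind + p.sign, q.kind + q.sign}))
        overlap = (p.subjects & q.subjects, p.targets & q.targets,
                   p.actions & q.actions)
        if ctype and all(overlap):
            found.append((p, q, ctype))
    return found

def resolve(p, q, precedence="-"):
    """Meta-policy: the higher priority wins; on a tie, the policy whose
    sign matches the modality precedence wins."""
    if p.priority != q.priority:
        return p if p.priority > q.priority else q
    return p if p.sign == precedence else q

# Constructed sample policies (all names are made up for illustration).
POLICIES = [
    Policy("members-may-send", "A", "+", S({"alice", "bob"}), S({"outside"}), S({"send"})),
    Policy("bob-no-send", "A", "-", S({"bob"}), S({"outside"}), S({"send", "connect"}), priority=1),
    Policy("alice-must-log", "O", "+", S({"alice"}), S({"audit-log"}), S({"write"})),
    Policy("nobody-writes-log", "A", "-", S({"alice", "bob"}), S({"audit-log"}), S({"write"})),
    Policy("bob-may-read-log", "A", "+", S({"bob"}), S({"audit-log"}), S({"read"})),
]

if __name__ == "__main__":
    for p, q, ctype in find_conflicts(POLICIES):
        print(f"{p.name} / {q.name}: {ctype}; winner: {resolve(p, q).name}")
```

The last two sample policies have opposite signs and share a subject and target but not an action, so they are not reported: a modality conflict needs overlap in all three dimensions.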

Slide 27: Policy deployment model - Ponder
- Policy specification
- Ponder compiler: Java class, Java object
- Runtime changes not possible
- Distribution and enforcement model: distinguishes between authorization and obligation policies
- Specification of the interfaces for enforcement agents but no implementation
- Some systems implement them in the application domain

Slide 28: Issues
- The choice should be driven by the characteristics of the application domain and by simplicity, readability, analyzability, scalability and enforceability requirements
- Ontology advantages:
  - Complex systems: multiple levels of abstraction
  - Description of the environment using concepts: simplifying the description, facilitating analysis & reasoning, conflict detection
  - Simplified access to policy information: querying the ontology according to its schema
  - Dynamically calculating relations between policies and the environment
  - Sharing: negotiate between entities and agree
- Technical difficulties:
  - Complex syntax
  - Long declarative description
  - Hyperlinks & references to external resources (Ponder, DAML)
  - Gap between specification and implementation of policies
