Presentation is loading. Please wait.

Presentation is loading. Please wait.

International Technology Alliance In Network & Information Sciences International Technology Alliance In Network & Information Sciences 1 Policy Specification,

Published byJustin Miles Modified over 10 years ago

Similar presentations

Presentation on theme: "International Technology Alliance In Network & Information Sciences International Technology Alliance In Network & Information Sciences 1 Policy Specification,"— Presentation transcript:

1 International Technology Alliance In Network & Information Sciences International Technology Alliance In Network & Information Sciences 1 Policy Specification, Analysis and Transformation Mandis Beigi, Carolyn Brodie, Seraphin Calo, David George, Clare-Marie Karat, John Karat, Jorge Lobo, Dinesh Verma, and Xiping Wang

2 2 Policy Life Cycle Task 3 Task 1 Task 2 Author, Analyze & Transform NL Policies Mapping onto Network Security Mechanisms Policy Algebra Task 4

3 3 Security Policy Framework–TA2 P4 Policy Specification In Natural Language Subclasses (NLS) In a Formal Language (FL) System Side Algorithms & Tools User Side Author NL policies Convert NL policies to FL policies Author FL policies Convert FL policies to NL policies Abstract Policy Models Privacy / Security Ontologies Policy Transformation Policy Synchronization Goals, High Level Policies In System Context Concrete Policy Sets Executable Policies Information Control Flow Policy Ratification Policy Authoring Policy Ratification Databases, XML Stores, Rule Engines, State Machines, etc Global Principles and Goals Large Scale Analyses of NL and FL Policies Survey & Coding of Related Practices Policy Transformation Policy Synchronization Human Factors Based Design & Usability Studies Policy Presentation Processing & User Interaction User Preferences in a FL User-Level Paradigms for Preferences Preference Specification Tools AC & Audit Policies Data User Risk Choices & Model Model Model Consent

4 4 Demonstration Components Policy Specification In Natural Language Subclasses (NLS) In a Formal Language (FL) Abstract Policy Models Goals, High Level Policies In System Context Executable Policies Databases, XML Stores, Rule Engines, State Machines, etc Concrete Policy Sets Information Control Flow Domain Policies Data User Choices & Model Consent Policy Analysis Conflict/Dominance/Coverage Policy Transformation User defined transformation Management SPARCLE NLP Analysis & Transformation Policy Deployment Using Ponder 2 for implementation

5 5 SPARCLE Policy Workbench Motivation for SPARCLE: –Policies provide a powerful mechanism to manage many kinds of infrastructures including security and network management. –Currently, policy management methods (e.g., editing XML files) are not sufficient to address user skills of varying technical abilities. –There is a large, error-prone gap between high level policy specification and deployment. –Goal: Create a usable, integrated capability for policy management across heterogeneous systems.

6 6 SPARCLE Policy Workbench Project Scope: The SPARCLE (Server Privacy ARchitecture and CapabiLity Enablement) project will create a highly usable policy workbench that enables organizations to: –Create access control policies (Author, Analyze, and Transform) –Connect policy definition to system entities (Implement) –Check policy compliance (Audit) Authoring Tool Description: –Provides natural language analysis of textual policies, displays results for expert review, and generates the machine-readable XML version of the policies, with 94% parsing precision. –Provides analysis of conflicts and redundancies in access control policies at the structured language level. –Displays results for expert review. –Transforms the policy sets into machine-readable XML version of the policies.

7 7 Marketing employees name, address, and phone number for the purpose of direct advertising if the customer has opted-in. can collect and use User category ActionsData categories Purpose Condition SPARCLE Parsing Example

8 8 Policy Analysis Motivation: –Provides a formal process that allows policy administrators to certify the correctness of a policy before the policy is activated. –Demo highlights the use of advanced algorithms to systematically determine if a policy is problematic. –Analysis can be performed when a policy is authored and the whole process of analysis is automated.

9 9 Policy Analysis Types in Demo Conflict Identification: –Two policies are in conflict if they can be simultaneously applicable and prescribe incompatible actions. –This analysis method is used to determine if two policies are consistent. Dominance Analysis: –A policy is dominated by a set of one or more other policies when the addition of the first policy does not effect the behavior of the system governed by the set of policies. –This analysis method is used to discover redundant policies. Coverage Analysis: –A set of policies may (or may not) provide definition for a range of input parameters. This analysis method determines if there are gaps in the coverage. –This analysis method is used to examine the completeness of a set of policies.

10 10 Conflict Identification Security Level already existing policy new policy Teams Conflict: Applicability subspaces intersect. Variables can take values in spaces of different characteristics –We first find the policy hyper-space intersect –Then we check if the policy effects are incompatible

11 11 Dominance Analysis Battery capacity Draining rate Already existing policy 100 mAmp 95 mAmp/h 30 mAmp/h Dominance check: –A subspace is inside another subspace –Subspaces might not be convex A policy is dominated if its hyper-space is completely contained in the hyper-space of the existing policies new policy

12 12 Coverage Analysis Battery capacity Draining rate 10 35 P2 40 100 350 P4 P3 Uncovered area Device space (dashed line) Coverage check: –A subspace is contained by another subspace (the space to be covered) –Subspaces might not be convex A device space is covered if it is completely covered by the hyper- space of a set of policies To cover the device space the lower bound of draining rate of P4 can be changed to 35

13 13 Policy Transformation Motivation and Explanation: –Transform high level policies into low level policies –Rule based transformation –Modify condition and action sections of the policies –Simple search and replace –Transformation rules are written in an XML format by an expert user

14 14 Transformation Example Input policy If user is from U.S. Then provide high security Transformation rules 1.Replace U.S. with subnet 9.2.x.x 2.Replace high security with 256 bit encryption and DES encryption Output Policy If user is from subnet 9.2.x.x Then use 256 bit encryption and DES encryption

15 15 Policy Deployment The last step is to deploy policies into managed resources This is done in two sub-steps: –A last translation of the policies into the executable commands or policies understood by each resource –Transmission of the policy to the resource In our scenario we are working with Self- Managed Cells (SMC) resources –SMCs are agents built using the Ponder2 policy framework developed at Imperial College

16 08/13/2007 Security Management in Dynamic Communities 16 Policy Deployment SMC policy service - Ponder2 framework –Cater for two types of policies Obligation policies (event-condition-action) define management actions that are performed in response to events Authorization policies specify which actions are permitted on which resources and services –Managed objects to which policies apply can be Internal resources Adapters for external services Policies themselves resource Domain structure policy … … … remote –Policies can be added, removed, enabled and disabled to change SMC behavior Without interrupting its functioning –Managed objects kept in domain structure that implements hierarchical namespace Use domains as subject/target of policies

17 08/13/2007 Security Management in Dynamic Communities 17 Backup and Alternative Slides

18 18 Demonstration A scenario based demo will illustrate the research concepts in the security policy management area.

19 19 Visualization Of Policy Policy Analysis Module Transform Policy Author Policy Ponder Managed Resource Policy Transformations Policy Deployment Ponder Managed Resource Ponder Managed Resource Demo Architecture

20 08/13/2007 Security Management in Dynamic Communities 20 Policy Deployment Self-managed cell (SMC) –Consists of hardware and software components –Do not rely on human intervention nor central coordination –Implements a local feedback control-loop Architectural pattern –Basic building block of a pervasive environment Core services –Discovery service –Event service –Policy service

Download ppt "International Technology Alliance In Network & Information Sciences International Technology Alliance In Network & Information Sciences 1 Policy Specification,"

Similar presentations

Requirements Engineering Processes – 2

Requirements Engineering Processes – 2
Software Requirements

Software Requirements
An Adaptive Policy-Based Framework for Network Service Management Leonidas Lymberopoulos Emil Lupu Morris Sloman Department of Computing Imperial College.

An Adaptive Policy-Based Framework for Network Service Management Leonidas Lymberopoulos Emil Lupu Morris Sloman Department of Computing Imperial College.
Institute for Cyber Security

Institute for Cyber Security
Chapter 1: The Database Environment

Chapter 1: The Database Environment
Chapter 26 Legacy Systems.

Chapter 26 Legacy Systems.
Software Re-engineering

Software Re-engineering
Chapter 26 Legacy Systems.

Chapter 26 Legacy Systems.
Chapter 7 System Models.

Chapter 7 System Models.
Requirements Engineering Process

Requirements Engineering Process
Service Oriented Architecture Reference Model

Service Oriented Architecture Reference Model
Implementation of a Validated Statistical Computing Environment Presented by Jeff Schumack, Associate Director – Drug Development Information September.

Implementation of a Validated Statistical Computing Environment Presented by Jeff Schumack, Associate Director – Drug Development Information September.
Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.

Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.
Annual Conference of ITA ACITA 2009 Realising Management and Composition of Self-Managed Cells in Body Area Networks Alberto Schaeffer-Filho, Emil Lupu,

Annual Conference of ITA ACITA 2009 Realising Management and Composition of Self-Managed Cells in Body Area Networks Alberto Schaeffer-Filho, Emil Lupu,
1 Service Oriented Architectures (SOA): What Users Need to Know. OGF 19: January 31, 2007 Charlotte, NC John Salasin, Ph.D, Visiting Researcher National.

1 Service Oriented Architectures (SOA): What Users Need to Know. OGF 19: January 31, 2007 Charlotte, NC John Salasin, Ph.D, Visiting Researcher National.
Credit hours: 4 Contact hours: 50 (30 Theory, 20 Lab) Prerequisite: TB143 Introduction to Personal Computers.

Credit hours: 4 Contact hours: 50 (30 Theory, 20 Lab) Prerequisite: TB143 Introduction to Personal Computers.
Making the System Operational

Making the System Operational
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 14 Slide 1 Object-oriented Design 1.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 14 Slide 1 Object-oriented Design 1.
EECE 310: Software Engineering Modular Decomposition, Abstraction and Specifications.

EECE 310: Software Engineering Modular Decomposition, Abstraction and Specifications.
Configuration management

Configuration management

Similar presentations

Ads by Google