Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Policy Based Approach to Security for the Semantic Web Lalana Kagal, Tim Finin and Anupam Joshi.

Published byMarianna Shaw Modified over 8 years ago

Similar presentations

Presentation on theme: "A Policy Based Approach to Security for the Semantic Web Lalana Kagal, Tim Finin and Anupam Joshi."— Presentation transcript:

1 A Policy Based Approach to Security for the Semantic Web Lalana Kagal, Tim Finin and Anupam Joshi

2 Outline Rei : A policy language Why is Rei needed ? Comparison with existing research Securing the Semantic Web Infrastructure for web resources Infrastructure for agents Infrastructure for web services Summary

3 Rei : A Policy Language : Japanese ‘Kanji’ character means ‘universal’ or ‘essence’ Kanji is a Japanese script A declarative policy language for describing policies over actions Represented in RDF-S + logic like variables Based on deontic concepts and speech acts Possible to write Rei policies over ontologies in other semantic web languages Rei policy engine + RDFS reasoner + other reasoners Different kinds of policies Security, privacy, conversation, etc. Example : All entities in the same group as John have the right to use any printer that John has the right to use Example : All entities in the same group as John have the right to use any printer that John has the right to use Right Prohibition Obligation Dispensation Delegation Revocation Request Cancel Delegation Revocation Request Cancel Example : John has the right to delegate the right to revoke the right to Print

4 Why is it needed ? Existing policy languages XACML : OASIS eXtensible Access Control Markup Language Ponder EPAL : IBM Enterprise Privacy Authorization Language KeyNote KAoS : Knowledgeable Agent-oriented System Disadvantages Limited by language used Not very expressive in terms of constraints Limited support for delegation Other speech acts not handled at all Rei RDFS Expressive Good delegation mng+ integrated support for other speech acts Rei RDFS Expressive Good delegation mng+ integrated support for other speech acts

5 Rei Specifications Policy Properties : Context, Default Policy, Grants Deontic objects Rights, Prohibitions, Obligations, Dispensations Properties : Actor, Action, Constraints Actions Properties : Actor, Target objects, PreConditions, Effects Composite actions : Seq, Choice, Once, Repetition Speech Acts Delegation, Revocation, Request, Cancel Properties : Sender, Receiver, Deontic object/Action Used to modify policies Dispensation/ Revocation Obligation/ Delegation Prohibition Right Example : No student can enter the faculty lounge after 4.30 on weekdays Example : John is prohibited from any action that causes radiation

6 Rei Specifications Meta Policies Setting priorities between policies or rules E.g. Federal policy overrides the State policy Setting modality precedence E.g. Negative modality holds for all students of UMBC

7 Security framework Provide security for three types of entities Web resources Agents Web services

8 Classification of entities Entities can be one of 3 types Private -- No other entity has the right to access a private service/agent/resource Secure -- Only entities that satisfy the associated policy of the secure agent/service/resource have the right to access it Open -- All entities have the right to access an open resource/service/agent

9 Framework for web resources User Web server http://www…../page.html + Rei policy in RDF/XML Agent Request for resource Reject OR Redirect to credentials page + policy requirements Resource

10 Framework for agents Framework based on FIPA specs Agents exist on platforms that provide middleware functionality AMS : Agent Management System (white page service) DF : Directory Facilitator (yellow page service) Main functions : registration and querying Two levels of security Platform AMS and DF use the platform policy and other policies to decide whether to provide services to the requesting agent Agent Agent uses its own policy to decide whether to honor requests from the platform or other agents

11 Security Module for AMS AMSDF Agent Platform Register + Policy (if sec-type is secure) Registration 1. Check platform policy 2. Update directory 3. (Save agent policy) Agent Accept OR Reject + Requirements

12 Security Module for AMS AMSDF Agent Platform Agent Request for agent ID List of IDs Querying 1. Check platform policy 2. Check requested agent’s policy 3. If requester meets policy, return ID

13 Security Module of DF Similar to that of AMS Functionality Register a service Checks if agent meets platform’s policy for registering a service Query for a service Checks if agent meets the platform’s policy for querying for services Finds all matching services (either open or secure) Retrieves associated policies of services registered as secure Returns all open services and those secure services whose policy requirements the requester meets

14 Agent security Security module in the agent is optional An agent can rely on the platform to provide authorization to its services May have additional policy requirements after initial filtering by AMS and DF

15 Framework for web services Webservice Directory Functional Desc + Policy http://orbtiz.com#Service123 Does service have the right to register ? Accept OR Reject + Requirements Registration

16 Framework for web services http://orbtiz.com#Service123 Request = Func desc of service + Credentials 1. Does requester have the right to query ? 2. Check that requester meets policy of matched service Reject + Requirements Query Webservice Directory List of (func + policy) matched services

17 Example Policy 1 Service123, of orbitz’s namespace, permits users who are in the same current project as an orbitz’s platinum club member to use it Logic Right(User, service123, Constraints). Constraints = currentProject(User,Project), currentProject(SomeUser, Project), member(SomeUser, orbitz-platinumClub)

18 Rei Example Policy 1 :x a rei:Variable. :y a rei:Variable. :p a rei:Variable. :R a rei:Right; rei:agent rei:x; rei:action [a orbitz:findtickets; rei:target orbitz:Service123]. :ws-policy a rei:Policy; rei:grants [a rei:granting; rei:to x; rei:deontic R; rei:oncondition [a rei:AndCondition; rei:First [a rei:SimpleCondition; rei:subject y; rei:predicate orbitz:member; rei:object orbitz:platinumclub]; rei:Second[a rei:AndCondition; rei:First[a rei:SimpleCondition; rei:subject y; rei:predicate foaf:currentproject; rei:object p]; rei:Second[a rei:SimpleCondition; rei:subject x; rei:predicate foaf:currentproject; rei:object p]]]].

19 Example Policy 2 All graduate students have the right to delegate a printing action on the HPPrinter in UMBC to any undergraduate student Logic Right(Grad, delegate(Grad, UnderGrad, right(UnderGrad, print(UnderGrad, umbc-hpprinter, _, _)_), _), Constraints). Constraints = student(Grad, graduateStudent), student(UnderGrad, undergraduateStudent)

20 Rei Example Policy 2 :s a rei:Variable. :r a rei:Variable. :R a rei:Right; rei:agent rei:s; rei:action [a rei:Delegate; rei:Sender s; rei:Receiver r; rei:Content [ a univ:PrintingAction; rei:target umbc:HPPrinter]; rei:constraints[a rei:SimpleCondition; rei:subject r; rei:predicate rdf:type; rei:object univ:UndergradStudent]. :policy a rei:Policy; rei:grants [a rei:granting; rei:to s; rei:deontic R; rei:oncondition [a rei:SimpleCondition; rei:subject s; rei:predicate rdf:type; rei:object univ:GradStudent]

21 Testbeds The past: Rei’s ancestor was used in The EECOMS supply chain management project to control access to information between enterprises The Vigil pervasive computing framework to control access to pervasive services The present: Rei is currently being used in An agent-based collaboration application (GENOA II) to control team formation and information access The Fujitsu Task Computing framework to control access to pervasive services The future: Rei will be used in The CoBrA pervasive computing system for privacy policies

22 Future Work Reimplementation in F-OWL We are in the process of reimplementing Rei using the F- OWL reasoning system Incorporating OWL rules We hope to use OWL rules in the RDF syntax for Rei if a consensus proposal appears soon Reasoning about policies We are extending the reasoner to be able to detect more inconsistencies in policies The Rei policy editor We are developing an IDE for Rei policies using the Eclipse framework

23 Summary Security Framework Policy based Distributed Every entity is responsible for its own policy Use of speech acts to modify policies Security is either part of the central directory or controlled by the individual web entity Similar framework for all entities Policy Language Based on RDFS + logic Speech acts are tightly coupled with the policies Mechanisms for conflict detection and resolution Can be used for security, management, privacy policies

24 For More Information http://rei.umbc.edu/

Download ppt "A Policy Based Approach to Security for the Semantic Web Lalana Kagal, Tim Finin and Anupam Joshi."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
DAML PI Meeting Status Briefing UMBC, JHU APL, MIT Sloan Tim Finin Jim Mayfield Benjamin Grosof February 12, 2002 tell register JHU APL Haircut retrieval.

DAML PI Meeting Status Briefing UMBC, JHU APL, MIT Sloan Tim Finin Jim Mayfield Benjamin Grosof February 12, 2002 tell register JHU APL Haircut retrieval.
FIPA Interaction Protocol. Request Interaction Protocol Summary –Request Interaction Protocol allows one agent to request another to perform some action.

FIPA Interaction Protocol. Request Interaction Protocol Summary –Request Interaction Protocol allows one agent to request another to perform some action.
Chronos: A Tool for Handling Temporal Ontologies in Protégé

Chronos: A Tool for Handling Temporal Ontologies in Protégé
ANDREA WESTERINEN CA TECHNOLOGIES APR 28, 2011 Policy Language Overview 1.

ANDREA WESTERINEN CA TECHNOLOGIES APR 28, 2011 Policy Language Overview 1.
Chapter 6: Modeling and Representation Service-Oriented Computing: Semantics, Processes, Agents – Munindar P. Singh and Michael N. Huhns, Wiley, 2005.

Chapter 6: Modeling and Representation Service-Oriented Computing: Semantics, Processes, Agents – Munindar P. Singh and Michael N. Huhns, Wiley, 2005.
1 UIM with DAML-S Service Description Team Members: Jean-Yves Ouellet Kevin Lam Yun Xu.

1 UIM with DAML-S Service Description Team Members: Jean-Yves Ouellet Kevin Lam Yun Xu.
:: Ebiquity Research Group :: CSEE :: UMBC :: :: :: An Ontology for Context-Aware Pervasive Computing Environments Harry Chen, Tim Finin, Anupam Joshi.

:: Ebiquity Research Group :: CSEE :: UMBC :: :: :: An Ontology for Context-Aware Pervasive Computing Environments Harry Chen, Tim Finin, Anupam Joshi.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Policy Description & Enforcement Languages Anis Yousefi

Policy Description & Enforcement Languages Anis Yousefi
KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture.

KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
A Semantic e-Wallet to Reconcile Privacy and Context Awareness Fabien L. Gandon & Norman M. Sadeh Mobile Commerce Lab. – Carnegie Mellon University.

A Semantic e-Wallet to Reconcile Privacy and Context Awareness Fabien L. Gandon & Norman M. Sadeh Mobile Commerce Lab. – Carnegie Mellon University.
Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.

Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
1 of 30 Declarative Policies for Describing Web Service Capabilities and Constraints Lalana Kagal Tim Finin Anupam Joshi University of Maryland Baltimore.

1 of 30 Declarative Policies for Describing Web Service Capabilities and Constraints Lalana Kagal Tim Finin Anupam Joshi University of Maryland Baltimore.
An OWL based schema for personal data protection policies Giles Hogben Joint Research Centre, European Commission.

An OWL based schema for personal data protection policies Giles Hogben Joint Research Centre, European Commission.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
An Intelligent Broker Architecture for Context-Aware Systems A PhD. Dissertation Proposal in Computer Science at the University of Maryland Baltimore County.

An Intelligent Broker Architecture for Context-Aware Systems A PhD. Dissertation Proposal in Computer Science at the University of Maryland Baltimore County.

Similar presentations

Ads by Google