International Technology Alliance In Network & Information Sciences: Policy Specification, Analysis and Transformation

Presentation transcript:

1 Policy Specification, Analysis and Transformation
International Technology Alliance In Network & Information Sciences
Mandis Beigi, Carolyn Brodie, Seraphin Calo, David George, Clare-Marie Karat, John Karat, Jorge Lobo, Dinesh Verma, and Xiping Wang

2 Policy Life Cycle
[Diagram labels: Task 1; Task 2; Task 3; Task 4; Author, Analyze & Transform NL Policies; Mapping onto Network Security Mechanisms; Policy Algebra]

3 Security Policy Framework – TA2 P4
[Diagram labels: Policy Specification (In Natural Language Subclasses (NLS); In a Formal Language (FL)); System Side Algorithms & Tools; User Side; Author NL policies; Convert NL policies to FL policies; Author FL policies; Convert FL policies to NL policies; Abstract Policy Models; Privacy / Security Ontologies; Policy Transformation; Policy Synchronization; Goals, High Level Policies In System Context; Concrete Policy Sets; Executable Policies; Information Control Flow; Policy Ratification; Policy Authoring; Databases, XML Stores, Rule Engines, State Machines, etc; Global Principles and Goals; Large Scale Analyses of NL and FL Policies; Survey & Coding of Related Practices; Human Factors Based Design & Usability Studies; Policy Presentation Processing & User Interaction; User Preferences in a FL; User-Level Paradigms for Preferences; Preference Specification Tools; AC & Audit Policies; Data User Risk Choices & Model Model Model Consent]

4 Demonstration Components
[Diagram labels: Policy Specification (In Natural Language Subclasses (NLS); In a Formal Language (FL)); Abstract Policy Models; Goals, High Level Policies In System Context; Executable Policies; Databases, XML Stores, Rule Engines, State Machines, etc; Concrete Policy Sets; Information Control Flow; Domain Policies; Data User Choices & Model Consent]
Policy Analysis: Conflict/Dominance/Coverage
Policy Transformation: User defined transformation
Management: SPARCLE NLP Analysis & Transformation
Policy Deployment: Using Ponder 2 for implementation

5 SPARCLE Policy Workbench
Motivation for SPARCLE:
–Policies provide a powerful mechanism to manage many kinds of infrastructures including security and network management.
–Currently, policy management methods (e.g., editing XML files) are not sufficient to address user skills of varying technical abilities.
–There is a large, error-prone gap between high level policy specification and deployment.
–Goal: Create a usable, integrated capability for policy management across heterogeneous systems.

6 SPARCLE Policy Workbench
Project Scope: The SPARCLE (Server Privacy ARchitecture and CapabiLity Enablement) project will create a highly usable policy workbench that enables organizations to:
–Create access control policies (Author, Analyze, and Transform)
–Connect policy definition to system entities (Implement)
–Check policy compliance (Audit)
Authoring Tool Description:
–Provides natural language analysis of textual policies, displays results for expert review, and generates the machine-readable XML version of the policies, with 94% parsing precision.
–Provides analysis of conflicts and redundancies in access control policies at the structured language level.
–Displays results for expert review.
–Transforms the policy sets into machine-readable XML version of the policies.

7 SPARCLE Parsing Example
Marketing employees [User category] can collect and use [Actions] name, address, and phone number [Data categories] for the purpose of direct advertising [Purpose] if the customer has opted-in [Condition].

8 Policy Analysis
Motivation:
–Provides a formal process that allows policy administrators to certify the correctness of a policy before the policy is activated.
–Demo highlights the use of advanced algorithms to systematically determine if a policy is problematic.
–Analysis can be performed when a policy is authored and the whole process of analysis is automated.

9 Policy Analysis Types in Demo
Conflict Identification:
–Two policies are in conflict if they can be simultaneously applicable and prescribe incompatible actions.
–This analysis method is used to determine if two policies are consistent.
Dominance Analysis:
–A policy is dominated by a set of one or more other policies when the addition of the first policy does not affect the behavior of the system governed by the set of policies.
–This analysis method is used to discover redundant policies.
Coverage Analysis:
–A set of policies may (or may not) provide definition for a range of input parameters. This analysis method determines if there are gaps in the coverage.
–This analysis method is used to examine the completeness of a set of policies.

10 Conflict Identification
[Diagram: axes Security Level and Teams; regions labelled "already existing policy" and "new policy"]
Conflict: Applicability subspaces intersect. Variables can take values in spaces of different characteristics
–We first find the intersection of the policy hyper-spaces
–Then we check if the policy effects are incompatible

11 Dominance Analysis
[Diagram: axes Battery capacity and Draining rate; axis values 100 mAmp, 95 mAmp/h, 30 mAmp/h; regions labelled "Already existing policy" and "new policy"]
Dominance check:
–A subspace is inside another subspace
–Subspaces might not be convex
A policy is dominated if its hyper-space is completely contained in the hyper-space of the existing policies

12 Coverage Analysis
[Diagram: axes Battery capacity and Draining rate; regions labelled P, P4, P3; "Uncovered area"; "Device space (dashed line)"]
Coverage check:
–A subspace is contained by another subspace (the space to be covered)
–Subspaces might not be convex
A device space is covered if it is completely covered by the hyper-space of a set of policies
To cover the device space the lower bound of draining rate of P4 can be changed to 35
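The three checks from slides 9 to 12, as an added Python sketch that is not part of the original slides or the demo's code. It assumes each policy's applicability region is a single axis-aligned box, treats "incompatible" as "different effect", restricts dominance to policies with the same effect, and uses constructed policy names and bounds.

```python
# Added illustration, not the demo's code. A policy region is an axis-aligned
# box {variable: (low, high)} with half-open intervals [low, high).
def intersect(a, b):
    """Return the box where a and b both apply, or None if they never overlap."""
    out = {}
    for var in a:
        lo, hi = max(a[var][0], b[var][0]), min(a[var][1], b[var][1])
        if lo >= hi:
            return None
        out[var] = (lo, hi)
    return out

def subtract(box, cut):
    """Split box into disjoint boxes lying outside cut (result may be non-convex)."""
    overlap = intersect(box, cut)
    if overlap is None:
        return [box]
    pieces, rest = [], dict(box)
    for var, (lo, hi) in overlap.items():
        if rest[var][0] < lo:
            pieces.append({**rest, var: (rest[var][0], lo)})
        if hi < rest[var][1]:
            pieces.append({**rest, var: (hi, rest[var][1])})
        rest[var] = (lo, hi)  # narrow to the overlap before slicing the next axis
    return pieces

def uncovered(space, policies):
    """Coverage check: the parts of space that no policy region reaches."""
    gaps = [space]
    for p in policies:
        gaps = [piece for g in gaps for piece in subtract(g, p["region"])]
    return gaps

def conflicts(new, existing):
    """Conflict check: regions intersect and effects differ (assumed incompatible)."""
    return [p["name"] for p in existing
            if p["effect"] != new["effect"] and intersect(new["region"], p["region"])]

def dominated(new, existing):
    """Dominance check: new's region lies wholly inside same-effect policies."""
    same = [p for p in existing if p["effect"] == new["effect"]]
    return not uncovered(new["region"], same)

# Constructed sample values (capacity in mAmp, draining rate in mAmp/h).
DEVICE = {"capacity": (0, 100), "rate": (30, 95)}
P3 = {"name": "P3", "effect": "low_power", "region": {"capacity": (0, 100), "rate": (30, 35)}}
P4 = {"name": "P4", "effect": "alert", "region": {"capacity": (0, 100), "rate": (40, 95)}}
P4_FIXED = {**P4, "region": {"capacity": (0, 100), "rate": (35, 95)}}
```

With these constructed bounds, `uncovered(DEVICE, [P3, P4])` reports the strip of draining rates from 35 to 40, and lowering P4's bound to 35 closes it.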

13 Policy Transformation
Motivation and Explanation:
–Transform high level policies into low level policies
–Rule based transformation
–Modify condition and action sections of the policies
–Simple search and replace
–Transformation rules are written in an XML format by an expert user

14 Transformation Example
Input policy
If user is from U.S. Then provide high security
Transformation rules
1. Replace U.S. with subnet 9.2.x.x
2. Replace high security with 256 bit encryption and DES encryption
Output Policy
If user is from subnet 9.2.x.x Then use 256 bit encryption and DES encryption

15 Policy Deployment
The last step is to deploy policies into managed resources
This is done in two sub-steps:
–A last translation of the policies into the executable commands or policies understood by each resource
–Transmission of the policy to the resource
In our scenario we are working with Self-Managed Cells (SMC) resources
–SMCs are agents built using the Ponder2 policy framework developed at Imperial College

08/13/2007 Security Management in Dynamic Communities
16 Policy Deployment
SMC policy service - Ponder2 framework
–Cater for two types of policies
  Obligation policies (event-condition-action) define management actions that are performed in response to events
  Authorization policies specify which actions are permitted on which resources and services
–Managed objects to which policies apply can be
  Internal resources
  Adapters for external services
  Policies themselves
–Policies can be added, removed, enabled and disabled to change SMC behavior
  Without interrupting its functioning
–Managed objects kept in domain structure that implements hierarchical namespace
  Use domains as subject/target of policies
[Diagram labels: resource; Domain structure; policy; … … …; remote]

17 Backup and Alternative Slides

18 Demonstration A scenario based demo will illustrate the research concepts in the security policy management area.

19 Demo Architecture
[Diagram labels: Visualization Of Policy; Policy Analysis Module; Transform Policy; Author Policy; Policy Transformations; Policy Deployment; Ponder Managed Resource (three instances)]

20 Policy Deployment
Self-managed cell (SMC)
–Consists of hardware and software components
–Does not rely on human intervention or central coordination
–Implements a local feedback control-loop
Architectural pattern
–Basic building block of a pervasive environment
Core services
–Discovery service
–Event service
–Policy service