Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 By Fawaz Alsaadi & Fahad Alsolami CS691 - Summer 2011.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 By Fawaz Alsaadi & Fahad Alsolami CS691 - Summer 2011."— Presentation transcript:

1 1 By Fawaz Alsaadi & Fahad Alsolami CS691 - Summer 2011

2 2

3  Secure information sharing across different organizations is an emerging issue for collaborative software development, product design.  The external threats are taken care of by using firewalls and mail filtering appliances.  For cross organizational security virtual domain is proposed.  Virtual domain is a collection of computer resources distributed across different organization. 3

4  Organizations A and B are collaborating on a software development project.  A project manager responsible for project management  including its information security.  Project members create documents for the project and share these documents using common services  How to enforce policy to common services? 4

5 One existing solution  A TVD is constructed as a cross organization workspace of the project by virtualizing every resource dedicated to a particular project.  Project manager can enforce given policies to all trusted resources in individual TVD.  Good: Allows project members to securely share project specific information even through the common services  Bad: In this model, all common services dedicated to a project need to be newly constructed apart from existing services. This require additional cost even if the resources are virtual. 5

6 For reducing such costs,  Domain virtualization using Content Oriented Virtual Domains (CoVD):  CoVD is a collection of computer resources that are connected via common services.  Allow leveraging existing common services from authorized resources.  Allows content-based policy enforcement such as encryption onto mails going through common mail services, and contents filtering for files shared in common file services 6

7  The CoVD comprises project members, authorized resources, and the project policies.  Existing common services can be leveraged without any modification.  CoVD model requires no additional costs for the common services 7

8  To make secure information sharing through the existing services, the policy is enforced not to the authorized resources, but to the project documents shared in common services. 8

9  Example of email:  A project member of organization A writes an e-mail attached with a specification document to his or her co- worker of organization B.  CoVD automatically encrypts the email with a project- specific shared key accordingly to the policies given by a project manager.  Because the project key is shared within the authorized resources of the CoVD, the specification documents are accessible by only the project members, even if the e-mail goes through the existing mail servers.  With this content based policy enforcement, the CoVD achieves secure information sharing through the existing common services 9

10  Requirements  Domain management a) Member management required for specifying the project members. b) Resource management is required for constructing and authenticating virtual resources used in the member environment. c) Policy management is required for specifying and distributing the project information sharing policies to the member environments.  Member environment in the workspace d) Resource virtualization is required for creating the project specific resources at low cost. e) Member authentication for allowing only the project members to use the virtual resources. f) Resource authorization for quarantine. g) The information sharing policy must be enforced on the project documents 10

11  Domain management server has  Member management component (A),  Resource management component (B),  Policy management component (C) 11

12  Domain management  Component (A) ▪ The manger registers the member accounts  Component (B) ▪ The manger constructs original images of virtual resources. Then, issues a signature to the virtual resource images and distributes a copy of the images to the virtualization platforms.  Component (C) ▪ The manger specifies the information sharing policies for the project, and distributes them to the enforcers. 12

13  Member environment in the workspace.  Each physical member environment uses a ▪ virtualization platform (D) ▪ member authentication component (E) ▪ Resource authorization component (F), ▪ Policy enforcer (G) 13

14  Member environment  virtualization platform (D) ▪ Receives a copy of the virtual resource image and creates the virtual resources for constructing a virtual member environment.  Member authentication component (E) ▪ Authenticates the members with the accounts 14

15  Member environment  Resource authorization component (F) ▪ Checks the signature of the authorized virtual resources to confirm whether the structure of the resources is as defined by the manager.  Policy enforcer (G) ▪ Monitors network communications ▪ Enforces the policy on the exchanged documents 15

16  Feasibility of the cross organizational policy enforcement was evaluated by implementing 2 core components of the CoVD architecture:  Policy management component to specify policies, and  Policy enforcers to control network data according to the policies  Widely available implementations used for other components such as:  Member management component: Microsoft Active Directory  Resource authentication component: TPM/TCG software stack  Virtualization platforms: Xen, VMWare, and Hyper-V 16

17  Allows the project manager to specify policies & consists of:  Policy editor: Allows to specify policies ▪ A cgi to provide a web interface  Policy repository to store the specified policies ▪ directory to store policies  Policy deployer distributes the policies to the policy enforcers on each client ▪ web server that publishes the directory to the policy enforcer 17

18 Retrieves the policies using an HTTP protocol.  Deployed in the management environment which is separated from the virtual member environment.  Xen is used  Policy enforcer in the deployed in Dom0 corresponding to the management environment. 18

19  Design an extensible structure that allows the manager to expand the policy expression capability by adding a plug-in module.  In Dom0, policy enforcer comprises of  context handler,  condition plug-in modules  obligation plug-in modules 19

20  Context handler is a  Policy interpreter, which  Hooks IP packets  Calls the condition plug-in modules and obligation plug-in modules  condition plug-in module ▪ Performs filtering according to the condition  Obligation plug-in modules according ▪ performs required content transformation to the policies 20

21  Context handler  Monitors all network communication so that it enforces policies without fail.  Context handler implemented as a bridge driver that connects DomU and network interface card. 21

22  Context handler policy enforcement  Finds an appropriate policy by identifying the IP address and port number of IP packets  Context handler interprets the policy and calls condition plug-in modules and obligation plug-in modules  To call the plug-in modules, the context handler performs a Network Address Translation (NAT)  Each plug-in module has a virtual NIC and opens sockets on its virtual NIC.  Context handler hooks IP packets to/from the DomU and performs the NAT so that the network connection goes thorough plug-in modules 22

23  Context handler performs the NAT according to the policy  Step 1 (find out the policy) ▪ Monitors the IP packets and identifies the source/destination IP address and the source/destination port number. ▪ Context handler finds the policy according to the IP addresses and port numbers. ▪ If the IP addresses and the port numbers do not match any policies, the context handler drops the packet. 23

24  Context handler performs the NAT according to the policy  Step 2 (call condition functions) ▪ Context handler refers to the first condition plug-in module’s IP address. ▪ Context handler changes the destination IP address into the first module's IP address. ▪ Context handler hooks the packets from the first module ▪ Context handler transfers the packets to the next module. ▪ In the same way, the context handler repeats the NAT till the last condition module. 24

25  Context handler performs the NAT according to the policy  Step 3 (call obligation functions) ▪ The context handler transfers the packets to obligation plug-in modules. ▪ If the context handler hooks a packet from the last obligation module, the context handler changes the destination IP address into the server’s IP address. 25

26  Use case where there is an existing mail server  Project members share project documents using this server.  Used Thunderbird as the mailer and Postfix as the server. 26

27  Secure mail exchange  Assumed that project members should send mail only to other project members to prevent information leakage.  Mail is encrypted to prevent eavesdropping.  Used following policy for secure mail exchange: RecipientCheck (MailEncryption(*:*,,192.168.0.3:25) ) 27

28  Secure mail exchange  Project member sends a mail,  Recipient check module analyzes the SMTP protocol and identifies recipients.  Checks to see if the recipient is allowed using the allowable recipient list.  If the recipient is allowed, the module mediates the mail. Otherwise, the module drops the mail and closes the network connection to the server.  Mail encryption module also analyzes the SMTP protocol and identifies the mail body.  It encrypts the mail body using the project key 28

29  Efficiency of the context handler and the modules were measured using the time to download a file using a WebDAV client (cadaver version 0.23.0 with neon version 0.27.2)  Used two machines Pentium D 3.4GHz CPU, 3 GB memory with onboard Intel e1000 NIC.  The two were connected via a 100 Mbps hub,  One machine was used for a server, and the other was used for a client.  Downloaded files of different sizes (1 MB, 10 MB, 50 MB, 100 MB) and measured the download time in 2 cases  Used an unmodified Xen bridge driver in case (a)  In (b) case a context handler and a plug-in module with the plug-in interface was deployed  The module was implemented using Perl, and it had a dummy security function 29

30  The download time is proportional to file size  The overhead of case (b) is almost constant regardless of the file size.  In case (a), the regression line is time = 0.1562 * file size,  In case (b), time = 0.2166 * file size  The overhead was calculated using 0.21 66 / 0.1562 = 1.387 (38.7%)  Using system profiler (OProfile) it was identified that the overhead was caused by network communication between the context handler and the plug-in modules 30

31  VPN based approach  VPN approaches focus on document sharing within a single organization, while paper’s focus was on cross organizational document sharing.  Virtualization Based Policy Enforcement  The main difference in other approaches such as TVD is that this paper’s approach leverages public service to reduce the cost. 31

32  Proposed a method of constructing Content Oriented Virtual Domains, which leverages existing common services and enables a secure collaborative workspace.  CoVD monitors document exchange, checks conditions, and enforces obligations according to project policies.  Implemented the policy management component and the policy enforcer, which can expand policy description capability by adding a plug-in module.  Performance evaluation showed that CoVD allows sharing the project documents safely using existing services such as e-mail. 32

33 33

34 34

35  Role Based Multi-Agent System for providing effective and secure Bank transaction services  To provide seamless access to information present in the database  Negotiation agent to access and trust negotiations,  Database agent and Interface Agent to accept and display request service results. 35

36  Main Features of the system  Ease of use,  Effective communication between customers and service providers,  Isolation from resource specific details, changes in the system and internal complexity 36

37  Agents developed using Java Agent  Development Framework (JADE)  Java APIs  System provides features such as  The Login Validation or User Authentication  Service Registration,  Role Agent Identification, and  User Interface for an effective interaction between customer and the system.  The role agent retrieves the information from database and sends it to the customer through an interface agent. 37

38  System accepts the customer request by interface agent.  The facilitator is used to register the service of role agents.  The role agent has the ability to forward the request to negotiator for the validation of request and account details. 38

39  The database agent possesses the capacity to retrieve the customer information.  The interface agent is used to display the customer details. 39

40  User Interface  Graphical User Interface  Mobile Agent Creation module  Server with appropriate resource is identified to process the customer request.  Facilitator coordinates the mobile agent to process customer request.  Facilitator registers the agent to access a particular service using its Agent ID.  After completion of the customer service the facilitator deregisters the service. 40

41  Loan Mobile Agent  System lists the available bank loan schemes to the customer  Checks the customer’s history  If the customer has sufficient balance, the loan is sanctioned  New loan is not entitled unless the customer pays the previous dues.  The customer balance amount gets updated when permitted to avail the loan. 41

42  Credit Card Agent  Provides access rights to the customer  Sends the customer information to interface agent.  Interface agent coordinates the Credit Card Agent to register its service with the facilitator.  Role of the agent is to process the customer request.  The role based agent checks the customer’s earlier due regarding cash or purchase.  If customer do not have due then the customer is permitted to use the credit card within the permitted limit.  If the customer has dues, credit card payment is barred 42

43  Insurance agent  Provides information to all customers about the insurance offers (i.e. access to polices, brochures and price list).  Describes the characteristics of different types of insurance and their attributes. 43

44 Payment of Insurance bill 1 Electronic bill generation 2. Payment order 3. Electronic notification for sufficient money 4. Electronic notification to Insurance agent 5. Verification of money transfer 44

45  Decision Agent  Makes the decision from the role based multiagents with the coordination of a data warehouse. 45

46  To achieve the individual objectives or dynamically coordinate the actions, software agents need to interact with one another.  Communication is at the basis of agents interactions  Foundation for Intelligent Physical Agent (FIPA)  Interaction Protocols for Agents Conversations 46

47  Foundation for Intelligent Physical Agent (FIPA)  Specifies standard components that can be used  Determination of valid sequences of messages called INteraction Protocols (INP) regulating specific interactions to be known by all the interacting entities 47

48  Foundation for Intelligent Physical Agent (FIPA)  Agent Communication Language (ACL) ▪ Enables the attitudes regarding the content of exchange to be expressed. ▪ e.g. whether the content of the communication is, an assertion, a request or some form of query ▪ Two most deployed ACL: FIPA-ACL and Knowledge Query Manipulation Language (KQML). 48

49  Foundation for Intelligent Physical Agent (FIPA)  FIPA-SL, Knowledge Interchange Format (KIF) content Languages (CLs) used for describing the content of the message  At the ontology level, a vocabulary and a set of agreed definitions is used to describe a specific domain in terms of objects, actions and functions 49

50  Interaction Protocols for Agents Conversations  Typical patterns of message exchange  Represent the highest abstraction component in the Agent Communication Stack  Standard fipa-request protocol is used when the Interface agent contacts the Role Based Agent for requesting the information of customer account  Identifies the specific kind of ACL messages which the agents are expected to exchangeas shown in Figure.  The standard FIPA- request interaction protocol 50

51  System was implemented with JADE 3.3, Java and Oracle 10g.  Java uses its database driver called JDBC (Java Database Connectivity) to connect the database.  The interface between Oracle and Java is provided by JDBC-ODBC protocol.  Bank application was implemented with Multi-Agent Role Based Access Control in distributed environment.  Processing time consumed was very less with respect to the number of transactions as compared to client server systems.  User can launch the agent in two ways:  GUI agent Wizard,  Via command line. 51

52  Account Information Agent  Role based multi-agent GUI is created using JADE and Swing.  The Account information agent gets the username through the interface agent.  Role of agent is registered with facilitator.  Now the user details are negotiated based on the behavior of the agent.  Based on the agreement the account number and customer account balance from the account table and branch name from the branch table are joined before displaying the information.  Results show that processing time is much less than for client server system. 52

53  Loan Agent  Authentication is checked  Lists the available bank loan schemes to the customers.  The user can select the options.  Before sanctioning the loan to the customer, this checks the customer dues.  The customer information is negotiated and if the customer has sufficient balance, the loan is sanctioned.  New loan is not entitled unless the previous dues are paid.  The customer balance is updated when permitted to avail the loan.  Results show that processing time is much less than for client server system. 53

54  Credit Card Agent  Credit card agent sends the customer information to interface agent.  Interface agent coordinates to register its service with the facilitator.  Role based agent checks the customer history.  If customer does not have any due the usage of credit card is permitted to a limit.  Results show that processing time is much less than that for client server system. 54

55  Insurance Agent  GUI displays the available Insurance details with coverage options.  Various scenarios are implemented with the purpose of evaluating the feasibility and the effectiveness of automated agent-based transactions.  Results show that processing time is much less than for client server system. 55

56  System architecture for Distributed Role Based Multi-Agent System was proposed.  This system is implemented with Banking Domain application  Accepts the user request,  Identifies the role and  Agent Facilitator creates the role base mobile agent, transmission of secured agent data and adopts the customer needs to provide the desired results. 56

57 Semester Project

58 58

59  The original paper has made following assumptions while doing implementation of CoVD concept:  The mail server is assumed to be the same.  The project members are allowed to send mail only to other project members to prevent information leakage.

60  It is proposed to extend the concept of CoVD where the project members are distributed across the various organizations  using different mail servers for sending mails related to the same project instead of using a common mail server.  The project management and project policy is taken care of by a centralized project manager.

61  Requirements  Domain management ▪ Member management required for specifying the project members across the organizations. ▪ Resource management is required for constructing and authenticating virtual resources used in the member environment. ▪ Policy management is required for specifying and distributing the project information sharing policies to the member environments.  Member environment in the workspace ▪ Resource virtualization is required for creating the project specific resources at low cost. ▪ Member authentication across the organizations for allowing only the project members to use the virtual resources. All organizations must adhere to this authentication procedure. ▪ Resource authorization for quarantine. ▪ The information sharing policy must be enforced on the project documents

62  The extension follows the same architecture as original CoVD implementation as shown in Figure.

63  The policy management is governed only by a Project manager.  The policy document is maintained centrally located web server.  The policy enforcer accesses the document using HTTP protocol as in case of original CoVD.  For each application a plug-in module is developed and distributed to various member organizations.  The plug-in module is installed and maintained locally by each organization.

64  Each organization will appoint a project coordinator for the project.  The project manager shall co-ordinate with the project coordinator or creating the project membership across the organizations.  The project coordinator will create a separate user group using directory services for the specific project for all the members of the project in their organization.  The list of members shall be shared with Project manager for necessary authorization.  The project coordinators will take care of installation of requisite framework and related application plug-in modules for the project member’s use.  It is easy to see that a more flexible approach is needed for real project usage Project Manager Project Coordinators

65  A plug in module is developed for each application and it resides within the member organization’s network.  All the requests emanating from the project members are scrutinized by the policy enforcer which monitors network communications.  In case the request is related to the project then it enforces the policy on the exchanged documents as per the project policy.

66  Secure mail exchange  Project member sends a mail,  Recipient check module available locally analyzes the SMTP protocol and identifies recipients.  Checks to see if the recipient is allowed using the allowable recipient list.  If the recipient is allowed, the module mediates the mail. Otherwise, the module drops the mail and closes the network connection to the server.  Mail encryption module also analyzes the SMTP protocol and identifies the mail body.  It encrypts the mail body using the project key and sends the mail to the mail server of the recipient.

67  Tiered Content-Oriented Virtual Domains  Treat Members as a subclass of resource  Add a third parameter to the set of policy actions ▪ (Source Res:SID, Destination Res:SID, Tier)  Introducing Protocols  Consist of resources and the actions upon them  “Port” replaced with “Sid” (Service ID)  Protocols can be seen as the enforcements of policies at certain strengths (tiers)

68  Email can now be divided into local and public  Abstracting  Resources, especially common, can be encapsulated (thought of) as a single unit (cloud)  High-Tier (strong) protocol can always be applied to a less secure resource cloud (internet mail)  Sectioning can be performed on parts of a complex resource system

69  Slicing  Policies can now be cross-sectioned (sliced) according to tier levels for uniformity  Quick requisitioning/authorization of new resources – quick opportunities, constant security  Abstract policies allow for “designing with a focus on security” for project planning and management  Lowers cost and Increases Adaptability

70  The TCoVD extension is a superset of CoVD with the addition of added flexibility in action  Functionality conceptually simplified by seeing Resources interacting with Protocols  Resources can be seen as single units (clouds) composed of various steps or pieces  New usable resources include social networking, P2P, smart phones, and internet email

71  Content oriented virtual domains for secure information sharing across organizations http://portal.acm.org/citation.cfm?id=1866838  Secured Distributed Multi-Agent Role Based Access Control http://portal.acm.org/citation.cfm?id=1980157 http://portal.acm.org/citation.cfm?id=1980157 71

72 72

Download ppt "1 By Fawaz Alsaadi & Fahad Alsolami CS691 - Summer 2011."

Similar presentations

Distributed Data Processing

Distributed Data Processing
Database System Concepts and Architecture

Database System Concepts and Architecture
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.

Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
Understanding Active Directory

Understanding Active Directory
Introduction To System Analysis and Design

Introduction To System Analysis and Design
XP Browser and E-mail Basics1. XP Browser and E-mail Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.

XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
Introduction to Web Database Processing

Introduction to Web Database Processing
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
Fawaz Alsaadi Fahad Alsolmai.  Secure information sharing across different organizations is an emerging issue for collaborative software development,

Fawaz Alsaadi Fahad Alsolmai.  Secure information sharing across different organizations is an emerging issue for collaborative software development,
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.

SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.
Fawaz Alsaadi Fahad Alsolmai.  Role Based Multi-Agent System for providing effective and secure Bank transaction services  To provide seamless access.

Fawaz Alsaadi Fahad Alsolmai.  Role Based Multi-Agent System for providing effective and secure Bank transaction services  To provide seamless access.
Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.

Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
The chapter will address the following questions:

The chapter will address the following questions:

Similar presentations

Ads by Google