1. Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #24 Semantic Web and Security April 7, 2005

2. Outline l Semantic Web Overview - Web Data Management and Web Services, XML (eXtensible Markup Language), RDF (Resource Description Framework),, Closed World Machine, Rules ML, Ontologies and Inference, Trust and Proof l Secure Semantic Web - Security for Web data management and web services, XML, RDF, Closed World Machine, Rules ML, Security and Ontologies, - - - l Vision l Reference: www.w3c.org

3. Semantic Web: Overview l According to Tim Berners Lee, The Semantic Web supports - Machine readable and understandable web pages - Enterprise application integration - Nodes and links that essentially form a very large database Premise: Semantic Web = Web Database Management + Web Services + Information Integration + Rules Processing + - - - - -

4. Layered Architecture for Dependable Semantic Web 0 Some Challenges: Interoperability between Layers; Security and Privacy cut across all layers; Integration of Services; Composability XML, XML Schemas Rules/Query Logic, Proof and Trust SECURITYSECURITY Other Services RDF, Ontologies URI, UNICODE PRIVACYPRIVACY 0 Adapted from Tim Berners Lee’s description of the Semantic Web

5. Relationships between Dependability, Confidentiality, Privacy, Trust Dependability Confidentiality Privacy Trust Dependability: Security, Privacy, Trust, Real-time Processing, Fault Tolerance; also sometimes referred to as “Trustworthiness” Confidentiality: Preventing the release of unauthorized information considered sensitive Privacy: Preventing the release of unauthorized information about individuals considered sensitive Trust: Confidence one has that an individual will give him/her correct information or an individual will protect sensitive information

6. Web Database Management: Developments and Directions l Database access through the web - JDBC and related technologies l Query, indexing and transaction management - E.g., New transaction models for E-commerce applications - Index strategies for unstructured data l Query languages and data models - XML has become the standard document interchange language l Managing XML databases on the web - XML-QL, Extensions to XML, Query and Indexing strategies l Integrating heterogeneous data sources on the web - Information integration and ontologies are key aspects l Mining the data on the web - Web content, usage, structure and content mining

7. Web Services l Web Services are about services on the web for carrying out many functions including directory management, source location, subscribe and publish, etc. l Web services description language (WSDL) exists for web services specification l Web services architectures have been developed l Challenge now is to compose web services; how do you integrate multiple web services and provide composed web service in a seamless fashion l Ultimate goal is to have web services for information integration

8. Web service architecture Service requestor Service providers UDDI Publish Query Answer Request the service

9. What is XML all about? l XML is needed due to the limitations of HTML and complexities of SGML l It is an extensible markup language specified by the W3C (World Wide Web Consortium) l Designed to make the interchange of structured documents over the Internet easier l Key to XML is Document Type Definitions (DTDs) - Defines the role of each element of text in a formal model l Allows users to bring multiple files together to form compound documents

10. RDF l Resource Description Framework is the essence of the semantic web l Adds semantics with the use of ontologies, XML syntax - Separates syntax from semantics l RDF Concepts - Basic Model l Resources, Properties and Statements - Container Model l Bag, Sequence and Alternative

11. Ontology l Common definitions for any entity, person or thing l Several ontologies have been defined and available for use l Defining common ontology for an entity is a challenge l Mappings have to be developed for multiple ontologies l Specific languages have been developed for ontologies including RDF and OIL (Ontology Interface Language) l DAML (Darpa Agent Markup Language) is an ontology and inference language based on RDF l DAMP + OIL; combines both languages

12. Rules ML, Inference and CWM l Rules ML is a Rules Markup Language for specifying rules l Inferencing is about making deductions - Deductions based on rules specified in Rules ML or DAML+OIL - Based on denotational logic l CWM: Closed World Machine - Inference engine for the semantic web written as a Python program

13. Trust and Proof l Context - Based on the context specify to what extent one trusts the statements l Digital signatures - Verifies that one wrote a particular document l Proof - Using proof languages we prove whether or not a statement is true - Proofs based on logical systems

14. Secure Web databases l Secure data models - Secure XML, RDF, - - - - - Relational, object-oriented, text, images, video, etc. l Secure data management functions - Secure query, transactions, storage, metadata l Key components for secure digital libraries and information retrieval/browsing

15. Secure Web Service Architecture Confidentiality, Authenticity, Integrity Service requestor Service provider UDDI Query BusinessEntity BusinessService BindingTemplate BusinessService tModel PublisherAssertion

16. Aspects of XML Security l Controlling access to XML documents - Granularity of access: parts of documents, entire documents l Specifying policies and credentials in XML l Third party publication of XML documents l Encryption (www.w3c.org)

17. Specifying User Credentials in XML Alice Brown University of X CS Security John James University of X CS Senior

18. Specifying Security Policies in XML <policy-spec cred-expr = “//Professor[department = ‘CS’]” target = “annual_ report.xml” path = “//Patent[@Dept = ‘CS’]//Node()” priv = “VIEW”/> <policy-spec cred-expr = “//Professor[department = ‘CS’]” target = “annual_ report.xml” path = “//Patent[@Dept = ‘EE’] /Short-descr/Node() and //Patent [@Dept = ‘EE’]/authors” priv = “VIEW”/> <policy-spec cred-expr = - - - - Explantaion: CS professors are entitled to access all the patents of their department. They are entitled to see only the short descriptions and authors of patents of the EE department

19. Access Control Strategy l Subjects request access to XML documents under two modes: Browsing and authoring - With browsing access subject can read/navigate documents - Authoring access is needed to modify, delete, append documents l Access control module checks the policy based and applies policy specs l Views of the document are created based on credentials and policy specs l In case of conflict, least access privilege rule is enforced l Works for Push/Pull modes

20. System Architecture for Access Control User Pull/Query Push/result XML Documents X-AccessX-Admin Admin Tools Policy base Credential base

21. Third-Party Architecture Credential base policy base XML Source User/Subject Owner Publisher Query Reply document SE-XML credentials l The Owner is the producer of information It specifies access control policies l The Publisher is responsible for managing (a portion of) the Owner information and answering subject queries l Goal: Untrusted Publisher with respect to Authenticity and Completeness checking

22. RDF and Security l XML Security for the Syntax of RDF - Access control, Third party publishing, Specifying g policies and credentials l Securing RDF Graphs - UTD research (MS and PhD work in progress) l Securing semantics - Approach: Take semantic specifications in RDF and incorporate security l Security policies embedded into the semantics

23. Security and Ontology l Ontologies used to specify security policies - Example: Use DAML + OIL to specify security policies - Choice between XML, RDF, Rules ML, DAML+OIL l Security for Ontologies - Access control on Ontologies l Give access to certain parts of the Ontology

24. Security and Inferencing l Specify security policies in Rules ML l Inferencing is part of the semantic web; deduced information could be sensitive l Extend CWM to handle the inference and privacy problem - Extended Python program?

25. Rules Processing User Interface Manager Constraint Manager Rules/ Constraints Query Processor: Constraints during query and release operations Update Processor: Constraints during update operation XML Database Design Tool Constraints during database design operation XML Database XML Document Manager

26. Rule-Processing (Concluded) Policies Ontologies Rules Semantic Web Engine XML, RDF Documents Web Pages, Databases Inference Engine/ Rules Processor Interface to the Semantic Web Technology By W3C

27. Security, Trust and Proof l Extend trust management and Trust negotiation techniques for semantic web l Trust Services, Trust negotiation (TN) - Applicability of KeyNote and Trust-X (U of Milan), TrustBuilder (UIUC) l Use proof to reason about security and trust - Is the semantic web secure? - Is the semantic web trustworthy? - Are there security/trust violations?

28. Coalition Application Testbed: A Suggestion l Identify Coalition - Identify Coalition Example: A good starting point will be the Coalition experiments conduced under DARPA’s CoABS program that includes MBP (Master Battle Planner) and CAMPS (Consolidated Air Mobility Planning System) applications - Develop scenarios and determine the roles are of the coalition partners - Identify information to be accessed/shared and how the semantic web may be used by the coalition l Design Policies - Design policies (e.g., security, privacy, trust) for the coalition when accessing information resources l Implement Test Bed - Develop a test bed that uses ontologies for information integration and enforces the policies

29. Vision for Dependable Semantic Web Core Semantic Web Technologies: Systems, Networks, Agents, AI, Machine Learning, Data Mining, Languages, Software Engineering, Information Integration Need research to bring together the above technologies Directions: Security/Trust/Privacy, Integrate sensor technologies, Pervasive computing, Social impact Domain specific semantic webs: DoD, Intelligence, Medical, Treasury,- - - 0 Some Challenges: Secure Semantic Interoperability; Secure Information Integration; Integrating Pervasive computing and sensors