Data and Applications Security Developments and DirectionsDr. Bhavani ThuraisinghamThe University of Texas at Dallas

Lecture #19Digital Libraries, Semantic Web and SecurityMarch 22, 2006

OutlineWeb SecuritySecure Digital LibrariesSemantic Web OverviewTechnologies: XML (eXtensible Markup Language) , RDF (Resource Description Framework),, Closed World Machine, Rules ML, Ontologies and InferenceApplications: Web ServicesSecure Semantic WebTechnologies: Secure XML, RDF, Closed World Machine, Rules ML, Security and Ontologies, - - -Applications: Secure web servicesVisionReference: www.w3c.org

Web SecurityEnd-to-end securityNeed to secure the clients, servers, networks, operating systems, transactions, data, and programming languagesThe various systems when put together have to be secureComposable properties for securityAccess control rules, enforce security policies, auditing, intrusion detectionVerification and validationSecurity solutions proposed by W3C and OMGJava SecurityFirewallsDigital signatures and Message Digests, Cryptography

Attacks to Web Security

Secure Web Components

E-Commerce TransactionsE-commerce functions are carried out as transactionsBanking and trading on the internetEach data transaction could contain many tasksDatabase transactions may be built on top of the data transaction serviceDatabase transactions are needed for multiuser access to web databasesNeed to enforce concurrency control and recovery techniques

Types of Transaction SystemsStored Account Paymente.g., Credit and debit card transactionsElectronic payment systemsExamples: First Virtual, CyberCash, Secure Electronic Transaction

Stored Value PaymentUses bearer certificatesModeled after hard cashGoal is to replace hard cash with e-cashExamples: E-cash, Cybercoin, Smart cards

Building Database TransactionsPayments ProtocolTCP/IP ProtocolSocket ProtocolDatabase Transaction ProtocolHTTP Protocol

Secure Digital LibrariesDigital libraries are e-librariesSeveral communities have developed digital librariesMedical, Social, Library of CongressComponents technologiesWeb data management, Multimedia, information retrieval, indexing, browsing, -- - -Security has to be incorporated into all aspectsSecure models for digital libraries, secure functions

Secure Digital Libraries

Secure Web DatabasesDatabase access through the webJDBC and related technologiesQuery, indexing and transaction management E.g., New transaction models for E-commerce applicationsIndex strategies for unstructured dataQuery languages and data modelsXML has become the standard document interchange languageManaging XML databases on the webXML-QL, Extensions to XML, Query and Indexing strategiesIntegrating heterogeneous data sources on the webInformation integration and ontologies are key aspectsMining the data on the webWeb content, usage, structure and content mining

Secure Web databasesSecure data modelsSecure XML, RDF, - - - -Relational, object-oriented, text, images, video, etc.Secure data management functionsSecure query, transactions, storage, metadataKey components for secure digital libraries and information retrieval/browsingSecure data integration

Semantic Web: OverviewAccording to Tim Berners Lee, The Semantic Web supportsMachine readable and understandable web pagesEnterprise application integrationNodes and links that essentially form a very large database

Premise:Semantic Web = Web Database Management + Web Services + Information Integration + Rules Processing + - - - - -

Layered Architecture for Dependable Semantic Web Some Challenges: Interoperability between Layers; Security and Privacy cut across all layers; Integration of Services; ComposabilityAdapted from Tim Berners Lees description of the Semantic Web

What is XML all about?XML is needed due to the limitations of HTML and complexities of SGMLIt is an extensible markup language specified by the W3C (World Wide Web Consortium)Designed to make the interchange of structured documents over the Internet easierKey to XML is Document Type Definitions (DTDs)Defines the role of each element of text in a formal modelAllows users to bring multiple files together to form compound documents

RDFResource Description Framework is the essence of the semantic webAdds semantics with the use of ontologies, XML syntaxSeparates syntax from semanticsRDF Concepts Basic Model Resources, Properties and StatementsContainer ModelBag, Sequence and Alternative

OntologyCommon definitions for any entity, person or thingSeveral ontologies have been defined and available for useDefining common ontology for an entity is a challengeMappings have to be developed for multiple ontologiesSpecific languages have been developed for ontologies including RDF and OIL (Ontology Interface Language)DAML (Darpa Agent Markup Language) is an ontology and inference language based on RDFDAMP + OIL; combines both languages

Rules ML, Inference and CWMRules ML is a Rules Markup Language for specifying rulesInferencing is about making deductionsDeductions based on rules specified in Rules ML or DAML+OILBased on denotational logicCWM: Closed World MachineInference engine for the semantic web written as a Python program

Web ServicesWeb Services are about services on the web for carrying out many functions including directory management, source location, subscribe and publish, etc.Web services description language (WSDL) exists for web services specificationWeb services architectures have been developedChallenge now is to compose web services; how do you integrate multiple web services and provide composed web service in a seamless fashionUltimate goal is to have web services for information integration

Web service architectureService requestor

Aspects of XML SecurityControlling access to XML documentsGranularity of access: parts of documents, entire documentsSpecifying policies and credentials in XMLThird party publication of XML documentsEncryption (www.w3c.org)

Specifying User Credentials in XML

Alice Brown University of X CS Security

John James University of X CS Senior

Specifying Security Policies in XML

Access Control StrategySubjects request access to XML documents under two modes: Browsing and authoringWith browsing access subject can read/navigate documentsAuthoring access is needed to modify, delete, append documentsAccess control module checks the policy based and applies policy specsViews of the document are created based on credentials and policy specsIn case of conflict, least access privilege rule is enforcedWorks for Push/Pull modes

System Architecture for Access Control

Third-Party ArchitectureThe Owner is the producer of information It specifies access control policiesThe Publisher is responsible for managing (a portion of) the Owner information and answering subject queriesGoal: Untrusted Publisher with respect to Authenticity and Completeness checking

Credential basepolicy baseXML SourceUser/SubjectOwnerPublisherQueryReply documentSE-XMLcredentials

RDF and SecurityXML Security for the Syntax of RDFAccess control, Third party publishing, Specifying g policies and credentialsSecuring RDF GraphsUTD research (MS and PhD work in progress)Securing semanticsApproach: Take semantic specifications in RDF and incorporate securitySecurity policies embedded into the semantics

Security and OntologyOntologies used to specify security policiesExample: Use DAML + OIL to specify security policiesChoice between XML, RDF, Rules ML, DAML+OILSecurity for OntologiesAccess control on OntologiesGive access to certain parts of the Ontology

Security and InferencingSpecify security policies in Rules MLInferencing is part of the semantic web; deduced information could be sensitiveExtend CWM to handle the inference and privacy problemExtended Python program?

Rule-ProcessingPoliciesOntologies RulesSemantic Web EngineXML, RDF DocumentsWeb Pages, DatabasesInference Engine/Rules ProcessorInterface to the Semantic WebTechnologyBy W3C

Secure Web Service ArchitectureConfidentiality, Authenticity, IntegrityService providerBusinessEntityBusinessServiceBindingTemplate

tModelPublisherAssertion

Coalition Application Testbed: A SuggestionIdentify Coalition Identify Coalition Example: A good starting point will be the Coalition experiments conduced under DARPAs CoABS program that includes MBP (Master Battle Planner) and CAMPS (Consolidated Air Mobility Planning System) applicationsDevelop scenarios and determine the roles are of the coalition partnersIdentify information to be accessed/shared and how the semantic web may be used by the coalitionDesign PoliciesDesign policies (e.g., security, privacy, trust) for the coalition when accessing information resourcesImplement Test BedDevelop a test bed that uses ontologies for information integration and enforces the policies

Vision for Dependable Semantic WebCore Semantic Web Technologies:Systems, Networks, Agents, AI, Machine Learning, Data Mining, Languages, Software Engineering, Information IntegrationNeed research to bring together the above technologiesDirections:Security/Trust/Privacy, Integrate sensor technologies, Pervasive computing, Social impactDomain specific semantic webs:DoD, Intelligence, Medical, Treasury,- - - Some Challenges: Secure Semantic Interoperability; Secure Information Integration; Integrating Pervasive computing and sensors

Summary and DirectionsEnd-to-end securitySecure networks, clients, servers, middlewareSecure Web databases, agents, information retrieval systems, browsers, search engines, - - -As technologies evolve, more security problemsData mining, intrusion detection, encryption are some of the technologies for securityNext stepsSecure semantic web, Secure knowledge management

The scenario we have