Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas

Lecture #19
Digital Libraries, Semantic Web and Security
March 22, 2006

Outline
- Web Security
- Secure Digital Libraries
- Semantic Web Overview
  - Technologies: XML (eXtensible Markup Language), RDF (Resource Description Framework), Closed World Machine, Rules ML, Ontologies and Inference
  - Applications: Web Services
- Secure Semantic Web
  - Technologies: Secure XML, RDF, Closed World Machine, Rules ML, Security and Ontologies, ...
  - Applications: Secure web services
- Vision
- Reference: www.w3c.org

Web Security
- End-to-end security
  - Need to secure the clients, servers, networks, operating systems, transactions, data, and programming languages
  - The various systems when put together have to be secure
  - Composable properties for security
- Access control rules, enforce security policies, auditing, intrusion detection
- Verification and validation
- Security solutions proposed by W3C and OMG
- Java Security
- Firewalls
- Digital signatures and Message Digests, Cryptography
Attacks to Web Security
Secure Web Components
E-Commerce Transactions
- E-commerce functions are carried out as transactions
- Banking and trading on the internet
- Each data transaction could contain many tasks
- Database transactions may be built on top of the data transaction service
- Database transactions are needed for multiuser access to web databases
- Need to enforce concurrency control and recovery techniques

Types of Transaction Systems
- Stored Account Payment
  - e.g., Credit and debit card transactions
  - Electronic payment systems
  - Examples: First Virtual, CyberCash, Secure Electronic Transaction
- Stored Value Payment
  - Uses bearer certificates
  - Modeled after hard cash
  - Goal is to replace hard cash with e-cash
  - Examples: E-cash, Cybercoin, Smart cards

Building Database Transactions
- Payments Protocol
- TCP/IP Protocol
- Socket Protocol
- Database Transaction Protocol
- HTTP Protocol
Secure Digital Libraries
- Digital libraries are e-libraries
- Several communities have developed digital libraries
  - Medical, Social, Library of Congress
- Component technologies
  - Web data management, Multimedia, information retrieval, indexing, browsing, ...
- Security has to be incorporated into all aspects
  - Secure models for digital libraries, secure functions
Secure Digital Libraries
Secure Web Databases
- Database access through the web
  - JDBC and related technologies
- Query, indexing and transaction management
  - E.g., New transaction models for E-commerce applications
  - Index strategies for unstructured data
- Query languages and data models
  - XML has become the standard document interchange language
- Managing XML databases on the web
  - XML-QL, Extensions to XML, Query and Indexing strategies
- Integrating heterogeneous data sources on the web
  - Information integration and ontologies are key aspects
- Mining the data on the web
  - Web content, usage, structure and content mining

Secure Web databases
- Secure data models
  - Secure XML, RDF, ...
  - Relational, object-oriented, text, images, video, etc.
- Secure data management functions
  - Secure query, transactions, storage, metadata
- Key components for secure digital libraries and information retrieval/browsing
- Secure data integration
Semantic Web: Overview
- According to Tim Berners-Lee, the Semantic Web supports
  - Machine readable and understandable web pages
  - Enterprise application integration
  - Nodes and links that essentially form a very large database
- Premise: Semantic Web = Web Database Management + Web Services + Information Integration + Rules Processing + ...

Layered Architecture for Dependable Semantic Web
- Some Challenges: Interoperability between Layers; Security and Privacy cut across all layers; Integration of Services; Composability
- Adapted from Tim Berners-Lee's description of the Semantic Web

What is XML all about?
- XML is needed due to the limitations of HTML and complexities of SGML
- It is an extensible markup language specified by the W3C (World Wide Web Consortium)
- Designed to make the interchange of structured documents over the Internet easier
- Key to XML is Document Type Definitions (DTDs)
  - Defines the role of each element of text in a formal model
- Allows users to bring multiple files together to form compound documents

RDF
- Resource Description Framework is the essence of the semantic web
- Adds semantics with the use of ontologies, XML syntax
- Separates syntax from semantics
- RDF Concepts
  - Basic Model: Resources, Properties and Statements
  - Container Model: Bag, Sequence and Alternative

Ontology
- Common definitions for any entity, person or thing
- Several ontologies have been defined and are available for use
- Defining a common ontology for an entity is a challenge
- Mappings have to be developed for multiple ontologies
- Specific languages have been developed for ontologies, including RDF and OIL (Ontology Interface Language)
- DAML (DARPA Agent Markup Language) is an ontology and inference language based on RDF
- DAML + OIL combines both languages

Rules ML, Inference and CWM
- Rules ML is a Rules Markup Language for specifying rules
- Inferencing is about making deductions
  - Deductions based on rules specified in Rules ML or DAML+OIL
  - Based on denotational logic
- CWM: Closed World Machine
  - Inference engine for the semantic web written as a Python program

Web Services
- Web Services are about services on the web for carrying out many functions including directory management, source location, subscribe and publish, etc.
- Web services description language (WSDL) exists for web services specification
- Web services architectures have been developed
- Challenge now is to compose web services: how do you integrate multiple web services and provide a composed web service in a seamless fashion?
- Ultimate goal is to have web services for information integration

Web service architecture
[Figure: web service architecture. Surviving label: Service requestor]
Aspects of XML Security
- Controlling access to XML documents
  - Granularity of access: parts of documents, entire documents
- Specifying policies and credentials in XML
- Third party publication of XML documents
- Encryption (www.w3c.org)
Specifying User Credentials in XML
Alice Brown University of X CS Security
John James University of X CS Senior
Specifying Security Policies in XML
Access Control Strategy
- Subjects request access to XML documents under two modes: browsing and authoring
  - With browsing access, a subject can read/navigate documents
  - Authoring access is needed to modify, delete, append documents
- Access control module checks the policy base and applies policy specs
- Views of the document are created based on credentials and policy specs
- In case of conflict, the least access privilege rule is enforced
- Works for Push/Pull modes
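Added example, not part of the original slides: a minimal sketch of the access control strategy above, building a per-subject view of an XML document from credentials and a policy base, with denial winning on conflict. The element names, the policy tuple layout and the sample document are assumptions made for illustration; only the credential values come from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; element names are hypothetical, not taken from the slides.
DOC = """<department name="CS">
  <course id="c1"><title>Security</title><grades>A,B,C</grades></course>
  <payroll><salary emp="Alice Brown">100</salary></payroll>
</department>"""
CREDS = """<credentials>
  <professor><name>Alice Brown</name><dept>CS</dept><group>Security</group></professor>
  <secretary><name>John James</name><dept>CS</dept><level>Senior</level></secretary>
</credentials>"""

# Policy base: (credential type, required properties, element tag, mode, sign); rules cover subtrees.
POLICIES = [
    ("professor", {"dept": "CS"}, "department", "browse", "+"),
    ("professor", {"dept": "CS"}, "payroll", "browse", "-"),
    ("professor", {"group": "Security"}, "course", "author", "+"),
    ("secretary", {"dept": "CS"}, "department", "browse", "+"),
    ("secretary", {"dept": "CS"}, "grades", "browse", "-"),
    ("secretary", {"level": "Senior"}, "payroll", "browse", "+"),  # conflicts with next
    ("secretary", {"dept": "CS"}, "payroll", "browse", "-"),
]

def load_credential(name):
    for cred in ET.fromstring(CREDS):
        props = {child.tag: child.text for child in cred}
        if props.get("name") == name:
            return cred.tag, props
    raise KeyError(name)

def view(name, mode):
    """Return the subject's view of DOC for one access mode, or None if nothing is visible."""
    ctype, props = load_credential(name)
    rules = [(tag, sign) for t, need, tag, m, sign in POLICIES
             if t == ctype and m == mode and all(props.get(k) == v for k, v in need.items())]
    granted = {tag for tag, sign in rules if sign == "+"}
    denied = {tag for tag, sign in rules if sign == "-"}
    def prune(elem, inherited):
        if elem.tag in denied:  # least privilege: a denial beats any grant
            return None
        allowed = inherited or elem.tag in granted
        kids = [k for k in (prune(c, allowed) for c in elem) if k is not None]
        if not allowed and not kids:
            return None
        out = ET.Element(elem.tag, elem.attrib if allowed else {})  # bare shell if not granted
        out.text = elem.text if allowed else None
        out.extend(kids)
        return out
    return prune(ET.fromstring(DOC), False)
```

An element that is not itself granted but contains granted descendants is kept as an empty shell so the view stays a well-formed tree.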
System Architecture for Access Control
Third-Party Architecture
- The Owner is the producer of information
  - It specifies access control policies
- The Publisher is responsible for managing (a portion of) the Owner information and answering subject queries
- Goal: Untrusted Publisher with respect to Authenticity and Completeness checking

[Figure: third-party architecture. Labels: Owner, Publisher, User/Subject, XML Source, Credential base, Policy base, SE-XML, Credentials, Query, Reply document]
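Added example, not part of the original slides: one way a subject can check a reply from an untrusted Publisher, assuming the Owner publishes a signed Merkle hash of the document root. The slides do not name a mechanism; Merkle hashing, the reserved `pruned` tag and the sample document are assumptions, and the signature check on the root hash is omitted.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample document; element names and the reserved <pruned> tag are hypothetical.
DOC = """<department name="CS">
  <course id="c1"><title>Security</title><grades>A,B,C</grades></course>
  <payroll><salary emp="Alice Brown">100</salary></payroll>
</department>"""

def digest(*parts):
    return hashlib.sha256(b"\x00".join(p.encode() for p in parts)).hexdigest()

def merkle(elem):
    """Hash an element from its tag, attributes, text and ordered child hashes."""
    if elem.tag == "pruned":  # withheld subtree: its hash is checked through the root
        return elem.get("hash", "")
    attrs = ";".join(f"{k}={v}" for k, v in sorted(elem.attrib.items()))
    return digest(elem.tag, attrs, (elem.text or "").strip(), *[merkle(c) for c in elem])

def publish_view(elem, hidden_tags):
    """Publisher side: copy the tree, replacing withheld subtrees by their hashes."""
    out = ET.Element(elem.tag, elem.attrib)
    out.text = elem.text
    for child in elem:
        if child.tag in hidden_tags:
            ET.SubElement(out, "pruned", hash=merkle(child))
        else:
            out.append(publish_view(child, hidden_tags))
    return out

def verify(view, owner_root_hash):
    """Subject side: recompute the root hash of the reply and compare with the Owner's."""
    return merkle(view) == owner_root_hash

def demo():
    root = ET.fromstring(DOC)
    owner_root_hash = merkle(root)  # the Owner would sign this value (signing omitted)
    honest = publish_view(root, {"payroll"})
    tampered = publish_view(root, {"payroll"})
    tampered.find("course/grades").text = "A,A,A"   # Publisher alters content
    incomplete = publish_view(root, {"payroll"})
    incomplete.remove(incomplete.find("course"))    # Publisher silently drops content
    return [verify(v, owner_root_hash) for v in (honest, tampered, incomplete)]
```

Content withheld under policy stays visible as a `pruned` marker, so the subject can tell an authorized omission from a silent one; altered or dropped content changes the recomputed root hash.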
RDF and Security
- XML Security for the Syntax of RDF
  - Access control, Third party publishing, Specifying policies and credentials
- Securing RDF Graphs
  - UTD research (MS and PhD work in progress)
- Securing semantics
  - Approach: Take semantic specifications in RDF and incorporate security
  - Security policies embedded into the semantics

Security and Ontology
- Ontologies used to specify security policies
  - Example: Use DAML + OIL to specify security policies
  - Choice between XML, RDF, Rules ML, DAML+OIL
- Security for Ontologies
  - Access control on Ontologies
  - Give access to certain parts of the Ontology

Security and Inferencing
- Specify security policies in Rules ML
- Inferencing is part of the semantic web; deduced information could be sensitive
- Extend CWM to handle the inference and privacy problem
  - Extended Python program?
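Added example, not part of the original slides and not CWM code: a small forward-chaining engine with an inference controller that refuses to release a fact when the facts already released plus the new one would let a subject deduce something sensitive. The rule, the facts and all names are constructed for illustration.

```python
# Constructed rules and sensitive patterns; terms starting with "?" are variables.
RULES = [
    ([("?p", "worksOn", "?proj"), ("?proj", "locatedAt", "?site")],
     ("?p", "stationedAt", "?site")),
]
SENSITIVE = [("?p", "stationedAt", "siteX")]

def match(pattern, fact, env):
    """Unify one triple pattern with a ground fact; return extended bindings or None."""
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def closure(facts):
    """Forward-chain RULES over the facts until no new fact can be derived."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in RULES:
            envs = [{}]
            for pat in body:
                envs = [e2 for e in envs for f in known
                        if (e2 := match(pat, f, e)) is not None]
            for env in envs:
                new = tuple(env.get(t, t) for t in head)
                if new not in known:
                    known.add(new)
                    changed = True
    return known

def leaks(facts):
    """Sensitive facts that are stated in, or deducible from, the given facts."""
    return sorted(f for f in closure(facts)
                  for s in SENSITIVE if match(s, f, {}) is not None)

class InferenceController:
    """Tracks what a subject has been given and blocks releases that enable a leak."""
    def __init__(self):
        self.released = set()

    def request(self, fact):
        if leaks(self.released | {fact}):
            return False
        self.released.add(fact)
        return True
```

Each fact in the denied request is harmless on its own; the controller blocks it because of what the subject already holds.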
Rule-Processing
[Figure: rule processing for the semantic web. Labels: Policies, Ontologies, Rules; Semantic Web Engine; XML, RDF Documents; Web Pages, Databases; Inference Engine/Rules Processor; Interface to the Semantic Web; Technology By W3C]

Secure Web Service Architecture
- Confidentiality, Authenticity, Integrity
[Figure: secure web service architecture. Labels: Service provider, BusinessEntity, BusinessService, BindingTemplate, tModel, PublisherAssertion]
Coalition Application Testbed: A Suggestion
- Identify Coalition
  - Example: A good starting point will be the Coalition experiments conducted under DARPA's CoABS program that includes MBP (Master Battle Planner) and CAMPS (Consolidated Air Mobility Planning System) applications
  - Develop scenarios and determine the roles of the coalition partners
  - Identify information to be accessed/shared and how the semantic web may be used by the coalition
- Design Policies
  - Design policies (e.g., security, privacy, trust) for the coalition when accessing information resources
- Implement Test Bed
  - Develop a test bed that uses ontologies for information integration and enforces the policies
Vision for Dependable Semantic Web
- Core Semantic Web Technologies: Systems, Networks, Agents, AI, Machine Learning, Data Mining, Languages, Software Engineering, Information Integration
- Need research to bring together the above technologies
- Directions: Security/Trust/Privacy, Integrate sensor technologies, Pervasive computing, Social impact
- Domain specific semantic webs: DoD, Intelligence, Medical, Treasury, ...
- Some Challenges: Secure Semantic Interoperability; Secure Information Integration; Integrating Pervasive computing and sensors

Summary and Directions
- End-to-end security
  - Secure networks, clients, servers, middleware
  - Secure Web databases, agents, information retrieval systems, browsers, search engines, ...
- As technologies evolve, more security problems
  - Data mining, intrusion detection, encryption are some of the technologies for security
- Next steps
  - Secure semantic web, Secure knowledge management
The scenario we have