September 25, 2004 SKM 2004 1
Using Facets of Security within a Knowledge-based Framework to Broker and Manage Semantic Web Services
Randy Howard, Larry Kerschberg
E-Center for E-Business, http://eceb.gmu.edu
George Mason University; Fairfax, VA USA
[email protected], [email protected]
Publications at: http://eceb.gmu.edu/publications.htm
Research Goals
- Provide a framework & methodology to create Virtual Organizations (VO) via Semantic Web Services
- Support end-to-end requirements & life-cycle tasks to create a VO on the fly
- Address layers that correspond to Specification, Design and Implementation
- Focus here is on Intelligent Middle-ware Services for Secure Knowledge Management
Where is the VO Knowledge?
- Humans as part of the VO
- Intellectual Property wrapped in Semantic Web Services
- Policies that govern the VO
  - Service-level agreements
  - QoS agreements
- Security Policies and Protocols
  - Access Control, Authentication Services for the VO
  - Virtual Security for GRID Services
Problem Space
- Automate Web Services
  - Apply Semantic Web Technologies (Semantic Web Services)
  - Deal with the plethora of standards and protocols
- Issues of a Virtual Organization
  - Rapid configuration needed due to the temporal nature of requirements
  - Enterprise issues of Resource Management, Quality of Service and Negotiation, and
  - Security issues run through every facet of the VO
Solution Space
- Knowledge-based Dynamic Semantic Web Services (KDSWS) Framework
  - Meta-Model for Semantic Web Services
  - Meta-Process (Methodology)
  - Specification Languages based on KDM/KDL
- Specifies:
  - End-to-end tasks of the life-cycle for context
  - Threads to deal with Management, Workflow, Transaction Control, Interoperation, Security, Transportation and Feedback
  - Enterprise and Local Perspectives
  - Functional Architecture Components
Brokering and Management
- Brokering, or matchmaking, involves [Paolucci, 2004]:
  - Services advertising themselves to a broker
  - The broker handling queries about the available services
  - Mediating the results for the requestor
- Management Levels [Nayak, 2001]:
  - Strategic
  - Asset
  - Value-Chain
KDSWS Framework - Processes
[Figure: KDSWS process diagram. Threads: Management, Workflow, Transactions, Quality of Service, Security, Interoperation, Transportation, Feedback. Life-Cycle Tasks: Prepare for Publish, Prepare for Request, Publish, Request, Discover, Select, Configure, Deploy, Deliver, Retire. Artifacts exchanged between Provider and Requestor: Provider Profile, Available Capabilities, Service Profile, Requestor Profile (a priori), Request (dynamic), Request Profile, Master Request, Candidate Services, Master Service(s), Certified Services, Confirmed Services, Interface, Feedback and/or Fulfilled Request.]
KDSWS Framework Design Specification
[Figure: layered design specification. Layers: Meta-meta-model; Meta-model and Methodology; Knowledge/Data Model & Language; Knowledge-based Dynamic Services/Process Model & Language. Mappings to: Semantic Web Services, WSDL, UDDI, OWL-S, BEPLWS, WSRF, WS-CDL, Agent Profiles, Knowledge Base Schema(s), KDSWS Objects, Grid Interface, Specialty Stores, and others.]
KDSWS Functional Architecture
[Figure: three sub-architectures.
- Functional Federation Architecture: Federate Agents, Federate Functions, Federate Knowledge.
- Functional Knowledge Architecture: Semantic Web Base, Non-Semantic Web Base, Web Services Protocols (WSDL, UDDI, OWL-S, BEPLWS, SOAP, ...), Grid Interface.
- Functional Agent Services Architecture: User Agency; Process Layer Agency with Line Agents and Support Agents; Functional Services Agency and Services Coordination Agency; spanning User Services, Intelligent Middleware Services and Web Services. Services shown: Planning, Discovery, Negotiation, Contracting, Service Mediation, Workflow Coordination, Transaction Management, Security, Registration, Certification, Ontology Curation, QoS Monitoring, User Profile Administration, Order Tracking, Request Preparation, Virtual Agents, Publication Preparation, Broker, Classification, Configuration, Federation, Publication, Requesting, Fulfillment, Feedback, Testing, Metrics, Deployment, Delivery.]
KDSWS Brokering Methodology Flow: Differentiate and Broker on Security Facets
[Figure: swim-lane flow across a Selection Agent, a Security Agent, a Security Structure Agent and a Discovery Agent, with Feedback and Security Management alongside. Steps shown: Receive Request; Interrogate Request Security Structure; Identify Security-related Elements; Isolate Security Constraints and Preferences; Profile Security Facets; Establish Search Request Profile; Establish Security Domain; Invoke Search; Match Authentication; Match Authorization; Match Trust, Access Control, Rights; Match Non-Repudiation & Integrity; Match Protocols; Differentiate Services; Manage Alternatives; Negotiate Services; Choose Service; Compile Selection Results; Traverse Workflow; Capture Service and Provider Performance; Prepare for Publish & Request; Publish. Security Facets: Identity, Encryption, Signature, Access Roles, Policies. Knowledge sources and artifacts: Security Profiles, Security Domain Catalog, Provider/Service History, Provider Constraints/Preferences, Negotiation Tracking, Negotiation Policy, Selection Policies, Search Policies, Knowledge Sifter, Master Request, Short-list of Services, Alternative Services, Ranked Web Services, Selected Web Service(s).]
KDSWS Brokering Methodology Flow: Produce and Compile Search Results
[Figure: swim-lane flow across a Classification Agent, a Discovery Agent and a Decomposition Agent, with Feedback and Workflow Management alongside, and the Knowledge Sifter System Architecture (User Agent, Preferences Agent, Integration Agent, Web Services Agent, Ontology Agent, Query Formulation Agent, OWL Schemas, Ontological Sources, UDDI/WSDL). Steps shown: Establish Domain (Domain of Request); Select UDDI; Select Search Agent; Adapt Search Agent; Establish Search Request Profile; Adjust Search Request Profile; Decompose Complex Services; Decompose Workflow; Commence Discovering; Invoke Search; Select & Negotiate Services; Compile Selection Results; Capture Agent Performance. Knowledge sources and artifacts: Domain Catalog, Search Agent Profile, Search Agent Capabilities, Provider Constraints/Preferences, Request Constraints/Preferences, Search Priorities, Request, Requestor Profile, Broker Agent, Master Request, Search Request Profile, Ranked Web Services.]
KDL Specification Example

kdsdBlanketsSecurityConstraint
  :DESCRIPTION Provider-side security constraints
  :SUPERTYPES kdsdSecurity, kdsdConstraint, kdsdProvider
  :SUBTYPES kdsdPrivacy
  :ATTRIBUTES
    kdsdDescription :TYPE Object
    kdsdAccessLevel :TYPE Integer
    kdsdAuthorityLevel :TYPE Integer
    kdsdEncryptMethod :TYPE String :CONSTRAINT In ("x508?", "Kerberos")
    kdsdSignatureSwitch :TYPE Boolean
    kdsdVisibility :TYPE String :CONSTRAINT In ("Public", "Partner", "Internal")
    kdsdIdentity :TYPE Object
  :CONSTRAINTS
    :CONSTRAINT-ID C-02-1 :CONSTRAINT-CATEGORIES Supply, Security
      Allow only partners to access
  :PREFERENCES
    :PREFERENCE-ID P-02-1 :PREFERENCE-CATEGORIES Supply, Security
      Prefer medium security for assurance of fund transfer
  :HEURISTICS
    :HEURISTIC-ID H-02-1 :HEURISTIC-CATEGORIES Supply, Security
      Don't let security impede acquisition
  :METHODS
    :METHOD-ID M-02-1
      Check for partner and access level
Knowledge-based Dynamic Services/Process Language Specification Example

kdspSearchForProviders
  :DESCRIPTION Core Broker activities
  :GOALS ProviderSearchGoal (Find services from providers that meet the goals of the request)
  :TASK kdspDiscover
  :THREAD kdspManagement
  :OWNER kdsdSearchAgent
  :STEWARD kdsdKnowledgeSifter
  :PREDECESSORS kdspClassifyRequest
  :SUCCESSORS kdspCompileSearchResults
  :STEPS
    :STEPNAME kdspSearchUDDI
    :SEQUENCE-NUMBER 1
    :STEP-DESCRIPTION Search the UDDI registry for acceptable providers and services
    :DELEGATE kdsdKnowledgeSifter
    :DELEGATE-TYPE AGENT
    :DELEGATE-ROLE LINE
    :OPERATION searchUDDI
    :METHOD-NAME kdsdKnowledgeSifter.Search
    :STEP-SUCCESSORS
      :STEP-SUCCESSOR-MODE Decision
        :STEP-SUCCESSOR-BRANCH kdspAdjustSearchParameters :STEP-CONTROL-CONDITION Insufficient Results
      :STEP-SUCCESSOR-MODE Sequential
        :STEP-SUCCESSOR-BRANCH kdspRankResults :STEP-CONTROL-CONDITION Sufficient Results
  :CONSTRAINTS
    :CONSTRAINT-ID C-13-1 :CONSTRAINT-CATEGORIES Search
      kdsdSearchReturnLimit (Return only the top 25)
    :CONSTRAINT-ID C-13-2 :CONSTRAINT-CATEGORIES Security
      Select only partners that support PKI
  :HEURISTICS
    :HEURISTIC-ID H-13-1 :HEURISTIC-CATEGORIES Search
      Partners who are in bankruptcy are a bad risk; therefore, do not use services from providers who are in bankruptcy
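The KDL and KDSPL examples above, together with the security-facet matching steps of the brokering flow, fix a division of labour that is easy to get wrong in a broker: constraints (C-02-1 partners only, C-13-2 PKI support, the attribute value sets, H-13-1 bankruptcy exclusion) remove a service outright, preferences (P-02-1) and heuristics (H-02-1) only influence ranking or parameter adjustment, the Decision successor of kdspSearchUDDI relaxes search parameters when results are insufficient, and C-13-1 caps the returned list at 25. The Python below is an added illustration of that matching logic, not code from the paper or the KDSWS project. Everything in it is constructed: the SecurityFacets, Service and SearchRequestProfile records, the is_partner, supports_pki, in_bankruptcy and history_score fields, the min_results threshold behind the "Insufficient Results" branch, the 0.5 preference weight, the sample catalog, and the spelling "X.509" for the slide's "x508?" entry.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed vocabulary mirroring the kdsdBlanketsSecurityConstraint attributes.
# The slide's constraint reads In ("x508?", "Kerberos"); "X.509" is assumed here.
ALLOWED_ENCRYPT_METHODS = frozenset({"X.509", "Kerberos"})
VISIBILITY_LEVELS = ("Public", "Partner", "Internal")   # kdsdVisibility value set


@dataclass(frozen=True)
class SecurityFacets:
    """Provider-side facets; names follow the KDL example, values are constructed."""
    access_level: int        # kdsdAccessLevel
    encrypt_method: str      # kdsdEncryptMethod
    signature: bool          # kdsdSignatureSwitch
    visibility: str          # kdsdVisibility
    supports_pki: bool       # assumed facet behind constraint C-13-2


@dataclass(frozen=True)
class Service:
    """One candidate from the UDDI search step (constructed record)."""
    name: str
    is_partner: bool         # assumed trust relationship, the check behind method M-02-1
    in_bankruptcy: bool      # assumed provider-history input for heuristic H-13-1
    history_score: float     # assumed provider/service performance history, 0.0 .. 1.0
    facets: SecurityFacets


@dataclass(frozen=True)
class SearchRequestProfile:
    """Requestor-side security constraints and preferences (constructed)."""
    min_access_level: int
    require_signature: bool
    preferred_visibility: str = "Partner"   # a preference (P-02-1 style): ranks, never excludes
    min_results: int = 2                    # assumed threshold for the "Insufficient Results" branch
    return_limit: int = 25                  # constraint C-13-1


def violated_constraints(svc: Service, req: SearchRequestProfile) -> list[str]:
    """Hard constraints: any violation excludes the service; ids are kept for an audit trail."""
    failures: list[str] = []
    if not svc.is_partner:
        failures.append("C-02-1 partners only")
    if not svc.facets.supports_pki:
        failures.append("C-13-2 PKI required")
    if svc.facets.encrypt_method not in ALLOWED_ENCRYPT_METHODS:
        failures.append("kdsdEncryptMethod not in allowed set")
    if svc.facets.visibility not in VISIBILITY_LEVELS:
        failures.append("kdsdVisibility outside value set")
    if svc.facets.access_level < req.min_access_level:
        failures.append("kdsdAccessLevel below requested minimum")
    if req.require_signature and not svc.facets.signature:
        failures.append("signature required")
    if svc.in_bankruptcy:
        failures.append("H-13-1 provider in bankruptcy")
    return failures


def preference_score(svc: Service, req: SearchRequestProfile) -> float:
    """Soft ranking from preferences and history; it never overrides a constraint."""
    score = svc.history_score
    if svc.facets.visibility == req.preferred_visibility:
        score += 0.5                         # assumed weight for the visibility preference
    return score


def broker(services: list[Service], req: SearchRequestProfile) -> dict:
    """kdspSearchForProviders: filter, decide whether to adjust, rank, cut to the limit."""
    rejected: dict[str, list[str]] = {}
    admissible: list[Service] = []
    for svc in services:
        failures = violated_constraints(svc, req)
        if failures:
            rejected[svc.name] = failures
        else:
            admissible.append(svc)

    # Step 1 applies the visibility preference as a filter; the Decision successor relaxes
    # it when results are insufficient (H-02-1: a preference yields, a constraint never does).
    candidates = [s for s in admissible if s.facets.visibility == req.preferred_visibility]
    adjusted = False
    if len(candidates) < req.min_results:   # "Insufficient Results" -> kdspAdjustSearchParameters
        adjusted = True
        candidates = admissible

    ranked = sorted(candidates, key=lambda s: preference_score(s, req), reverse=True)
    return {"ranked": [s.name for s in ranked[: req.return_limit]],
            "adjusted": adjusted, "rejected": rejected}


def sample_services() -> list[Service]:
    """Constructed catalog entries standing in for a UDDI search result."""
    f = SecurityFacets
    return [
        Service("PayA", True, False, 0.9, f(3, "X.509", True, "Partner", True)),
        Service("PayB", True, False, 0.7, f(3, "Kerberos", True, "Internal", True)),
        Service("PayC", False, False, 0.95, f(5, "X.509", True, "Public", True)),  # not a partner
        Service("PayD", True, True, 0.8, f(3, "X.509", True, "Partner", True)),    # in bankruptcy
        Service("PayE", True, False, 0.6, f(1, "X.509", True, "Partner", True)),   # access level too low
        Service("PayF", True, False, 0.5, f(4, "RC4", True, "Partner", True)),     # cipher outside value set
    ]


if __name__ == "__main__":
    result = broker(sample_services(), SearchRequestProfile(min_access_level=2, require_signature=True))
    print("ranked:", result["ranked"], "adjusted:", result["adjusted"])
    for name, reasons in result["rejected"].items():
        print("rejected", name, "->", "; ".join(reasons))
```

With the sample catalog, only PayA matches the visibility preference, so the Decision branch fires, the filter is relaxed to the admissible set, and the broker returns PayA then PayB; PayC, PayD, PayE and PayF are each rejected with the constraint id that excluded them, which is the record a security reviewer wants when a request is later disputed.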
KDSWS Contributions
- Three-tiered framework for specification, design and implementation of Virtual Organizations using Semantic Web Services.
- Languages for enhanced specification of Semantic Web Service requirements for the VO.
- Security issues are addressed in the specification, design and implementation phases of the VO life-cycle.
- Agency-based functional architecture allows for agent specialization of functional capabilities, including security.
- Workflow management of VO “transactions” with end-to-end security.
Future Work - Prototype
[Figure: prototype architecture built on the KDSWS Specification (KDL, KDSPL) and the KDSWS Functional Architecture. Agents: Import Agent, Export Agent, Mapping Agent, Broker Agent, Workflow Agent, Publish Agent, Request Handling Agent, Delivery Agent, Knowledge Sifter. Objects: Atomic, Aggregated and Mapped KDL Objects; Atomic, Aggregated and Mapped KDSPL Objects; Knowledge Objects; Agent Profiles; Workflow Patterns; Rules Objects; Policies; Ontologies; Master Request; Master Services; Configuration Package; Fulfillment Package. External components: WSDL+UDDI+OWL-S+, Expert Systems, WfMS.]
Conclusions
- Web Services and Semantic Web Services are still in their infancy, so new tools and techniques are needed for Secure Knowledge Management within the Virtual Organization.
- The KDSWS Framework is one approach to meeting the above goal.
  - Meta-models capture the data organization
  - Methodology helps to integrate the plethora of standards
  - Languages embody the meta-model & methodology to allow for “security semantics” specification
  - Integrated specification, design and implementation environment