Data and Applications Security Developments and Directions. Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #19 Digital Libraries, Semantic Web and Security March 22, 2006. Outline. Web Security Secure Digital Libraries Semantic Web Overview


Data and Applications Security Developments and Directions

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Lecture #19

Digital Libraries, Semantic Web and Security

March 22, 2006

Outline
  • Web Security
  • Secure Digital Libraries
  • Semantic Web Overview
    • Technologies: XML (eXtensible Markup Language), RDF (Resource Description Framework), Closed World Machine, Rules ML, Ontologies and Inference
    • Applications: Web Services
  • Secure Semantic Web
    • Technologies: Secure XML, RDF, Closed World Machine, Rules ML, Security and Ontologies, - - -
    • Applications: Secure web services
  • Vision
  • Reference: www.w3c.org
Web Security
  • End-to-end security
    • Need to secure the clients, servers, networks, operating systems, transactions, data, and programming languages
    • The various systems when put together have to be secure
      • Composable properties for security
  • Access control rules, enforce security policies, auditing, intrusion detection
  • Verification and validation
  • Security solutions proposed by W3C and OMG
  • Java Security
  • Firewalls
  • Digital signatures and Message Digests, Cryptography
E-Commerce Transactions
  • E-commerce functions are carried out as transactions
    • Banking and trading on the internet
    • Each data transaction could contain many tasks
  • Database transactions may be built on top of the data transaction service
    • Database transactions are needed for multiuser access to web databases
    • Need to enforce concurrency control and recovery techniques
Types of Transaction Systems
  • Stored Account Payment
    • e.g., Credit and debit card transactions
    • Electronic payment systems
    • Examples: First Virtual, CyberCash, Secure Electronic Transaction
  • Stored Value Payment
    • Uses bearer certificates
    • Modeled after hard cash
      • Goal is to replace hard cash with e-cash
    • Examples: E-cash, Cybercoin, Smart cards
Building Database Transactions
  • Database Transaction Protocol
  • Payments Protocol
  • HTTP Protocol
  • Socket Protocol
  • TCP/IP Protocol

Secure Digital Libraries
  • Digital libraries are e-libraries
    • Several communities have developed digital libraries
      • Medical, Social, Library of Congress
  • Component technologies
    • Web data management, Multimedia, information retrieval, indexing, browsing, - - -
  • Security has to be incorporated into all aspects
    • Secure models for digital libraries, secure functions
Secure Web Databases
  • Database access through the web
    • JDBC and related technologies
  • Query, indexing and transaction management
    • E.g., New transaction models for E-commerce applications
    • Index strategies for unstructured data
  • Query languages and data models
    • XML has become the standard document interchange language
  • Managing XML databases on the web
    • XML-QL, Extensions to XML, Query and Indexing strategies
  • Integrating heterogeneous data sources on the web
    • Information integration and ontologies are key aspects
  • Mining the data on the web
    • Web content, usage, structure and content mining
Secure Web Databases
  • Secure data models
    • Secure XML, RDF, - - - -
    • Relational, object-oriented, text, images, video, etc.
  • Secure data management functions
    • Secure query, transactions, storage, metadata
  • Key components for secure digital libraries and information retrieval/browsing
  • Secure data integration
Semantic Web: Overview
  • According to Tim Berners-Lee, the Semantic Web supports
    • Machine readable and understandable web pages
    • Enterprise application integration
    • Nodes and links that essentially form a very large database

Premise:

Semantic Web = Web Database Management + Web Services + Information Integration + Rules Processing + - - - - -

Layered Architecture for Dependable Semantic Web

[Figure: layered stack. Labels in the figure: Security; Privacy; Logic, Proof and Trust; Rules/Query; Other Services; RDF, Ontologies; XML, XML Schemas; URI, UNICODE]
  • Adapted from Tim Berners-Lee’s description of the Semantic Web
  • Some Challenges: Interoperability between Layers; Security and Privacy cut across all layers; Integration of Services; Composability
What is XML all about?
  • XML is needed due to the limitations of HTML and complexities of SGML
  • It is an extensible markup language specified by the W3C (World Wide Web Consortium)
  • Designed to make the interchange of structured documents over the Internet easier
  • Key to XML is Document Type Definitions (DTDs)
    • Defines the role of each element of text in a formal model
  • Allows users to bring multiple files together to form compound documents
RDF
  • Resource Description Framework is the essence of the semantic web
  • Adds semantics with the use of ontologies, XML syntax
    • Separates syntax from semantics
  • RDF Concepts
    • Basic Model
      • Resources, Properties and Statements
    • Container Model
      • Bag, Sequence and Alternative
Ontology
  • Common definitions for any entity, person or thing
  • Several ontologies have been defined and available for use
  • Defining common ontology for an entity is a challenge
  • Mappings have to be developed for multiple ontologies
  • Specific languages have been developed for ontologies including RDF and OIL (Ontology Interface Language)
  • DAML (DARPA Agent Markup Language) is an ontology and inference language based on RDF
  • DAML + OIL combines both languages
Rules ML, Inference and CWM
  • Rules ML is a Rules Markup Language for specifying rules
  • Inferencing is about making deductions
    • Deductions based on rules specified in Rules ML or DAML+OIL
    • Based on denotational logic
  • CWM: Closed World Machine
    • Inference engine for the semantic web written as a Python program
Web Services
  • Web Services are about services on the web for carrying out many functions including directory management, source location, subscribe and publish, etc.
  • Web services description language (WSDL) exists for web services specification
  • Web services architectures have been developed
  • Challenge now is to compose web services; how do you integrate multiple web services and provide composed web service in a seamless fashion
  • Ultimate goal is to have web services for information integration
Web Service Architecture

[Figure: web service architecture. Labels in the figure: Service providers; UDDI; Service requestor; Publish; Query; Answer; Request the service]

Aspects of XML Security
  • Controlling access to XML documents
    • Granularity of access: parts of documents, entire documents
  • Specifying policies and credentials in XML
  • Third party publication of XML documents
  • Encryption (www.w3c.org)
Specifying User Credentials in XML

<Professor credID="9" subID="16" CIssuer="2">
  <name> Alice Brown </name>
  <university> University of X </university>
  <department> CS </department>
  <research-group> Security </research-group>
</Professor>

<Secretary credID="12" subID="4" CIssuer="2">
  <name> John James </name>
  <university> University of X </university>
  <department> CS </department>
  <level> Senior </level>
</Secretary>

Specifying Security Policies in XML

<?xml version="1.0" encoding="utf-8"?>
<Policy-base>
  <policy-spec cred-expr="//Professor[department='CS']" target="annual_report.xml"
               path="//Patent[@Dept='CS']//node()" priv="VIEW"/>
  <policy-spec cred-expr="//Professor[department='CS']" target="annual_report.xml"
               path="//Patent[@Dept='EE']/Short-descr/node() and //Patent[@Dept='EE']/authors" priv="VIEW"/>
  <policy-spec cred-expr = - - - -
  <policy-spec cred-expr = - - - -
</Policy-base>

Explanation: CS professors are entitled to access all the patents of their department. They are entitled to see only the short descriptions and authors of patents of the EE department.

Access Control Strategy
  • Subjects request access to XML documents under two modes: Browsing and authoring
    • With browsing access subject can read/navigate documents
    • Authoring access is needed to modify, delete, append documents
  • Access control module checks the policy base and applies policy specs
  • Views of the document are created based on credentials and policy specs
  • In case of conflict, least access privilege rule is enforced
  • Works for Push/Pull modes
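
The view creation described above, as an added example (not code from the lecture or from the system it describes): each policy-spec whose cred-expr selects the subject's credential contributes a path, and the document is pruned to the granted subtrees, with everything else denied. Assumptions: the sample data is constructed, credentials sit in a hypothetical `<credentials>` wrapper and are matched by `subID`, the slide's `and` path is split into two policy-specs, and a grant covers the matched element and its descendants because ElementTree has no `node()` test.

```python
import xml.etree.ElementTree as ET

# Constructed sample data, modelled on the slides' credential and policy examples.
CREDENTIALS = """<credentials>
  <Professor credID="9" subID="16" CIssuer="2"><name>Alice Brown</name><department>CS</department></Professor>
  <Secretary credID="12" subID="4" CIssuer="2"><name>John James</name><department>CS</department></Secretary>
</credentials>"""
POLICY_BASE = """<Policy-base>
  <policy-spec cred-expr="//Professor[department='CS']" target="annual_report.xml" path="//Patent[@Dept='CS']" priv="VIEW"/>
  <policy-spec cred-expr="//Professor[department='CS']" target="annual_report.xml" path="//Patent[@Dept='EE']/Short-descr" priv="VIEW"/>
  <policy-spec cred-expr="//Professor[department='CS']" target="annual_report.xml" path="//Patent[@Dept='EE']/authors" priv="VIEW"/>
</Policy-base>"""
REPORT = """<report>
  <Patent Dept="CS"><Short-descr>cs short</Short-descr><Full-descr>cs full</Full-descr><authors>A</authors></Patent>
  <Patent Dept="EE"><Short-descr>ee short</Short-descr><Full-descr>ee full</Full-descr><authors>B</authors></Patent>
</report>"""

def granted_paths(sub_id, target, priv="VIEW"):
    """Paths of every policy-spec whose cred-expr selects the subject's credential."""
    creds = ET.fromstring(CREDENTIALS)
    paths = []
    for spec in ET.fromstring(POLICY_BASE).iter("policy-spec"):
        if spec.get("target") != target or spec.get("priv") != priv:
            continue
        # ElementTree needs a relative path, so "//X" is evaluated as ".//X".
        holders = creds.findall("." + spec.get("cred-expr"))
        if any(c.get("subID") == sub_id for c in holders):
            paths.append(spec.get("path"))
    return paths

def build_view(sub_id, target, doc_xml):
    """Prune the document to the granted subtrees; anything not granted is denied."""
    root = ET.fromstring(doc_xml)
    allowed = set()
    for path in granted_paths(sub_id, target):
        for node in root.findall("." + path):
            allowed.update(node.iter())   # grant covers the node and its descendants

    def prune(elem):
        if elem in allowed:
            return True
        elem.text = None                  # ungranted ancestors keep structure only
        for child in list(elem):
            if not prune(child):
                elem.remove(child)
        return len(elem) > 0

    return root if prune(root) else None
```

`build_view("16", "annual_report.xml", REPORT)` returns the professor's view, in which the EE patent keeps only `Short-descr` and `authors`; the secretary (`subID` 4) matches no policy-spec and gets no view at all.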
System Architecture for Access Control

[Figure: access control system architecture. Labels in the figure: User; Pull/Query; Push/result; X-Access; X-Admin; Admin Tools; Credential base; Policy base; XML Documents]
Third-Party Architecture
  • The Owner is the producer of information. It specifies access control policies
  • The Publisher is responsible for managing (a portion of) the Owner information and answering subject queries
  • Goal: Untrusted Publisher with respect to Authenticity and Completeness checking

[Figure: third-party architecture. Labels in the figure: Owner; XML Source; policy base; Credential base; SE-XML; Publisher; User/Subject; credentials; Query; Reply document]

RDF and Security
  • XML Security for the Syntax of RDF
    • Access control, Third party publishing, Specifying policies and credentials
  • Securing RDF Graphs
    • UTD research (MS and PhD work in progress)
  • Securing semantics
    • Approach: Take semantic specifications in RDF and incorporate security
      • Security policies embedded into the semantics
Security and Ontology
  • Ontologies used to specify security policies
    • Example: Use DAML + OIL to specify security policies
    • Choice between XML, RDF, Rules ML, DAML+OIL
  • Security for Ontologies
    • Access control on Ontologies
      • Give access to certain parts of the Ontology
Security and Inferencing
  • Specify security policies in Rules ML
  • Inferencing is part of the semantic web; deduced information could be sensitive
  • Extend CWM to handle the inference and privacy problem
    • Extended Python program?
Rule-Processing

[Figure: rule processing. Labels in the figure: Interface to the Semantic Web; Technology By W3C; Inference Engine/Rules Processor; Policies, Ontologies, Rules; XML, RDF Documents, Web Pages, Databases; Semantic Web Engine]

Secure Web Service Architecture

[Figure: secure web service architecture. Labels in the figure: Service requestor; UDDI; Service provider; Query; Confidentiality, Authenticity, Integrity; <dsig:Signature>; BusinessEntity; BusinessService; tModel; PublisherAssertion; BindingTemplate]

Coalition Application Testbed: A Suggestion
  • Identify Coalition
    • Identify Coalition Example: A good starting point will be the Coalition experiments conducted under DARPA’s CoABS program that includes MBP (Master Battle Planner) and CAMPS (Consolidated Air Mobility Planning System) applications
    • Develop scenarios and determine the roles of the coalition partners
    • Identify information to be accessed/shared and how the semantic web may be used by the coalition
  • Design Policies
    • Design policies (e.g., security, privacy, trust) for the coalition when accessing information resources
  • Implement Test Bed
    • Develop a test bed that uses ontologies for information integration and enforces the policies
Vision for Dependable Semantic Web

Core Semantic Web Technologies:

Systems, Networks, Agents, AI, Machine Learning, Data Mining, Languages, Software Engineering, Information Integration

Need research to bring together the above technologies

Directions:

Security/Trust/Privacy, Integrate sensor technologies, Pervasive computing, Social impact

Domain specific semantic webs:

DoD, Intelligence, Medical, Treasury,- - -

  • Some Challenges: Secure Semantic Interoperability; Secure Information Integration; Integrating Pervasive computing and sensors
Summary and Directions
  • End-to-end security
    • Secure networks, clients, servers, middleware
    • Secure Web databases, agents, information retrieval systems, browsers, search engines, - - -
  • As technologies evolve, more security problems
    • Data mining, intrusion detection, encryption are some of the technologies for security
  • Next steps
    • Secure semantic web, Secure knowledge management