1 / 19

Semantic Web Policy Systems

Presented By: John Paul Dunning. Semantic Web Policy Systems. Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech. Semantic Web Policy Systems. “A meta-control architecture for orchestrating policy enforcement across heterogeneous information sources”

aloha
Download Presentation

Semantic Web Policy Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presented By: John Paul Dunning Semantic Web Policy Systems Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

  2. Semantic Web Policy Systems “A meta-control architecture for orchestrating policy enforcement across heterogeneous information sources” Jinghai Rao, Alberto Sardinha, Norman Sadeh Carnegie Mellon University Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

  3. Overview Context-sensitive security and privacy policies Decentralized trust management Challenges include: sources of information vary from one principal to another sources of information may vary over time sources of information may not be known ahead of time Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

  4. Contributions of Paper “Development of a semantic web framework and a meta-control model for opportunistically interleaving policy reasoning and web service discovery to enforce context-sensitive policies” Extension of XACML ontology Language independent system

  5. XACML “XACML is an initiative to develop a standard for access control and authorization systems... XACML aims to achieve the following: Create a portable and standard way of describing access control entities and their attributes. Provide a mechanism that offers much finer granular access control than simply denying or granting access -- that is, a mechanism that can enforce some before and after actions along with "permit" or "deny" permission.” http://www.ibm.com/developerworks/xml/library/x-xacml/

  6. Information Disclosure Agent (IDA) Policy Enforcement Agent (PEA) Controls access to information and service access through policies Uses policy enforcement Control policies Obfuscation policies

  7. Information Disclosure Agent (IDA) Interact across various networks Encrypted traffic Language Independent (with interpreter)‏

  8. Information Disclosure Agent (IDA)

  9. Meta-Controller Monitors progress and determines the next step Cycle Meta-Control Housekeeping Module Modules complete tasks

  10. Meta-Controller Query status information includes: A query status ID Status predicates A query ID and query element ID A parent query status ID A time stamp

  11. Meta-Controller

  12. Policy Reasoner Evaluating relevant policies Return policy decisions Modules: Query Decomposition Module Access Control Module Obfuscation Module

  13. Information Collector Gathering facts Modules: Local Information Reasoner Service Discovery Module Service Invocation Module User Interface

  14. Service Discovery and Invocation IDAs are constantly sending queries and results back and forth Multiple queries between IDAs Node deadlock is possible and avoidable Time outs Query dependency graphs

  15. Example Scenario Bob is an employee of SATElectronics Corporation Bob contracts to United GenSat Bob wants the schedule for deployment of SAT 777 from United GenSat, which is a product he has been working on.

  16. Example Scenario

  17. Beyond Access Control Policies

  18. Q&A How easy are the policies to create/update/delete? What is the overhead of this system VS a standard form of authentication?

More Related