Using Facets of Security within a Knowledge-based Framework to Broker and Manage Semantic Web Services
Randy Howard, Larry Kerschberg
E-Center for E-Business, http://eceb.gmu.edu
George Mason University; Fairfax, VA USA
choward@gmu.edu, kersch@gmu.edu
More Publications at: http://eceb.gmu.edu/publications.htm
September 25, 2004, SKM 2004

Slide 2: Research Goals
- Provide a framework and methodology to create Virtual Organizations (VO) via Semantic Web Services
- Support end-to-end requirements and life-cycle tasks to create a VO on the fly
- Address layers that correspond to Specification, Design and Implementation
- Focus here is on Intelligent Middleware Services for Secure Knowledge Management

Slide 3: Where is the VO Knowledge?
- Humans as part of the VO
- Intellectual Property wrapped in Semantic Web Services
- Policies that govern the VO
  - Service-level agreements
  - QoS agreements
  - Security Policies and Protocols
    - Access Control and Authentication Services for the VO
    - Virtual Security for GRID Services

Slide 4: Problem Space
- Automate Web Services
- Apply Semantic Web Technologies (Semantic Web Services)
- Deal with the plethora of Standards and Protocols
- Issues of a Virtual Organization
  - Rapid configuration is needed due to the temporal nature of requirements
  - Enterprise issues of Resource Management, Quality of Service and Negotiation, and Security issues run through every facet of the VO

Slide 5: Solution Space
- Knowledge-based Dynamic Semantic Web Services (KDSWS) Framework
  - Meta-Model for Semantic Web Services
  - Meta-Process (Methodology)
  - Specification Languages based on KDM/KDL, which specify:
    - End-to-end tasks of the life-cycle for context
    - Threads to deal with Management, Workflow, Transaction Control, Interoperation, Security, Transportation and Feedback
    - Enterprise and Local Perspectives
  - Functional Architecture Components

Slide 6: Brokering and Management
- Brokering, or matchmaking, involves [Paolucci, 2004]:
  - Services advertising themselves to a broker
  - The broker handling queries about the available services
  - Mediating the results for the requestor
- Management Levels [Nayak, 2001]: Strategic, Asset, Value-Chain

Slide 7: KDSWS Framework - Processes
[Diagram: KDSWS Processes. Life-cycle tasks: Prepare for Publish, Publish, Prepare for Request, Request, Discover, Select, Configure, Deploy, Deliver, Retire. Threads: Management, Workflow, Transactions, Quality of Service, Security, Interoperation, Transportation, Feedback. Artifacts flowing between tasks: Provider Profile, Certified Services, Requestor Profile (a priori), Master Service(s) Request Profile, Available Capabilities, Candidate Services, Confirmed Services Request (dynamic), Feedback and/or Fulfilled Request, Interface.]

Slide 8: KDSWS Framework Design Specification
[Diagram: Meta-metamodel, Meta-model, and the KDSWS Design Specification (Knowledge-based Dynamic Services/Process Model & Language; Knowledge/Data Model & Language; Methodology). Mappings: Knowledge Base Schema(s), BPEL4WS, KDSWS Objects, UDDI, Semantic Web Services, WSDL, Grid Interface, WSRF, Specialty Stores, WS-CDL, Agent Profiles, OWL-S, and others.]

Slide 9: KDSWS Functional Architecture
[Diagram: Functional Federation Architecture (User Services, Federate Functions, Federate Agents, Federate Knowledge); Functional Knowledge Architecture (Semantic Web Base, Non-Semantic Web Base, Intelligent Middleware Services); Functional Agent Services Architecture with a Virtual Line Agency (User Agency, Request Preparation, Publication Preparation, Process Planning, Services Coordination Agency, Functional Services Agency), Web Services Protocols (UDDI, BPEL4WS, WSDL, OWL-S, SOAP, and others) and a Grid Interface. Support Agents: User Profile, Administration, Order Tracking, Broker, Discovery, Ontology, Federation, Negotiation, Curation, Feedback, Contracting, QoS Monitoring, Fulfillment, Service Mediation, Security, Publication, Workflow Coordination, Registration, Requesting, Transaction Management, Certification, Deployment, Configuration, Testing, Delivery, Classification, Metrics.]

Slide 10: KDSWS Brokering Methodology Flow - Broker on Security Facets
[Diagram: The Security Agent and Management establish the search request profile, search policies and security facets, and publish security profiles. The Discovery Agent takes requestor and provider constraints/preferences and invokes the search through the Knowledge Sifter, traversing the workflow of the Master Request. The Structure Agent interrogates the request security structure against the Security Domain Catalog, establishes the security domain, matches protocols and identifies security-related elements. The Selection Agent isolates security constraints and preferences, differentiates services on security facets, produces a shortlist and ranked web services, negotiates services (Security Negotiation Policy, Selection Policies, Negotiation Tracking, Manage Alternatives, Alternative Services, Provider/Service History) and chooses the selected web service(s). Security facets matched: Non-Repudiation and Integrity (Signature, Identity), Authentication, Encryption, Authorization (Access Roles, Policies), Trust, Access Control and Rights. Feedback on the request captures service and provider performance.]

Slide 11: KDSWS Brokering Methodology Flow - Produce and Compile Search Results
[Diagram: The Broker Agent establishes the search request profile and the domain of the request (Domain Catalog, Requestor Profile, Master Request); the Request Classification Agent classifies it; the Decomposition Agent decomposes complex services and the workflow; the Search Agent, whose profile is adapted from search priorities and feedback, commences discovery by invoking the Knowledge Sifter system architecture (Preferences Agent, User Agent, Ontology Agent, Query Formulation Agent, OWL schemas, ontological sources, UDDI Search Agent, Web Services Agent, WSDL, provider constraints/preferences). The Integration Agent compiles the selection results into ranked web services, adjusts the search request profile, captures agent performance and hands off to select and negotiate services.]

Slide 12: KDL Specification Example
  kdsdBlanketsSecurityConstraint
    :DESCRIPTION Provider-side security constraints
    :SUPERTYPES kdsdSecurity kdsdConstraint kdsdProvider
    :SUBTYPES kdsdPrivacy
    :ATTRIBUTES
      kdsdDescription :TYPE Object
      kdsdAccessLevel :TYPE Integer
      kdsdAuthorityLevel :TYPE Integer
      kdsdEncryptMethod :TYPE String :CONSTRAINT In ("x508?", "Kerberos")
      kdsdSignatureSwitch :TYPE Boolean
      kdsdVisibility :TYPE String :CONSTRAINT In ("Public", "Partner", "Internal")
      kdsdIdentity :TYPE Object
      kdsdAuthorityLevel :TYPE Integer
    :CONSTRAINTS
      :CONSTRAINT-ID C-02-1 :CONSTRAINT-CATEGORIES Supply, Security
        Allow only partners to access
    :PREFERENCES
      :PREFERENCE-ID P-02-1 :PREFERENCE-CATEGORIES Supply, Security
        Prefer medium security for assurance of fund transfer
    :HEURISTICS
      :HEURISTIC-ID H-02-1 :HEURISTIC-CATEGORIES Supply, Security
        Don't let security impede acquisition
    :METHODS
      :METHOD-ID M-02-1
        Check for partner and access level

Slide 13: Knowledge-based Dynamic Services/Process Language Specification Example
  kdspSearchForProviders
    :DESCRIPTION Core Broker activities
    :GOALS ProviderSearchGoal (Find services from providers that meet the goals of the request)
    :TASK kdspDiscover
    :THREAD kdspManagement
    :OWNER kdsdSearchAgent
    :STEWARD kdsdKnowledgeSifter
    :PREDECESSORS kdspClassifyRequest
    :SUCCESSORS kdspCompileSearchResults
    :STEPS
      :STEPNAME kdspSearchUDDI
      :SEQUENCE-NUMBER 1
      :STEP-DESCRIPTION Search the UDDI registry for acceptable providers and services
      :DELEGATE kdsdKnowledgeSifter
      :DELEGATE-TYPE AGENT
      :DELEGATE-ROLE LINE
      :OPERATION searchUDDI
      :METHOD-NAME kdsdKnowledgeSifter.Search
      :STEP-SUCCESSORS
        :STEP-SUCCESSOR-MODE Decision
        :STEP-SUCCESSOR-BRANCH kdspAdjustSearchParameters
        :STEP-CONTROL-CONDITION Insufficient Results
        :STEP-SUCCESSOR-MODE Sequential
        :STEP-SUCCESSOR-BRANCH kdspRankResults
        :STEP-CONTROL-CONDITION Sufficient Results
    :CONSTRAINTS
      :CONSTRAINT-ID C-13-1 :CONSTRAINT-CATEGORIES Search
        kdsdSearchReturnLimit (Return only the top 25)
      :CONSTRAINT-ID C-13-2 :CONSTRAINT-CATEGORIES Security
        Select only partners that support PKI
    :HEURISTICS
      :HEURISTIC-ID H-13-1 :HEURISTIC-CATEGORIES Search
        Partners who are in bankruptcy are a bad risk; therefore, do not use services from providers who are in bankruptcy

Slide 14: KDSWS Contributions
- Three-tiered framework for specification, design and implementation of Virtual Organizations using Semantic Web Services.
- Languages for enhanced specification of Semantic Web Service requirements for the VO.
- Security issues are addressed in the specification, design and implementation phases of the VO life-cycle.
- Agency-based functional architecture allows for agent specialization of functional capabilities, including security.
- Workflow management of VO "transactions" with end-to-end security.

Slide 15: Future Work - Prototype
[Diagram: A KDSWS Specification (KDL and KDSPL) is read by an Import Agent into atomic KDL/KDSPL objects, which a Mapping Agent (using WfMS, expert systems, workflow patterns, rules, objects and ontologies) turns into mapped and aggregated KDL/KDSPL objects and knowledge objects; an Export Agent feeds the KDSWS Functional Architecture (Publish Agent with UDDI+, OWL-S+ and WSDL+; Request Handling Agent with Master Request, Agent Profiles and Policies; Workflow Agent; Broker Agent with Knowledge Sifter; Master Services Configuration Package; Delivery Agent with Fulfillment Package).]

Slide 16: Conclusions
- Web Services and Semantic Web Services are still in their infancy, so new tools and techniques are needed for Secure Knowledge Management within the Virtual Organization.
- The KDSWS Framework is one approach to meeting the above goal.
  - Meta-models capture the data organization.
  - The Methodology helps to integrate the plethora of standards.
  - The Languages embody the meta-model and methodology to allow for "security semantics" specification.
  - Integrated specification, design and implementation environment.

Slide 17: Questions and Answers
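The security-facet brokering that the kdsdBlanketsSecurityConstraint and kdspSearchForProviders examples describe, written out as an added illustration that is not the authors' code: provider-side constraint C-02-1 (partners only) and method M-02-1 (check partner and access level), requestor-side constraints C-13-2 (PKI support) and C-13-1 (top 25), preference P-02-1 (medium security) used only for ranking per heuristic H-02-1, and the Sufficient/Insufficient Results branch of the search step. The provider and requestor data, the authority-level scale and the reading of "x508?" as X.509 are assumptions.

```python
from dataclasses import dataclass

SEARCH_RETURN_LIMIT = 25  # kdsdSearchReturnLimit, constraint C-13-1 (return only the top 25)
PKI_METHODS = {"X.509"}   # assumption: the page's "x508?" value denotes X.509 certificates

@dataclass(frozen=True)
class ProviderSecurityConstraint:
    """Provider-side facets of kdsdBlanketsSecurityConstraint (sample values are constructed)."""
    provider: str
    visibility: str         # In ("Public", "Partner", "Internal")
    access_level: int       # minimum access level a requestor must hold
    authority_level: int    # assumed scale: 1 = low, 2 = medium, 3 = high security
    encrypt_method: str     # In ("X.509", "Kerberos")
    signature_switch: bool  # non-repudiation / integrity facet

@dataclass(frozen=True)
class RequestorProfile:
    name: str
    access_level: int
    partners: frozenset                 # providers this requestor has a partner agreement with
    require_pki: bool = True            # C-13-2: select only partners that support PKI
    preferred_authority_level: int = 2  # P-02-1: prefer medium security

def check_partner_and_access_level(c, r):
    """Method M-02-1, enforcing the provider's constraint C-02-1 (allow only partners)."""
    if c.visibility not in ("Public", "Partner", "Internal"):
        raise ValueError(f"invalid visibility {c.visibility!r}")
    if c.visibility == "Internal" or (c.visibility == "Partner" and c.provider not in r.partners):
        return False
    return r.access_level >= c.access_level

def broker_on_security_facets(constraints, r):
    """Filter on hard constraints, rank only on preferences (heuristic H-02-1), cap at the
    return limit; returns the STEP-CONTROL-CONDITION and the ranked provider shortlist."""
    admitted = [c for c in constraints if check_partner_and_access_level(c, r)
                and (not r.require_pki or c.encrypt_method in PKI_METHODS)]
    # closest to the preferred authority level first, signature support as tie-breaker
    admitted.sort(key=lambda c: (abs(c.authority_level - r.preferred_authority_level),
                                 not c.signature_switch, c.provider))
    shortlist = [c.provider for c in admitted[:SEARCH_RETURN_LIMIT]]
    return ("Sufficient Results" if shortlist else "Insufficient Results"), shortlist

SAMPLE_CONSTRAINTS = [  # constructed sample advertisements
    ProviderSecurityConstraint("AcmeBlankets", "Partner", 2, 3, "X.509", True),
    ProviderSecurityConstraint("BudgetWool", "Partner", 2, 2, "X.509", False),
    ProviderSecurityConstraint("OpenFleece", "Public", 1, 2, "Kerberos", True),
    ProviderSecurityConstraint("GovDepot", "Internal", 3, 3, "X.509", True),
    ProviderSecurityConstraint("TrustedTextiles", "Partner", 3, 2, "X.509", True),
]
SAMPLE_REQUESTOR = RequestorProfile("VO-Buyer", 2, frozenset({"AcmeBlankets", "BudgetWool", "TrustedTextiles"}))
```

An empty shortlist maps to the "Insufficient Results" branch of kdspSearchUDDI, which the KDSPL example routes to kdspAdjustSearchParameters rather than to ranking.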