Using Facets of Security within a Knowledge-based Framework to Broker and Manage Semantic Web Services
Randy Howard, Larry Kerschberg
E-Center for E-Business, http://eceb.gmu.edu
George Mason University; Fairfax, VA USA
choward@gmu.edu, kersch@gmu.edu
More Publications at:
http://eceb.gmu.edu/publications.htm
September 25, 2004
SKM 2004
1
Research Goals
Provide a framework & methodology to create Virtual Organizations (VO) via Semantic Web Services
Support end-to-end requirements & life-cycle tasks to create a VO on the fly
Address layers that correspond to Specification, Design and Implementation
Focus here is on Intelligent Middleware Services for Secure Knowledge Management
Where is the VO Knowledge?
Humans as part of the VO
Intellectual Property wrapped in Semantic Web Services
Policies that govern the VO
Service-level agreements
QoS agreements
Security Policies and Protocols
Access Control, Authentication Services for the VO
Virtual Security for GRID Services
Problem Space
Automate Web Services
Apply Semantic Web Technologies (Semantic Web Services)
Deal with the plethora of Standards and Protocols
Issues of a Virtual Organization: rapid configuration needed due to the temporal nature of requirements; enterprise issues of Resource Management, Quality of Service and Negotiation; and security issues, which run through every facet of the VO
Solution Space
Knowledge-based Dynamic Semantic Web Services (KDSWS) Framework
Meta-Model for Semantic Web Services
Meta-Process (Methodology)
Specification Languages based on KDM/KDL, which specify: end-to-end tasks of the life-cycle for context; threads to deal with Management, Workflow, Transaction Control, Interoperation, Security, Transportation and Feedback; Enterprise and Local Perspectives
Functional Architecture Components
Brokering and Management
Brokering, or matchmaking, involves [Paolucci, 2004]: services advertising themselves to a broker; the broker handling queries about the available services; and mediating the results for the requestor.
Management Levels [Nayak, 2001]: Strategic, Asset, Value-Chain
KDSWS Framework - Processes
[Figure: KDSWS Processes. Life-cycle tasks: Prepare for Publish, Publish, Retire, Prepare for Request, Request, Discover, Select, Configure, Deploy, Deliver. Threads: Management, Workflow, Transactions, Quality of Service, Security, Interoperation, Transportation, Feedback, Interface. Artifacts exchanged between Provider and Requestor: Provider Profile, Provider Service Profile, Available Capabilities, Requestor Profile (a priori), Request (dynamic), Request Profile, Master Request, Master Service(s), Candidate Services, Confirmed Services, Certified Services, Feedback and/or Fulfilled Request.]
KDSWS Framework Design
[Figure: Specification stack of Meta-metamodel, Meta-model and KDSWS Design Specification, the latter comprising the Knowledge-based Dynamic Services/Process Model & Language, the Knowledge/Data Model & Language and the Methodology. Mappings: Map with Knowledge Base Schema(s), KDSWS Objects, Agent Profiles, Specialty Stores, UDDI, WSDL, BEPLWS, WS-CDL, OWL-S, Semantic Web Services, Grid Interface, WSRF, ...]
KDSWS Functional Architecture
[Figure: Layers: User Services; Intelligent Middleware Services; Web Services Protocols (UDDI, BEPLWS, WSDL, OWL-S, SOAP, ...); Web Services; Grid Interface. Functional Federation Architecture: Federate Functions, Federate Agents, Federate Knowledge. Functional Knowledge Architecture: Semantic Web Base, NonSemantic Web Base. Functional Agent Services Architecture, Line Agents: Virtual Agency, User Agency (Request Preparation, Publication Preparation), Functional Services Agency (Process Planning), Services Coordination Agency. Support Agents: User Profile, Administration, Order Tracking, Broker, Discovery, Ontology, Federation, Negotiation, Curation, Feedback, Contracting, QoS Monitoring, Fulfillment, Service Mediation, Security, Publication, Workflow Coordination, Registration, Requesting, Transaction Management, Certification, Deployment, Configuration, Testing, Delivery, Classification, Metrics.]
KDSWS Brokering Methodology Flow
Broker on Security Facets
[Figure: swim-lane flow with lanes Security Agent, Discovery Agent, Security Structure Agent, Selection Agent, Management and Feedback. Security-facet steps: Receive Request; Interrogate Request Security Structure; Isolate Security Constraints and Preferences; Identify Security-related Elements; Establish Security Domain (Security Domain Catalog); Match Protocols; Match Authentication, Encryption; Match Authorization Policies against Access Roles; Match Trust, Access Control, Rights; Match Non-Repudiation & Integrity (Signature, Identity); Security Negotiation Policy; Differentiate on Security Facets. Brokering steps: Prepare for Publish & Request; Profile Security Facets; Publish; Establish Search Request Profile; Invoke Search (Knowledge Sifter); Traverse Workflow; Compile Selection Results; Differentiate Services; Negotiate Services; Manage Alternatives; Choose Service; Capture Service and Provider Performance. Artifacts: Security Profiles, Security Facets, Search Policies, Master Request, Provider Constraints/Preferences, Search Request Profile, Shortlist of Services, Ranked Web Services, Selection Policies, Negotiation Tracking, Alternative Services, Provider/Service History, Selected Web Service(s).]
KDSWS Brokering Methodology Flow
Produce and Compile Search Results
[Figure: Knowledge Sifter System Architecture. Agents: User Agent, Preferences Agent, Ontology Agent, Query Formulation Agent, Decomposition Agent, Classification Agent, Broker Agent, Search Agent, UDDI Search Agent, Web Services Agent, Integration Agent, Discovery Agent. Sources: OWL Schemas, Ontological Sources, Domain Catalog, UDDI, WSDL. Steps: Establish Search Request Profile (from Requestor Profile, Master Request, Request Constraints/Preferences, Search Priorities); Establish Domain (Domain of Request); Select Search Agent; Adapt Search Agent; Commence Discovering; Invoke Search; Decompose Complex Services; Decompose Workflow; Adjust Search Request Profile; Compile Selection Results (Ranked Web Services, Provider Constraints/Preferences, Capabilities); Select & Negotiate Services; Capture Agent Performance; Feedback Workflow; Management.]
KDL Specification Example
kdsdBlanketsSecurityConstraint
  :DESCRIPTION Provider-side security constraints
  :SUPERTYPES
    kdsdSecurity
    kdsdConstraint
    kdsdProvider
  :SUBTYPES
    kdsdPrivacy
  :ATTRIBUTES
    kdsdDescription :TYPE Object
    kdsdAccessLevel :TYPE Integer
    kdsdAuthorityLevel :TYPE Integer
    kdsdEncryptMethod :TYPE String :CONSTRAINT In ("x508?", "Kerberos")
    kdsdSignatureSwitch :TYPE Boolean
    kdsdVisibility :TYPE String :CONSTRAINT In ("Public", "Partner", "Internal")
    kdsdIdentity :TYPE Object
    kdsdAuthorityLevel :TYPE Integer
  :CONSTRAINTS
    :CONSTRAINT-ID C-02-1 :CONSTRAINT-CATEGORIES Supply, Security
      Allow only partners to access
  :PREFERENCES
    :PREFERENCE-ID P-02-1 :PREFERENCE-CATEGORIES Supply, Security
      Prefer medium security for assurance of fund transfer
  :HEURISTICS
    :HEURISTIC-ID H-02-1 :HEURISTIC-CATEGORIES Supply, Security
      Don't let security impede acquisition
  :METHODS
    :METHOD-ID M-02-1
      Check for partner and access level
Knowledge-based Dynamic Services/Process Language Specification Example
kdspSearchForProviders
  :DESCRIPTION Core Broker activities
  :GOALS
    ProviderSearchGoal (Find services from providers that meet the goals of the request)
  :TASK kdspDiscover
  :THREAD kdspManagement
  :OWNER kdsdSearchAgent
  :STEWARD kdsdKnowledgeSifter
  :PREDECESSORS kdspClassifyRequest
  :SUCCESSORS kdspCompileSearchResults
  :STEPS
    :STEPNAME kdspSearchUDDI
    :SEQUENCE-NUMBER 1
    :STEP-DESCRIPTION Search the UDDI registry for acceptable providers and services
    :DELEGATE kdsdKnowledgeSifter
    :DELEGATE-TYPE AGENT
    :DELEGATE-ROLE LINE
    :OPERATION searchUDDI
    :METHOD-NAME kdsdKnowledgeSifter.Search
    :STEP-SUCCESSORS
      :STEP-SUCCESSOR-MODE Decision
      :STEP-SUCCESSOR-BRANCH kdspAdjustSearchParameters :STEP-CONTROL-CONDITION Insufficient Results
      :STEP-SUCCESSOR-MODE Sequential
      :STEP-SUCCESSOR-BRANCH kdspRankResults :STEP-CONTROL-CONDITION Sufficient Results
  :CONSTRAINTS
    :CONSTRAINT-ID C-13-1 :CONSTRAINT-CATEGORIES Search
      kdsdSearchReturnLimit (Return only the top 25)
    :CONSTRAINT-ID C-13-2 :CONSTRAINT-CATEGORIES Security
      Select only partners that support PKI
  :HEURISTICS
    :HEURISTIC-ID H-13-1 :HEURISTIC-CATEGORIES Search
      Partners who are in bankruptcy are a bad risk; therefore, do not use services from providers who are in bankruptcy
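The two specifications above describe a provider-side security constraint (C-02-1 with method M-02-1) and a search step that filters on PKI support (C-13-2), caps results (C-13-1) and branches on sufficiency. The following is an added example, not the authors' code, showing how a broker could evaluate those facets; the class and function names, the visibility ordering, the sample providers and the minimum-results threshold are assumptions, and the page's "x508?" value is taken to mean X.509/PKI.

```python
from dataclasses import dataclass
# Added example (not the authors' code): provider-side security constraints shaped
# like kdsdBlanketsSecurityConstraint, driving the kdspSearchUDDI step.
VISIBILITY_RANK = {"Public": 0, "Partner": 1, "Internal": 2}  # kdsdVisibility values
PKI_METHOD = "x508?"  # the page's kdsdEncryptMethod value; assumed to mean X.509/PKI

@dataclass(frozen=True)
class ProviderSecurityConstraint:
    visibility: str         # kdsdVisibility: who may use the service
    access_level: int       # kdsdAccessLevel: minimum level a requestor must hold
    encrypt_method: str     # kdsdEncryptMethod: In ("x508?", "Kerberos")
    signature_switch: bool  # kdsdSignatureSwitch: signed requests required

@dataclass(frozen=True)
class RequestorSecurityProfile:
    relationship: str           # Public, Partner or Internal, relative to the provider
    access_level: int
    encrypt_methods: frozenset  # encryption methods the requestor can use
    can_sign: bool              # holds a signing identity (non-repudiation facet)

def check_partner_and_access(req, prov):
    """M-02-1 'Check for partner and access level' enforcing C-02-1 'Allow only partners
    to access': relationship reaches the visibility and access level reaches the floor."""
    return (VISIBILITY_RANK[req.relationship] >= VISIBILITY_RANK[prov.visibility]
            and req.access_level >= prov.access_level)

def match_security_facets(req, prov):
    """Differentiate on security facets: authorization (M-02-1), an encryption
    method both sides support, and the signature/non-repudiation requirement."""
    return (check_partner_and_access(req, prov)
            and prov.encrypt_method in req.encrypt_methods
            and (req.can_sign or not prov.signature_switch))

def search_uddi_step(req, candidates, return_limit=25, minimum_results=1):
    """kdspSearchUDDI over (name, constraint) pairs: keep providers matching the facets
    and C-13-2 (PKI), cut to C-13-1's top 25, then choose the successor branch.
    minimum_results is an assumption; the page names no 'Sufficient Results' threshold."""
    shortlist = [name for name, prov in candidates
                 if match_security_facets(req, prov) and prov.encrypt_method == PKI_METHOD]
    shortlist = shortlist[:return_limit]
    branch = "kdspRankResults" if len(shortlist) >= minimum_results else "kdspAdjustSearchParameters"
    return branch, shortlist

# Constructed sample input: one partner requestor and four advertised providers.
REQUESTOR = RequestorSecurityProfile("Partner", 2, frozenset({PKI_METHOD, "Kerberos"}), True)
CANDIDATES = [
    ("PayClearSvc", ProviderSecurityConstraint("Partner", 2, PKI_METHOD, True)),    # passes
    ("OpenQuoteSvc", ProviderSecurityConstraint("Public", 0, "Kerberos", False)),   # no PKI: C-13-2
    ("HRLedgerSvc", ProviderSecurityConstraint("Internal", 1, PKI_METHOD, False)),  # not internal
    ("VaultSvc", ProviderSecurityConstraint("Partner", 5, PKI_METHOD, True)),       # level too low
]
```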
KDSWS Contributions
Three-tiered framework for specification, design and implementation of Virtual Organizations using Semantic Web Services.
Languages for enhanced specification of Semantic Web Service requirements for the VO.
Security issues are addressed in the specification, design and implementation phases of the VO lifecycle.
Agency-based functional architecture allows for agent specialization of functional capabilities, including security.
Workflow management of VO "transactions" with end-to-end security.
Future Work - Prototype
[Figure: prototype architecture. Inputs: WfMS, Expert Systems (Workflow Patterns, Rules, Objects) and the KDSWS Specification in KDL and KDSPL. An Import Agent, Mapping Agent and Export Agent transform Atomic, Mapped and Aggregated KDL Objects and KDSPL Objects into Knowledge Objects. KDSWS Functional Architecture: Master Request Agent (Profiles, Policies), Publish Agent (UDDI+, OWL-S+, WSDL+), Request Handling Agent, Workflow Agent, Broker Agent, Knowledge Sifter (Ontologies) and Delivery Agent, producing Master Services, a Configuration Package and a Fulfillment Package.]
Conclusions
Web Services and Semantic Web Services are still in their infancy, so new tools and techniques are needed for Secure Knowledge Management within the Virtual Organization.
The KDSWS Framework is one approach to meeting the above goal:
Meta-models capture the data organization
Methodology helps to integrate the plethora of standards
Languages embody the meta-model & methodology to allow for "security semantics" specification
Integrated specification, design and implementation environment
Questions and Answers