Using Facets of Security within a Knowledge-based Framework to Broker and Manage Semantic Web Services Randy Howard, Larry Kerschberg E-Center for E-Business, http://eceb.gmu.edu George Mason University; Fairfax, VA USA choward@gmu.edu, kersch@gmu.edu More Publications at: http://eceb.gmu.edu/publications.htm September 25, 2004 SKM 2004 1 Research Goals Provide a framework & methodology to create Virtual Organizations (VO) via Semantic Web Services Support end-to-end requirements & life-cycle tasks to create VO on the fly Address layers that correspond to Specification, Design and Implementation Focus here is on Intelligent Middle-ware Services for Secure Knowledge Management September 25, 2004 SKM 2004 2 Where is the VO Knowledge? Humans as part of the VO Intellectual Property wrapped in Semantic Web Services Policies that govern the VO Service-level agreements QoS agreements Security Policies and Protocols Access Control, Authentication Services for VO Virtual Security for GRID Services September 25, 2004 SKM 2004 3 Problem Space Automate Web Services Apply Semantic Web Technologies (Semantic Web Services) Deal w/ Plethora of Standards and Protocols Issues of a Virtual Organization Rapid configuration needed due to temporal nature of requirements; Enterprise Issues of Resource Management, Quality of Service and Negotiation, and Security issues run through every facet of the VO September 25, 2004 SKM 2004 4 Solution Space Knowledge-based Dynamic Semantic Web Services (KDSWS) Framework Meta-Model for Semantic Web Services Meta-Process (Methodology) Specification Languages based on KDM/KDL Specifies: End-to-end tasks of the life-cycle for context, Threads to deal with Management, Workflow, Transaction Control, Interoperation, Security, Transportation and Feedback Enterprise and Local Perspectives Functional Architecture Components September 25, 2004 SKM 2004 5 Brokering and Management Brokering, or matchmaking, involves [Paolucci, 2004]: Services advertising themselves to a broker Broker handling queries about the available services Mediating the results for the requestor Management Levels [Nayak, 2001]: Strategic Asset Value-Chain September 25, 2004 SKM 2004 6 KDSWS Framework-Processes KDSWS Processes Life-Cycle Tasks Prepare for Publish Provider Profile Feedback and/or Fulfilled Request Available Capabilities Requestor Profile (apriori) Request (dynamic) Publish Threads Retire Master Service(s) Request Profile Select Request Master Request Provider Service Profile Configure Deploy Deliver Workflow Transactions Quality of Service Security Interoperation Candidate Services Transportation Discover Feedback Interface September 25, 2004 Confirmed Services Certified Services Requestor Prepare for Request Management SKM 2004 7 KDSWS Framework Design Specification Meta-metamodel Meta-model KDSWS Design Specification Knowledge-based Dynamic Services/Process Model & Language Knowledge/ Data Model & Language Methodology Mappings Map with Knowledge Base Schema(s) Map with BEPLWS Map with KDSWS Objects Map with UDDI September 25, 2004 Map with Semantic Web Services Map with WSDL Map with Grid Interface Map with WSRF SKM 2004 Map with Specialty Stores Map with WS-CDL Map with Agent Profiles Map with OWLooo S 8 KDSWS Functional Architecture KDSWS Functional Architecture Layer Functional Federation Architecture Functional Knowledge Architecture User Services Federate Functions Semantic Web Base Federate Agents NonSemantic Web Base Intelligent Middleware Services Federate Knowledge Functional Agent Services Architecture Line Virtual Agency Agents Agents Request Process Preparation User Agency Publication Planning Preparation Functional Services Agency Web Services Protocols UDDI BEPLWS WSDL OWL-S SOAP ooo Web Services Services Coordination Agency Grid Interface September 25, 2004 SKM 2004 Support Agents User Profile Administration Order Tracking Broker Discovery Ontology Federation Negotiation Curation Feedback Contracting QoS Monitoring Fulfillment Service Mediation Security Publication Workflow Coordination Registration Requesting Transaction Management Certification Deployment Configuration Testing Delivery Classification Metrics 9 KDSWS Brokering Methodology Flow B roker on Security Facets S ecurity A gent Management P repare for P ublish & R equest P rofile Security Facets S ecurity P rofiles E stablish S earch R equest P rofile S earch P olicies P ublish D iscovery A gent S ecurity S tructure A gent S ecurity F acets R equest P rovider C o nstraints/ P references Invoke S earch K now ledge S ifter A M aster R equest T raverse W orkflow Security N egotiation P olicy D iffe ren tiate S e rvice s S hortlist of Services R anked W eb S ervices S election P olicies C om pile S election R esults A M a tch P rotoco ls Identify Security- related E lem ents N egotiation T racking N e go tiate S e rvice s M anage A lternatives C h oo se S e rvic e A lternative Services P rovider /S ervice H istory Interrogate R equest Security Structure S ecurity D o m ain C atalog S earch R equest P rofile Selection A gent S elected W eb S ervice(s) M atch N on R ep u dia tio n & In te g rity S ignature Identity E stablish S ecurity D om ain M a tch A u th en tica tion E ncryption Isolate S ecurity C o nstraints and P references R e ceive R e qu est A ccess R oles M a tch A u tho rizatio n P olicies M atch T ru st, A cce ss C on tro l, R ig hts Feedback D iffe re ntia te o n S e cu rity F ace ts C apture S ervice and P rovider P erform ance September 25, 2004 SKM 2004 10 KDSWS Brokering Methodology Flow Produce and Compile Search Reslts Discovery Agent Master Request Request Request Constraints/ Preferences Management Search Priorities Feedback Workflow Search Request Profile Invoke Search Preferences Agent User Agent Ontology Agent Query Formulation Agent Owl Schemas Ontological Sources Capture Agent Performance September 25, 2004 Ranked Web Services Integration Agent Select UDDI Web Services Agent WSDL Provider Constraints/ Preferences Decompose Complex Services Compile Selection Results UDDI Search Agent Capabilities Adjust Search Request Profile Domain Catalog Broker Agent Knowledge Sifter System Architecture Select Search Agent A Search Request Profile Establish Domain Decomposition Agent Domain of Request Establish Search Request Profile Requestor Profile Commence Discovering Classification Agent A Select & Negotiate Services Decompose Workflow Adapt Search Agent Search Agent Profile SKM 2004 11 KDL Specification Example kdsdBlanketsSecurityConstraint :DESCRIPTION Provider-side security constraints :SUPERTYPES kdsdSecurity kdsdConstraint kdsdProvider :SUBTYPES kdsdPrivacy :ATTRIBUTES kdsdDescription :TYPE Object kdsdAccessLevel :TYPE Integer kdsdAuthorityLevel :TYPE Integer kdsdEncryptMethod :TYPE String :CONSTRAINT In ("x508?", "Kerberos") kdsdSignatureSwitch :TYPE Boolean kdsdVisibility :TYPE String :CONSTRAINT In ("Public", "Partner", "Internal") kdsdIdentity :TYPE Object kdsdAuthorityLevel :TYPE Integer :CONSTRAINTS :CONSTRAINT-ID C-02-1 :CONSTRAINT-CATEGORIESSupply, Security Allow only partners to access :PREFERENCES :PREFERENCE-ID P-02-1 :PREFERENCE-CATEGORIES Supply, Security Prefer medium security for assurace of fund transfer :HEURISTICS :HEURISTIC-ID H-02-1 :HEURISTIC-CATEGORIES Supply, Security Don't let security impede acquisition :METHODS :METHOD-ID M-02-1 Check for partner and access level September 25, 2004 SKM 2004 12 Knowledge-based Dynamic Services/Process Language Specification Example kdspSearchForProviders :DESCRIPTION Core Broker activities :GOALS ProviderSearchGoal (Find services fromproviders that meet the goals of the request) :TASK kdspDiscover :THREAD kdspManagement :OWNER kdsdSearchAgent :STEWARD kdsdKnowledgeSifter :PREDECESSORSkdspClassifyRequest :SUCCESSORS kdspCompileSearchResults :STEPS :STEPNAME kdspSearchUDDI :SEQUENCE-NUMBER 1 :STEP-DESCRIPTION Search the UDDI registry for acceptable providers and services :DELEGATE kdsdKnowledgeSifter :DELEGATE-TYPE AGENT :DELEGATE-ROLE LINE :OPERATION searchUDDI :METHOD-NAME kdsdKnowledgeSifter.Search :STEP-SUCCESSORS :STEP-SUCCESSOR-MODE Decision :STEP-SUCCESSOR-BRANCH kdspAdjustSearchParameters :STEP-CONTROL-CONDITION Insufficient Results :STEP-SUCCESSOR-MODE Sequential :STEP-SUCCESSOR-BRANCH kdspRankResults :STEP-CONTROL-CONDITION Sufficient Results :CONTRAINTS :CONSTRAINT-ID C-13-1 :CONSTRAINT-CATEGORIES Search kdsdSearchReturnLimit (Return only the top 25) :CONSTRAINT-ID C-13-2 :CONSTRAINT-CATEGORIES Security Select only partners that support PKI H-13-1 :HEURISTICS :HEURISTIC-ID :HEURISTIC-CATEGORIES Search Partners who are in bankruptcy are a bad risk; therefore, do not use services fromproviders who are in bankruptcy" September 25, 2004 SKM 2004 13 KDSWS Contributions Three-tiered framework for specification, design and implementation of Virtual Organizations using Semantic Web Services. Languages for enhanced specification of Semantic Web Service requirements for the VO. Security issues are addressed in specification, design and implementation phases of VO lifecycle. Agency-based functional architecture allows for agent specialization of functional capabilities including security. Workflow management of VO “transactions” with end-to-end security. September 25, 2004 SKM 2004 14 Future Work - Prototype WfMS Expert Systems Workflow Patterns Rules Objects KDSWS Specification Import Agent Mapped KDL Objects Aggregated KDL Objects Mapping Agent KDL KDSPL Export Agent Atomic KDL Objects Knowledge Objects Mapped KDSPL Objects Atomic KDSPL Objects Master Request Agent Profiles Policies KDSWS Functional Architecture Publish Agent UDDI+ OWL-S+ Aggregated KDSPL Objects WSDL+ Request Handling Agent Workflow Agent Ontologies September 25, 2004 Broker Agent Knowledge Sifter Master Services Configuration Package SKM 2004 Delivery Agent Fulfillment Package 15 Conclusions Web Services and Semantic Web Services are still in their infancy so new tools and techniques are needed for Secure Knowledge Management within the Virtual Organization. The KDSWS Framework is one approach to meeting the above goal. Meta-models capture the data organization, Methodology helps to integrate the plethora of standards Languages embody the meta-model & methodology to allow for “security semantics” specification Integrated specification, design and implementation environment. September 25, 2004 SKM 2004 16 Questions and Answers September 25, 2004 SKM 2004 17