
September 25, 2004 SKM 2004 1

Using Facets of Security within a Knowledge-based Framework to Broker and Manage Semantic Web Services

Randy Howard, Larry Kerschberg
E-Center for E-Business, http://eceb.gmu.edu
George Mason University; Fairfax, VA USA
[email protected], [email protected]
More Publications at: http://eceb.gmu.edu/publications.htm

September 25, 2004 SKM 2004 2

Research Goals

• Provide a framework & methodology to create Virtual Organizations (VO) via Semantic Web Services
• Support end-to-end requirements & life-cycle tasks to create VO on the fly
• Address layers that correspond to Specification, Design and Implementation
• Focus here is on Intelligent Middle-ware Services for Secure Knowledge Management

September 25, 2004 SKM 2004 3

Where is the VO Knowledge?

• Humans as part of the VO
• Intellectual Property wrapped in Semantic Web Services
• Policies that govern the VO
  • Service-level agreements
  • QoS agreements
• Security Policies and Protocols
  • Access Control, Authentication Services for VO
  • Virtual Security for GRID Services

September 25, 2004 SKM 2004 4

Problem Space

• Automate Web Services
  • Apply Semantic Web Technologies (Semantic Web Services)
  • Deal w/ Plethora of Standards and Protocols
• Issues of a Virtual Organization
  • Rapid configuration needed due to temporal nature of requirements;
  • Enterprise Issues of Resource Management, Quality of Service and Negotiation, and
  • Security issues run through every facet of the VO

September 25, 2004 SKM 2004 5

Solution Space

• Knowledge-based Dynamic Semantic Web Services (KDSWS) Framework
  • Meta-Model for Semantic Web Services
  • Meta-Process (Methodology)
  • Specification Languages based on KDM/KDL
• Specifies:
  • End-to-end tasks of the life-cycle for context,
  • Threads to deal with Management, Workflow, Transaction Control, Interoperation, Security, Transportation and Feedback
  • Enterprise and Local Perspectives
  • Functional Architecture Components

September 25, 2004 SKM 2004 6

Brokering and Management

• Brokering, or matchmaking, involves [Paolucci, 2004]:
  • Services advertising themselves to a broker
  • Broker handling queries about the available services
  • Mediating the results for the requestor
• Management Levels [Nayak, 2001]:
  • Strategic
  • Asset
  • Value-Chain

September 25, 2004 SKM 2004 7

KDSWS Framework - Processes

Figure: KDSWS Processes (a grid of Threads against Life-Cycle Tasks, with the artifacts that flow between tasks)

Threads: Management, Workflow, Transactions, Quality of Service, Security, Interoperation, Transportation, Feedback

Life-Cycle Tasks: Prepare for Publish, Prepare for Request, Publish, Request, Discover, Select, Configure, Deploy, Deliver, Retire

Artifacts: Available Capabilities, Service Profile, Request Profile, Master Request, Candidate Services, Master Service(s), Certified Services, Confirmed Services, Feedback and/or Fulfilled Request

Actors and their inputs: Requestor (Requestor Profile (a priori), Request (dynamic)); Provider (Provider Profile); Interface

September 25, 2004 SKM 2004 8

KDSWS Framework Design Specification

Figure: KDSWS Design Specification (layered model with mappings to external standards)

Layers: Meta-meta-model; Meta-model / Methodology; Knowledge/Data Model & Language and Knowledge-based Dynamic Services/Process Model & Language; Schema(s); Mappings

Mappings: Map with Semantic Web Services, Map with WSDL, Map with UDDI, Map with OWL-S, Map with BPEL4WS, Map with WSRF, Map with WS-CDL, Map with Agent Profiles, Map with Knowledge Base, Map with KDSWS Objects, Map with Grid Interface, Map with Specialty Stores, ...

September 25, 2004 SKM 2004 9

KDSWS Functional Architecture

Figure: KDSWS Functional Architecture

Functional Federation Architecture: Federate Agents, Federate Functions, Federate Knowledge

Functional Knowledge Architecture: Semantic Web Base, Non-Semantic Web Base

Web Services Protocols: WSDL, UDDI, OWL-S, BPEL4WS, SOAP, Grid Interface, ...

Functional Agent Services Architecture: User Agency, Functional Services Agency, Services Coordination Agency; Process Layer; Line Agents, Support Agents, Virtual Agents; layers of User Services, Intelligent Middleware Services and Web Services

Agent services: Planning, Discovery, Negotiation, Contracting, Service Mediation, Workflow Coordination, Transaction Management, Security, Registration, Certification, Ontology Curation, QoS Monitoring, User Profile Administration, Order Tracking, Request Preparation, Publication Preparation, Broker, Classification, Configuration, Federation, Publication, Requesting, Fulfillment, Feedback, Testing, Metrics, Deployment, Delivery

September 25, 2004 SKM 2004 10

KDSWS Brokering Methodology Flow

Figure: KDSWS Brokering Methodology Flow (security facets), drawn as swimlanes for the Security Agent, Security Structure Agent, Discovery Agent and Selection Agent, with Feedback, Security Management and Workflow lanes

Steps: Receive Request; Interrogate Request Security Structure; Identify Security-related Elements; Isolate Security Constraints and Preferences; Profile Security Facets; Establish Security Domain; Establish Search Request Profile; Invoke Search; Match Authentication; Match Authorization; Match Trust, Access Control, Rights; Match Non-Repudiation & Integrity; Match Protocols; Differentiate Services (Differentiate on Security Facets); Broker on Security Facets; Negotiate Services; Manage Alternatives; Choose Service; Compile Selection Results; Capture Service and Provider Performance; Traverse Workflow

Security facet elements shown: Access Roles, Policies, Encryption, Identity, Signature

Artifacts and knowledge sources: Request, Master Request, Security Profiles, Security Facets, Security Domain Catalog, Search Request Profile, Provider Constraints/Preferences, Provider/Service History, Negotiation Tracking, Selection Policies, Search Policies, Negotiation Policy, Short-list of Services, Alternative Services, Ranked Web Services, Selected Web Service(s)

Related components: Knowledge Sifter, Publish, Prepare for Publish & Request

September 25, 2004 SKM 2004 11

KDSWS Brokering Methodology Flow

Figure: KDSWS Brokering Methodology Flow (discovery), drawn as swimlanes for the Classification Agent, Discovery Agent, Decomposition Agent and Broker Agent, with Feedback and Workflow Management lanes

Steps: Establish Domain (Domain of Request); Select UDDI (Domain Catalog); Select Search Agent (Search Agent Profile, Search Agent Capabilities); Adapt Search Agent; Adjust Search Request Profile; Decompose Complex Services; Decompose Workflow; Establish Search Request Profile; Commence Discovering; Invoke Search; Produce and Compile Search Results; Compile Selection Results; Select & Negotiate Services; Capture Agent Performance

Inputs: Request, Requestor Profile, Request Constraints/Preferences, Provider Constraints/Preferences, Search Priorities, Master Request, Search Request Profile
Output: Ranked Web Services

Knowledge Sifter System Architecture: User Agent, Preferences Agent, Integration Agent, Web Services Agent, Ontology Agent, Query Formulation Agent; sources: OWL Schemas, Ontological Sources, UDDI/WSDL

September 25, 2004 SKM 2004 12

KDL Specification Example

  kdsdBlanketsSecurityConstraint
    :DESCRIPTION Provider-side security constraints
    :SUPERTYPES kdsdSecurity, kdsdConstraint, kdsdProvider
    :SUBTYPES kdsdPrivacy
    :ATTRIBUTES
      kdsdDescription :TYPE Object
      kdsdAccessLevel :TYPE Integer
      kdsdAuthorityLevel :TYPE Integer
      kdsdEncryptMethod :TYPE String :CONSTRAINT In ("X.509", "Kerberos")
      kdsdSignatureSwitch :TYPE Boolean
      kdsdVisibility :TYPE String :CONSTRAINT In ("Public", "Partner", "Internal")
      kdsdIdentity :TYPE Object
    :CONSTRAINTS
      :CONSTRAINT-ID C-02-1 :CONSTRAINT-CATEGORIES Supply, Security
        Allow only partners to access
    :PREFERENCES
      :PREFERENCE-ID P-02-1 :PREFERENCE-CATEGORIES Supply, Security
        Prefer medium security for assurance of fund transfer
    :HEURISTICS
      :HEURISTIC-ID H-02-1 :HEURISTIC-CATEGORIES Supply, Security
        Don't let security impede acquisition
    :METHODS
      :METHOD-ID M-02-1
        Check for partner and access level

September 25, 2004 SKM 2004 13

Knowledge-based Dynamic Services/Process Language Specification Example

  kdspSearchForProviders
    :DESCRIPTION Core Broker activities
    :GOALS ProviderSearchGoal (Find services from providers that meet the goals of the request)
    :TASK kdspDiscover
    :THREAD kdspManagement
    :OWNER kdsdSearchAgent
    :STEWARD kdsdKnowledgeSifter
    :PREDECESSORS kdspClassifyRequest
    :SUCCESSORS kdspCompileSearchResults
    :STEPS
      :STEPNAME kdspSearchUDDI
      :SEQUENCE-NUMBER 1
      :STEP-DESCRIPTION Search the UDDI registry for acceptable providers and services
      :DELEGATE kdsdKnowledgeSifter
      :DELEGATE-TYPE AGENT
      :DELEGATE-ROLE LINE
      :OPERATION searchUDDI
      :METHOD-NAME kdsdKnowledgeSifter.Search
      :STEP-SUCCESSORS
        :STEP-SUCCESSOR-MODE Decision
        :STEP-SUCCESSOR-BRANCH kdspAdjustSearchParameters :STEP-CONTROL-CONDITION Insufficient Results
        :STEP-SUCCESSOR-MODE Sequential
        :STEP-SUCCESSOR-BRANCH kdspRankResults :STEP-CONTROL-CONDITION Sufficient Results
    :CONSTRAINTS
      :CONSTRAINT-ID C-13-1 :CONSTRAINT-CATEGORIES Search
        kdsdSearchReturnLimit (Return only the top 25)
      :CONSTRAINT-ID C-13-2 :CONSTRAINT-CATEGORIES Security
        Select only partners that support PKI
    :HEURISTICS
      :HEURISTIC-ID H-13-1 :HEURISTIC-CATEGORIES Search
        Partners who are in bankruptcy are a bad risk; therefore, do not use services from providers who are in bankruptcy
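The slides describe brokering on security facets (slide 6's advertise/query/mediate cycle, slide 10's Match Authentication/Authorization/Non-Repudiation steps) and give the KDL and KDSPL objects that carry the rules, but never show the matching itself. The Python below is an added example, not code from the KDSWS project or its authors: it models a provider's security facets after kdsdBlanketsSecurityConstraint, applies the constraints, preference and heuristics named on slides 12 and 13 (C-02-1, M-02-1, P-02-1, H-02-1, C-13-1, C-13-2, H-13-1), and implements kdspSearchForProviders' Decision branch (insufficient results, adjust search parameters, retry). The class and field names, the scoring weights and the SAMPLE_REGISTRY entries are all assumptions constructed for the example.

```python
"""Security-facet matchmaking for a service broker (added illustration, not KDSWS code).
Class/field names, weights and SAMPLE_REGISTRY are constructed; the IDs in comments refer to
the KDL/KDSPL examples on the slides (C-02-1, M-02-1, P-02-1, H-02-1, C-13-1, C-13-2, H-13-1)."""
from dataclasses import dataclass

# Value domains from kdsdBlanketsSecurityConstraint's :CONSTRAINT In (...) clauses.
ENCRYPT_METHODS = {"X.509", "Kerberos"}
VISIBILITIES = {"Public", "Partner", "Internal"}
PKI_METHODS = {"X.509"}  # Kerberos is symmetric-key, so it does not satisfy "supports PKI"

@dataclass(frozen=True)
class SecurityFacets:
    """Provider-side facets, mirroring the attributes of kdsdBlanketsSecurityConstraint."""
    access_level: int      # kdsdAccessLevel: minimum level a requestor must hold
    authority_level: int   # kdsdAuthorityLevel
    encrypt_method: str    # kdsdEncryptMethod
    signature: bool        # kdsdSignatureSwitch: responses are signed (non-repudiation)
    visibility: str        # kdsdVisibility

    def __post_init__(self):  # enforce the KDL value constraints when the profile is built
        if self.encrypt_method not in ENCRYPT_METHODS:
            raise ValueError(f"kdsdEncryptMethod must be in {sorted(ENCRYPT_METHODS)}")
        if self.visibility not in VISIBILITIES:
            raise ValueError(f"kdsdVisibility must be in {sorted(VISIBILITIES)}")

@dataclass(frozen=True)
class Provider:
    name: str
    facets: SecurityFacets
    is_partner: bool
    in_bankruptcy: bool = False

@dataclass
class Request:
    """Requestor-side constraints and preferences (hypothetical field names)."""
    requestor_is_partner: bool
    requestor_access_level: int
    require_pki: bool = True          # C-13-2: select only partners that support PKI
    require_signature: bool = False   # negotiable; may be relaxed by search_for_providers
    preferred_access_level: int = 2   # P-02-1: prefer medium security
    return_limit: int = 25            # C-13-1: return only the top 25

def hard_constraints(req, p):
    """Constraints filter: any violation removes the candidate. Returns the reasons."""
    reasons = []
    if p.facets.visibility != "Public" and not req.requestor_is_partner:
        reasons.append("C-02-1: only partners may access non-public services")
    if req.requestor_access_level < p.facets.access_level:
        reasons.append("M-02-1: requestor access level below the service's access level")
    if req.require_pki and p.facets.encrypt_method not in PKI_METHODS:
        reasons.append("C-13-2: provider does not support PKI")
    if req.require_signature and not p.facets.signature:
        reasons.append("non-repudiation: request needs signed responses")
    if p.in_bankruptcy:
        reasons.append("H-13-1: provider is in bankruptcy")
    return reasons

def preference_score(req, p):
    """Preferences only rank the survivors: closeness to the preferred level plus small bonuses."""
    score = -abs(p.facets.access_level - req.preferred_access_level)
    return score + (0.5 if p.facets.signature else 0) + (0.25 if p.is_partner else 0)

def broker(req, registry):
    """Broker on security facets: filter on constraints, rank on preferences, cut at return_limit."""
    ranked, rejected = [], {}
    for p in registry:
        why = hard_constraints(req, p)
        if why:
            rejected[p.name] = why
        else:
            ranked.append(p)
    ranked.sort(key=lambda p: (-preference_score(req, p), p.name))
    return ranked[:req.return_limit], rejected

def search_for_providers(req, registry, minimum=1):
    """kdspSearchForProviders' Decision branch: insufficient results -> adjust search parameters
    and retry; sufficient -> rank. Per H-02-1 only the negotiable signature preference is
    relaxed; the partner, access-level and PKI constraints are never weakened."""
    ranked, rejected = broker(req, registry)
    if len(ranked) < minimum and req.require_signature:
        req.require_signature = False  # kdspAdjustSearchParameters
        ranked, rejected = broker(req, registry)
    return ranked, rejected

# Constructed sample registry (not from the slides).
SAMPLE_REGISTRY = [
    Provider("AcmePay", SecurityFacets(2, 2, "X.509", True, "Partner"), is_partner=True),
    Provider("PartnerArchive", SecurityFacets(1, 1, "X.509", False, "Partner"), is_partner=True),
    Provider("PublicQuote", SecurityFacets(1, 1, "Kerberos", False, "Public"), is_partner=False),
    Provider("InternalLedger", SecurityFacets(3, 3, "X.509", True, "Internal"), is_partner=True),
    Provider("FailedBank", SecurityFacets(2, 2, "X.509", True, "Partner"), True, in_bankruptcy=True),
]

if __name__ == "__main__":
    req = Request(requestor_is_partner=True, requestor_access_level=2, require_signature=True)
    ranked, rejected = search_for_providers(req, SAMPLE_REGISTRY, minimum=2)
    print([p.name for p in ranked], rejected)
```

The split between hard_constraints and preference_score is the point worth carrying over to a real broker: the KDL object separates :CONSTRAINTS from :PREFERENCES and :HEURISTICS, and the "don't let security impede acquisition" heuristic is only safe if the retry loop can loosen preferences (here, the signature requirement) and never the access, partner or PKI constraints. A non-partner requestor therefore gets an empty short-list no matter how many retries run, and every rejection carries the rule ID that caused it, which is what the Feedback thread needs to record.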

September 25, 2004 SKM 2004 14

KDSWS Contributions

• Three-tiered framework for specification, design and implementation of Virtual Organizations using Semantic Web Services.
• Languages for enhanced specification of Semantic Web Service requirements for the VO.
• Security issues are addressed in specification, design and implementation phases of VO life-cycle.
• Agency-based functional architecture allows for agent specialization of functional capabilities including security.
• Workflow management of VO “transactions” with end-to-end security.

September 25, 2004 SKM 2004 15

Future Work - Prototype

Figure: KDSWS Specification and KDSWS Functional Architecture of the prototype

Agents: Import Agent, Export Agent, Mapping Agent, Publish Agent, Request Handling Agent, Broker Agent, Workflow Agent, Delivery Agent

Specification artifacts: KDL, KDSPL; Atomic KDL Objects, Aggregated KDL Objects, Mapped KDL Objects; Atomic KDSPL Objects, Aggregated KDSPL Objects, Mapped KDSPL Objects; Knowledge Objects, Agent Profiles, Workflow Patterns, Rules Objects, Policies, Ontologies

Run-time artifacts: Master Request, Master Services, Configuration Package, Fulfillment Package

External systems and standards: WSDL + UDDI + OWL-S + ..., Knowledge Sifter, Expert Systems, WfMS

September 25, 2004 SKM 2004 16

Conclusions

• Web Services and Semantic Web Services are still in their infancy so new tools and techniques are needed for Secure Knowledge Management within the Virtual Organization.
• The KDSWS Framework is one approach to meeting the above goal.
  • Meta-models capture the data organization,
  • Methodology helps to integrate the plethora of standards
  • Languages embody the meta-model & methodology to allow for “security semantics” specification
  • Integrated specification, design and implementation environment.

September 25, 2004 SKM 2004 17

Questions and Answers