Transcript 10)SKM-Bhavani-Nov29 - The University of Texas at Dallas

Data and Applications Security
Developments and Directions
Secure Knowledge Management:
Confidentiality, Privacy and Trust
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
November 29, 2005
Outline of the Unit
 Background on Knowledge Management
 Secure Knowledge Management
 Confidentiality: Access Control
 Privacy
 Trust Management
 Integrated System
 Secure Knowledge Management Technologies
 Directions
 Appendix: TrustX Research
References
 Proceedings Secure Knowledge Management Workshop
- Secure Knowledge Management Workshop, Buffalo, NY,
September 2004
- http://www.cse.buffalo.edu/caeiae/skm2004/
 Secure Knowledge Management
- Authors: Thuraisingham, Bertino, Sandhu
- To be published in IEEE Transactions on Systems, Man and
Cybernetics
- This lecture is based on the above paper
What is Knowledge Management
 Knowledge management, or KM, is the process through which
organizations generate value from their intellectual property and
knowledge-based assets
 KM involves the creation, dissemination, and utilization of
knowledge
 Reference: http://www.commerce-database.com/knowledge-
management.htm?source=google
Knowledge Management Components
Knowledge
Components of
Management:
Components,
Cycle and
Technologies
Components:
Strategies
Processes
Metrics
Cycle:
Knowledge, Creation
Sharing, Measurement
And Improvement
Technologies:
Expert systems
Collaboration
Training
Web
Organizational Learning Process
Diffusion Tacit, Explicit
Identification
Source:
Reinhardt and
Pawlowsky
Creation
Metrics
Action
Integration
Modification
Aspects of Secure Knowledge Management
(SKM)
 Protecting the intellectual property of an organization
 Access control including role-based access control
 Security for process/activity management and workflow
- Users must have certain credentials to carry out an activity
 Composing multiple security policies across organizations
 Security for knowledge management strategies and processes
 Risk management and economic tradeoffs
 Digital rights management and trust negotiation
SKM: Strategies, Processes, Metrics, Techniques
 Security Strategies:
- Policies and procedures for sharing data
- Protecting intellectual property
- Should be tightly integrated with business strategy
 Security processes
- Secure workflow
- Processes for contracting, purchasing, order
management, etc.
 Metrics
- What is impact of security on number of documents
published and other metrics gathered
 Techniques
Access control, Trust management
-
SKM: Strategies, Processes, Metrics, Techniques
Aspects of
Secure
Knowledge
Components
Managementof
Security
Strategies:
Policies,
Plans, and
Procedures
Security
Processes:
Processes for
Workflow, Order
Management,
Contracting, - - -
Technologies:
Privacy Preserving
Data Mining,
Secure Semantic
Web
Security
Metrics:
Security
Techniques:
Security impact on
Metrics gathered
for data sharing
Access Control,
Trust Management,
----
Secure Knowledge Management Architecture
Define Security Policies
Knowledge
Creation and
Acquisition
Manager
Enforce Security
Policies for dissemination
Knowledge
Dissemination
and Transfer
Manager
Represent Security Policies
Knowledge
Representation
Manager
Enforce Security
Policies for access
Knowledge
Manipulation
And Sustainment
Manager
SKM Technologies
 Data Mining
- Mining the information and determine resources without
violating security
 Secure Semantic Web
Secure knowledge sharing
 Secure Annotation Management
- Managing annotations about expertise and resources
 Secure content management
Markup technologies and related aspects for managing
content
 Secure multimedia information management
-
-
Confidentiality, Privacy and Trust
 Confidentiality: Ensuring that only authorized individuals get/acquire
the information/knowledge according to the confidentiality policies
 Privacy: Ensuring that my personal information is distributed
according to the policies I enforce
 Trust: Do we believe that the other person will not divulge
confidential and/or private information even though he/she is
authorized to receive the information
Access Control Strategy
 XML to specify policies
 Subjects request access to XML documents under two modes:





Browsing and authoring
- With browsing access subject can read/navigate documents
- Authoring access is needed to modify, delete, append
documents
Access control module checks the policy based and applies policy
specs
Views of the document are created based on credentials and policy
specs
In case of conflict, least access privilege rule is enforced
Works for Push/Pull modes
Presentation at MITRE on March 18, 2005
System Architecture for Access Control
Pull/Query
User
Push/result
X-Access
X-Admin
Admin
Tools
Policy
base
Credential
base
XML
Documents
Third-Party Architecture
 The Owner is the
XML Source Credential
base
producer
of information It specifies
access control policies
 The Publisher is responsible
for managing (a portion of)
the Owner information and
answering subject queries
 Goal: Untrusted Publisher
with respect to Authenticity
and Completeness checking
policy base
SE-XML
Owner
credentials
Publisher
Reply
document
Query
User/Subject
RBAC for SKM
 Access to information sources including structured and
unstructured data both within the organization and external to the
organization
 Search Engines and tools for identifying relevant pieces of this
information for a specific purpose
 Knowledge extraction, fusion and discovery programs and services
 Controlled dissemination and sharing of newly produced knowledge
RBAC for SKM
UCON (Usage Control) for SKM
 RBAC model is incorporated into UCON and useful for SKM
- Authorization component
 Obligations
- Obligations are actions required to be performed before
an access is permitted
- Obligations can be used to determine whether an
expensive knowledge search is required
 Attribute Mutability
- Used to control the scope of the knowledge search
 Condition
- Can be used for resource usage policies to be relaxed or
tightened
UCON for SKM
Confidentiality Controller
Interface to the Confidentiality Enhanced Semantic Web
Inference Engine/
Confidentiality Controller
Confidentiality Policies
Ontologies
Rules
Semantic Web
Engine
XML, RDF
Documents
Web Pages,
Databases
Some Privacy concerns
 Medical and Healthcare
- Employers, marketers, or others knowing of private medical
concerns of employees
 Security
- Allowing access to individual’s travel and spending data
- Allowing access to web surfing behavior
 Marketing, Sales, and Finance
- Allowing access to individual’s purchases
Privacy Preserving Data Mining
 Association Rules
- Privacy Preserving Association Rule Mining
 IBM,
---- Decision Trees
- Privacy Preserving Decision Trees
 IBM, - - -  Clustering
- Privacy Preserving Clustering
 Purdue, - - -  Link Analysis
- Privacy Preserving Link Analysis
 UTD, (ICDM Conference Workshop on Privacy
Preserving Data Mining, November 2005)
Privacy Controller
Interface to the Client
Inference Engine/
Privacy Controller
Privacy Policies
Ontologies
Rules
Client
Engine
Client
Database
Trust Negotiation model: Joint Research
with Prof. Elisa Bertino et al at Purdue
and U. Of Milan
 A promising approach for open systems where
most of the interactions occur between strangers
 The goal: establish trust between parties in order
to exchange sensitive information and services
 The approach: establish trust by verifying
properties of the other party
Trust Management for SKM
 Trust Services
- Identify services, authorization services, reputation
services
 Trust negotiation (TN)
Digital credentials, Disclosure policies
 TN Requirements
- Language requirements
 Semantics, constraints, policies
System requirements
 Credential ownership, validity, alternative negotiation
strategies, privacy
 Example TN systems
KeyNote and Trust-X (U of Milan), TrustBuilder (UIUC)
-
-
Trust Management for SKM
Integrated Approach: Confidentiality, Privacy
and Trust
SKM for Coalitions
 Organizations form federations and coalitions work together
to solve a problem
- Universities, Commercial corporations, Government
agencies
 Challenges is to share data/information and at the same time
ensure security and autonomy for the individual
organizations
 How can knowledge be shared across coalitions?
 Incentive compatible knowledge sharing techniques
SKM Coalition Architecture: Joint Research with
Prof. Ravi Sandhu at GMU
Knowledge for Coalition
Export
Knowledge
Export
Knowledge
Export
Knowledge
Component
Knowledge for
Agency A
Component
Knowledge for
Agency C
Component
Knowledge for
Agency B
Directions
 We have identified high level aspects of SKM
- Strategies, Processes. Metrics, techniques, Technologies,
Architecture
 Need to investigate security issues
RBAC, UCON, Trust, Privacy etc.
 CS departments should collaborate with business schools on
KM and SKM
-
Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Secure Knowledge Management:
Confidentiality, Privacy and Trust
Appendix: TrustX System and Current Research
Joint work with Purdue University and
University of Milan
November 29, 2005
The problem:
Establishing trust in open systems
 Interactions between strangers
- In conventional systems user identity is known in advance
and can be used for performing access control
- In open systems partecipants may have no pre-existing
relationship and may not share a common security domain

Mutual authentication
-
Assumption on the counterpart honesty no longer holds
Both participants need to authenticate each other
Trust Negotiation model
 A promising approach for open systems where
most of the interactions occur between strangers
 The goal: establish trust between parties in order
to exchange sensitive information and services
 The approach: establish trust by verifying
properties of the other party
Trust negotiation: the approach
Interactions between strangers in open systems
are different from traditional access control models
Policies and mechanisms developed in conventional
systems need to be revised
USER ID’s
VS.
SUBJECT PROPERTIES
ACCESS CONTROL
POLICIES
VS.
DISCLOSURE POLICIES
Subject properties: digital credentials
 Assertion about the credential owner issued and certified by a Certification
Authority.
 Each entity has an associated set of credentials,
describing properties and attributes of the owner.
CA
CA
CA
CA
Use of Credentials
Digital Credentials
Issuer
-Julie
-3 kids
Alice
-Married
Check
-American
-Julie
- American
Credential
Check
-Julie
- Married
Company B
Want to know marital status
Company A
Want to know citizenship
Referenced from http://www.credentica.com/technology/overview.pdf
Credentials
 Credentials can be expressed through the Security Assertion
Mark-up Language (SAML)
 SAML allows a party to express security statements about a
given subject
Authentication statements
- Attribute statements
- Authorization decision statements
-
Disclosure policies
 Disclosure policies govern:
Disclosure
policies
Access to protected resources
Access to sensitive information
Disclosure of sensitive credentials
 Disclosure policies express trust requirements by means of credential
combinations that must be disclosed to obtain authorization
Disclosure policies - Example
 Suppose NBG Bank offers loans to students
 To check the eligibility of the requester, the Bank asks the
student to present the following credentials
The student card
- The ID card
- Social Security Card
- Financial information – either a copy of the Federal Income Tax
-
Return or a bank statement
Disclosure policies - Example
p1= ({}, Student_Loan  Student_Card());
p2= ({p1}), Student_Loan  Social_Security_Card());
p3= ({p2}, Student_Loan 
Federal_Income_Tax_Return());
p4= ({p2}, Student_Loan  Bank_Statement());
P5=({p3,p4}, Student_Loan  DELIV);
These policies result in two distinct “policy chains” that lead to
disclosure
[p1, p2, p3, p5]
[p1, p2, p4, p5]
Trust Negotiation - definition
The gradual disclosure of credentials and requests
for credentials between two strangers, with the goal
of establishing sufficient trust so that the parties
can exchange sensitive information and/or resources
Trust-X system: Joint Research with University
of Milan and Purdue University
 A comprehensive XML based framework for trust negotiations:
Trust negotiation language (X-TNL)
System architecture
Algorithms and strategies to carry out the negotiation process
Trust-X language: X-TNL
Able to handle mutliple and heterogeneus certificate
specifications:
 Credentials
 Declarations
Able to
help the user in customizing the management of
his/her own certificates
 X-Profile
 Data Set
Able to
define a wide range of protection requirements by
means of disclosure policies
X-TNL: Credential type system
X-TNL simplifies the
task of
credential
specification by
using a set of templates
called credential types
Uniqueness is ensured by
use of XML Namespaces
Credential types
are defined by using
Document Type Definition
<!DOCTYPE library_badge[
<!ELEMENT library_badge (name, address, phone_number*,
email?, release_date, profession,Issuer)>
<!ELEMENT name
(fname, lname)>
<!ELEMENT address
(#PCDATA)>
<!ELEMENT phone_number
(#PCDATA)>
<!ELEMENT email
(#PCDATA)>
<!ELEMENT release_date
(#PCDATA)>
<!ELEMENT profession
(#PCDATA)>
<!ELEMENT fname
(#PCDATA)>
<!ELEMENT lname
(#PCDATA)>
<!ELEMENT Issuer
ANY>
<!ATTLIST Issuer
XML:LINK
CDATA
#FIXED “SIMPLE”
HREF
CDATA
#REQUIRED
TITLE
CDATA
#IMPLIED>
<!ATTLIST
library_badge CredID ID #REQUIRED>
<!ATTLIST
library_badge SENS CDATA #REQUIRED>
]>
Trust-X negotiation phasesbasic model
Introduction
1.


Send a request for a resource/service
Introductory policy exchanges
Policy evaluation phase
2.


3.
Disclosure policy exchange
Evaluation of the exchanged policies in order to determine secure solutions
for both the parties.
Certificate exchange phase

Exchange of the sequence of certificates determined at step n. 2.
Trust-X Architecture
Trust-X has been specifically designed for a peer-to-peer environment in
that each party is equipped with the same functional modules and thus it
can alternatively act as a requester or resource controller during different
negotiations.
REQUESTER
CONTROLLER
POLICY
X-
BASE
POLICY
PROFILE
BASE
X-
POLICY EXCHANGE
COMPLIANCE
CHECKER
PROFILE
COMPLIANCE
CHECKER
POLICY EXCHANGE
TREE
MANAGER
TREE
MANAGER
How a policy is processed
Upon receiving a disclosure policy the compliance checker
determines if it can be satisfied by any certificate of the local Xprofile.
Then, the module checks in the policy base the protection needs
associated with the certificates, if any.
The state of the negotiation is anyway updated by the tree
manager, which records whether new policies and credentials
have been involved or not.
Disclosure Policies
TREE
MANAGER
COMPLIANCE
CHECKER
X-Profile
Policy
Base
Policy Reply
Current Research
 How can we ensure privacy in Trust Negotiation Systems
 Joint work with U. of Milan and Purdue
 Squichinari, Bertino, Ferrari and Thuraisingham et al
 To appear in ACM Transactions on Information and Systems
Security