A Policy Based Approach to Security for the Semantic Web

  • Lalana Kagal
  • Tim Finin
  • Anupam Joshi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2870)


Alongside the specifications being developed for describing meta-data and extracting information for the Semantic Web, it is important to maximize security in this environment, which is fundamentally dynamic, open and devoid of many of the clues that human societies have relied on for security assessment. Our research investigates marking up web entities with a semantic policy language and using distributed policy management as an alternative to traditional authentication and access control schemes. The policy language allows policies to be described in terms of deontic concepts (such as permissions and prohibitions) and models speech acts (such as delegation and revocation), which allows the dynamic modification of existing policies, decentralized security control and less exhaustive policies. We present a security framework, based on this policy language, that addresses security issues for web resources, agents and services in the Semantic Web.
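As an added illustration of the two ideas in the abstract, deontic policy rules and speech acts that modify the policy in force, the following Python is editor-supplied example code. It is not the paper's policy language and not code from the authors; the class names, the "permit"/"forbid" vocabulary, the agents (alice, bob, carol, dave), the "editor" role and the "paper" resource are all constructed for the example. It shows a default-deny evaluator in which a prohibition overrides a permission, plus delegation and revocation acts that add or remove rules at run time instead of requiring every permission to be enumerated up front.

```python
# Toy deontic policy store with speech acts. Editor-added illustration only;
# hypothetical names throughout, not the paper's policy language.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One deontic statement: 'permit' or 'forbid' a subject's action on a resource."""
    modality: str    # "permit" or "forbid"
    subject: str     # an agent id or a role name
    action: str
    resource: str


@dataclass
class PolicyStore:
    rules: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)   # agent id -> set of role names

    def _applicable(self, agent, action, resource):
        principals = {agent} | self.roles.get(agent, set())
        return [r for r in self.rules
                if r.subject in principals and r.action == action and r.resource == resource]

    def decide(self, agent, action, resource):
        """Default-deny; an explicit prohibition overrides any permission (conflict resolution)."""
        applicable = self._applicable(agent, action, resource)
        if any(r.modality == "forbid" for r in applicable):
            return "deny"
        if any(r.modality == "permit" for r in applicable):
            return "allow"
        return "deny"

    # Speech acts: these change the policy in force at run time.
    def delegate(self, delegator, delegatee, action, resource):
        """Delegator hands on a permission it currently holds; refused otherwise."""
        if self.decide(delegator, action, resource) != "allow":
            raise PermissionError(f"{delegator} cannot delegate {action} on {resource}")
        rule = Rule("permit", delegatee, action, resource)
        self.rules.add(rule)
        return rule

    def revoke(self, subject, action, resource):
        """Withdraw a previously granted permission."""
        self.rules.discard(Rule("permit", subject, action, resource))

    def prohibit(self, subject, action, resource):
        """Add an explicit prohibition, which wins over permissions in decide()."""
        self.rules.add(Rule("forbid", subject, action, resource))


def example_store():
    """Constructed sample policy: the 'editor' role may write 'paper'; alice is an editor."""
    store = PolicyStore()
    store.roles["alice"] = {"editor"}
    store.rules.add(Rule("permit", "editor", "write", "paper"))
    return store


def run_scenario():
    """Walk through permission, delegation, prohibition and revocation; return each decision."""
    store = example_store()
    out = {}
    out["alice_initial"] = store.decide("alice", "write", "paper")        # allow, via role
    out["bob_initial"] = store.decide("bob", "write", "paper")            # deny, default
    store.delegate("alice", "bob", "write", "paper")                      # speech act: delegation
    out["bob_after_delegation"] = store.decide("bob", "write", "paper")   # allow
    store.prohibit("bob", "write", "paper")                               # prohibition overrides
    out["bob_after_prohibition"] = store.decide("bob", "write", "paper")  # deny
    store.rules.discard(Rule("forbid", "bob", "write", "paper"))          # lift the prohibition
    store.revoke("bob", "write", "paper")                                 # speech act: revocation
    out["bob_after_revocation"] = store.decide("bob", "write", "paper")   # deny
    try:
        store.delegate("carol", "dave", "write", "paper")                 # carol holds nothing
        out["carol_delegation"] = "accepted"
    except PermissionError:
        out["carol_delegation"] = "rejected"
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Two caveats a practitioner would add before using anything like this in a decentralized setting: a speech act that changes policy is itself a security-sensitive message, so the store must authenticate that it really came from the delegator (for example by requiring a signature over the act) before honouring it; and this toy records no delegation chain, so revoking alice's permission would not automatically remove what she passed to bob, which a real system must handle. The prohibition-wins rule is one simple conflict-resolution choice, not the only possible one.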


Keywords: access control, policy language, security policy, policy rule, role-based access control



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Lalana Kagal, Tim Finin, Anupam Joshi
    Computer Science and Electrical Engineering Department, University of Maryland Baltimore County, Baltimore, USA
