Ontology-Based Policy Translation

  • Cataldo Basile
  • Antonio Lioy
  • Salvatore Scozzi
  • Marco Vallini
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 63)

Abstract

Quite often attacks are enabled by mis-configurations generated by human errors. Policy-based network management has been proposed to cope with this problem: goals are expressed as high-level rules that are then translated into low-level configurations for network devices. While the concept is clear, there is a lack of tools supporting this strategy. We propose an ontology-based policy translation approach that mimics the behaviour of expert administrators, without their mistakes. We use ontologies to represent the domain knowledge and then perform reasonings (based on best practice rules) to create the configurations for network-level security controls (e.g. firewall and secure channels). If some information is missing from the ontology, the administrator is guided to provide the missing data. The configurations generated by our approach are represented in a vendor-independent format and therefore can be used with several real devices.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Agrawal, D.: Business impact of research on policy for distributed systems and networks. In: IEEE POLICY 2007, Bologna, Italy (June 2007)Google Scholar
  2. 2.
    Westerinen, A., Schnizlein, J., Strassner, J., et al.: Terminology for Policy-Based Management. RFC-3198 (November 2001)Google Scholar
  3. 3.
    Strassner, J.C.: Policy Based Network Management. Morgan Kauffman Publishers, San Francisco (2004)Google Scholar
  4. 4.
    Gruber, T.R.: Toward Principles for the Design of Ontologies Used for Knowledge Sharing. Int. Journal Human-Computer Studies 43(5-6), 907–928 (1995)CrossRefGoogle Scholar
  5. 5.
    Strassner, J., Neuman de Souza, J., Raymer, D., Samudrala, S., Davy, S., Barrett, K.: The design of a new policy model to support ontology-driven reasoning for autonomic networking. In: LANOMS 2007, Rio de Janeiro, Brasil, September 2007, pp. 114–125 (2007)Google Scholar
  6. 6.
    Tsoumas, B., Gritzalis, D.: Towards an ontology-based security management. In: Int. Conf. on Advanced Information Networking and Applications, Vienna, Austria, pp. 985–992 (2006)Google Scholar
  7. 7.
    Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: ASIACCS, Sydney, Australia, pp. 183–194 (2009)Google Scholar
  8. 8.
    Ekelhart, A., Fenz, S., Klemen, M., Weippl, E.: Security ontologies: Improving quantitative risk analysis. In: Hawaii Int. Conf. on System Sciences, Big Island, Hawaii, p. 156a (2007)Google Scholar
  9. 9.
    Uszok, A., Bradshaw, J.M., Johnson, M., Jeffers, R., Tate, A., Dalton, J., Aitken, S.: KAoS policy management for semantic web services. IEEE Intelligent Systems 19(4), 32–41 (2004)CrossRefGoogle Scholar
  10. 10.
    Uszok, A., Bradshaw, J., Lott, J.: et al.: New developments in ontology-based policy management: Increasing the practicality and comprehensiveness of KAoS. In: IEEE POLICY 2008, Palisades, NY, USA, June 2008, pp. 145–152 (2008)Google Scholar
  11. 11.
    Mayer, A., Wool, A., Ziskind, E.: Offline firewall analysis. Int. J. Inf. Secur. 5(3), 125–144 (2006)CrossRefGoogle Scholar
  12. 12.
    Al-Shaer, E., Hamed, H.: Modeling and Management of Firewall Policies. IEEE Transactions on Network and Service Management 1(1), 2–10 (2004)CrossRefGoogle Scholar
  13. 13.
    Agrawal, D., Calo, S., Lee, K.W., Lobo, J.: Issues in designing a policy language for distributed management of it infrastructures. In: IFIP/IEEE Int. Symp. on Integrated Network Management, Munich, Germany, pp. 30–39 (2007)Google Scholar
  14. 14.
    Moore, B., Ellesson, E., Strassner, J., Westerinen, A.: Policy core information model (RFC-3060) (February 2001)Google Scholar
  15. 15.
    Moore, B.: Policy core information model (PCIM) extensions (RFC-3460) (January 2003)Google Scholar
  16. 16.
    NIST: Role based access control, http://csrc.nist.gov/groups/SNS/rbac/
  17. 17.
    Loscocco, P.A., Smalley, S.D., Muckelbauer, P.A., Taylor, R.C., Turner, S.J., Farrell, J.F.: The inevitability of failure: The flawed assumption of security in modern computing environments. In: National Information Systems Security Conf., Crystal City, VA, USA, pp. 303–314 (1998)Google Scholar
  18. 18.
    SANS: The SANS Security Policy Project, http://www.sans.org/resources/policies/
  19. 19.
    POSITIF Consortium: The POSITIF system description language (P-SDL) (2007), http://www.positif.org/
  20. 20.
    Clark, Parsia: Pellet: The open source OWL DL reasoner, http://clarkparsia.com/pellet
  21. 21.
    Clark, K.G., Feigenbaum, L., Torres, E.: SPARQL protocol for RDF, http://www.w3.org/TR/rdf-sparql-protocol/
  22. 22.
    HP-Labs: Jena a semantic web framework for java, http://jena.sourceforge.net/
  23. 23.
    OASIS: Core and hierarchical role based access control (RBAC) profile of XACML v2.0, http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-pro%file1-spec-os.pdfGoogle Scholar
  24. 24.
    Smith, M.K., Welty, C., McGuinness, D.L.: OWL web ontology language guide (2004), http://www.w3.org/TR/owl-guide/
  25. 25.
    Stanford: Protégé, http://protege.stanford.edu/
  26. 26.
    Bechhofer, S.: The DIG description logic interface: DIG/1.0Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Cataldo Basile
    • 1
  • Antonio Lioy
    • 1
  • Salvatore Scozzi
    • 1
  • Marco Vallini
    • 1
  1. 1.Dip. di Automatica ed InformaticaPolitecnico di TorinoTorinoItaly

Personalised recommendations