Palanivel Andiappan Kodeswaran

Enforcing security in semantics driven policy based networks

Security is emerging as an important requirement for a number of distributed applications such as online banking, social networking etc. due to the private nature of the data being involved. Further more, the wide spread use of portable devices such as laptops, PDAs etc. allows users to make meaningful ad hoc collaborations. Traditional security solutions are not feasible for these scenarios due to the varying nature of the collaborations in terms of entities involved and their roles, available resources etc. Under these circumstances, we need generic solutions that take into account the semantics of the collaborations in determining the set of allowable operations. In this paper, we propose an extensible framework that uses semantics driven policies for enforcing security. Our policies are rooted in semantic web languages which makes amenable to interoperability, and also enables high level reasoning for conflict resolution and policy adaptation. We describe our policy based network that uses packet content semantics to best handle different streams, and show how our framework can be used to secure enterprise networks and the BGP routing process.

Utilizing semantic policies for managing BGP route dissemination

Policies in BGP are implemented as routing configurations that determine how route information is shared among neighbors to control traffic flows across networks. This process is generally template driven, device centric, limited in its expressibility, time consuming and error prone which can lead to configurations where policies are violated or there are unintended consequences that are difficult to detect and resolve. In this paper, we propose an alternate mechanism for policy based networking that relies on using additional semantic information associated with routes expressed in an OWL ontology. Policies are expressed using SWRL to provide fine-grained control where by the routers can reason over their routes and determine how they need to be exchanged. In this paper, we focus on security related BGP policies and show how our framework can be used in implementing them. Additional contextual information such as affiliations and route restrictions are incorporated into our policy specifications which can then be reasoned over to infer the correct configurations that need to be applied, resulting in a process which is easy to deploy, manage and verify for consistency.

Applying differential privacy to search queries in a policy based interactive framework

Web search logs are of growing importance to researchers as they help understanding search behavior and search engine performance. However, search logs typically contain sensitive information about users and therefore considerable caution must be exercised when considering releasing the logs to the research community. Current approaches to releasing search logs focus on either protecting the privacy of users or enhancing the utility of data to researchers. In this work, we address the privacy-utility tradeoff by providing safe access to search logs, instead of releasing them. We propose a policy based safe interactive framework built on semantic policies and differential privacy to allow researchers access to search logs, while maintaining the privacy of the users. Semantic policies are used to infer the higher levels of information that can be mined from a dataset based on the fields accessed by a researcher. The accessed fields are then used to build research profile(s) that guide the amount of privacy to be enforced using differential privacy. We show the additional utility that can be obtained in our framework by two demonstrative experiments that involve access to user level information. Our results indicate that valid research can be conducted in our framework without forgoing the privacy of individuals.

A Policy Based Infrastructure for Social Data Access with Privacy Guarantees

We present a policy based infrastructure for social data access with the goal of enabling scientific research, while preserving privacy. We describe motivating application scenarios that could be enabled with the growing number of user datasets such as social networks, medical datasets etc. These datasets contain sensitive user information and sufficient caution must be exercised while sharing them with third parties to prevent privacy leaks. One of the goals of our framework is to allow users to control how their data is used, while at the same time enabling the aggregate data to be used for scientific research. We extend existing access control languages to explicitly model user intent in data sharing as well as supporting additional access modes that go beyond the traditional allow/deny binary semantics of access control. We describe our policy infrastructure and show how it can be used to enable the above scenarios while still guaranteeing individual privacy and present a prototype implementation of the framework extending the SecPAL authorization language to account for new roles and operations.

Towards a privacy preserving policy based infrastructure for social data access to enable scientific research

In this paper, we present a policy based infrastructure for social data access with the goal of enabling scientific research, while preserving privacy. We describe motivating application scenarios that could be enabled with the growing number of user datasets such as social networks and medical datasets. These datasets contain sensitive user information and sufficient caution must be exercised while sharing them with third parties to prevent privacy leaks. One of the goals of our framework is to allow users to control how their data is used, while at the same time enable researchers to use the aggregate data for scientific research. We extend existing access control languages to explicitly model user intent in data sharing as well as supporting additional access modes viz. Complete Access, Abstract Access and Statistical Access that go beyond the traditional allow/deny binary semantics of access control. We then describe our policy infrastructure and show how it can be used to enable the above scenarios while still guaranteeing individual privacy. We then present our initial implementation of the framework extending the SecPAL authorization language to account for new roles and operations.

A declarative approach for secure and robust routing

Many Internet failures are caused by misconfigurations of the BGP routers that manage routing of traffic between domains. The problems are usually due to a combination of human errors and the lack of a high-level language for specifying routing policies that can be used to generate router configurations. We describe an implemented approach that uses a declarative language for specifying network-wide routing policies to automatically configure routers and show how it can also be used by software agents to diagnose and correct some networking problems. The language is grounded in an ontology defined in OWL and polices expressed in it are automatically compiled into low-level router configurations. A distributed collection of software agents use the high-level policies and a custom argumentation protocol to share and reason over information about routing failures, diagnose probable causes, and correct them by reconfiguring routers and/or recommending actions to human operators. We have evaluated the framework in both a simulator and on a small physical network. Our results show that the framework performs well in identifying failure causes and automatically correcting them by reconfiguring routers when permitted by the policies.

Enforcing secure and robust routing with declarative policies

Internet routers must adhere to many polices governing the selection of paths that meet potentially complex constraints on length, security, symmetry and organizational preferences. Many routing problems are caused by their misconfigura-tion, usually due to a combination of human errors and the lack of a high-level formal language for specifying routing policies that can be used to generate router configurations. We describe an approach that obviates many problems by using a declarative language for specifying network-wide routing policies to automatically configure routers and also inform software agents that can diagnose and correct networking problems. Our policy language is grounded in ontologies encoded in the Semantic Web language OWL, supporting machine understanding and interoperability. Polices expressed in it can be automatically compiled into low-level router configurations and intelligent agents can reason with them to diagnose and correct routing problems. We have prototyped the approach and evaluated the results both in a simulator and on a small physical network. Our results show that the framework performs well on a number of use cases, including checking for policy coherence, preventing asymmetric routing patterns, applying organizational preferences, and diagnosing and correcting failures.

Managing and Securing Critical Infrastructure – A Semantic Policy- and Trust-Driven Approach

Cyber-physical systems (CPSs) and cyber infrastructure are the key elements of the national infrastructure, and securing them is of vital importance to national security. There is ample evidence that these systems are vulnerable to disruption and damage due to natural disasters, social crises, and terrorism. CPS applications are becoming more widespread, ranging from health-care patient monitoring systems to autonomous vehicles to integrated electrical power grids. Often, the new application domains cross administrative boundaries and are not under the supervisory control of a single domain. This introduces critical issues of policy and trust that have not been traditionally addressed in their design and management. Most work in securing CPS and cyber infrastructure has focused on security of the communication links between the sensing and actuating elements. We describe a more holistic approach that is based on the concepts of situation awareness for monitoring the state of a CPS and high-level policies to manage its functioning and security. Such a framework can manage the trust relationship among entities as well as external contextual information when detecting, evaluating, and responding to threats. We illustrate the framework by showing how it can protect the traditional Internet backbone by automatically configuring BGP router systems, defending against attacks, and recovering from accidental or malicious damage. We also illustrate how the same framework can be used to secure devices and information in mobile networks.

Towards a Declarative Framework for Managing Application and Network Adaptations

Cross layer optimizations are increasingly being used in a variety of applications to improve application performance. However most of these implementations are ad hoc and performed on a per application basis. In this paper we propose a declarative framework for managing application and network adaptations. The declarative paradigm provides a much needed clean line of separation between the high level goals and the low level implementations. Our framework exposes the tunable features of both the application and the network across layers of the network stack which can then be jointly optimized. We allow operators to control the adaptation process through operator specified policies. This enables operators to retain control over their networks while the application and the network adapt in response to changing conditions. To support evolution, we pursue an ontological approach and use semantic web languages such as OWL and RDF in our framework for the policy and declarative specifications, thereby also leveraging the inherent reasoning and conflict resolution features of these languages. We then describe our framework developed on top of NS2 to demonstrate the utility of our approach in the easy implementation of cross layer optimizations through sample application scenarios.