Security and trust ontologies catalog


Safelayer has opted for semantic technologies to improve processes for obtaining security and trust. Using semantic standards such as RDF and OWL, we can intelligently structure the information, although to do this we must first determine the ontologies to be used in our applications for modeling the concepts.

 

For this reason, Safelayer carried out a study on published ontologies related to the concepts of security and trust. These were adopted or extended and new ontologies were also created for expressing all the concepts and relations we wanted to deal with in our applications. The result is Safelayer's proposal for Security and Trust Ontologies that constitutes the starting point for our semantic knowledge base.

The following figure outlines the concepts and relations dealt with in Safelayer applications:

[Figure: Security and trust ontologies]

The trust concepts are obtained by applying an inference layer on other basic concepts. The syntax proposed by the W3C is used via the RDF and OWL standards. The DL variant of OWL is used because it provides a high level of expressiveness and is also decidable.

Important concepts:

  • Context. The environment in which the actions to be assessed for their trust take place. It is defined semantically with Safelayer's context ontology.
  • Security & Trust. Includes basic security concepts, such as protocols, mechanisms and security policies, which were included in the NRL ontologies. It also includes all the elements related to the PKI, for which there have been very few ontologies defined, or at least published, up until now. To compensate for this shortage, ontologies for the following concepts were developed:
    • PKI Entities. From authorities to end entities (users) in the PKI domain.
    • X.509 Certificates. Regarded as the core of the PKI, as specified in RFC 5280.
    • Certification Practice Statement. The procedures that govern the entities involved in the PKI, as defined in RFC 3647.
    • Trust lists. The Trust-Service Status List concept, defined in the ETSI TS 102 231 standard, describes the format of the lists where a given entity can specify the services it trusts.
    • Evaluation. Models a typically Web 2.0 concept: user-evaluation ratings.
  • Vulnerabilities & Risk. When it comes to security, it is essential to take into account the concepts of risk analysis, which can help in evaluating the trust an electronic transaction deserves. For this purpose, A. Herzog's SECOnt ontology includes a vocabulary of threats, safeguards and vulnerabilities.
  • Identity. The definition of identity is based on the FOAF ontology, which is currently very popular in Web environments and especially in social networks. Because this ontology is high-level, information from other ontologies can easily be included to enrich the definition of the identity.
  • Resource. As its name suggests, the RDF language supports referencing any resource using URIs.

On top of the semantic knowledge base sit the inference layers and trust concepts:

  • Inference. One of the major advantages of semantic technologies is that they support the use of inference or reasoning techniques. Languages such as SPARQL and SWRL support creating 'intelligent' applications that use, for example, the description of semantic rules to infer new knowledge.
  • Trust. Safelayer's final aim is to evaluate and specify the degree of trust of any transaction or resource that has anything to do with security and trust. This is obtained by the inference layer or directly from the concepts.

This collection of ontologies and concepts is the base for the new Safelayer applications, in which the aim is to provide users with the perception of trust.

This work contains collaborations that were co-funded by the Centro para el Desarrollo Tecnológico Industrial (CDTI) as part of the SEGUR@ project, ref. CENIT-2007 2004 in the CENIT program (under the INGENIO 2010 initiative), and the Ministerio de Industria, Turismo y Comercio (Spanish Ministry for Industry, Tourism and Trade) under the SAT2 project, refs. TSI-020100-2008-365 and TSI-020100-2009-374 of the AVANZA I+D sub-program.