kaos policy management for semantic web services

32 1541-1672/04/$20.00 © 2004 IEEE IEEE INTELLIGENT SYSTEMSPublished by the IEEE Computer Society

S e m a n t i c W e b S e r v i c e s

KAoS PolicyManagement forSemantic Web ServicesAndrzej Uszok, Jeffrey M. Bradshaw, Matthew Johnson, and Renia Jeffers,Institute for Human and Machine Cognition

Austin Tate, Jeff Dalton, and Stuart Aitken, University of Edinburgh

D espite rapid advances in Web Services, the user community’s demanding require-

ments continue to outstrip available technology solutions. To help close this gap,

Semantic Web Services advocates are defining and implementing many new and sig-

nificant capabilities (www.swsi.org). These new capabilities should more fully harness

Web Services’ power through explicit representa-tions of Web resources’ underlying semantics andthe development of an intelligent Web infrastructurethat can fully exploit them. Semantic Web languages,such as OWL, extend RDF to let users specifyontologies comprising taxonomies of classes andinference rules.

Both people and software agents can effectively useSemantic Web Services.1 Agents will increasingly usethe combination of semantic markup languages andSemantic Web Services to understand and auton-omously manipulate Web content in significant ways.Agents will discover, communicate, and cooperatewith other agents and services and—as we’ll describe—will rely on policy-based management and controlmechanisms to ensure respect for human-imposedconstraints on agent interaction. Policy-based controlsof Semantic Web Services can also help govern inter-action with traditional (nonagent) clients.

In the mid 1990s, we began to define the initialversion of KAoS, a set of platform-independent ser-vices that let people define policies ensuring ade-quate predictability and controllability of both agentsand traditional distributed systems. With variousresearch partners, we’re also developing and evalu-ating a generic model of human-agent teamwork thatincludes policies to assure natural and effective inter-action in mixed teams of people and agents—bothsoftware and robotic.2–4 We’re exploiting the powerof Semantic Web representations to address some ofthe challenges currently limiting Semantic Web Ser-vices’ widespread deployment.

KAoS policy and domain managementservices

KAoS is one of the first efforts for representingpolicy using a Semantic Web language—in this case,OWL (see the sidebar on page 36 for more aboutpolicies and the Semantic Web). Gianluca Tonti andhis colleagues have compared two semantically richpolicy representations, KAoS and Rei,5 and a moretraditional policy language, Ponder.6 KAoS servicesand tools allow for the specification, management,conflict resolution, and enforcement of policies inthe specific contexts established by complex orga-nizational structures represented as domains.2,7–9

Ontological representation of KAoS policies

KAoS uses ontology concepts (encoded in OWL)to build policies. During its bootstrap, KAoS firstloads the core KAoS Policy Ontology defining con-cepts used to describe a generic actor’s environmentand policies in this context (http://ontology.ihmc.us).Then, KAoS loads additional ontologies on top ofthis, extending concepts from the core ontology, withnotions specific to the particular controlled environ-ment and application domain.

The KAoS Policy Service distinguishes betweenpositive and negative authorizations (constraints thatpermit or forbid some action) and positive and nega-tive obligations (constraints that require some actionwhen a state- or event-based trigger occurs or thatserve to waive such a requirement).2,6 Other policyconstructs (for example, delegation or role-based

KAoS policy and

domain services help

with policy

specification, analysis,

disclosure, and

enforcement for

Semantic Web Services.

The authors describe

these capabilities in the

context of three

applications: Grid

Policy Management,

Coalition Search and

Rescue, and the

Semantic Firewall.

authorization) are built from the basic domainprimitives plus the four policy types.

KAoS policy’s OWL definition (see Figure1) is an instance of one of these four basic pol-icy classes: PositiveAuthorization, NegativeAuthoriza-tion, PositiveObligation, or NegativeObligation. Theproperty values determine management infor-mation for a particular policy (for example,its priority). The type of policy instance deter-mines the kind of constraint KAoS shouldapply to the action, while a policy’s actionclass is used to determine a policy’s applica-bility in a given situation. The action class usesOWL restrictions to narrow scopes-of-actionproperties to a particular policy’s needs. Everyaction contains a definition of the range ofactors performing it. This range can be definedusing any available OWL construct. Forexample, the range can be an enumeration ofactor instances, a class of actors defining itstype, or any description of the actor context(for instance, the class of actors executed onsome host and possessing a given resource).The same is true for the action class’s otherproperties. Consequently, policy can containarbitrarily complex definitions of a situation.So, KAoS policies represent policies withoutconditional rules, relying instead on the con-text restrictions associated with the actionclass to determine policy applicability in agiven situation.

An action class helps classify actioninstances that actors intend to take or areundertaking. Components (such as KAoSguards) that are interested in checking policyimpact on these actions construct RDFdescriptions of action instances. KAoS clas-sifies these instances, relying on the inferencecapabilities of Stanford University’s JavaTheorem Prover (JTP, www.ksl.stanford.edu/software/JTP). It then obtains a list of anypolicies whose action classes are relevant tothe current situation. In the next step, KAoSdetermines the relative precedence of theobtained policies and sorts them accordinglyto find the dominating authorization policy.If the dominating authorization is positive,KAoS then collects, in order of precedence,obligations from any triggered obligationpolicies. KAoS returns the result to the inter-ested parties—in most cases, these parties arethe enforcement mechanisms that are jointlyresponsible for blocking forbidden actionsand assuring the performance of obligations.

Representing policies in OWL facilitatesreasoning about the controlled environment,policy relations and disclosure, policy con-flict detection, and harmonization. It also

facilitates reasoning about domain structureand concepts exploiting the description logicsubsumption and instance classification algo-rithms. KAoS can identify and, if desired,harmonize conflicting policies through algo-rithms that we’ve implemented in JTP.

KAoS featuresKAoS has several important features.

Homogeneous policy representation. Be-cause all aspects of KAoS policy represen-tation are encoded purely in OWL, any third-party tool or environment supportingOWL can perform specialized analyses ofthe full knowledge base independently ofKAoS. As the Semantic Web becomes morewidely deployed, this will ease integrationwith an increasingly sophisticated range ofnew OWL tools and language enhancements.

Maturity. Over the past few years, we’ve usedKAoS services in conjunction with a widerange of applications and operating platforms.

Comprehensiveness. Unlike many ap-proaches that deal with only simple forms ofaccess control or authorization, KAoS sup-ports both authorization and obligationpolicies. Additionally, we’ve implementeda complete infrastructure for policy man-

agement, including a full range of capabili-ties from sophisticated user interfaces forpolicy specification and analysis to a genericpolicy disclosure mechanism. We’re furtherdeveloping facilities for policy enforcementautomation (that is, automatic code genera-tion for enforcers).

Pluggability. A platform-specific and appli-cation-specific ontology is easily loaded ontop of the core concepts. Moreover, we’vestraightforwardly adapted the policy enforce-ment elements to a wide range of computingenvironments, both traditional distributed-computing platforms (for example, Web Ser-vices, grid computing, and CORBA) and vari-ous software and robotic agent platforms (forexample, Nomads, Brahms, SFX, CoABSGrid, and Cougaar).

Scalability and performance. We optimizedthe policy disclosure methods such thatresponse to a query from an enforcer is pro-vided on average in less than 1 ms. This per-formance is due in part to our reliance on effi-cient and logically decideable descriptionlogic subsumption and classification meth-ods. Furthermore, queries can be executedconcurrently by multiple enforcers, lettingKAoS export multiprocessor machines. Inrigorous evaluations in the DARPA UltraLog

JULY/AUGUST 2004 www.computer.org/intelligent 33

Figure 1. The graphical interface of the OWL policy editor and administration tool, theKAoS Policy Administration Tool.

program, we’ve found that performance isacceptable even in large societies of morethan a thousand agents, running on a dozenor more platforms, with hundreds of policies.Here, dynamic policy updates can be com-mitted, deconflicted, and distributed in a mat-ter of a few seconds. Further enhancementsto underlying reasoners (for example, cur-rent work on general “untell” mechanisms)and advances in computer hardware will con-tinue to improve this performance.

Beyond description logic for policy representation

Until recently, KAoS used only OWL-DL(initially DAML) to describe policy-governedentities and their actions. The semantic rich-ness OWL enables in comparison to traditionalpolicy languages allowed us much greaterexpressivity in specifying policies. However,we found ourselves limited in situations wherewe needed to define policies in which one ele-ment of an action’s context depended on thevalue of another part of the context. A simpleexample is an action of loop communication,where you must constrain the source and thedestination of communication so that they’re

one and the same. A more complex examplewould be when we want to constrain the actionto return the results of a calculation to only theparties that provided the data used to performit (or to the specific entities the data’s providersauthorized). Such an action description mightbe needed to specify a policy controlling thedistribution of calculation results. All suchaction descriptions go beyond what OWL-DLcan express.

The required missing aspect of representa-tional semantics has, however, been well stud-ied under the name of role-value maps.10 Thesemaps should express equality or containmentof values that has been reached through twochains of instance properties. The emergingstandard for OWL rules, the Semantic WebRule Language (SWRL, www.daml.org/2003/11/swrl), allows the use of role-value-mapsemantics. However, the required syntax iscomplex, and we’ve begun to think that anOWL-based representation expressing thissame semantics might be valuable for a broadrange of uses. For instance, the OWL-S devel-opers found the need to express similardataflow semantics and developed their ownformulation (process:sameValues) that allowed the

representation of such chains, albeit with thelimitation that they could contain only single-chain elements.11

We’re equipping KAoS with mechanismsthat will allow adding role-value-map seman-tics to defined policy action using the KAoSPolicy Administration Tool. For the interim,we’re basing our syntax for this semantics onthe current version of the SWRL OWL ontol-ogy (www.daml.org/2003/11/swrl/swrl.owl).However, the code that generates this syntaxis encapsulated in a specialized Java classallowing later modification if the SWRLontology changes or if an OWL-based syntaxeventually emerges. Our classification algo-rithm can also use this information to clas-sify action instances. This algorithm verifiesif an instance satisfies the OWL-DL part ofthe action class and, if so, checks the appro-priate role-value-map constraints. For exam-ple, if KAoS needs to determine whether anintercepted communication is a loop com-munication, it would determine whether thecurrent communication source is also one ofthe values of the property describing thecommunication’s destination.

To perform more complex policy analyses


34 www.computer.org/intelligent IEEE INTELLIGENT SYSTEMS

Policies are a means to dynamically constrain and regulate asystem’s behavior without changing code or requiring the coop-eration of the components being governed. They are becomingan increasingly popular approach to dynamic adjustability ofapplications in academia and industry (www.policy-workshop.org). Policy-based approaches have many benefits, includingreusability; efficiency; extensibility; context sensitivity; verifiabil-ity; support for both simple and sophisticated components; pro-tection from poorly designed, buggy, or malicious components;and reasoning about their behavior.1 Policies have importantanalogs in animal societies and human cultures.2

Policy-based network and distributed-system managementhas been researched extensively over the last decade (www-dse.doc.ic.ac.uk/research/policies).3 Policies are often applied toautomate network administration tasks, such as configuration,security, recovery, or quality of service. In network manage-ment, policies govern choices in a network’s behavior. Addition-ally, standardization efforts are heading toward common policyinformation models and frameworks. The Internet EngineeringTask Force, for instance, has been investigating policies as a wayto manage IP-multiservice networks by focusing on the specifi-cation of protocols and object-oriented models for represent-ing policies (www.ietf.org/html.charters/policy-charter.html).

Increasingly, the scope of policy management is going beyondthese traditional applications in significant ways. New challengesfor policy management include

• Sources and methods protection, digital-rights manage-ment, information filtering and transformation, and

capability-based access• Active networks, agile computing, disruption-tolerant net-

works, and pervasive and mobile systems• Organizational modeling, coalition formation, and formaliz-

ing cross-organizational agreements• Trust models, trust management, provenance, and informa-

tion pedigrees• Effective human–machine interaction: interruption and noti-

fication management, presence management, adjustableautonomy, mixed-initiative interaction, teamwork facilita-tion, and safety

• Support for humans trying to retrieve, understand, andanalyze all policies relevant to some situation

Researchers have proposed multiple approaches for policyspecification. They range from formal policy languages that acomputer can easily and directly process and interpret, to rule-based policy notation using an if-then-else format, to the repre-sentation of policies as entries in a table with multiple attributes.

In Web Services, standards for SOAP-based message security(for example, www-106.ibm.com/developerworks/webservices/library/ws-secure) and XML-based languages for access control(for example, the eXtensible Access Control Markup Language,www.oasis-open.org/committees/tc_home.php?wg_abbrev=security) have begun to appear. However, the current tools’immaturity along with the new languages’ limited scope andsemantics make them less-than-ideal candidates for the sophis-ticated applications that Semantic Web visionaries have imag-ined for the next decade.4,5

Policies and Semantic Web Services

relying on role-value-map semantics, we’vebegun joint exploration with Stanford onextending JTP to allow subsumption reason-ing on role-value-map semantics.

Example application contextsWe’re extending KAoS to address require-

ments of Semantic Web Services. Wedescribe three examples of the kinds of rolesthat a policy management framework canplay in providing

• Policy management for grid-computingenvironments

• Verification of policy compliance forSemantic Web Services workflow com-position

• Policy enforcement during workflowenactment

Policy management forgrid computing

Our first foray into Web Services was devel-oping an initial OGSA-compliant (Open GridServices Architecture) version of KAoS ser-vices, allowing fine-grained policy-based man-agement of registered grid-computing services

on the Globus platform.12 OGSA is a Web Ser-vices-compatible standard for defining grid-computing services (www.globus.org/ogsa).We’ve aimed to extend and generalize thiscapability to work with Web Services outsideof grid-computing environments.

Globus provides effective resource man-agement, authentication, and local resourcecontrol for the grid-computing environmentbut needs domain and policy services.KAoS seemed to be a perfect complementto the Globus system, providing a widerange of policy management capabilitiesthat rely on platform-specific enforcementmechanisms. By providing an interfacebetween the Globus grid and KAoS, weenable the use of KAoS mechanisms tomanage Grid Security Infrastructure-enabled grid services. GSI was the onlycomponent of the Globus Toolkit (GT3) weused in the integration. The interface itselfis a grid service, which we called a KAoSgrid service. It gives grid clients and ser-vices the ability to register with KAoS ser-vices and to check whether a given actionis authorized on the basis of current poli-cies. Figure 2 shows the basic architecture.

Creating a KAoS grid service. To create aKAoS grid service, we used tools providedwith GT3 to create a normal grid service,then added to it the required KAoS frame-work components to make it KAoS aware.This framework links grid services to theKAoS-implemented JAS (Java Agent Ser-vices, http://sourceforge.net/projects/jas):naming, message transport, and directory. It


Client

JavaAgent

Services

KAoS

Gridservice

stub

Container

KAoSgrid

service

JASservice

root

KAoSguard

Gridservice

stub

Gridservice

stub

Figure 2. The KAoS grid service architecture.

Using XML as a standard for policy expression has advantagesand disadvantages. The major advantage is its straightforwardextensibility (a feature shared with languages such as RDF andOWL, which use XML as a foundation). The problem withmere XML is that its semantics are mostly implicit—meaning isconveyed on the basis of a shared understanding derivedfrom human consensus. Implicit semantics are ambiguous,they promote fragmentation into incompatible representationvariations, and they require extra manual work that a richerrepresentation could eliminate. However, if an implementa-tion requires the use of an XML approach, you could mapSemantic Web-based policy representations, such as those wedescribe, to these lower-level representations by applyingcontextual information.

In addition to KAoS, some initial efforts in using SemanticWeb representations for basic security applications (authenti-cation, access control, data integrity, and encryption) of pol-icy are bearing fruit. For example, Grit Denker and her col-leagues have integrated a set of ontologies (credentials andsecurity mechanisms) and security extensions for OWL-S Ser-vice profiles with Carnegie Mellon University’s SemanticMatchmaker5 to enable security brokering between agentsand services. Future work will let security services be com-posed with other services. Lalana Kagal and her colleaguesare developing Rei, a Semantic Web language-based policylanguage they’re using as part of the OWL-S service profilesextension and other applications.6 In another promising direc-tion, Ninguhi Li, Benjamin Grosof, and Joan Feigenbaum have

developed a logic-based approach to distributed autho-rization in large-scale, open, distributed systems.7

References

1. J.M. Bradshaw et al., “Making Agents Acceptable to People,” Intel-ligent Technologies for Information Analysis: Advances in Agents,Data Mining, and Statistical Learning, N. Zhong and J. Liu, eds.,Springer-Verlag, 2004, pp. 355–400.

2. P. Feltovich et al., “Social Order and Adaptability in Animal, Human,and Agent Communities,” Proc. 4th Int’l Workshop Eng. Societies inthe Agents World, LNAI 3071, Springer-Verlag, 2003, pp. 73–85.

3. S. Wright, R. Chadha, and G. Lapiotis, eds., IEEE Network, specialissue on policy-based networking, vol. 16, no. 2, 2002, pp. 8–56.

4. D. Fensel et al., Spinning the Semantic Web, MIT Press, 2003.

5. K. Sycara et al., “Automated Discovery, Interaction and Composi-tion of Semantic Web Services,” J. Web Semantics, vol. 1, no. 1,2003, pp. 27–46.

6. L. Kagal, T. Finin, and A. Joshi, “A Policy-Based Approach to Secu-rity for the Semantic Web,” Proc. 2nd Int’l Semantic Web Conf.(ISWC 2003), LNCS 2870, Springer-Verlag, 2003, pp. 402–418.

7. N. Li, B.N. Grosof, and J. Feigenbaum, “Delegation Logic: A Logic-Based Approach to Distributed Authorization,” ACM Trans. Infor-mation Systems Security (TISSEC), vol. 6 , no. 1, 2003, pp. 128–171.

K



also associates the KAoS Guard (policy deci-sion point) with the KAoS grid service thatFigure 2 shows.

Registration. To use domain services, weneeded to establish a method for clients andresources to register in a KAoS domain. Theclients or resources use their credential torequest registration in one or more domains.The credential is a standard X.509 certificatethat Globus uses for authentication and isverified using the GT Grid Security Infra-structure. If the certificate is valid, the regis-tration request goes to KAoS for registrationinto the desired domains. If the resource usesan application-specific ontology to describeits capabilities, it must be loaded into theKAoS ontology using a utility KAoS pro-vides. Inside the KAoS grid service, the reg-istration is handled through the associatedguard. This lets KAoS distribute all applica-ble policies to the appropriate guard.

Expressing policies. The basic components ofany authorization policy are the actors, action,and context. A sample policy would read

It is permitted for actor(s) X to performaction(s) Y in context Z.

Actors requesting to execute an action aremapped to various actor classes and instancesin the KAoS Policy Ontology (KPO). In thiscase, actors consist of various softwareclients and the groups they belong to. Reg-istration adds each client to the existingKAoS knowledge base stored in JTP, offlineor at runtime, letting policies be written aboutthe client or its domain.

The system can represent actions at differ-ent levels of generality. A policy defined on amore general action might permit or forbidoverall access to a service, which is useful forsimple services or services that don’t providevarying access levels. For example, a policydefining overall permissions for a chat servicemight use generic communication concepts inthe existing KPO, as in the following:

It is forbidden for Client X to perform a com-munication action if the action has a destina-tion of Chat Service Y.

The system would use this policy to pre-vent Client X from using Chat Service Y.KAoS already understands the concepts of“forbidden,” “communication action,” and“has destination.” It will also understand“Client X” and “Chat Service Y” once eachentity registers.

More complex services might require newconcepts in the ontologies that map to spe-cific actions on a grid service. For example,Reliable File Transfer Service has variousmethods that might not map to an existingontology. To provide fine-grained control ofthis service, we can extend the KAoS ontol-ogy for the specific domain space and loadit into KAoS using KPAT (KAoS PolicyAdministration Tool), a graphical user inter-face for interacting with KAoS (see Figure 1for an example of a KPAT window). We’reworking on a tool to automatically generatean OWL ontology for a given WSDL (WebServices Description Language, www.w3.org/TR/wsdl) specification of the OGSI-compliant grid service.

The context can refer to objects that are thetargets of action, such as clients or services,or domain-specific entities, such as differentcomputing resources. The context might alsoinclude other information about the situationin which the action is performed. Clients andservices are added to the KAoS ontologywhen they register in the KAoS DirectoryService, while using domain-specific entitiesrequires extensions to the ontology, eitherbefore loading into KAoS or using the graph-ical interface in KPAT.

Policies might be written to restrict aclient’s use of a resource or to restrict the setof access rights delegated to the KAoS gridservice. Recently, we’ve added the capabil-ity of defining simple obligation policies.

Checking authorization. Because the KAoSgrid service has full control of access to agiven resource based on the rights permittedby participating resources, it serves as the pol-icy enforcer using Globus local-enforcementmechanisms. The KAoS grid service coor-dinates with the KAoS guard to determineauthorization for a requested action. Onceregistered, clients will have access to thegrid service on the basis of KAoS policies.As policies are added to KAoS throughKPAT, they’re automatically converted toOWL for use in reasoning and to a simpleand efficient representation in the guardassociated with the KAoS grid service forenforcement purposes. When a client requestsa service, the KAoS grid service will checkif the requested action is authorized on thebasis of current policies by querying theguard. If the guard allows the requestedaction, the KAoS grid service initializes aGIS-restricted proxy certificate by puttingthe permissions needed to execute the action

ReferTo

RefersToRefersTo

CMUMatchmaker

Forward

CMUnotification

agent

Notify

ArabelloCoast Guard

cutterservice

GaoMarine

helicopterservice

USArmy

helicopterservice

USMarine

helicopterservice

Pick

up re

sour

ces

onto

logy

Coalition pick-uprescue resources

Gaohospitalservice

Arabellohospitalservice

Notificationontology

Policy management

Countryhospitalsontology

Medicaltreatmentontology

KAoSPolicy

Ontology

CoSAR coalitionsearch & rescue

coordinator

US downedpilot KAoS Policy

AdministrationTool

Distribute

Distribute

Distribute

Lookup

Notify

Adve

rtise

UseNotify

Coalitioncommander

KAoSPolicy

Service

KAoSEnforcer 1

Ask

Use

Use

AdvertiseJabber IM

KAoS Enforcer 3

Coalitionmedical resources

KAoSEnforcer 2

CoSAR I-Xagent

Figure 3. A CoSAR-TS demo diagram.

in its own end GIS entity certificate. Thiscertificate is the one the resource providedat registration and maps to the local controlmechanism. The KAoS grid service alsosets the proxy lifetime and signs it. It thenreturns the restricted proxy certificate to theclient. The client then uses this proxy cer-tificate to access the given grid service.

When a service receives a request, it checksthe submitted certificate against the localGIS control mechanism. Services can alsocheck permissions by querying the KAoSgrid service directly. The service checks toensure that action requested is covered by theintersection of the rights given to the KAoSservice and the rights the KAoS serviceembedded in the certificate. This lets thelocal resource owner write policies restrict-ing the rights it lets KAoS delegate.

A current limitation of our implementationis that no mechanism exists for proxy certifi-cate revocation. Globus relies on short life-times to limit proxy credentials. An updatedpolicy in KAoS wouldn’t take effect until thecurrent proxy credential expired, forcing theuser to return to KAoS for an update.

Coalition search and rescue In the Coalition Search and Rescue Task

Support project (CoSAR-TS, www.aiai.ed.ac.uk/project/cosar-ts), we’re testing the inte-gration of KAoS and the Artificial Intelli-gence Applications Institute (AIAI)’s I-Xtechnology with Semantic Web Services.Other participants in the CoSAR-TS projectinclude BBN Technologies, the Space andNaval Warfare Systems Command, the AirForce Research Laboratory, and CarnegieMellon University.

Search and rescue operations, especiallycoalition-based ones, require rapid dynamiccomposition of available policy-con-strained heterogeneous resources. A gooduse case is to describe them using Seman-tic Web technologies. Additionally, mili-tary operations are usually conductedaccording to some well-defined procedurethat must be made concrete and groundedto the given situation. Such a scenario isgood for illustrating planning under policy-imposed constraints.

The fictitious scenario (see Figure 3),which extends the well-known CoalitionAgent Experiment (CoAX, www.aiai.ed.ac.uk/project/coax), begins with an event thatreports a downed airman between the coast-lines of four fictional nations bordering theRed Sea: Agadez, Binni, and Gao (to the

west), and Arabello (to the east). In this ini-tial scenario, we assume that excellent loca-tion knowledge is available and that no localthreats exist to counter or avoid in the res-cue. The airman reports his own injuries viahis suit sensors. Next is an investigation ofthe facilities available for rescuing the air-man. Different possibilities exist: a US ship-borne helicopter, a Gaoan helicopter from aland base in Binni, a patrol boat off the Ara-bello coastline, and so on. Finally, there’s aprocess to establish available medical facil-ities for the specialized injury reported,using the information provided about theregion’s countries.

Different policies originate from differentcoalition partners, which constrains selectionof these resources. If, for instance, a hospitalin Arabello has the best treatment facilitiesfor dealing with the airman’s injuries, choicesof rescue resources are then restricted. Addi-tionally, the coalition has a policy prohibitingmembers from using Gaoan helicopters totransport injured airmen.

In addition to relying on KAoS, CoSAR-TS relies on various I-X technologies fromthe AIAI. I-X process panels (http://i-x.info13,14) provide task support by reasoningabout and exchanging with other agents andservices any combination of Issues, Activi-ties, Constraints, and Annotations (elementsof the <I-N-C-A> ontology). I-X can there-fore provide collaborative task support and

exchange of structured messages related toplans, activity, and such activity’s results. Thisinformation can be exchanged with othertools using OWL, RDF, or other languages.The system includes a planner that can com-pose a suitable plan for the given tasks whenit receives a library of standard operating pro-cedures or processes and knowledge of otheragents or services that it can use.

Figure 4 shows an I-X process panel (I-P2)and associated I-X tools. The I-Space toolmaintains agent relationships. I-X can obtainthe relationships from agent services such asKAoS. I-X process panels can also link toSemantic Web information and Web Ser-vices, and can be integrated via “I-Q” adap-tors11 to appear naturally during planning andin plan execution support.

I-X work has concentrated on dynamicallydetermined workflows at execution time,using knowledge of services, other agentavailability, and so on. However, it also offersa process editor for creating process models(I-DE) to populate the domain model and anAI planner (I-Plan), which allows for hierar-chical plan creation, precondition achieve-ment, consistent binding of multiple variables,temporal-constraint checking, and so forth.

The Semantic Firewall We developed the Semantic Firewall

(SFW) project in collaboration with the Uni-versity of Southampton, IT Innovation, and


Figure 4. I-X process panel and task support tools.

Activity editorProcess panel

I-Space

Map tool

Messenger

I-Plan

SRI International.10 (See http://ontology.ihmc.us/Semant icServices /S-F/Example/index.html for an example scenario with poli-cies encoded using the KAoS Policy syntax.)In addition to performing standard policy man-agement functions, KAoS will take as an inputa desired client workflow of grid services invo-cations. It will then verify whether the clientis authorized to execute such a workflow in thedomain controlled by a given instance of theSFW environment. Additionally, the policysystem might generate obligations in the formof grid service invocations. These obligationsmust execute during the original workflow—for example, to preserve provenance (www.pasoa.org/index.html) of the calculation re-sults. In effect, we can modify and amend theinitial workflow with the policies. The systemwill then enforce resulting policies embeddedin the contract governing the transaction as theworkflow is enacted.

Policy compliance verificationin Semantic Web Servicesworkflow composition

As a research topic, automatic composi-tion of feasible workflows from a dynamicset of available Semantic Web Services isdrawing increasing attention. We argue forapplying existing technology and mappingalready developed planners’ input and out-put formats to the emerging Semantic WebServices Process Model standard (www.daml.org/services/owl-s/1.0).15 To this end,we are extending our implementations of I-X and KAoS.

The I-K-C toolIn the context of CoSAR-TS, we’ve inte-

grated KAoS and I-X to let I-X obtaininformation about the role relationshipsamong human and software actors (peers,subordinates, and superiors, for example)represented in domains and stored in KAoSas ontological concepts. I-X can also usethe KAoS policy disclosure interface tolearn about policy impact on its plannedactions. This is the first step toward mutualintegration of the planning and policy ver-ification components.

The new I-K-C tool goes beyond the ini-tial integration of I-X and KAoS to enableSemantic Web Services workflow composi-tion consistent with policies that govern com-position and enactment (see Figure 5). Thisapproach lets I-X import services describedin OWL-S into the planner, augmenting anypredefined processes already in the processlibrary. KAoS verifies constructed partialplans for policy compliance. We can exportthe final plan, represented in OWL-S ontol-ogy form, and use it in various enactmentsystems or to guide the dynamic reactive exe-cution of those plans in I-P2.

Mapping process to actionThe OWL-S concept of process maps

semantically to the KAoS concept of action(http://ontology.ihmc.us/Action.owl).Unfortunately, OWL-S dramatically changedhow it represents workflow processes com-pared with DAML-S. DAML-S representedprocesses as classes whose instances were

process executions and whose input andoutput parameters were defined as proper-ties of those classes. It represented para-meter restrictions as range constraints onthose parameter properties. In contrast,OWL-S represents processes as instancesand defines parameters as instances of theclass Parameter or its subclasses Input and Out-put. Processes’ parameter restrictions aredefined by the value of the process:parameter-Type property for each parameter. This sig-nificant change doesn’t allow for a straight-forward mapping between OWL-S andKAoS concepts using owl:equivalentClass andowl:equivalentProperty, which had been previ-ously possible in the case of DAML-S. Inthe near future, the OWL-S definition ofprocess executions should change again andwill be defined as an instance of a ProcessIn-stance class that refers to the process type.This approach is similar to that taken in theProcess Specification Language.16

To use KAoS reasoning capabilities, wemust create an OWL class based on theOWL-S process definition instance. We dothis by changing the process:parameterType to rep-resent the appropriate restrictions. We’reusing the OWL-S API (www.mindswap.org/2004/owl-s/api) to load OWL-S processworkflows, find all processes in a workflow,and then get detailed definitions to build thecorresponding OWL class—a subclass of theKAoS Action class—using Jena (http://jena.sourceforge.net).

The change from DAML-S to OWL-S hasother consequences:

• You can’t build process hierarchies atdifferent abstraction levels using rdfs:sub-ClassOf, while you can in the KAoS ontol-ogy of actions.

• You can’t represent an actual instance of aprocess—a very concrete realization of theprocess. Again, in KAoS we use the instanceof an action to describe the currently enactedevent and then to find whether policies existthat apply to this situation. The envisionedprocess control ontology, announced as partof OWL-S’s future release, will clearly needmethods to represent actual events and theirrelation to processes.

• The process instance doesn’t represent theactual event anymore, so the fact that theprocess in OWL-S is a subclass of time-entry:IntervalEvent carried over from DAML-Sis a self-contradiction. (OWL-S’s develop-ers have promised to resolve this issue inthe near future.)



OWL-S KAoS - OWL-Smapping

KAoSontology

ReferTo

I-Plan(planning service)

KAoSpolicy services

Policiesconstraining

services usage

Collection ofavailableSemantic

Web Services

Select service

<I-N-C-A->

Partial planamended withpolicy-relatedcommentary

Goal

Final plan

Consultpolicies

UseUse

Use UseUse

Use

Use

Use

Partialplan

Figure 5. Cooperation between I-X and KAoS in the process of semantic workflowcomposition.

In short, difficulties related to usingprocess classes in collections and other issuesmotivated changing the representation ofprocesses between DAML-S and OWL-S.However, addressing this problem has cre-ated the challenges in the representation ofpolicies in KAoS we just mentioned. Wehope that the promised improvements infuture versions of OWL-S will help resolvethese issues.

KAoS capabilities for analyzing action classes

After KAoS extracts a particular actionfrom the workflow and converts it to a cor-responding action class, we examine theaction to determine its compliance with therelevant policies in force. The process ofworkflow policy compliance checking dif-fers from that of checking authorization andobligations of an action instance in policyenforcement, which we described earlier. Inworkflow policy compliance checking,we’re not dealing with an action instance butan action class. So, we must use subsump-tion reasoning instead of classification rea-soning—KAoS must find relations betweenthe current action class and action classesassociated with policies. Fortunately, we usethis kind of reasoning to perform policyanalyses such as policy deconfliction.6 Theseanalyses also involve discovering relations(subsumption or disjointness, for example)between action classes associated withpolicies.

Such analyses will often lead to deter-ministic conclusions—for example, that agiven process will be authorized or forbid-den or that it will definitely generate anobligation. Results will always be deter-ministic if the given action class represent-ing the investigated process is a subclass ofeither a single policy action class or a unionof some policy action classes, respectivelyrepresenting either authorization or obliga-tion policies.

Sometimes, however, the analyses can benondeterministic—that is, we might be ableto conclude only that a given process instancecould possibly be authorized or that it mightgenerate obligations. This kind of result willoccur if the given action class, representingthe process in question, is neither fully sub-sumed nor fully disjoint, with a single pol-icy action class or their unions respectivelyrepresenting either authorization or obliga-tion policies. In this case, KAoS can build arepresentation of the action class (either the

class that corresponds to the portion of theaction class in the authorization request orthe one that generates a given obligation) bycomputing the difference between the cur-rent action class and the relevant policyaction class. The algorithm is identical to theone we previously described7 for policy har-monization. However, we’re still working outhow to generically translate that new class toan OWL-S process instance representation.

We’ve developed a first cut of additionalKAoS ontology components, enabling work-flow annotation with the results of the pol-icy analyses we described. The appropriatemarkup was added to the original OWL-Sworkflow using the OWL-S API and sentback from KAoS to the I-X planner.

Example: Planning a rescueoperation under coalition policyconstraints

Project participants are using the CoSAR-TS scenario to test the capabilities we justdescribed. With each new search-and-rescuesituation, the SAR coordinator gathers avail-able information about the accident and con-structs an appropriate goal for the planner.The goal could, for instance, contain infor-mation about the kind of injuries the victimsustained and his or her approximate loca-tion. The planner begins by selecting the bestinitial plan template for the given situation.It then builds OWL-S profiles for each nec-essary service and queries the CoalitionMatchmaker to learn about OWL-S descrip-tions of registered SAR resources. Thisresults in the first approximation of the planexpressed as the OWL-S Process Model. Forinstance, if the downed pilot has serious burninjuries, the planner will ask the Matchmakerwhich services are offered by the burn

injuries treatment unit in each medical carecenter. Subsequently, it will ask for availablerescue resources that can pick up a pilot fromthe sea and deliver him or her to the chosenhospital (that is, Arabello). The systemselects the best result and submits the OWL-Sprocess model for verification. During work-flow analysis, KAoS determines that anobligation policy exists requiring that thecoalition commander receive notificationwhen the downed pilot is successfully recov-ered. It inserts the appropriate process, invok-ing the notification service—available in theenvironment as the Web Service—into themodel, and returns it to the planner.

Policy enforcement duringworkflow enactment

KAoS can’t check every aspect of policycompliance at planning time. So, we’vedesigned it so that the policy service canindependently enforce policies during work-flow execution. The policies governing bothauthorization and obligation of clients andservers are stored in KAoS and checked byauthorized parties. Other approaches tosecuring Semantic Web Services are limited.They can mark service advertisements withrequirements for authentication and com-munication and enforce compliance withthese requirements,17 or they attach condi-tions to inputs, outputs, and effects of ser-vices. KAoS, on the other hand, can auto-matically enforce any sort of policy byintegrating Semantic Web Services withKAoS enforcers, components that interceptrequests to a service and consult KAoS abouttheir authorization and obligation. KAoS canreason about the entire action the servicesperform, not just about security credentialsattached to the request. Additionally, KAoShelps generate obligations created when theservices are used. We describe three applica-tions of KAoS during workflow enactment:Matchmaker policy enforcement, a genericSemantic Web Service enforcer, and agree-ments and contracts in the Semantic Firewallapplication.

Matchmaker policy enforcement—CoSAR-TS scenario

Although annotating the Semantic Match-maker service profiles lets registered serviceproviders describe required security profiles,15

it doesn’t let owners of infrastructure re-sources (for example, computers or networks),client organizations (coalition organizationsor national interest groups), or individuals


KAoS can’t check every aspect of

policy compliance at planning

time. So, we’ve designed it

so that the policy service can

independently enforce policies

during workflow execution.



specify or enforce policy from their uniqueperspectives. For example, the policy thatcoalition members can’t use Gaoan transportscan’t always be anticipated and specified inthe Matchmaker service profile. Neitherwould Matchmaker service profile annotationsbe an adequate implementation for a US pol-icy obligating encryption, prioritizing networkbandwidth allocation, or requiring the loggingof certain sorts of messages.

Moreover, these policies’ semantics can’tcurrently be expressed in terms of the currentOWL-S specification of conditional con-straints. Even if they could be, organizationsand individuals might prefer to keep policystores, reasoners, and enforcement capabilitiesin their private enclaves. This might be moti-vated by the desire to both maintain securecontrol over sensitive components and keepother coalition members from becoming awareof private policies. For example, coalitionmembers might not want Gao to know that pol-icy will automatically filter out the offer of theirhelicopters to rescue the downed airman.

A generic Semantic Web Serviceenforcer

We have defined enforcers that interceptSOAP messages from the Matchmaker andfilter results consistent with coalition poli-cies. In our CoSAR-TS demonstration, thesepolicies prevent the use of Gaoan resources.

We’re enhancing the SOAP-enabledenforcers to understand arbitrary SemanticWeb Service invocations so that they canapply appropriate authorization policies tothem. The enforcer is equipped with amechanism to perform obligation policies,which are in the form of other Web Serviceinvocations. For instance, you can imaginethat some policy might require consultationor registration of performed transactions insome logging service available as a WebService audit entity.

Agreements and contracts—a Semantic Firewall application

A necessary requirement for supportingcomplex, dynamic groups of service providersin a business context is the notion of a con-tract. Although KAoS policies represent con-straints on behavior involuntarily imposedon software entities, contracts represent vol-untary agreements that mutually bind the par-ticipants to various authorizations, obliga-tions, and modes of interaction. As anexample of the application of contracts toSemantic Web Services, Benjamin Grosof

and Terrence Poon have developed Sweet-Deal, a rule-based approach to automating“law in the small.”18 SweetDeal representsbusiness contracts to let software agents cre-ate, evaluate, negotiate, and execute contractsamong themselves for the performance ofSemantic Web Services.

Within KAoS, we plan to extend theexisting representation of policy sets toinclude the representation and reasoningconstructs necessary to allow for creatingand executing agreements and contracts. Aspart of contract creation, KAoS can alreadydetect policy conflicts and suggest harmo-nization. We’re extending these and com-bining them with new facilities for negoti-ation and extensions of existing capabilitiesfor enforcement.

Contracts can be stored in instances ofKAoS (or perhaps some other interopera-ble policy service) associated with eachWeb Service or, when stakeholders prefer,as independent KAoS instances represent-ing neutral third parties.

KAoS provides capabilities for verify-ing and enforcing user-defined policy

when automatically planning and executingsemantically described process workflows.To advance this, we plan to investigate howto take a context surrounding the process(that is, processes and control constructs) ina given workflow into account during policyanalyses.

Currently, KAoS can analyze OWL-Sencoded workflows; however, we can imag-ine how to extend it to understand otherforms of descriptions (for example, the WebService Modeling Ontology, www.wsmo.org)that share similar concepts of basic processand workflow composition abstractions.

AcknowledgmentsOur research was sponsored by the DARPA

CoABS, DAML, and UltraLog programs at the USAir Force Research Laboratory under agreementsF30602-00-2-0577 and F30602-03-2-0014. TheUS government, the Institute for Human andMachine Cognition, and the University of Edin-burgh are authorized to reproduce and distributereprints and online copies for their purposesnotwithstanding any copyright annotation hereon.Thanks to the other members of the KAoS projectteam: Maggie Breedy, Larry Bunch, HyuckchulJung, Shri Kulkarni, James Lott, William Taysom,

and Gianluca Tonti. We are also grateful for thecontributions of Mark Burstein, Pat Hayes, LucMoreau, Niranjan Suri, Paul Feltovich, RichardFikes, Jessica Jenkins, Bill Millaar, DeborahMcGuinness, Rich Feiertag, Timothy Redmond,Rebecca Montanari, Sue Rho, Ken Ford, MarkGreaves, Jack Hansen, James Allen, Ron Ashri,Terry Payne, Mike Surridge, Darren Marvin, GritDenker, Kate Keahey, Katia Sycara, MassimoPaolucci, Naveen Srinivasan, and Robert Hoffman.

References

1. S.A. McIlraith, T.C. Son, and H. Zeng,“Semantic Web Services,” IEEE IntelligentSystems, vol. 16, no. 2, 2001, pp. 46–53.

2. J.M. Bradshaw et al., “Making Agents Accept-able to People,” Intelligent Technologies forInformation Analysis: Advances in Agents,Data Mining, and Statistical Learning, N.Zhong and J. Liu, eds., Springer-Verlag, 2004,pp. 355–400.

3. J.M. Bradshaw et al., “Dimensions of Adjust-able Autonomy and Mixed-Initiative Interac-tion,” to be published in ComputationalAnatomy, Springer-Verlag, 2004.

4. G. Klein et al., “Common Ground and Coor-dination in Joint Activity,” OrganizationalSimulation, John Wiley & Sons, 2004.

5. G. Tonti et al., “Semantic Web Languages forPolicy Representation and Reasoning: AComparison of KAoS, Rei, and Ponder,” TheSemantic Web–ISWC 2003: 2nd Int’l Seman-tic Web Conf., LNCS 2870, Springer-Verlag,2003, pp. 419–437.

6. N. Damianou et al., Ponder: A Language forSpecifying Security and Management Policiesfor Distributed Systems, tech. report Doc2000/1, Dept. of Computing, Imperial College ofScience, Technology and Medicine, 20 Oct.2000.

7. J.M. Bradshaw et al., “Representation and Rea-soning for DAML-Based Policy and DomainServices in KAoS and Nomads,” Proc. 2ndInt’l Joint Conf. Autonomous Agents and Multi-Agent Systems (AAMAS 2003), ACM Press,2003, pp. 835–842.

8. A. Uszok, J.M. Bradshaw, and R. Jeffers,“KAoS: A Policy and Domain ServicesFramework for Grid Computing and GridComputing and Semantic Web Services,”Trust Management: 2nd Int’l Conf. Proc.(iTrust 2004), LNCS 2995, Springer-Verlag,2004, pp. 16–26.

9. A. Uszok et al., “KAoS Policy and Domain Ser-vices: Toward a Description-Logic Approachto Policy Representation, Deconfliction, andEnforcement,” Proc. IEEE 4th Int’l Workshop

Policies for Distributed Systems and Net-works, IEEE CS Press, 2003, pp. 93–96.

10. R. Ashri, T.R. Payne, and M. Surridge,“Towards a Semantic Web Security Infra-structure,” Proc. AAAI Spring Symp. Seman-tic Web Services, AAAI Press, 2004, pp.84–91.

11. S. Potter, A. Tate, and J. Dalton, “I-X TaskSupport on the Semantic Web,” Poster Proc.2nd Int’l Semantic Web Conf., 2003; http://i-x.info/documents/2003/2003-iswc-poster-potter-ix.pdf.

12. M. Johnson et al., “KAoS Semantic Policyand Domain Services: An Application ofDAML to Web Services-Based Grid Ar-chitectures,” Proc. AAMAS 03 Workshop Web Services and Agent-Based Eng., 2003;www.ihmc.us/research/projects/KAoS/OGSAIntegration.pdf.

13. A. Tate, “Coalition Task Support Using I-Xand <I-N-C-A>,” Proc. 3rd Int’l Central andEastern European Conf. Multi-Agent Systems(CEEMAS 2003), LNAI 2691, Springer-Verlag, 2003, pp. 7–16.

14. A. Tate, J. Dalton, and S. Potter, “IntelligibleMessaging: Activity-Oriented Instant Mes-saging,” submitted to Proc. 14th Int’l Conf.Automated Planning and Scheduling (ICAPS2004), AAAI Press, 2004; http://i-x.info/documents/2004/2004-x-tate-ime.pdf.

15. D. Wu et al., “Automating DAML-S Web Ser-vices Composition Using SHOP2,” TheSemantic Web—ISWC 2003: 2nd Int’l Seman-tic Web Conf., LNCS 2870, Springer-Verlag,pp. 195–210.

16. C. Schlenoff et al., The Process SpecificationLanguage (PSL): Overview and Version 1.0Specification, NISTIR 6459, Nat’l Inst. Stan-dards and Technology, 2000.

17. G. Denker et al., “Security for DAML WebServices:Annotation and Matchmaking,” TheSemantic Web—ISWC 2003: 2nd Int’lSemantic Web Conf., LNCS 2870, Springer-Verlag, 2003, pp. 335–350.

18. B.N. Grosof and T.C. Poon, “SweetDeal:Representing Agent Contracts with Excep-tions using XML Rules, Ontologies, andProcess Descriptions,” Proc. 12th Int’l Conf.World Wide Web, ACM Press, 2003, pp.340–349.


T h e A u t h o r sAndrzej Uszok is a research scientist at the Institute for Human and MachineCognition. His research interests include ontology, policy specification, agentsystems, and transparent interoperability. He received his PhD in computerscience from the AGH University, Krakow. He is a member of the AAAI.Contact him at the Inst. for Human and Machine Cognition, 40 S. Alcaniz,Pensacola, FL 32502; [email protected].

Jeffrey M. Bradshaw is a senior research scientist at the Institute for Humanand Machine Cognition. His research interests include knowledge acquisi-tion, software and robotic agent technology, human–agent teamwork,adjustable autonomy, and mixed-initiative interaction. He received his PhDin cognitive science from the University of Washington. He is a member ofthe AAAI, the ACM, and the IEEE Computer Society. Contact him at theInst. for Human and Machine Cognition, 40 S. Alcaniz, Pensacola, FL 32502;[email protected].

Renia Jeffers is a research associate at the Institute for Human and MachineCognition and a lead designer and developer for the KAoS policy and domainservices. Her research interests include software agent technologies; policyspecification, management, and enforcement; and human–robotic teamwork.She received her MS in software engineering from Seattle University. Con-tact her at the Inst. for Human and Machine Cognition, 40 S. Alcaniz, Pen-sacola, FL 32502; [email protected].

Matthew Johnson is a research associate at the Institute for Human andMachine Cognition. His research interests include human–machine inter-face, teamwork, policy, and mixed-initiative interactions. He received his MSin computer science from Texas A&M University at Corpus Christi. Contacthim at the Inst. for Human and Machine Cognition, 40 S. Alcaniz, Pensacola,FL 32502; [email protected].

Austin Tate is the technical director of the Artificial Intelligence Applica-tions Institute and holds the Personal Chair of Knowledge-Based Systems atthe University of Edinburgh. His research interests include AI planning (O-Plan and I-X/I-Plan), collaboration and process, and Web Services standardsactivities. He received his PhD in machine intelligence at the University ofEdinburgh. He is a fellow of the Royal Society of Edinburgh (Scotland’sNational Academy) and the AAAI. Contact him at the Artificial IntelligenceApplications Inst., Univ. of Edinburgh, Appleton Tower, Crichton St., Edin-burgh EH8 9LE, UK; [email protected].

Jeff Dalton is a research scientist at the University of Edinburgh’s Artificial Intelligence ApplicationsInstitute. His research interests include planning, simulation, Web-based software, and programminglanguage design and implementation. He received his BA in mathematics from Dartmouth College.Contact him at the Artificial Intelligence Applications Inst., Univ. of Edinburgh, Appleton Tower,Crichton St., Edinburgh EH8 9LE, UK; [email protected].

Stuart Aitken is a member of the University of Edinburgh’s Artificial Intel-ligence Applications Institute. His research interests include ontology, bioin-formatics, intelligent tools for knowledge acquisition, and machine learning.He received his PhD in computer science from the University of Glasgow.Contact him at the Artificial Intelligence Applications Inst., Univ. of Edin-burgh, Appleton Tower, Crichton St., Edinburgh EH8 9LE, UK; [email protected].

For more information on this or any other com-puting topic, please visit our Digital Library atwww.computer.org/publications/dlib.

kaos policy management for semantic web services

Documents