Expressive security policy rules using Layered Conceptual Graphs

Madalina Croitoru, Liang Xiao, David Dupplaw, Paul Lewis
University of Southampton, Southampton, UK

Abstract

A method must be provided to support the analysis of security policy rule interdependencies in a (possibly distributed) environment. We propose a Conceptual Graphs based language that will allow us to represent the structure of information and to employ reasoning for consistency checking. We motivate our choice of language by the gained expressivity, the potential for depicting policy associations rigorously and by associated reasoning capabilities. We explain our approach in the context of security requirements for medical systems. We evaluate our work theoretically, by means of an example of a real world policy rule.

1 Introduction

In every organization there are business rules, that is, compact statements that lay down what must or must not be the case in some aspect of a business [8]. According to the Object Management Group [9], rules are “declarations of policy or conditions that must be satisfied”. Rules capture requirements including the decisions, guidelines and controls which make up the functionality. As long as inconsistency and ambiguity are identified, either in rules or by rules, they are supposed to be useful for capturing and resolving conflicts, both at the requirements level and at the design level [7]. However, even for explicitly captured rules (in human readable and/or machine processable form), their interdependencies are usually far from obvious. Usually the rules are set up separately by stakeholders with different views on the system. This results in the existence of contradictory rules that may affect the behavior of the running system. Therefore, a method must be provided to support the detection of conflicting rules specified in its (possibly distributed) environment as well as the connection of the relevant ones for aggregation applications.

To this end we propose a Conceptual Graphs [13] based language, Layered Conceptual Graphs [6], for representing the interdependencies amongst policy rules. The visual, logic based language will advance the state of the art by allowing the hierarchical depiction of information and consistency checking of policy rule interdependencies. Our choice of Layered Conceptual Graphs is thus motivated by the gained expressivity, the potential for depicting policy associations rigorously and by associated reasoning capabilities. We explain our approach in the context of security requirements for medical systems. As an application scenario we use HealthAgents [1], an agent-based, distributed decision support system that employs clinical information, Magnetic Resonance Imaging (MRI) data, Magnetic Resonance Spectroscopy (MRS) data and genomic DNA profile information. The aim of this project is to help and improve brain tumour classification by providing alternative, non-invasive techniques. To increase the number of cases HealthAgents is decentralizing its predecessor project, Interpret [14], by building a distributed decision support system (d-DSS).

Decentralizing such a system poses interesting challenges from a security point of view. These challenges are further explained in Section 2 along with the motivation for this work. Section 3 explains the security mechanisms for the HealthAgents prototype and how policy rules complement these security mechanisms. Finally, Section 4 presents our proposed language for expressing the policy rules. A real-life example is given and the advantages of this approach are evaluated theoretically by analyzing their expressive power. Section 5 concludes the paper and lays down future work directions.

2 Motivation and background

Security is a growing concern in designing such systems that organizations can trust and use. Well-studied data encryption algorithms and publicly available libraries can alleviate some of the problems, yet more complex considerations are related to the management of the different levels of access rights to multiple types of resources by users distributed among and managed by multiple organizations. Some systems embed security policy modules within the application code. The tight coupling of software architecture with policies that spread all over the application, but which are intended to change, makes such systems hard to maintain [15].

A recent access control model that supports efficient management is the widely accepted US National Institute of Standards and Technology model of role based access control (RBAC) [12]. In RBAC roles represent job functions in an organization. They bring together users and permissions. Permissions that describe operations upon resources are associated with roles. Users are assigned to roles to gain permissions that allow them to perform particular job functions. A major benefit of using this type of model is that the reconfiguration of user-role, role-permission, and role-role relationships, directed by administrators, can reflect changing organizational policies. The maintenance of such a sub-system that is independent from the core application minimizes the impact on the overall system of requirements changes with regard to security. RBAC is widely accepted as a best practice and implemented in one form or another in systems including Microsoft Active Directory, SELinux, FreeBSD, Solaris, and Oracle DBMS.

However, several weaknesses have been identified. In a hospital, different users with the same clinician role may have different permissions to particular resources. For example, one clinician that created a patient case in a hospital might have more rights than other clinicians in the same hospital. Clinicians in one hospital could have more rights to data in that hospital than clinicians from another hospital. Since permissions are not directly assignable to individual users, it is impossible to use RBAC to differentiate users with practically different capabilities in the system. Another insufficiency in the RBAC model is the lack of context access modelling.

The DAFMAT approach [4] is based on the RBAC model and applied to healthcare applications. Concepts of user, role, subject and domain are used and their mappings in pairs are defined to declare access modes. Authorization requests are validated using the access modes. However, their subjects represent executable domain functions and other resource types, such as data resources, are not protected. Moreover, the presentation of this model is only for human comprehension. A mechanism of forming security policies in an executable manner has not been considered. The importance of security in the healthcare domain has also been recognized in [16], particularly for managing patient data and its communication in a distributed environment. Security tags are used to mark information with regard to privacy within the patient record structure so that access is restricted to trusted agents only. This approach is limited to securing patient data access and has paid no attention to the many security issues involved in the healthcare service provision process.

As a direct consequence we believe that an adaptive security model that is configurable and reusable across applications would represent a significant advance. Therefore we extend the “role” concept, incorporating both role-based agent behavior and role-based access control in a single role interaction model. The easily re-configurable model maintains not only functional requirements but also security constraints in Multi-Agent Systems. Our novel adaptive security model is expressed using a knowledge rich language. This model is applied to HealthAgents, a multi-agent distributed decision support system for brain tumor diagnosis. Our approach avoids weaknesses of traditional RBAC approaches and provides a practically usable security model for Multi-Agent Systems (MAS). The proposed unified role interaction model framework incorporates not only functional requirements but also security constraints in MAS. The security policy rule scheme has been used to express security requirements in relation to effective roles. The language proposed for expressing these requirements is an extension to Conceptual Graphs, Layered Conceptual Graphs. Layered Conceptual Graphs are a visual, logic based, knowledge representation formalism allowing for the depiction of hierarchical knowledge.

To conclude, the major contribution of this work is twofold. First, little redevelopment effort will be required when security is to be engineered into the overall architecture, minimizing the impact of security requirements changes to the MAS. Second, by employing a knowledge rich formalism for expressing policy rules we can then (i) use deduction to minimize the number of written rules for the system (inheritance), (ii) check for consistency and (iii) rigorously depict the policy rule interdependencies.

3 Security mechanisms for HealthAgents

The use of a distributed system for data collection and management is a necessity for medical decision support systems, especially when the number of cases to be analyzed is limited per single node. However, the medical context poses extra interesting security requirements including ethical approval and informed consent of the participants. For multinational projects, ethical approval is devolved to regional bodies without any coordinated or uniform decision making. As a consequence, data gathered from different centers may be subject to different restrictions. Allowing for flexibility within the data security model is therefore essential. This section presents the basic security architecture implemented in the prototype for HealthAgents and how policy rules complement the existing security mechanisms. We then explain the expressivity requirements for policy rules and hence motivate the proposed Conceptual Graphs based language detailed in Section 4. In order to put our work in context, a brief introduction to HealthAgents and its security requirements is also presented.

3.1 HealthAgents

The HealthAgents project, a Specific Targeted Research or Innovation Project (STREP), plans to create a multi-agent distributed Decision Support System (d-DSS) based on novel medical imaging and laboratory tests to help determine the diagnosis and prognosis of brain tumours. The HealthAgents decision support system implements a series of automated classifiers based on pattern recognition methodologies for the diagnosis and prognosis of brain tumours. These classifiers (implemented as agents) will need to access the data stored in the hospitals both for training and for decision making purposes. Prior to incorporation into clinical practice such methods must be fully tested within a clinical trials setting. Clinical trials commonly use data from which personal information (e.g. name, address, date of birth) is removed but to which a unique patient identifier is added, often termed link-anonymised data. Such a scheme has the advantage of having a high chance of preserving patient anonymity whilst allowing data from the same patient to be added at a later date. This scheme also allows a specific patient's data to be located and removed from the project at any time they request, a condition usually imposed by ethics committees. Clinical trials are usually supported by a centralized database where the link-anonymised data are stored. For a distributed system, similarly robust arrangements must be designed to reassure ethics committees and patients that the data are secure. Security systems will need to be in place which can allow each center to potentially limit the type of data transmitted and the locations it is transmitted to.

Figure 1: HealthAgents security levels

3.2 Basic Architecture

The HealthAgents framework provides an abstraction of the underlying agent platform, such that developers may implement new agents in a platform-independent way. The framework abstraction is built upon a layered architecture that provides fundamental services to the final agent. Messages that enter the agent are effectively filtered through the layers and only if all layers understand and accept the message’s credentials will the message be acted upon. Therefore, perhaps the most important of these layers is the security layer that will determine whether the credentials in the message are valid for interpretation on this particular agent. The framework has been built such that security modules, that are designed to check the credentials of a message, have to adhere to a specific pattern; that is, an application programmer’s interface has been defined for this module. The agent’s kernel will call upon the appropriate security module (defined by the agent’s configuration) to authenticate the message. Only when a message has been authenticated will the message be provided to the functionality provider of the agent, signified by the Programmatic API in Figure 1.

3.3 Enhanced security: policy rules

In HealthAgents most of the policy rules regulate the access to data of different centers. According to their type, different users/agents will have different access rights to data. In this paper we are going to focus on the following rules (agreed upon clinician feedback):

• Only clinicians in the same hospital as the data can fully access them.
• Clinicians have access to a non-empty subset of data from other hospitals.
• Classifier sites have access to data only upon accreditation.
• Classifiers are not to further redistribute the data.

Figure 2: HealthAgents Security Model

Note that other intrinsic policy rules (such as the fact that one should only access the relevant data for diagnostic purposes) are also considered within HealthAgents but, due to certain knowledge representation challenges, are beyond the scope of the current paper. In [17] we extended the RBAC model to avoid its weaknesses and to meet the unique characteristics of MAS. A security model has been proposed (see Figure 2), motivated by the particular requirements of the HealthAgents project but generic enough so that other domains and applications may use it. In the security model depicted in Figure 2, agent behavior is specified in roles which not only meet functional requirements but also enforce security policy requirements. Figure 3 shows a prototype interaction model for invoking a classification in the HealthAgents system. In [17] we provided an analysis of the security requirements for this prototype model based on the security model shown in Figure 2. The application of the security model was discussed and sample security policies were given in an XML format. However, when expressed in a syntactic language with no attached logical semantics (such as UML, XML etc.), policy rule frameworks suffer from a number of drawbacks:

• Policy rules are usually presented in natural language. They are often embedded directly into the final software product as part of the implementation. The misinterpretation of policy rules from their original natural language representation into code by developers with their own assumptions will lead to later re-development. A means must be provided for explicit representation of rules in the running system that supports direct execution (and reasoning).
• Inconsistency and ambiguity in policy rules are hard to identify since they may be set up by various responsible people with different views. This will confuse the running system when contradictory rules come into play at the same time.
• Inter-relationships among policy rules must be established but little work so far is in this direction. When a set of rules are found to be applicable and others irrelevant, the system may actually need to be sufficiently intelligent not to rule out the seemingly irrelevant ones. This is due to the fact that when some rules are applied, extra knowledge is obtained by the system, and then the pre-conditions of other policy rules become satisfied. A graph that interconnects the policy rules to check for their relationships while ensuring validation would support the overall system decision making and human analysis.

Figure 3: HealthAgents Interaction Model

4 Policy rules with Conceptual Graphs

We propose a framework for policy rules that employs Layered Conceptual Graphs. We address the current limitations of existing work using a visual, structured, logic based knowledge representation (KR) formalism. Our choice of KR means that we benefit from:

• An extension of a KR formalism originally introduced to model natural language. This means that we can tap into existing research (and tools) looking at modelling Conceptual Graphs and natural language.
• Layered Conceptual Graphs are a logic based language. This means that reasoning can ensure validation, reuse and consistency.
• Hierarchical knowledge can be easily depicted and reasoned upon. This means that we can express the high level policy rules and their interdependencies and then get into more detail as we need to expand those rules.

In the remainder of the section we present Conceptual Graphs and Layered Conceptual Graphs informally (for a mathematically rigorous presentation please refer to [5, 6]). We then show how HealthAgents policy rules can be expressed using Layered Conceptual Graphs and what expressivity and reasoning power we gain.

4.1 Conceptual Graphs

During the past 30 years, a wide variety of knowledge representation schemes have been developed, each of which has its own benefits and drawbacks. Expressiveness and efficiency are the key factors that greatly affect the competence of a representational scheme. The system KL-ONE [3] and its descendants are the main representative descendants of semantic networks [11]. The lack of a clear formal semantics of the first members of the KL-ONE family has been successfully repaired by the most prominent KR languages, Description Logics (DLs) [2]. John Sowa developed Conceptual Graphs (CGs) on the basis of semantic networks and Peirce’s Existential Graphs [10]. These graphs can be viewed as a diagrammatic system of logic, with the purpose “to express meaning in a form that is logically precise, humanly readable, and computationally tractable” [13].

Conceptual Graphs (CGs) represent background knowledge, i.e. basic ontological knowledge, in a structure called support, which is implicitly used in the representation of factual knowledge as labelled graphs. A support consists of a concept type hierarchy, a relation type hierarchy, a set of individual markers that refer to specific concepts and a generic marker, denoted by *, which refers to an unspecified concept. The support defines the main concepts and relations that exist in the world we are trying to describe. These concepts and relations are going to be linked together by means of an ordered bipartite graph that will describe the facts we are interested in. The ordered bipartite graph is going to represent the “stencil” which is going to be “filled in” with the concepts/relations taken from the support. A CG can be viewed as a bipartite graph that provides a semantic set of pointers to two ontologies. This means that we can reuse sources’ ontologies, database schemas etc. for the purpose of describing those sources by means of a CG. Moreover, the attached semantics of Conceptual Graphs make them a powerful knowledge representation and reasoning formalism [5].

Layered Conceptual Graphs (LCGs for short) is a rigorously defined representation formalism evolved from Conceptual Graphs. It allows highlighting a new type of rendering based on the additional expansion of concept / relation nodes. This way hierarchical knowledge can be represented in a mathematically sound manner. The semantics associated with layered conceptual graphs are based on the semantics of conceptual graphs and are described in more detail in [6]. LCGs preserve the bipartite graph structure of the original model by defining transitional descriptions which allow a successive construction of bipartite graphs. Unlike existing approaches, the knowledge detailed on a level of a hierarchy is put in context by using descriptions for relation nodes as well. A transitional description of a bipartite graph G provides a set D of complex nodes in one of the classes of the bipartition, each complex node having an associated description. Complex nodes are visually depicted in bold. Their descriptions are disjoint bipartite graphs. The neighbors of complex nodes either have empty descriptions or are described as bipartite graphs. These bipartite graphs contain in one of the classes of the bipartition, (V_C), all the atomic neighbors of the initial graph. The remaining nodes in each of these classes are new nodes or are taken from the descriptions of the corresponding complex neighbors of the initial graph. In other words, if we have an interconnected world described by a CG and if we can provide details about both some complex concepts and their relationships, then we can construct a second level of knowledge about this world, describing these new details as Conceptual Graphs and applying the corresponding substitutions. This process can be similarly performed with the last constructed level, thus obtaining a coherent set of layered representations of the initial world. We will use Layered Conceptual Graphs for representing the policy rules and then their associated “expansion” properties for highlighting the interdependencies between such rules.

4.2 Intelligent policy rules

This section will present a simple real-world example of policy rules for HealthAgents. Figure 4 depicts the support for our framework. Please note that the support is not exhaustive, being intended for illustration purposes only. The concept hierarchy is comprised of the top, universal type, further refined as a subject, resource, policy rule or attribute. Policy rule is a stand alone concept as one of our aims is to represent their interdependencies. The agents are further specialised in database agent, classifier agent and yellow pages agent. The relation hierarchy is made out of binary relations: access and attribute; and ternary relations: associate. For simplicity reasons we only consider two very generic access relations: managed and requests.

Figure 4: Intelligent Policy Rules Support. Concept hierarchy: T is refined into Policy Rule, Resource, Subject and Attribute; Subject into Agent and User; User into Clinician; Agent into Database Agent, Classifier Agent and Yellow Pages Agent; Attribute into Location and Type. Relation hierarchy: T(T,T,T) with associated(Subject, Subject, Policy Rule); T(T,T) with hasAttribute(T, Attribute) and access(T,T), the latter refined into managed(Resource, Subject) and requests(Subject, Resource).

Figure 5: Some Policy Rules between Different Agents. Database Agent: * associated with Policy Rule: PR1; Clinician: * associated with Policy Rule: PR2; Classifier Agent: * associated with Policy Rule: PR3; Yellow Pages Agent: * associated with Policy Rule: PR4.

In Figure 5 a bipartite graph is depicted for four policy rules. The policy rules are depicted on the right hand side of the picture while the subjects are represented on the left. To increase readability the edges are not explicitly ordered in the Figure. The bolded out nodes stand for complex nodes, that is, nodes that can be further expanded. The four agents from the interaction are:

• Clinical GUI Agent: the clinician, working in a given hospital, requesting the d-DSS for a case to be classified. In Figure 5 we used the term “clinician” for clarity purposes.
• Database Agent: gives access to the data from a given hospital.
• Classifier Agent: a software that classifies brain tumor cases based on their characteristics (MRS spectra, case meta-data, etc.)
• Yellow Pages Agent.

The policy rules depicted in Figure 5 address the following scenarios:

• PR1: A clinician wants to view data from a hospital.
• PR2: A clinician directly asks a specific classifier for a case to be categorized.
• PR3: A user asks the yellow pages for a classifier and the classifier is found by the yellow pages.
• PR4: Classifiers want to exchange information for combination.

Due to space limitations we only focus on a subset of the first scenario, namely the clinicians accessing data from a hospital. We want to reinforce the fact that only clinicians within the same hospital as the data have access to them. This information is captured in Figure 6. Indeed, the bolded out nodes (the relation node associated and the concept node policy rule) will be expanded to capture this information. Please note that the concepts database agent and clinician remain unchanged, but are now linked to several relations to express the required information. Figure 6 represents the fact that a clinician, who has a certain location, is allowed to access a resource which is at the same location as him and is managed by a database agent.

Based on the example above we have demonstrated that we can represent hierarchical information in a consistent, mathematically correct manner. However, beside their representational capabilities, Layered Conceptual Graphs also have attached rigorous reasoning mechanisms. In the remainder of the section we will present a simple example that illustrates some of the reasoning capabilities we can benefit from. Consider the example presented in Figure 7.
On the left hand side the expanded PR1 policy rule graph is depicted. On the right hand side we consider the query graph that wants to check if Maurice, a user from Birmingham, is allowed to request data from Valencia. Checking whether the rules allow for that query is done by means of projection, a labelled graph homomorphism between the query graph and the rules graph. More precisely, the relation nodes are projected into relation nodes and concept nodes into concept nodes. The structure of the graph also has to be preserved. We can see that, in this example, the answer to the query is “no”. This is due to the fact that the structure of the query graph does not match the rule (more precisely, there is no “sameAs” relation in the query graph). Please note that information from the support is also considered while performing the projection. For example the concept type user from the query graph has been projected onto the concept type clinician (according to the concept type hierarchy). In the same way, according to the relation hierarchy, the relation node request was projected onto the relation node access.

Figure 6: Policy Rule 1 expanded. Top level: Clinician: * and Database Agent: * associated with Policy Rule: PR1. Expansion: Clinician: * hasAttribute Location: *; Clinician: * access Resource: *; Resource: * hasAttribute Location: *; Location: * sameAs Location: *; Resource: * managed Database Agent: *.

Figure 7: Policy Rule 1 Query Projection. Left (expanded PR1): Clinician: * hasAttribute Location: *; Clinician: * access Resource: *; Resource: * hasAttribute Location: *; Location: * sameAs Location: *; Resource: * managed Database Agent: *. Right (query): User: Maurice hasAttribute Location: Bham; User: Maurice request Resource: *; Resource: * hasAttribute Location: Valencia; Resource: * managed Database Agent: 12.
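The projection check of Figure 7, written out as an added example (not code from the paper or the HealthAgents project). It encodes the support of Figure 4, the expanded PR1 graph of Figure 6 and the Maurice query of Figure 7 as small labelled bipartite graphs and searches for a labelled graph homomorphism from the rule onto the query. Assumptions of this example: the rule pattern must project onto the query (every relation node of PR1 needs an image in the query, which is why the missing sameAs makes the answer "no"); two types are compatible when they are comparable in the hierarchy in either direction, mirroring the paper's matching of User with Clinician and request with access; sameAs is treated as a binary relation under T(T,T) because Figure 6 uses it while Figure 4 omits it; the second query (clinician Ana) is constructed here as a positive case.

```python
# Added example (not the paper's code): projection of the expanded PR1 rule
# graph onto a query graph, using the support of Figure 4.
# Assumptions: the rule must project onto the query (each relation node of PR1
# needs an image); types are compatible when comparable in either direction
# (User with Clinician, request with access); sameAs is an assumed T(T,T) relation.

# Concept type hierarchy from Figure 4 (child -> parent).
CONCEPT_PARENT = {
    "Policy Rule": "T", "Resource": "T", "Subject": "T", "Attribute": "T",
    "Agent": "Subject", "User": "Subject", "Clinician": "User",
    "Database Agent": "Agent", "Classifier Agent": "Agent",
    "Yellow Pages Agent": "Agent", "Location": "Attribute", "Type": "Attribute",
}
# Relation type hierarchy from Figure 4; T2 and T3 stand for T(T,T) and T(T,T,T).
RELATION_PARENT = {
    "hasAttribute": "T2", "access": "T2", "managed": "access",
    "requests": "access", "associated": "T3",
    "sameAs": "T2",  # assumed: used in Figure 6, absent from Figure 4
}

def comparable(a, b, parents):
    """True if a and b are equal or one is an ancestor of the other."""
    def chain(t):
        out = set()
        while t in parents:
            t = parents[t]
            out.add(t)
        return out
    return a == b or a in chain(b) or b in chain(a)

# A graph is {"concepts": {id: (type, marker)}, "relations": [(type, (arg ids))]}.
# Expanded PR1 (Figure 6): a clinician may access a resource at the clinician's
# own location, managed by a database agent. "*" is the generic marker.
PR1 = {
    "concepts": {"c": ("Clinician", "*"), "lc": ("Location", "*"),
                 "r": ("Resource", "*"), "lr": ("Location", "*"),
                 "d": ("Database Agent", "*")},
    "relations": [("hasAttribute", ("c", "lc")), ("access", ("c", "r")),
                  ("hasAttribute", ("r", "lr")), ("sameAs", ("lc", "lr")),
                  ("managed", ("r", "d"))],
}
# Query from Figure 7: Maurice, a user in Birmingham, requests data held in Valencia.
MAURICE = {
    "concepts": {"u": ("User", "Maurice"), "lb": ("Location", "Bham"),
                 "r": ("Resource", "*"), "lv": ("Location", "Valencia"),
                 "d": ("Database Agent", "12")},
    "relations": [("hasAttribute", ("u", "lb")), ("requests", ("u", "r")),
                  ("hasAttribute", ("r", "lv")), ("managed", ("r", "d"))],
}
# Constructed query (not from the paper): a clinician in Valencia requesting
# Valencia data, with the two location nodes asserted to be the same.
LOCAL = {
    "concepts": {"u": ("Clinician", "Ana"), "l1": ("Location", "Valencia"),
                 "r": ("Resource", "*"), "l2": ("Location", "Valencia"),
                 "d": ("Database Agent", "12")},
    "relations": [("hasAttribute", ("u", "l1")), ("requests", ("u", "r")),
                  ("hasAttribute", ("r", "l2")), ("sameAs", ("l1", "l2")),
                  ("managed", ("r", "d"))],
}

def project(rule, query):
    """Return a mapping rule node -> query node if the rule projects onto the
    query (relation nodes map to relation nodes of the same arity, argument
    order is kept, labels are compatible), otherwise None. Backtracks."""
    def search(rels, mapping):
        if not rels:
            return mapping
        (rtype, args), rest = rels[0], rels[1:]
        for qtype, qargs in query["relations"]:
            if len(qargs) != len(args) or not comparable(rtype, qtype, RELATION_PARENT):
                continue
            new, ok = dict(mapping), True
            for rid, qid in zip(args, qargs):
                rtyp, rmark = rule["concepts"][rid]
                qtyp, qmark = query["concepts"][qid]
                if (new.get(rid, qid) != qid  # node already mapped elsewhere
                        or not comparable(rtyp, qtyp, CONCEPT_PARENT)
                        or not (rmark == "*" or rmark == qmark)):
                    ok = False
                    break
                new[rid] = qid
            if ok:
                found = search(rest, new)
                if found is not None:
                    return found
        return None
    return search(rule["relations"], {})

def allowed(query):
    """PR1 applies to the query exactly when a projection exists."""
    return project(PR1, query) is not None
```

Running `allowed(MAURICE)` returns False because no query relation can serve as the image of the rule's sameAs node, while `allowed(LOCAL)` returns True with Clinician, the two Location nodes, the Resource and the Database Agent all mapped.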

5 Conclusions and future work

In this paper we proposed a knowledge intensive approach to expressing policy rules. We have motivated our approach based on a current limitation of existing work: no reasoning capabilities to manage rule interdependencies. Our work was explained in the context of HealthAgents, a distributed decision support system for brain tumor diagnosis. We evaluated our work theoretically, by showing gained representational and reasoning power. The examples were based on real-life policy rules considered for the HealthAgents prototype. Future work will further explore policy rule interdependencies from a knowledge representation point of view. It will be interesting (both from a policy rule and a Conceptual Graph research point of view) to clearly state what redundancy or incoherence means. For instance it would be interesting to investigate the reasons why a policy rule cannot be projected onto another policy rule (structural mismatch, type mismatch etc.).

6 Acknowledgements

This work is supported under the HealthAgents STREP project funded by EU Framework 6 under Grant number IST-FP6-027213. We would also like to thank Javier Vincente Robledo, Srinandan Dasmahapatra, Andrew Peet, Horacio Gonzalez-Velez and Alex Gibb for useful feedback on earlier versions of this paper.

References

[1] C. Arús, B. Celda, S. Dasmahapatra, D. Dupplaw, H. González-Vélez, S. van Huffel, P. Lewis, M. Lluch i Ariet, M. Mier, A. Peet, and M. Robles. On the design of a web-based decision support system for brain tumour diagnosis using distributed agents. In WI-IATW’06: 2006 IEEE/WIC/ACM Int. Conf. on Web Intelligence & Intelligent Agent Technology, pages 208–211, Hong Kong, December 2006. IEEE.
[2] F. Baader et al., editors. The Description Logic Handbook. Cambridge Univ. Press, 2003.
[3] R. J. Brachman and J. G. Schmolze. An Overview of the KL-ONE Representation System. Cognitive Science, 9(2):171–216, 1985.
[4] R. Chandramouli. A framework for multiple authorization types in a healthcare application system. Proceedings of the 17th Annual Computer Security Applications Conference, 1:137–148, 2001.
[5] M. Chein and M.-L. Mugnier. Conceptual graphs: Fundamental notions. Revue d’Intelligence Artificielle, 6(4):365–406, 1992.
[6] M. Croitoru, E. Compatangelo, and C. Mellish. Hierarchical knowledge integration using layered conceptual graphs. In Proc. of the 13th Int’l Conf. on Conceptual Structures (ICCS’2005), number 3596 in Lect. Notes in Artif. Intell., pages 267–280. Springer, 2005.
[7] A. Kleppe, J. Warmer, and W. Bast. MDA Explained: The Model Driven Architecture: Practice and Promise. Addison, 2003.
[8] T. Morgan. Business Rules and Information Systems. Addison, 2002.
[9] Object Management Group (OMG). The OMG Unified Modeling Language (UML) Specification Ver. 1.5, March 2003.
[10] C. S. Peirce. Manuscript 514, 1909. Available at http://www.jfsowa.com/peirce/ms514.htm.
[11] M. Quillian. Semantic memory. In M. Minsky, editor, Semantic Information Processing, pages 227–270. MIT Press, 1968.
[12] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. Computer, 29:38–47, 1996.
[13] J. F. Sowa. Conceptual Structures: Information Processing in Mind and Machine. Addison-Wesley, 1984.
[14] A. R. Tate, J. Underwood, D. M. Acosta, M. Julia-Sape, C. Majos, A. Moreno-Torres, F. A. Howe, M. van der Graaf, M. M. Lefournier, F. Murphy, A. Loosemore, C. Ladroue, P. Wesseling, J. L. Bosson, A. W. Simonetti, W. Gajewicz, J. Calvar, A. Capdevila, P. Wilkins, A. C. Bell, C. Remy, A. Heerschap, D. Watson, J. R. Griffiths, and C. Arus. Development of a decision support system for diagnosis and grading of brain tumours using in vivo magnetic resonance single voxel spectra. NMR Biomed, 19:411–434, 2006.
[15] T. Verhanneman, F. Piessens, B. De Win, E. Truyen, and W. Joosen. A modular access control service for supporting application-specific policies. IEEE Distributed Systems Online, 7:367–398, 2006.
[16] J. Wimalasiri, P. Ray, and C. Wilson. Maintaining security in an ontology driven multi-agent system for electronic health records. Proceedings of the 6th International Workshop on Enterprise Networking and Computing in Healthcare Industry, 1:19–34, 2004.
[17] L. Xiao, L. Peet, P. Lewis, S. Dasmahapatra, C. Saez, M. Croitoru, J. Vicente, H. Gonzalez-Valez, and M. Lluch. An adaptive security model for multi-agent systems and application to a clinical trials environment. In The First IEEE International Workshop on Security in Software Engineering, 2007.
