12 research outputs found

    Teleo-Reactive policies for managing human-centric pervasive services.

    Event-Condition-Action (ECA) policies are often used to manage various aspects of adaptation and execution of pervasive systems. Such policies are well suited for services where: 1) given actions are reliably executed when they are requested, 2) there is no priority ordering amongst multiple available actions, and 3) execution is instantaneous with respect to the validity of conditions under which they were initiated. However, for a pervasive service that integrates human agents and human activities, these assumptions do not generally hold. Humans may misbehave by postponing the execution of certain actions or ignoring them altogether. Performing an action may take a long time so that the action is no longer needed or more important actions may need to be executed. Managing such behaviours through ECA policies is complex and difficult to implement. This paper introduces a new management policy type, called a Teleo-Reactive policy, whose semantics are based on continuous monitoring of the environment and prioritising available actions. The semantics result in more flexible and concise formulation of management policies for human-centric pervasive services. We demonstrate how these policies can be applied in a real-world use case scenario set in a nursing home and describe the underlying implementation based on the Androids Java platform. © 2010 IEEE

    Harnessing Models for Policy Conflict Analysis

    Policy conflict analysis processes based solely on the examination of policy language constructs cannot readily discern the semantics associated with the managed system for which the policies are being defined. However, by developing analysis processes that can link the constructs of a policy language to the entities of an information model, we can harness knowledge relating to relationships and associations, constraint information, behavioural specifications codified by finite state machines, and extensive semantic information expressed via ontologies to provide powerful policy analysis processes.

    Executable Graphics for PBNM

    Policy-Based Network Management (PBNM) is the application of specific, organisation-level rules in the context of networking, in particular for network management operations. The specification of a policy is performed in a policy language, usually following a textual representation. However, humans process images faster than text and they are prepared to process information presented in two or more dimensions: sometimes it is easier to explain things using figures and their graphical relations than writing textual representations. This paper describes a visual language, in the form of graphics that are executed in a networking environment, to define a network management policy. This approach allows visual tokens and corresponding arrangements to be mapped into other languages to which a mapping is defined.

    Transaction Logic with (Complex) Events

    This work deals with the problem of combining reactive features, such as the ability to respond to events and define complex events, with the execution of ACID transactions over general Knowledge Bases (KBs). With this as goal, we build on Transaction Logic (TR), a logic precisely designed to model and execute (ACID) transactions in KBs defined by arbitrary logic theories. In it, transactions are written in a logic-programming style, by combining primitive update operations over a general KB, with the usual logic programming connectives and some additional connectives e.g. to express sequence of actions. While TR is a natural choice to deal with transactions, it remains the question whether TR can be used to express complex events, but also to deal simultaneously with the detection of complex events and the execution of transactions. In this paper we show that the former is possible while the latter is not. For that, we start by illustrating how TR can express complex events, and in particular, how SNOOP event expressions can be translated in the logic. Afterwards, we show why TR fails to deal with the two issues together, and propose Transaction Logic with Events to solve the intended problem. The achieved solution is a non-monotonic conservative extension of TR, which guarantees that every complex event detected in a transaction is necessarily responded to. Along with its syntax, model theory and executional semantics, we prove some properties, including that it is indeed a conservative extension, and that it enjoys important properties of non-monotonic logics, like support.

    Expressive policy based authorization model for resource-constrained device sensors.

    Chapters II, III and IV are subject to confidentiality by the author. 92 p. Upcoming smart scenarios enabled by the Internet of Things (IoT) envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multistakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Given that, strong security in general and access control in particular is a must. However, tightness, feasibility and usability of existing access control models do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In fact, (1) traditional access control solutions are not feasible in all constrained devices due to their big impact on the performance although they provide the highest effectiveness by means of tightness and flexibility. (2) Recent access control solutions designed for constrained devices can be implemented only in not so constrained ones and lack policy expressiveness in the local authorization enforcement. (3) Access control solutions currently feasible in the most severely constrained devices have been based on authentication and very coarse grained and static policies, scale badly, and lack a feasible policy based access control solution aware of local context of sensors. Therefore, there is a need for a suitable End-to-End (E2E) access control model to provide fine grained authorization services in service oriented open scenarios, where operation and management access is by nature dynamic and that integrate massively deployed constrained but manageable sensors.
Precisely, the main contribution of this thesis is the specification of such a highly expressive E2E access control model suitable for all sensors including the most severely constrained ones. Concretely, the proposed E2E access control model consists of three main foundations. (1) A hybrid architecture, which combines advantages of both centralized and distributed architectures to enable multi-step authorization. Fine granularity of the enforcement is enabled by (2) an efficient policy language and codification, which are specifically defined to gain expressiveness in the authorization policies and to ensure viability in very-constrained devices. The policy language definition enables both to make granting decisions based on local context conditions, and to react accordingly to the requests by the execution of additional tasks defined as obligations. The policy evaluation and enforcement is performed not only during the security association establishment but also afterward, while such security association is in use. Moreover, this novel model provides also control over access behavior, since iterative re-evaluation of the policy is enabled during each individual resource access. Finally, (3) the establishment of an E2E security association between two mutually authenticated peers through a security protocol named Hidra. Such Hidra protocol, based on symmetric key cryptography, relies on the hybrid three-party architecture to enable multi-step authorization as well as the instant provisioning of a dynamic security policy in the sensors. Hidra also enables delegated accounting and audit trail. Proposed access control features cope with tightness, feasibility and both dimensions of usability such as scalability and manageability, which are the key unsolved challenges in the foreseen open and dynamic scenarios enabled by IoT.
Related to efficiency, the high compression factor of the proposed policy codification and the optimized Hidra security protocol relying on a symmetric cryptographic schema enable the feasibility as it is demonstrated by the validation assessment. Specifically, the security evaluation and both the analytical and experimental performance evaluation demonstrate the feasibility and adequacy of the proposed protocol and access control model. Concretely, the security validation consists of the assessment that the Hidra security protocol meets the security goals of mutual strong authentication, fine-grained authorization, confidentiality and integrity of secret data and accounting. The security analysis of Hidra conveys on the one hand, how the design aspects of the message exchange contribute to the resilience against potential attacks. On the other hand, a formal security validation supported by a software tool named AVISPA ensures the absence of flaws and the correctness of the design of Hidra. The performance validation is based on an analytical performance evaluation and a test-bed implementation of the proposed access control model for the most severely constrained devices. The key performance factor is the length of the policy instance, since it impacts proportionally on the three critical parameters such as the delay, energy consumption, memory footprint and therefore, on the feasibility. Attending to the obtained performance measures, it can be concluded that the proposed policy language keeps such balance since it enables expressive policy instances but always under limited length values.
Additionally, the proposed policy codification improves notably the performance of the protocol since it results in the best policy length compression factor compared with currently existing and adopted standards. Therefore, the assessed access control model is the first approach to bring to severely constrained devices a similar expressiveness level for enforcement and accounting as in current Internet. The positive performance evaluation concludes the feasibility and suitability of this access control model, which notably raises the security features on severely constrained devices for the incoming smart scenarios. Additionally, there is no comparable impact assessment of policy expressiveness of any other access control model. That is, the presented analysis models as well as results might be a reference for further analysis and benchmarking.
Many of the devices we use today have embedded microprocessors, in order to take measurements in the process they act on and to act as the result of some logic. For this, both sensors and actuators are used (from here on, as is accepted in the community, we will call them sensors even though they have both uses). In the most widespread uses to date, the devices have been connected either individually or in local networks. In this way, sensors have been used to enable and improve an organisation's processes, either cooperating by acting on one another or under the command of a main server. The so-called Internet of Things (IoT) connects devices that have sensors through the Internet and enables broader and more efficient processes. Smartcity, Smartgrid, Smartfactory and other smart ecosystems aim to enable new uses and increase their impact by exploiting the possibilities of current and upcoming communication technologies. Accordingly, these ecosystems are broad, organisations from different domains take part in them, and the number of devices with purpose-specific sensors is enormous.
Sensors are therefore purpose-specific, cheap and small, and their first main use to date has been to measure some physical magnitude and send these measurements to a centralised server. That is, to measure what happens in the surroundings and to transmit the measurement data to a given server periodically or when a threshold condition is met. The server applies the logic and the whole system then operates intelligently. In this mode of operation, the concern of guaranteeing the security of communications between previously known entities, even when they pass over the Internet, is today resolved to an acceptable degree. But advanced smart ecosystems also foresee another behaviour from sensors. Sensors also offer services through which one can interact with them. In an organisation's processes, in cooperation with organisations of other origins, there are two main uses of this behaviour. On the one hand, a user taking part in the process (who need not be the owner) may interact with the surroundings and, in doing so, may need the devices to adapt to his or her particular characteristics. On the other hand, the technicians who look after the operation and maintenance of the sensors may need services to adjust them. Since the location of sensors and users is undetermined, such interactions are in many cases expected to take place over the Internet and to be direct (end-to-end). That is, there are many small sensors here and there enabling the intelligence of the system and offering tiny services for direct interaction. Direct service is on the one hand simpler and more efficient, but on the other it also poses challenges. Indeed, because the sensors are so small, they cannot implement today's standard protocols and mechanisms. Therefore, purpose-specific protocols are being created from the network layer up to the application layer. Unfortunately, these protocols aim to be lightweight and do not analyse and implement security as they should.
And although purpose-specific access control models do exist, because of the scarcity of resources they are neither tight nor manageable. Moreover, according to Gartner, the main obstacle currently limiting investment in advanced uses is distrust regarding security. And this is precisely the challenge and the subject addressed by this thesis: given that, on the one hand, sensors are so small and resources so scarce (10kB RAM, 100 kB Flash and batteries, in the smallest sensors) and, on the other, the Internet is so vast and dangerous, to specify a new tight, lightweight and manageable model for the control of direct access that increases security, and to analyse its usability

    Suppl: A Flexible Language for Policies

    Abstract. We present the Simple Unified Policy Programming Language (Suppl), a domain-neutral language for stating, executing, and analyzing event-condition-action policies. Suppl uses a novel combination of pure logic programming and disciplined imperative programming features to make it easy for non-expert users to express common policy idioms. The language is strongly typed and moded to allow static detection of common programming errors, and it supports a novel logic-based static analysis that can detect internally inconsistent policies. Suppl has been implemented as a compiler to Prolog and used to build several network security applications in a Java framework.

    Security Management System for 4G Heterogeneous Networks

    There is constant demand for the development of mobile networks to meet the service requirements of users, and their development is a significant topic of research. The current fourth generation (4G) of mobile networks are expected to provide high speed connections anywhere at any time. Various existing 4G architectures such as LTE and WiMax support only wireless technologies, while an alternative architecture, Y-Comm, has been proposed to combine both existing wired and wireless networks. Y-Comm seeks to meet the main service requirements of 4G by converging the existing networks, so that the user can get better service anywhere and at any time. One of the major characteristics of Y-Comm is heterogeneity, which means that networks with different topologies work together to provide seamless communication to the end user. However, this heterogeneity leads to technical issues which may compromise quality of service, vertical handover and security. Due to the convergence characteristic of Y-Comm, security is considered more significant than in the existing LTE and WiMax networks. These security concerns have motivated this research study to propose a novel security management system. The research aims to meet the security requirements of 4G mobile networks, e.g. preventing end user devices from being used as attack tools. This requirement has not been met clearly in previous studies of Y-Comm, but this study proposes a security management system which does this. This research follows the ITU-T recommendation M.3400 dealing with security violations within Y-Comm networks. It proposes a policy-based security management system to deal with events that trigger actions in the system and uses Ponder2 to implement it. The proposed system, located in the top layer of the Y-Comm architecture, interacts with components of Y-Comm to enforce the appropriate policies. 
Its four main components are the Intelligent Agent, the Security Engine, the Security Policies Database and the Security Administrator. These are represented in this research as managed objects to meet design considerations such as extensibility and modifiability. This research demonstrates that the proposed system meets the security requirements of the Y-Comm environment. Its deployment is possible with managed objects built with Ponder2 for all of the components of Y-Comm, which means that the security management system is able to prevent end user devices from being used as attack tools. It can also achieve other security goals of Y-Comm networks

    Handling Emergent Conflicts in Adaptable Rule-based Sensor Networks

    This thesis presents a study into conflicts that emerge amongst sensor device rules when such devices are formed into networks. It describes conflicting patterns of communication and computation that can disturb the monitoring of subjects, and lower the quality of service. Such conflicts can negatively affect the lifetimes of the devices and cause incorrect information to be reported. A novel approach to detecting and resolving conflicts is presented. The approach is considered within the context of home-based psychiatric Ambulatory Assessment (AA). Rules are considered that can be used to control the behaviours of devices in a sensor network for AA. The research provides examples of rule conflict that can be found for AA sensor networks. Sensor networks and AA are active areas of research and many questions remain open regarding collaboration amongst collections of heterogeneous devices to collect data, process information in-network, and report personalised findings. This thesis presents an investigation into reliable rule-based service provisioning for a variety of stakeholders, including care providers, patients and technicians. It contributes a collection of rules for controlling AA sensor networks. This research makes a number of contributions to the field of rule-based sensor networks, including areas of knowledge representation, heterogeneous device support, system personalisation, and in particular, system reliability. This thesis provides evidence to support the conclusion that conflicts can be detected and resolved in adaptable rule-based sensor networks

    Conflict Handling in Policy-Based Management by Means of A Priori Modelling (Konfliktbehandlung im policy–basierten Management mittels a priori Modellierung)

    Policy-based management is gaining increasing importance in both research and industry. Owing to distributed specification and divergent goals, policies can conflict with one another. The existing approaches to policy conflict handling are of only limited use, since they are often limited to a dedicated policy language, cannot by their nature detect important types of conflict, or offer no methodology for integrating novel types of conflict. This work shows that, by taking management models into account, new types of conflict can be demonstrated that so far cannot be handled with the approaches in the literature. To this end, management models are treated as a priori models. An a priori model describes the target state of a system and thus defines a set of conditions to be satisfied. On this premise, novel conflicts, namely conflicts between relationships of management objects, are demonstrated. The core of the solution is a methodology for deriving conflict definitions from model aspects. Starting from model aspects, invariants are derived, linked to policy actions, and finally preconditions are defined whose observance prevents conflicts. The broad applicability of the methodology is shown by means of a static relationship model for the relationships of functional dependency and containment. Likewise, the applicability of the methodology is demonstrated for finite automata as representatives of dynamic models. For conflict handling, a new algorithm was developed that consists of the phases conflict localisation, conflict detection and conflict resolution. In the first phase, the number of policies to be considered is quickly reduced by forming subsets. In the last phase, strategies are developed for the individual types of conflict that ensure optimal conflict resolution.
The algorithm is applicable to both preventive and reactive conflict handling. To achieve a generic solution, important design goals for the methodology and the algorithm are: independence from a dedicated policy language, the breadth of conflict types that can be handled, and independence from a specific management information model. The practical applicability of the solution is shown by an exemplary mapping of the conflict definitions into the Common Information Model