Provenance Requirements of the Semantic Firewall Project

Author: Simon Miles
Project: This work was conducted as part of the PASOA project (EPSRC GR/S67623/01)
Last modified: 27th October 2004

This document describes the provenance-related requirements of the Semantic Firewall project. We are grateful to Ron Ashri for the requirements below.


The Semantic Firewall project aims to deal with the security implications of supporting complex, dynamics relationships between service providers and clients that operate from within different domains, where different security policies may hold and different security capabilities exist [1]. For instance, if a client wishes to delegate their access to data to another service, a complex interaction between the services may be necessary to ensure security requirements are met. They wish to deploy a semantic firewall which will reason about the multiple security policies and allow different operations to take place on the basis of that reasoning. The reasoning can be dependent on the entities interacting and other contextual information provided to and from the existing security infrastructures. The semantic firewall can be seen as guiding the interacting parties through a series of interaction protocol states on the basis of reasoning, ensuring that interactions follow the security policies of individual domains.

[1] Towards a Semantic Web Security Infrastructure. Ronald Ashri, Terry Payne, Darren Marvin, Mike Surridge, Steve Taylor. Semantic Web Services Spring Symposium 2004.

Use Cases

Use of provenance 1: Justifying denial of access

The infrastructure must be able to provide justification, i.e. records of its reasoning, regarding why it permitted or denied an interaction to take place. Without this, the infrastructure will not be trusted.

Use of provenance 2: Network forensics

It should not be assumed that everything will always work as it should. It is important that the records of interactions between clients, services and semantic firewalls be monitored and recorded so that they can be examined after a potential attack. This will help determine whether anything did actually go wrong and whether policies should be changed to rectify the problem.