Sei sulla pagina 1di 10


Dual Encrypted Global Metadata: an approach to secure metadata

S. M. Khalid Jamal and Naz. A.
Abstract Mobile phones are becoming a necessity for everyone in the world. But they do not have enough storage space to store all of a users data, as compared to computers. So, instead of using a central repository, device transparency is being used nowadays. Device transparency provides an identical, unified and complete collection of data objects to the user, either the device is connected or disconnected from the network or the device is turned off. Thus it represents the scenario for global metadata. In this paper, we proposed Dual Encrypted Global Metadata model called DEGM, for providing dual encryption to the sensitive data present in this coherent collection of data, in order to secure the sensitive data from adversary. For providing communication between mobile phones, we used Bluetooth technology in DEGM. Also query responses are encrypted with the confidentiality policies, so that sensitive data can not be accessed by unauthorized inference. Categories and Subject Descriptors C.2.1 [Computer-Communication Networks]: Network Architecture and DesignWireless communication, Distributed networks; C.2.2 [Computer-Communication Networks]: Network ProtocolsApplications (SMTP, FTP, etc.); C.2.4 [Computer-Communication Networks]: Distributed SystemsDistributed databases; C.2.4 [Distributed Systems]: Distributed applications; D.4.6 [Operating Systems]: Security and Protectionaccess controls, authentication; K.6.5 [Management of Computing and Information Systems]: Security and Protection authentication. General Terms Algorithms, Design, Reliability, Security. Keywords DEGM, Mobile Phones, Mobile Devices, Bluetooth, Storage System, Global Metadata, Dual Encryption, Caching Mechanism, Version Case, Mobile Database, Data Access, Device Transparency, Integrity, Digital Signature, Cryptographic Storage.

Mobile database is used to exchange the data remotely without worrying about time and space. Mobile database actually provides connection to the mobile devices wirelessly. So, for these mobile devices, caching mechanism [1] is necessary to store the frequently used data so that due to disconnection from network or due to any failure, data can not be lost. Since the use of mobile devices is increasing rapidly but to manage their data objects is a very difficult task. Data objects can be lost or dislocated. So, device transparency [2] provides a scenario for metadata everywhere. This provides an identical, unified, complete and coherent collection of data objects to the user even if device is turned off. This metadata everywhere allows devices to know about all the data objects of each other including the one that is stored locally. Metadata everywhere allows accessing the data from database even when any of the devices is disconnected from network [2]. In mobile ad hoc network, all mobile nodes are wirelessly connected to each node and each node can discover its own route to send the packets. In federated database system, all the mobile nodes represent one

logical integrated view of heterogeneous and distributed data objects. The Bluetooth technology is used to achieve connectivity between mobile devices wirelessly [3]. The dual encryption scheme [7] is used to secure the sensitive knowledge. In this scheme, we select a subset of data and encrypt it with one key. Another different key is applied to the original data. After decryption, both must provide the same results. But if the results are not same then it will detect the attack. In this scheme also secret key and functions are provided. In this research paper, we proposed a model called Dual Encrypted Global Metadata (DEGM). This model provides enhancement to the incompatibilities in [2, 3, 7, 8], as the concepts presented in [2, 3] can be enhanced with respect to the limited storage space of mobile phones. So our model provides the illusion of device transparency, in which each mobile phone has the information of all other mobile phones data objects, also including the one that is stored locally. In this model four types of applications are running on each mobile phone. Some policy rules are discussed for the placement of data objects and their related version numbers. Cache storage mechanism is also introduced



for the storage of most frequently used data. For the appliance of dual encryption, rules are provided that must be followed for securing the cryptographic storage. Layered structure is introduced for the metadata application. This model also represents the concept of encrypting the remote query responses by enforcing the confidentiality policies. Actually these policies will determine the list of users, who are authorized to receive the data. The rest of the paper is organized as follow: In section 2, definitions regarding the distributed database are provided. Section 3 presents the related work for device transparency. Section 4 provides an overview of related research for the implementation of federated database on Bluetooth enabled mobile devices. In section 5, types of cryptographic algorithms are discussed. The work for dual encryption scheme is discussed in section 6. In section 7, we describe our DEGM model. We then conclude in section 8.

2.2.3 Replication Copy of fragment may be maintained at several sites. The transparencies in distributed database management system are of following types: a) b) c) d) In distribution transparency, the user has to consider the distributed database as a single unified logically interrelated entity. So, related to distribution transparency, below are types: Data allocation transparency, fragment transparency, replication transparency and naming transparency. Distribution transparency. Transaction transparency. Performance transparency. Database management system transparency.


This section presents the definitions [4] for distributed database, distributed database management system. Also definitions for the data allocation, fragmentation and replication are presented, which are the design issues of distributed database. 2.1 Distributed Database A distributed database is logically interrelated collection of shared data, physically distributed over a computer network. 2.2 Distributed Database Management System A distributed database management system is a software system that permits the management of distributed database and makes distribution transparent to user. Distributed database provides sharing of data in order to make the data accessible by all the units and to store the data close to where it is most frequently used. The issues for designing the distributed database are: 2.2.1 Data Allocation Where the data is to be placed, data should be stored at site with optimal distribution. 2.2.2 Fragmentation Relation may be divided into a number of sub relations (fragments), which are stored in different sites. A mobile database connects small devices, such as mobile phones, pocket cameras or media players. So, device transparency provides a single, identified and coherent view of storage collection of data objects to the user [2]. All the devices in the group will be having their own locally stored data but also will be having the undue burden of others devices data [2]. So that if user can not find the required data object from hers own device, then application provides the information, that which device is responsible for that required data object, even if that device is turned off due to any reason. In device transparency, it is the application and user that specifies which device is to be selected for which data object. So, it is the application that operates different tasks such as, to create and manipulate the data objects, to ignore or resolve the conflicts among data objects by using unique identity of data objects, versions and contents. Also, these applications provide placement rules and event notification. But sometimes it is unpredictable for the user, that which data is present on which device. So, thats why user must also participate in the grouping of the data objects. Since there could be a number of versions of a single data object, due to updates, then the older version should be evicted but only under the condition if all the devices have known about all the older versions of that data object. Eviction is necessary as it acquires extra cost and space in the storage. This collection of data is only



for small group and not for an organization as all these small devices can store only a small size of metadata [2].

The Bluetooth technology is implemented to achieve connectivity between small mobile devices, as cell phones, digital cameras, printers, modems, headsets and so on, wirelessly. Bluetooth actually provides a replacement for cable wires. All devices in a group should have the Bluetooth so that they can communicate with each other, with same protocols. It is a part of "unlicensed spectrum "i.e. when we are using it, we dont have to pay for the license from time to time, it is free, only we have to buy it [3]. It provides communication among the devices only for a short range, i.e. up to 100m. When only two devices communicate to each other, that is one is master and other is slave, then this case is point-to-point connection or piconet. Also the active number of slaves can be increased up to seven. But the inactive number of slaves can go up to 255, which can be active whenever master allows. The collection of the piconet is called scatternet. Only piconet is used, as in the market there is no such mobile phone that can support scatternet [3]. So, for this technology, Microsoft Visual Studio 2005, the Integrated Development Environment (IDE) is used. It makes use of C#, as it is in favor of Bluetooth protocol for communication among devices. And the database engine that is used is SQL server CE, as it provides GUI based query analyzer [3]. It is the application which is controlling mobiles operation. So, there are three types of applications, running on three different types of mobile nodes (mobile devices) [3], as shown in Figure 1: Node Operations Applicatio performed n Requesting node (RN) Database node (DBN) Send request to DD Contains local database and also a part of unified collection of data objects Contains schemas for all DBN, send RN applications with GUI DBN application with user less interface DD applications with user less

queries to DBNs then also provides query result


Figure 1. Applications running on different types of mobile nodes. The working flow of applications [3] is as follow: i. First the request node sends the query to DD. ii. Then DD discovers only one Bluetooth device at a time, since only a single device to device connection is allowed at a time, if Bluetooth is being used. This Bluetooth device should have its name like DBN 1 or DBN 2 so on. iii. DD then sends that request to DBN 1 and then delete DBNs entry from the list and wait for the acknowledgement in form of schema-filename- xml. iv. On acquiring that file, DD then reads the records from file and then store it in the DBNs schema database. v. DD then sends the result of the request back to RN. The caching mechanism [1] is important to store the frequently used data so that it can not be lost due to disorganization of data or due to any failure. Also the queries and their responses can be cached on mobile nodes.


Key is a knowledge without which it is impossible to read cipher text [5]. The three divisions of cryptographic algorithms on the basis of number of keys [6] are as follow: 5.1 Public Key (Asymmetric Cryptography) It contains two keys, one for encryption and other for decryption. That is public key and private key. Todays most dominantly used public key is RSA [5]. In public key, one key uses the mathematical functions as multiplication or exponentiation and the other key uses their inverse functions as factorization or logarithms. So the actual point is to determine what two

Database directory (DD)



pairs of numbers that one has used to encrypt the plaintext [6]. It does not matter which key is used first. So, this approach is implemented by RSA. Diffie-Hellman algorithm is used for secret-key key exchange only and not for authentication or digital signature. It provides the functionality of exchanging or user authentication and non-repudiation (to prove that the sender really sends this message) [6]. 5.2 Secret Key (Symmetric Cryptography) Same key is used for both encryption and decryption. Todays most dominantly used secret key is DES. So, larger the key, the more it is difficult for the adversary to break it [5]. The two types of secret key are: First, stream cipher key operates on single byte, which is constantly changing due to feedback mechanism. Second, block cipher key that operates on a block of data but remains constant. So, DES (block cipher) is a 56 bit key and operates on a 64 bit block of data. It provides functionality of encrypting the message to acquire privacy and confidentiality [6]. 5.3 Hash Function (One Way Cryptography) (Message Digest) To irreversible the encrypted information, it uses a mathematical transformation. It doesnt have any key, but a fixed length hash value, so plain text can not be recoverable from cipher text [6]. There are infinite numbers of files that can have same hash values. Message digest (MD) algorithm is the common one. For any length of message, it provides 128 bit hash value. It is a series of byte-oriented algorithm. It provides the functionality of data integrity, digital fingerprints of files contents and to encrypt the password [6]. 5.3.1 Digital Envelope It comprises of encrypted message and encrypted session key. Session key is generated at random at each session [6]. 5.3.2 Digital Signature It is formed in two steps: First, the hash function is computed for the sensitive data to be sent; next this hash value is encrypted with the private key [6].

The only goal of the attacker is to process queries on a subset of data in order to save the resources. So to secure the data, dual encryption is used. Cross examination is very similar to dual encryption. In dual encryption a subset of data is selected and encrypts it with one key. Then other key is applied on the original data. The results of both encrypted data must be same since both data belong to same plaintext [7]. But if adversary does not know this, then any modification in any one of the encrypted data will detect the disclosure of data, as the other encrypted data will remains the same. So, it transforms the original data in two different encrypted data [7]. To more secure this dual encryption, secret key is used. It is very difficult to find out the secret key (e) for a given data object. So, for any data object d, its dual information, ddual [7] is computed by one way hash function H () as, ddual = { H (e, d) H (e, d) +1 H (e, d) +2

So, one can check whether dual information is among {H (e, d), H (e, d) +1, H (e, d) +2}. If it is not among them then one can know that d is not a valid data object in the original collection of data. Also when we query any encrypted data, the query must also be itself encrypted [7]. 6.1 Policies for Queries To encrypt the remote query responses, the confidentiality policies are enforced by each data provider. So, with each query, there is a list of only those entities (users) who are authorized to view the response by satisfying these confidentiality policies [8]. 6.2 Functionalities of Dual Encryption Dual encryption provides two functionalities [7] of:



6.2.1 Data Integrity It refers to obtain the accurate data from the stored data that is available at that time. 6.2.2 Query Integrity It is the validity of the query result, i.e. we want to ensure that the response is correct and complete.

objects. But instead, it is used for other data objects to be stored. Also all the versions related to one data object should be present on the mobile having that related data object. So that upon query, only one mobile phone should response. Since the storage space is less so the query should provide the response that is minimal but should be strictly according to the requirements of the user. 7.1.2 Components It is the application that handles all the operations of a mobile phone. Like real player is an application and the data object is the songs. In our model, we named it mobile node (MN) application. So in MN application, there will be two other applications embedded, as shown in Figure 2. One is metadata (MD) application and other is local data (LD) application.


The underlying model presents the use of limited storage space of mobile phone in an optimized manner. Also the sensitive data is powerfully secured by using dual encryption so that no eavesdropper can disclose the sensitive data. 7.1 Description of Global Metadata The use of mobile phone is increasing rapidly. But their storage capacity is a serious problem. So if any central repository is used, then data will be inaccessible if there is disconnection of network or any failure occurrence. So in this model global meta data is discussed to provide a single, coherent view of all the a users dispersed and separate data objects, which are present on multiple mobile phones, even when the mobile phones are turned off. So the model consists of moving nodes, all with the implementation of Bluetooth technology, so that they all can communicate with each other wirelessly with the same protocol. In this model all mobile phones must know each others data objects along with the data stored locally. 7.1.1 Policies The application that is running on each mobile phone and the user both should form the decision rules, that which data object should reside on which mobile phone, depending on their storage capacity. Also care should be taken that which data is normal and which is sensitive, so that they can be placed in separate layers. Sometimes it becomes unpredictable for the user, the placement of data objects so thats why users participation is also necessary. So, the placement of the data objects should be like that no two mobile nodes get the same data objects, so that conflicts do not occur. Other reason is that there is a limited storage space of the mobile phone, so this limited space does not have to be wasted by keeping the same

Figure 2. Applications running on each mobile phone. Metadata applications (MD) contains the complete information of all of a users data objects and also the information about which device is responsible for which data object whether that device is turned on or off. Local data (LD) application contains only the local data objects of that particular mobile phone. The local data application also contains the updates for its respective data object. Then the entire moving nodes MD applications will receive the information about the new version number for its related data object automatically. These both applications are user interface less and are running in the background. There is also another application, query application, as shown in Figure 2, which is running with graphical interface on the mobile phone for interfacing with the user. This application can send and receive the queries. So in the DEGM model, all the above applications will be running on all the mobile nodes.



7.1.3 Version Case A data object can have a number of versions. This version history is due to a number of updates for a given data object. And each version is identified by its own unique version number. So, in the case if the required data object has a number of versions. Then the sender mobile phone will send all the related versions of that required data object. The user will then keep the required version(s) and evict the rest of version(s), as shown in Figure 3. Also the important point is that all the older versions of a given data object must be truncated, but only under the condition if all the older versions of that data object have been advertised to all the rest of the phones. This eviction of older version history is necessary from time to time as it acquires extra cost and storage space. Also mobile phones have already limited storage space.

communication and protecting password and sensitive data. In our model, we used dual encryption to provide security for sensitive data present on multiple mobile phones. 7.2.1 Rules for Securing Cryptographic Storage Before the appliance of dual encryption, there are some rules [9] to be followed for securing the cryptographic storage: 1. 2. Only encrypt the sensitive data. Use of strong cryptography, which is defined as: cryptography based on industry tested and accepted algorithms, along with strong key length and proper key management practices. Cryptography is a method to protect the data and includes both encryption and hashing. 3. Random numbers and long length keys are always used for strong cryptography. 4. Use hashed and salted value of password. 5. If database access controls (user name, password) fails then cryptographic protection must remains secure by using the key layer. 6. Always store the keys away from encrypted data so that if data is accessed by adversary then keys will remain protected. 7. Keys should be protected in a separate key layer. 8. Keys should be changed periodically (key rotation). 9. Rekey the data at least every one to three years, to protect it from undetected. 10. Access to perform the strong key management must be restricted to small amount of users for the encryption and decryption of data. They should be highly trusted and trained key custodian and they must have to sign a form to understand their responsibilities.

Figure 3. Version case and cache storage mechanism. 7.1.4 Cache Storage Mechanism It is a temporary storage area i.e. if user is not using the data in the cache storage then MN application will remove it after a specified period of time. The caching mechanism is important to hold the frequently used data so that it can not be lost due to disorganization of data or due to any malfunction. Also the queries and their responses can be cached on the mobile nodes, as shown in Figure 3. 7.2 Dual Encryption on Global Metadata To secure the sensitive data which is being sent over the air interface, present in the global metadata is very important. The only goal of eavesdropper is to process the queries on a subset of collection of data and not on the entire collection, in order to save the resources. So cryptography provides security for commerce, private



7.2.2 Layered Metadata Application Structure This layered structure of MD application is present on every mobile node. The structure is shown in Figure 4. In this layered structure, normal data layer is placed at the bottom. It is the data that is not sensitive and if adversary has accessed it then there is no need to be bothered for it.

different public key (k') is used on the subset of that sensitive data. The approach is shown in Figure 5.

Figure 5. Dual encryption approach. Figure 4. Layered structure of MD application. Above normal data layer, encrypted data layer is present. It is the important and sensitive data that must be protected from unauthorized inferences and also to be protected from risk of loss of confidential information including transaction, commerce etc. Then access control (password) layer is specified, providing defense in depth. This is also another layer of protection. In order to have decrypted data user must pass through the authentication process. There is an additional layer of protection that will continue to protect the sensitive data, even if the attacker subverts the database access control layer. This is the key layer (at the top). It is mandate to store the key in a separate layer away from encrypted data. If the keys are stored with the sensitive data then any compromise of the data will easily compromise the keys as well. So keys should never reside with the sensitive data. These keys are for decryption. 7.2.3 Dual Encryption Approach As there are three types of cryptographic algorithms: Public key, Secret key and Hash functions. Public key is used for dual encryption, as these schemes are used for user authentication and non-repudiation. Dual encryption approach makes use of encryption twice. Thus for the first primary appliance of encryption, a different public key (k) is used on sensitive data. Then for the second appliance of encryption, a new and Then these both data are grouped together. As these both are two different encrypted texts of same data i.e. after decryption, both will provide the same results, but if eavesdropper does not know this, then deleting or modifying any one of the text will detect the disclosure of the sensitive data, as the other text will remain the same. In order to more secure this encryption approach, secret key(s) is used along with hash functions. Secret key is used to provide privacy and confidentiality. So for any data d, its dual information is generated as: ddual = { H (s, d) H (s, d) +1 H (s, d) +2 Where, H (s, d): represents the original sensitive data, H (s, d) +1: represents sensitive data with primary encryption, H (s, d) +2: represents subset of sensitive data with secondary encryption. As the hash functions are well-suited for assuring the data integrity, so for accessing the data integrity, the text after decryption should be among the results of above dual information, But if not, then data have been accessed by any unauthorized inference. The longer the key, the more it is difficult to break the key. So its not so easy to access the sensitive data. Also the keys for decryption should be resided away from the encrypted data. So that if encrypted data is accessed by adversary then keys will remain protected. So thats why all the keys for decryption, that is either the decryption key for public key system or for secret key system or a



fixed length value for computing the hash function, are stored in a separate layer at the top. For more securing the sensitive data transfer, digital data signature is also used. It is formed in two steps. First the hash function is computed for the sensitive data to be sent; next this hash value is encrypted with the private key. These steps are shown in Figure 6. The key requires recovering the hash value for decrypting the digital signature, is also stored in the key layer, at the top.

Figure 6. Digital signature. 7.2.4 Enforcement of Policies for Remote Queries The query response for a sensitive data should be confidential and accessed only by the authorized receivers. So for this, there are integrity and confidential policies provided by the sender along with query for sensitive data. These policies provide a list of authorized entities who are allowed to view the response. So for this, remote query responses are encrypted by enforcing these policies using the secret key shared by only authorized receivers. 7.3 Working Mechanism of DEGM Model The overall working mechanism of DEGM model is shown in Figure 7. Figure 7. Process diagram for DEGM model. But for the ease of description; there are two cases for the function of this model. First, query for the normal data. Second, query for the encrypted data. These both cases are described in the following sections: 7.3.1 Normal Data Case When user can not find the required data object, which is not present locally on that mobile phone in the LD application. Then MD application will provide the information, that which mobile phones LD application is responsible for the required data object. Then the user sends a query through the query application to that device. Receiver mobile will receive the query. Then this mobile will send the required data object, using the Bluetooth technology, as shown in Figure 8. Also the responses of query should be minimal and strictly according to the requirement of the user due to the limited storage space of the mobile phone.



through the authentication process to have the decrypted data, as shown in Figure 10.

Figure 8. Query for normal data. 7.3.2 Encrypted Data Case In the case if we query for any encrypted data. Then this query is accomplished by a list of authorized entities who are allowed to receive the response of query by satisfying the confidentiality policies. So when receiver mobile receives the query, it then sends the already encrypted data that is required for query. So in this way the policy of encrypted response of query is also fulfilled. When the authorized entity receives the response, then in order to view the decrypted data, entity must pass through the authentication process by giving the valid password. Then the keys for decryption are applied on the encrypted data, as shown in Figure 9. Figure 10. Steps performed to view the encrypted local data on a user mobile phone. All this authorization and policies are necessary to prevent eavesdropper from accessing the sensitive data.

Along with the internet, mobile phones are also becoming insecure by the adversaries. Lack of authentication allows the eavesdropper to access the sensitive information. So, in this research paper we have proposed, Dual Encrypted Global Metadata model. This model provides dual encryption to the sensitive data that is present in a unified, single, identified and coherent collection of dispersed data which is being sent over the air interface. Dispersed in a sense that this collection of data is present on multiple mobile phones, and so Bluetooth technology is used to achieve connectivity between them, providing the illusion of device transparency. Dual Encryption scheme provides two different encryptions on the sensitive data. This scheme is used to achieve the data and query integrity. It also maintains the privacy for the sensitive data. To more secure the encryption, one way hash function and secret key are also included. The query responses are encrypted with the confidentiality policies, so that only authorized entities can view the response and so prevents the disclosure of sensitive data to unauthorized inference. We will implement and evaluate this model in the near future to examine these ideas in more detail.

Figure 9. Sequential steps for query on encrypted data. But, if the required encrypted data is present locally on that mobile phone, also then the users have to pass



9. REFERENCES [1] Juan Piernas, Toni Cortes, Jos M. Garca. DualFS: a new journaling file system without meta-data duplication. In ICS '02 Proceedings of the 16th international conference on Supercomputing, Pages 137 - 146, 2002, ACM.
[2] John

[9] Public Key vs. Secret Key Encryption. [Online].

Available at: blic-Key-vs-Secret-Key- Encryption.html

[10] Michael J. Fischer. Evolution of distributed

R Friedrich. Meta-data version and configuration management in multi-vendor environments. In SIGMOD '05 Proceedings of the 2005 ACM SIGMOD international conference on Management of data, Pages 799-804, 2005, ACM. Trajcevski, Alok Choudhary, Peter Scheuermann. Sensing, Triggers and Mobile (Meta) Data. In Proceeding MDM '10 Proceedings of the 2010 Eleventh International Conference on Mobile Data Management, Pages 331-335, 2010, IEEE Computer Society. Database. [Online]. Available at:

computing theory: from concurrency to networks and beyond. In Proceeding, PODC '08 Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing, Pages 460-460, 2008, ACM.
[11] An Overview of Cryptography. [Online]. Available

[12] Haixun Wang, Jian Yin, Chang-Shing Perng, and

[3] Goce

Philip S. Yu. Dual Encryption for Query Integrity Assurance. In Proceedings of the ACM CIKM, 863-872, 2008, ACM.
[13] Adam J. Lee, Kazuhiro Minami and Marianne

[4] Mobile [5] Jacob

Strauss, Chris Lesniewski-Laas, Justin Mazzola Paluska, Bryan Ford, Robert Morris, Frans Kaashoek. Device Transparency: a New Model for Mobile Storage. In Proceedings of the ACM SIGOPS, 5- 9, 2010, ACM. Artail, Haidar Safa, Manal Shihab. Implementation of a Federated Database on Bluetooth-Enabled Mobile Devices. In Proceedings of the ACM ICPS, 202-211, 2008, ACM. DDB-notes.pdf

Winslett. Lightweight Consistency Enforcement Schemes for Distributed Proofs with Hidden Subtrees. In Proceedings of the ACM SACMAT, 101- 110, 2007, ACM.
[14] Cryptographic Storage Cheat Sheet - OWASP.

[Online]. Available at: orage_Cheat_Sheet

S. M. Khalid Jamal is an Academic Scholar, Researcher and Faculty Member and is associated as Assistant Professor with Department of Computer Science, Karachi University (the largest and primeval Higher Education institution of Pakistan) since 2001. He is currently author of various research publications at National & international level. Naz. A. is associated with NIC Institute of Engineering & Technological Training, Pakistan, since for the last several years, and has contributed with several research papers.

[6] Hassan

[7] Distributed Databases. [Online]. Available at:

[8] Engin Kirda, Pascal Fenkam, Gerald Reif, Harald

Gall. A service architecture for mobile teamwork. In Proceeding SEKE '02 Proceedings of the 14th international conference on Software engineering and knowledge engineering, Pages 513-518, 2002, ACM.