Nicoletta Fornara and Fabio Marfia | Modeling and Enforcing Access Control Obligations for SPARQL-DL...
Nicoletta Fornara, Fabio Marfia
Università della Svizzera italiana (USI) – http://www.usi.ch
13th September 2016
Modeling and Enforcing Access Control Obligations for SPARQL-DL queries
SPARQL-DL… hey, what?
SPARQL-DL is a SPARQL-like query language for conjunctive ABox-RBox-TBox queries for OWL 2 DL ontologies
It is designed to be as similar as possible to SPARQL, while allowing complex queries on the knowledge that can be inferred from an OWL 2 ontology using standard DL reasoning algorithms
A formal description can be found in E. Sirin and B. Parsia. SPARQL-DL: SPARQL Query for OWL-DL. Proceedings of the Third International Workshop on OWL: Experiences and Directions (OWLED '07).
A Java prototype of a SPARQL-DL query interface for OWL 2 has been developed by the DERIVO company (2009)
Examples of SPARQL-DL queries
Get all Classes:
SELECT ?c WHERE { Class(?c) }
Ask whether class A is a subclass of B:
ASK { SubClassOf(ex:A, ex:B) }
Get all transitive properties that have John as subject:
SELECT ?p WHERE {PropertyValue(ex:john, ?p, ?o), Transitive(?p)}
AND, OR operands
Conjunctive conditions are expressed with the use of a comma separator, as in the last example
Disjunctive conditions can be expressed with the OR WHERE clause
Get all transitive or symmetric properties that have John as subject:
SELECT ?p
WHERE {PropertyValue(ex:john, ?p, ?o), Transitive(?p)}
OR WHERE {PropertyValue(ex:john, ?p, ?o), Symmetric(?p)}
SPARQL-DL syntax
The SPARQL-DL query language allows the expression of composite conjunctions and disjunctions between 18 different atoms:
Type(a,C), PropertyValue(a,p,v), SameAs(a,b), DifferentFrom(a,b), EquivalentClass(C1,C2), SubClassOf(C1,C2), DisjointWith(C1,C2), ComplementOf(C1,C2), EquivalentProperty(p1,p2),
SubPropertyOf(p1,p2), InverseOf(p1,p2), ObjectProperty(p), DatatypeProperty(p), Functional(p), InverseFunctional(p), Transitive(p), Symmetric(p), Annotation(s,p,o)
Managing Access Control for DL Inferred Knowledge
Different works specify techniques for managing high level and fine-grained access control for RDF graphs
Such works do not rely on reasoning algorithms for protecting data. However, using complex DL expressions to identify the different pieces of data to be protected appears to be an interesting approach, as already shown by Sacco et al. (2011) and Masoumzadeh et al. (2011)
This is the first time that such an approach is applied to a SPARQL-DL query interface
Why apply Access Control paradigms to a SPARQL-DL query interface?
1. It allows mixed ABox-RBox-TBox queries that cannot be handled by other query languages
2. It has a clear syntax and semantics
3. The SPARQL-DL Java API released by the DERIVO company is available under LGPL license
4. The same reasoner instance that is used to obtain the results of a SPARQL-DL query can be used for inferring fine-grained access permissions
Our chosen Access Control approach: Formal Specification of Obligations
We define the general form of an obligation O as a triple
O = <D, A, C>
Where D is a description of the requesting user, A is the activation condition of the obligation and C the content of the obligation
The activation condition of the obligation is the formal specification of a set of conditions according to which the obligation activates, in the form of a set of logical axioms
The content of the policy is the set of actions that have to be performed as a consequence of the activation of the obligation
Obligation Definition Example (Hospital Use Case)
When a user submits a query for statistical purposes, the IDs of patients with a diabetic disease have to be anonymized
In our O = <D, A, C> paradigm, D is a description of the requesting user, e.g. a statisticalPurposes attribute (we did not focus on this part)
A can be a DL Class axiom identifying each patient with a diabetic disease:
Class: AC01
SubClassOf: AC
EquivalentTo: Patient and hasRecord some (hasInfoAbout value diabetes)
Obligation Definition Example (Hospital Use Case)
C is a pre-defined function to be called passing as an argument p each piece of data identified by the class AC01:
C = anonymize(p, someAnonimizationAlgorithm)
We identified three main types of content functions in our experiments. This list can be extended:
Remove(p)
Anonymize(p, someAnonimizationAlgorithm)
WriteLogEvent(requestingUser, p, timestamp)
Obligation Enforcement Module: An Access Control Middle-Layer
Obligation Enforcement in 4 steps
1. When the Access Control Layer receives a SPARQL-DL query, it is rewritten before submitting it to the final endpoint, in order to retrieve the access control conditions also for each piece of returned data
2. The modified query is submitted to the SPARQL-DL endpoint and executed on both collections of original data and activation conditions
3. The result is returned to the Access Control Layer. Each piece of data on which an obligation is active is changed according to each obligation content function.
4. The final result is returned to the Data Consumer
1. SPARQL-DL Query Rewriting
For each variable and individual in the query, information must be added in order to retrieve the conditions that are active for each piece of data
Example query: identifying all people living in Oxford or Birmingham
SELECT ?x
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
1. SPARQL-DL Query Rewriting
For each variable in each WHERE clause, another WHERE clause is added for identifying its activated conditions. Example:
SELECT ?x
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
1. SPARQL-DL Query Rewriting
For each variable in each WHERE clause, another WHERE clause is added for identifying its activated conditions. Example:
SELECT ?x, ?xAC
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person), SubClassOf(?xAC, AC), Type(?x, ?xAC)}
1. SPARQL-DL Query Rewriting
For each variable in each WHERE clause, another WHERE clause is added for identifying its activated conditions. Example:
SELECT ?x, ?xAC
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
[…]
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person), SubClassOf(?xAC, AC), Type(?x, ?xAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?oxfAC, AC), Type(oxford, ?oxfAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC, ?birAC
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?birAC, AC), Type(birmingham, ?birAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC, ?birAC, ?perAC
WHERE {PropertyValue(?x, livesIn, oxford), Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham), Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?perAC, AC), SubClassOf(Person, ?perAC)}
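The rewriting rules shown on the slides above, as an added Python sketch (not the authors' code and not the DERIVO API). It assumes a query is held as a list of WHERE clauses of atom tuples, covers only the three atoms used in the example, and follows the slides' three-letter naming for access-control variables without handling name collisions.

```python
# Argument roles for the atoms used below (a subset of the 18 SPARQL-DL atoms).
ROLES = {"PropertyValue": ("ind", "prop", "ind"),
         "Type": ("ind", "cls"),
         "SubClassOf": ("cls", "cls")}

def ac_var(term):
    """Name the access-control variable as the slides do: ?x -> ?xAC, oxford -> ?oxfAC."""
    stem = term[1:] if term.startswith("?") else term.split(":")[-1][:3].lower()
    return f"?{stem}AC"

def guard(term, role):
    """Atoms binding ac_var(term) to every subclass of AC that `term` falls under."""
    v = ac_var(term)
    return [("SubClassOf", v, "AC"),
            ("SubClassOf" if role == "cls" else "Type", term, v)]

def rewrite(select, clauses):
    """Return (select, clauses) extended with the access-control clauses."""
    added = {"var": [], "ind": [], "cls": []}      # new clauses, in slide order
    new_vars = {"var": [], "ind": [], "cls": []}
    seen = set()
    for i, clause in enumerate(clauses):
        for name, *args in clause:
            for term, role in zip(args, ROLES[name]):
                is_var = term.startswith("?")
                key = (i, term) if is_var else term   # variables: once per clause
                if role == "prop" or key in seen:     # slides add nothing for properties
                    continue
                seen.add(key)
                kind = "var" if is_var else role
                # A variable keeps its original clause so that it stays constrained.
                added[kind].append((list(clause) if is_var else []) + guard(term, role))
                if ac_var(term) not in new_vars[kind]:
                    new_vars[kind].append(ac_var(term))
    order = ("var", "ind", "cls")
    return (list(select) + [v for k in order for v in new_vars[k]],
            list(clauses) + [c for k in order for c in added[k]])

def render(select, clauses):
    body = lambda c: "{" + ", ".join(f"{n}({', '.join(a)})" for n, *a in c) + "}"
    return f"SELECT {', '.join(select)}\nWHERE " + "\nOR WHERE ".join(map(body, clauses))

# The example query from the slides: people living in Oxford or Birmingham.
QUERY = (["?x"], [
    [("PropertyValue", "?x", "livesIn", "oxford"), ("Type", "?x", "Person")],
    [("PropertyValue", "?x", "livesIn", "birmingham"), ("Type", "?x", "Person")]])

if __name__ == "__main__":
    print(render(*rewrite(*QUERY)))
```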
2. Enhanced response
The query rewriting process obtains a query having as results all the results of the original query, plus the information about the activated conditions on each piece of data
Sample response for the presented original query
?x
bob
carl
alice
eleanor
donald
2. Enhanced response
Sample enhanced response
?x ?xAC ?oxfAC ?birAC ?perAC
bob
carl
alice
eleanor
donald
bob AC01
bob AC02
carl AC02
eleanor AC01
AC03
3. Obligation Enforcement
The table is split into two sets
?x ?xAC ?oxfAC ?birAC ?perAC
Standard Response:
bob
carl
alice
eleanor
donald
Enforcement directives:
bob AC01
bob AC02
carl AC02
eleanor AC01
AC03
3. Obligation Enforcement
Data is changed in the standard response according to the obligation functions (e.g. bob is removed…)
?x ?xAC ?oxfAC ?birAC ?perAC
Standard Response:
bob
carl
alice
anonym01
donald
Enforcement directives:
bob AC01
bob AC02
carl AC02
eleanor AC01
AC03
Obligation functions: WriteLog, Anonymize, Remove
3. Obligation Enforcement
Data is changed in the standard response according to the obligation functions (e.g. bob is removed…)
?x ?xAC ?oxfAC ?birAC ?perAC
Standard Response:
alice
anonym01
donald
Enforcement directives:
bob AC01
bob AC02
carl AC02
eleanor AC01
AC03
4. Final Response
Enforcement directives are removed
?x ?xAC ?oxfAC ?birAC ?perAC
(Original variables: ?x; Access Control variables: ?xAC, ?oxfAC, ?birAC, ?perAC)
alice
anonym01
donald
4. Final Response
Access Control variables are removed
?x
alice
anonym01
donald
That is our final response
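Steps 3 and 4 on the slides' sample response, as an added Python sketch (not the authors' implementation). The mapping of AC01, AC02 and AC03 to content functions and the column holding AC03 are assumptions chosen to reproduce the slides' final response; only returned values are transformed, and an unknown activation class is treated as Remove by choice of this example.

```python
def enforce(rows, targets, obligations, user, timestamp):
    """Split the enhanced response, apply content functions, return (rows, log).

    targets:     access-control variable -> the variable or query term it guards
    obligations: activation class -> "Remove" | "Anonymize" | "WriteLogEvent"
    """
    ac_cols = set(targets)
    standard = [r for r in rows if not r.keys() & ac_cols]
    directives = [r for r in rows if r.keys() & ac_cols]

    todo, log = {}, []                      # piece of data -> content functions
    for d in directives:
        for col in sorted(d.keys() & ac_cols):
            guarded = targets[col]
            piece = d[guarded] if guarded.startswith("?") else guarded
            # Unknown activation class: fail closed (a choice made for this example).
            action = obligations.get(d[col], "Remove")
            if action == "WriteLogEvent":
                log.append((user, piece, timestamp))
            else:
                todo.setdefault(piece, set()).add(action)

    pseudonyms, final = {}, []
    for row in standard:
        acts = set().union(*(todo.get(v, set()) for v in row.values()))
        if "Remove" in acts:                # Remove wins over Anonymize (bob)
            continue
        final.append({var: pseudonyms.setdefault(v, f"anonym{len(pseudonyms) + 1:02d}")
                      if "Anonymize" in todo.get(v, ()) else v
                      for var, v in row.items()})
    # Directives and access-control variables never reach the caller.
    return final, log

# Constructed from the slides' sample response. The page does not show which
# column holds AC03; placing it under ?perAC is an assumption, as is OBLIGATIONS.
ROWS = [{"?x": n} for n in ("bob", "carl", "alice", "eleanor", "donald")] + [
    {"?x": "bob", "?xAC": "AC01"}, {"?x": "bob", "?xAC": "AC02"},
    {"?x": "carl", "?xAC": "AC02"}, {"?x": "eleanor", "?xAC": "AC01"},
    {"?perAC": "AC03"}]
TARGETS = {"?xAC": "?x", "?oxfAC": "oxford", "?birAC": "birmingham", "?perAC": "Person"}
OBLIGATIONS = {"AC01": "Anonymize", "AC02": "Remove", "AC03": "WriteLogEvent"}

if __name__ == "__main__":
    print(enforce(ROWS, TARGETS, OBLIGATIONS, "analyst", "2016-09-13T10:00:00Z"))
```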
Performances
Conclusion and Future Work
We presented an approach for defining and enforcing expressive data provider obligations for performing fine-grained protection on OWL 2 DL data
A private-by-default environment can be chosen: permissions can be expressed in the same manner as the proposed obligations, by introducing a small change in the enforcement algorithm
The concept of Institutional power for generating policies can be added, by studying its relationship with the proposed model
DL policies can be transmitted as Sticky Policies
Citations
E. Sirin and B. Parsia. SPARQL-DL: SPARQL Query for OWL-DL. Proceedings of the Third International Workshop on OWL: Experiences and Directions (OWLED '07).
O. Sacco, A. Passant, and S. Decker. An access control framework for the web of data. In 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (2011).
A. Masoumzadeh and J. Joshi. Ontology-based access control for social network systems. IJIPSI (2015).
T. T. Nguyen, N. Fornara, and F. Marfia. Automatic policy enforcement on semantic social data. Multiagent and Grid Systems Journal (2015).