swrl-based access policies for linked data
DESCRIPTION
Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.
TRANSCRIPT
SWRL-Based Access Policies for Linked Data
Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag
Databases and Information Systems, Department of Computer Science
Humboldt-Universität zu Berlin
“Social Web”
What about the system operator?
2
Overview
1. Linked Data principles (short)
2. Access policies / data classification
3. “Policy enabled Linked Data Server” concept
4. PeLDS implementation and evaluation
3
Linked Data: URLs as identifiers / dereferencing
[Figure: RDF graph of the running example. The resource http://example.com/bob has ex:name "Bob Ross", ex:phone "+4930123456" and ex:spouse http://example.com/alice; the resource http://example.com/alice has ex:name "Alice Ross" and ex:pos "42° 21′ 32″ N 71° 5′ 34″ W". Legend: literal, resource, property, graph. An HTTP request to http://example.com/alice dereferences that resource.]
4
Access Policies
• Set of rules, its evaluation determines whether a user can access certain information
• Different types: DAC, MAC, RbAC
• Generic system should support many types
• Data classification required
• Linked Data: classify protected parts of a graph
• Different levels of classification conceivable: syntax, model, concepts
5
Model-based Classification
• Data classification on a structure-preserving decomposition of the graph (set of triples)
• Resource, property and value of triples can be specified; wildcards select unknown entries.
• Example: the triple http://example.com/bob ex:name "Bob Ross" is classified by
  Resource == http://example.com/bob, Property == ex:name, Value == *
6
Concept-based Classification
• Data classification on a structure of concepts and properties
• Resources and their properties can be classified using their affiliation with a concept
• Example: http://example.com/bob ex:name "Bob Ross", with rdf:type http://example.com/per#Person, is classified by
  Concept == http://example.com/per#Person
7
Concept: Policy enabled Linked Data Server
• Policy language PsSF
• Policy evaluation algorithms
• Data and policy management operations
• Secure authentication
8
Policy Language PsSF
• Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL)
• Prolog-style syntax for concise notation
• Additional predicates for model- and concept-based data classification:
  • permit_triple(...), permit_instance(...)
9
PsSF Policy Language: Example
BobPosRule: QueryAction(?action) && actor(?action, http://example.com/bob)
  => permit_triple(http://example.com/alice, ex:pos, *);
[Figure: the resource http://example.com/alice with ex:name "Alice Ross" and ex:pos "42° 21′ 32″ N 71° 5′ 34″ W"; the rule permits Bob's queries to read the ex:pos triple.]
10
Policy evaluation - Query
• For each rule contained in the policy, check whether its preconditions are met
• Approve graph elements classified by matching rules by adding them to a temporary RDF graph for the current user only containing authorized graph elements
• Evaluate queries or dereferencing requests exclusively on those temporary graphs
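The two evaluation steps above, together with the compact PsSF rule notation from the previous slide, as an added Python sketch (not PeLDS code). It assumes a simplified rule grammar: unary atoms name the action class, binary atoms constrain a property of the action, and permit_triple patterns use * as a wildcard; the graph and the second rule are constructed for the example.

```python
import re

# Constructed secured graph, modelled on the deck's Alice/Bob example (not PeLDS data)
SECURED_GRAPH = [
    ("http://example.com/alice", "ex:name", "Alice Ross"),
    ("http://example.com/alice", "ex:pos", "42° 21′ 32″ N 71° 5′ 34″ W"),
    ("http://example.com/bob", "ex:name", "Bob Ross"),
    ("http://example.com/bob", "ex:phone", "+4930123456"),
]

# Constructed policy: the deck's BobPosRule plus one rule opening ex:name to every query
POLICY_TEXT = [
    "BobPosRule:QueryAction(?action) && actor(?action, http://example.com/bob)"
    "=>permit_triple(http://example.com/alice,ex:pos,*);",
    "NameRule:QueryAction(?action)=>permit_triple(*,ex:name,*);",
]

RULE_RE = re.compile(r"(\w+):\s*(.+?)\s*=>\s*permit_triple\((.+?)\);")

def parse_rule(text):
    """Split 'Name: atom && atom => permit_triple(s,p,o);' into its parts (assumed grammar)."""
    name, body, head = RULE_RE.match(text.strip()).groups()
    conds = []
    for atom in body.split("&&"):
        pred, args = re.match(r"(\w+)\((.*)\)", atom.strip()).groups()
        conds.append((pred, [a.strip() for a in args.split(",")]))
    pattern = tuple(a.strip() for a in head.split(","))  # '*' acts as a wildcard
    return name, conds, pattern

def preconditions_hold(conds, action):
    """Unary atoms name the action class; binary atoms constrain a property of ?action."""
    for pred, args in conds:
        if len(args) == 1 and action["type"] != pred:
            return False
        if len(args) == 2 and action.get(pred) != args[1]:
            return False
    return True

def matches(pattern, triple):
    return all(p == "*" or p == t for p, t in zip(pattern, triple))

def temporary_graph(policy_text, action, graph):
    """Step 1: keep only triples classified by a rule whose preconditions hold for this user."""
    rules = map(parse_rule, policy_text)
    allowed = [pat for _, conds, pat in rules if preconditions_hold(conds, action)]
    return [t for t in graph if any(matches(p, t) for p in allowed)]

def query(policy_text, action, graph, q):
    """Step 2: evaluate the query pattern on the temporary graph only, never on the secured graph."""
    return [t for t in temporary_graph(policy_text, action, graph) if matches(q, t)]
```

A user without a matching rule sees nothing even with a wildcard query, because the query never touches the secured graph directly.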
11
[Figure: policy evaluation in two steps. Step 1: the access policy (Rule 1, permitting the triple patterns H *sp and * *nm) is checked against the secured graph, and the approved elements (H, A, "Bob" linked via sp and nm) are copied into a temporary graph for the current user. Step 2: the query H *nm is evaluated on the temporary graph only, yielding the result R1 nm "Bob".]
12
Required Operations
• Definition & modification of access policies
• Publication & modification of RDF graphs
• Querying RDF graphs
• URL dereferencing
13
Authentication
• Username/password combinations are impractical for Linked Data
• Central authority would violate the decentralization principle inherent in the WWW
• FOAF+SSL enables password-free authentication based on SSL certificates
14
PeLDS Implementation
• Linked-Data-Server with HTTP API
• Supports PsSF policy language
• FOAF+SSL for user authentication
• Demo: Distributed Address Book
15
16
Demo Application: Distributed Address Book
Alice’s View
Bob’s View
PeLDS prototype - Performance
[Figure: processing time (s) on the y axis (12.5 to 50) against triple count on the x axis (450 to 4500) for PeLDS, Joseki / TDB and Joseki / TDB / Pellet; trend-line fits R² = 0.9959 and R² = 0.9943.]
17
Conclusion
• Access policies and comprehensive data classifications are possible for Linked Data
• PeLDS enables distributed applications with support for access policies
• The PeLDS implementation is available as open source software from www.pelds.org
18