Your SlideShare is downloading. ×
  • Like
  • Save
Abstract Access Control Model for Dynamic RDF Datasets
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Abstract Access Control Model for Dynamic RDF Datasets

  • 444 views
Published

This talk was given by FORTH, Greece, at the European Data Forum (EDF) 2012 took place on June 6-7, 2012 in Copenhagen (Denmark) at the Copenhagen Business School (CBS). …

This talk was given by FORTH, Greece, at the European Data Forum (EDF) 2012 took place on June 6-7, 2012 in Copenhagen (Denmark) at the Copenhagen Business School (CBS).

Abstract:
Given the increasing amount of sensitive RDF data available on the Web, it becomes increasingly critical to guarantee secure access to this content. Access control is complicated when RDFS inference rules and other dependencies between access permissions of triples need to be considered; this is necessary, e.g., when we want to associate the access permissions of inferred triples with the ones that implied it. In this paper we advocate the use of abstract provenance models that are de fined by means of abstract tokens operators to support fine grained access control for RDF graphs. The access label of a triple is a complex expression that encodes how said label was produced (i.e., the triples that contributed to its computation). This feature allows us to know exactly the e ffects of any possible change, thereby avoiding a complete recomputation of the labels when a change occurs. In addition, the same application can choose to enforce diff erent access control policies or, diff erent applications can enforce di fferent policies on the same data, avoiding the recomputation of the label of a triple. Preliminary experiments have shown the applicability and benefi ts of our approach.

Published in Technology , Education , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
444
On SlideShare
0
From Embeds
0
Number of Embeds
4

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • In the last years we have seen an explosion of massive amounts of graph shaped data coming from a variery of applications that are related to social networks like facebook, twitter, blogs and other on-line media and telecommunication networks. Furthermore, the W3C linking open data initiative has boosted the publication and interlinkage of a large number of datasets on the semantic web resulting to the Linked Data Cloud. These datasets with billions of RDF triples such as Wikipedia, U.S. Census bureau, CIA World Factbook, DBPedia, and government sites have been created and published online. Moreover, numerous datasets and vocabularies from e-science are published nowadays as RDF graphs most notably in life and earth sciences, astronomy in order to facilitate community annotation and interlinkage of both scientific and scholarly data of interest.

Transcript

  • 1. Abstract Access ControlModels for Dynamic RDF Datasets Irini Fundulaki CWI & FORTH-ICS Giorgos Flouris FORTH-ICS Vassilis Papakonstantinou FORTH-ICS & University of Crete European Data Forum 2012
  • 2. Controlling Access to RDF Data• Why RDF Data? • RDF is the de-facto standard for publishing data in the Linked Open Data Cloud • Public Government Data (US, UK, France, Austria, The Netherlands, … ) • E-Science (astronomy, life sciences, earth sciences) • Social Networks • DBPedia, Wikipedia, CIA World FactBook, …• Why Access Control? • Crucial for sensitive content since it ensures the selective exposure of information to different classes of users European Data Forum 2012
  • 3. Controlling Access to RDF Data• Fine-grained Access Control Model for RDF • focus at the RDF triple level • focus on read-only permissions • with support for RDFS inference to infer new knowledge • encodes how an access label has been computed • contributing triples• Implementation of a fine-grained, repository independent, portable across platforms access control framework on top of the MonetDB column store engine European Data Forum 2012
  • 4. Access Control Annotations• Standard access control models associate a concrete access label to a triple s p o permission &a type Student allowed Student sc Person denied• An implied RDF triple can be accessed if and only if all its implying triples can be accessed s p o permission &a type Person denied European Data Forum 2012
  • 5. Access Control Annotations• In the case of any kind of update, the implied triples & their labels must be re-computed s p o permission &a type Student allowed Student sc Person denied allowed ⇐• An implied RDF triple can be accessed if and only if all its implying triples can be accessed s p o permission &a type Person allowed denied the overhead can be substantial when updates occur frequently European Data Forum 2012
  • 6. Access Control Annotations• Annotation models are easy to handle but are not amenable to changes since there is no knowledge of the affected triples• Any change leads to the re-computation of inferred triples and their labels • if the access label of one triple changes • if a triple is deleted, modified or added • if the semantics according to which the labels of inferred triples are computed change • if the policy changes (a liberal policy becomes conservative) European Data Forum 2012
  • 7. Abstract Access Control Models for RDF• Encode how the label of an implied triple was computed• Triples are assigned abstract tokens and not concrete values s p o permission &a type Student l1 Student sc Person l2 s p o permission &a type Person l1 ⊙ l2• l 1 l 2 : abstract tokens• ⊙ : operator that encodes that inference was used to produce the inferred triple European Data Forum 2012
  • 8. Annotation: Computing the Access Labels• Triples are assigned labels through authorization queries• RDFS inference rules are applied to infer new knowledge A1 : (construct {?x firstName ?y} where {?x type Student }, l1) s p o l A2 : (construct {?x sc ?y}, l2) q1: Student sc Person l2A3 : (construct {?x type Student }, l3) q2: Person sc Agent l2 Authorizations q3: &a type Student l3 (Query, abstract token) q4: &a firstName Alice l1 q5: Agent type class l4 q6: Student sc Person l5 RDF quadruples European Data Forum 2012
  • 9. Annotation: Applying RDFS Inference Rules RDFS Inference: quadruple generating rules (A1, sc, A2, l1) (A2, sc, A3, l2) (A1, sc, A3, l1 ⊙ l2) (&r1, type, A1, l1) (A1, sc, A2, l2) (&r1, type, A2, l1 ⊙ l2) s p o l s p o lq1: Student sc Person l2 q8 : Student sc Agent l2 ⊙ l2q2 : Person sc Agent l2 q9 : Student sc Agent l5 ⊙ l2q3 : &a type Student l3 q10: &a type Person l3 ⊙ l2q6 : Student sc Person l5 q11: &a type Agent (l3 ⊙ l2) ⊙ l2 RDF quadruples q12: &a type Agent (l5 ⊙ l2) ⊙ l2 Inferred RDF quadruples European Data Forum 2012
  • 10. Evaluation: Assign Concrete Values to Abstract Expressions• Set of Concrete Tokens and a Mapping from abstract to concrete tokens• Set of Concrete operators that implement the abstract ones• Conflict resolution operator to resolve ambiguous labels• Access Function to decide when a triple is accessible European Data Forum 2012
  • 11. Abstract Access Control Models for RDF• Use of concrete policies to assign concrete values to the abstract tokens and operators s p o permision q11: &a type Student l3 true q12: Student sc Person l2 false• l3 maps to true and l2 maps to false• ⊙ maps to logical conjunction s p o permission &a type Person l3 ⊙ l2 false true and false European Data Forum 2012
  • 12. Abstract Access Control Models for RDF: Updates• If a concrete policy changes, we need to re-compute the expressions s p o permision q11: &a type Student l3 false q12: Student sc Person l2 true• l3 maps to false and l2 maps to true• ⊙ maps to logical disjunction s p o permission &a type Person l3 ⊙ l2 true false or true European Data Forum 2012
  • 13. Pros & Cons of Abstract Access Control Models• Pros: • The same application can experiment with different concrete policies over the same dataset • liberal vs conservative policies for different classes of users • Different applications can experiment with different concrete policies for the same data • In the case of updates there is no need re-compute the inferred triples• Cons: • overhead in the required storage space • algebraic expressions can become complex depending on the structure of the dataset European Data Forum 2012
  • 14. Conclusions & Future Work• Abstract Models to record how the access label of a triple has been computed: beneficial in the case of updates• Currently working towards a robust implementation of the proposed approach using the MonetDB column store engine European Data Forum 2012