SWRL-based Access Policies for Linked Data

Social applications are one of the fastest growing areas of the Web. However, privacy issues arise if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, in which users retain fine-grained control over their data and are still able to combine their data with that of users on other systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) that obeys user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.

SWRL-based Access Policies for Linked Data

Slide 1. SWRL-Based Access Policies for Linked Data. Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag, Databases and Information Systems, Department of Computer Science, Humboldt-Universität zu Berlin.

Slide 2. "Social Web": what about the system operator?

Slide 3. Overview
  • Linked Data principles (short)
  • Access policies / data classification
  • "Policy enabled Linked Data Server" concept
  • PeLDS implementation and evaluation

Slide 4. Linked Data: URLs as identifiers / dereferencing
  (Figure: an HTTP request for http://example.com/bob dereferences the identifier to its description. The resource http://example.com/bob has ex:name "Bob Ross", ex:phone "+4930123456" and ex:spouse http://example.com/alice; the resource http://example.com/alice has ex:name "Alice Ross" and ex:pos "42° 21′ 32″ N 71° 5′ 34″ W" and belongs to the graph http://example.com/alice. Legend: resource (a URL), property, literal, graph.)

Slide 5. Access Policies
  • A set of rules whose evaluation determines whether a user may access certain information
  • Different types: DAC, MAC, RBAC; a generic system should support many types
  • Data classification is required: for Linked Data, classify the protected parts of a graph
  • Different levels of classification are conceivable: syntax, model, concepts

Slide 6. Model-based Classification
  • Data classification on a structure-preserving decomposition of the graph (a set of triples)
  • Resource, property and value of a triple can be specified; wildcards select unknown entries
  • Example: the triple http://example.com/bob ex:name "Bob Ross" is selected by Resource == http://example.com/bob, Property == ex:name, Value == *

Slide 7. Concept-based Classification
  • Data classification on a structure of concepts and properties
  • Resources and their properties can be classified through their affiliation with a concept
  • Example: http://example.com/bob rdf:type http://example.com/per#Person (together with its ex:name "Bob Ross") is selected by Concept == http://example.com/per#Person

Slide 8. Concept: Policy enabled Linked Data Server
  • Policy language PsSF
  • Policy evaluation algorithms
  • Data and policy management operations
  • Secure authentication

Slide 9. Policy Language PsSF
  • Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL)
  • Prolog-style syntax for concise notation
  • Additional predicates for model- and concept-based data classification: permit_triple(...), permit_instance(...)

Slide 10. PsSF Policy Language: Example
  BobPosRule: QueryAction(?action) && actor(?action, http://example.com/bob) => permit_triple(http://example.com/alice, ex:pos, *);
  The rule permits the actor http://example.com/bob, when issuing a query, to read every triple with resource http://example.com/alice and property ex:pos, i.e. the position literal "42° 21′ 32″ N 71° 5′ 34″ W"; the triple http://example.com/alice ex:name "Alice Ross" is not covered by this rule.

Slide 11. Policy Evaluation: Query
  • For each rule contained in the policy, check whether its preconditions are met
  • Approve the graph elements classified by the matching rules by adding them to a temporary RDF graph for the current user, which contains only the authorized graph elements
  • Evaluate queries or dereferencing requests exclusively on those temporary graphs

Slide 12. (Figure: Step 1 applies the access policy, here Rule 1, to the secured graph and copies the permitted triples, such as the ex:name "Bob" triple matched by R1, into the temporary graph; Step 2 evaluates the query, a triple pattern with a wildcard, against the temporary graph only and returns the query result.)
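
The two-step evaluation of slides 11 and 12, combined with the model-based (permit_triple) and concept-based (permit_instance) classifications of slides 6 and 7, as an added example in Python. This is not PeLDS code and not PsSF syntax: rule preconditions are Python callables standing in for the SWRL antecedents, and consequences are a function of the action so that a rule can refer to the actor, as a SWRL variable would. The secured graph, the policy (BobPosRule from slide 10 plus three assumed rules) and the actor http://example.com/carol are constructed for the example.

```python
"""Toy PeLDS-style policy evaluation: build a per-user temporary graph, then query it.

Added example, not PeLDS code. Graph data, the rules other than BobPosRule and
the actor "carol" are constructed for illustration.
"""
from typing import Callable, List, Set, Tuple

Triple = Tuple[str, str, str]
RDF_TYPE = "rdf:type"
WILDCARD = "*"
PERSON = "http://example.com/per#Person"
BOB = "http://example.com/bob"
ALICE = "http://example.com/alice"

# Constructed secured graph (sample data, not from the paper).
SECURED_GRAPH: Set[Triple] = {
    (BOB, RDF_TYPE, PERSON),
    (BOB, "ex:name", "Bob Ross"),
    (BOB, "ex:phone", "+4930123456"),
    (BOB, "ex:spouse", ALICE),
    (ALICE, RDF_TYPE, PERSON),
    (ALICE, "ex:name", "Alice Ross"),
    (ALICE, "ex:pos", "42° 21′ 32″ N 71° 5′ 34″ W"),
    (ALICE, "ex:phone", "+4930654321"),
}


class Action:
    """The request under evaluation: its kind (QueryAction, DereferenceAction) and actor."""

    def __init__(self, kind: str, actor: str) -> None:
        self.kind = kind
        self.actor = actor


def permit_triple(s: str, p: str, o: str) -> Tuple[str, Triple]:
    """Model-based classification: a triple pattern, '*' matching anything."""
    return ("triple", (s, p, o))


def permit_instance(concept: str) -> Tuple[str, str]:
    """Concept-based classification: every triple whose resource is an rdf:type of concept."""
    return ("instance", concept)


# A rule is (name, precondition over the action, consequences as a function of the action).
Rule = Tuple[str, Callable[[Action], bool], Callable[[Action], list]]

POLICY: List[Rule] = [
    ("BobPosRule",                      # from slide 10
     lambda a: a.kind == "QueryAction" and a.actor == BOB,
     lambda a: [permit_triple(ALICE, "ex:pos", WILDCARD)]),
    ("PublicNamesRule",                 # assumed: names are readable by everyone
     lambda a: a.kind in ("QueryAction", "DereferenceAction"),
     lambda a: [permit_triple(WILDCARD, "ex:name", WILDCARD)]),
    ("OwnDataRule",                     # assumed: the actor may read its own resource
     lambda a: True,
     lambda a: [permit_triple(a.actor, WILDCARD, WILDCARD)]),
    ("AlicePersonRule",                 # assumed: Alice may dereference every Person
     lambda a: a.kind == "DereferenceAction" and a.actor == ALICE,
     lambda a: [permit_instance(PERSON)]),
]


def matches(pattern: Triple, triple: Triple) -> bool:
    return all(p == WILDCARD or p == v for p, v in zip(pattern, triple))


def classified_triples(graph: Set[Triple], consequence) -> Set[Triple]:
    """Resolve one permit_* consequence to the triples of the secured graph it classifies."""
    kind, arg = consequence
    if kind == "triple":
        return {t for t in graph if matches(arg, t)}
    instances = {s for s, p, o in graph if p == RDF_TYPE and o == arg}
    return {t for t in graph if t[0] in instances}


def temporary_graph(graph: Set[Triple], policy: List[Rule], action: Action) -> Set[Triple]:
    """Step 1: union of the triples classified by every rule whose precondition holds."""
    temp: Set[Triple] = set()
    for _name, precondition, consequences in policy:
        if precondition(action):
            for consequence in consequences(action):
                temp |= classified_triples(graph, consequence)
    return temp


def evaluate(graph: Set[Triple], policy: List[Rule], action: Action, pattern: Triple) -> List[Triple]:
    """Step 2: the query pattern is matched against the temporary graph only, never the secured graph."""
    return sorted(t for t in temporary_graph(graph, policy, action) if matches(pattern, t))


if __name__ == "__main__":
    for t in evaluate(SECURED_GRAPH, POLICY, Action("QueryAction", BOB), (ALICE, "*", "*")):
        print(t)
```

The security property of the two-step design is that the query engine never sees a triple the policy did not classify for this actor and this action kind: Bob's query for everything about Alice yields her name and position but not her phone number, an unknown actor such as carol gets only the public names, and Bob dereferencing rather than querying does not trigger BobPosRule at all. Note that permit_instance grants every triple of a matching resource, so concept-based rules are coarser than model-based ones and deserve more scrutiny.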

Slide 13. Required Operations
  • Definition and modification of access policies
  • Publication and modification of RDF graphs
  • Querying RDF graphs
  • URL dereferencing

Slide 14. Authentication
  • Username/password combinations are impractical for Linked Data
  • A central authority would violate the decentralization principle inherent in the WWW
  • FOAF+SSL enables password-free authentication based on SSL certificates
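
The server side of the FOAF+SSL verification named on slide 14, as an added example in Python; this is not PeLDS code. The slides only state that SSL certificates and FOAF+SSL are used, so the following is assumed here: the client certificate carries the user's WebID as a subjectAltName URI, the server dereferences that URI to fetch the FOAF profile, and the profile lists the user's RSA public key with the cert:key, cert:modulus and cert:exponent properties of http://www.w3.org/ns/auth/cert#. The certificate fields, the profile documents and the toy-sized moduli are constructed in memory so the example runs offline; a real server would fetch the profile over HTTP(S).

```python
"""Server-side FOAF+SSL (WebID) verification. Added example, not PeLDS code.

The WebID is taken from the certificate's subjectAltName URI; the profile is
"fetched" from an in-memory table standing in for an HTTP dereference; the key
vocabulary (cert:key / cert:modulus / cert:exponent) is an assumption.
"""
from typing import Callable, Dict, Optional, Set, Tuple

Triple = Tuple[str, str, str]
CERT = "http://www.w3.org/ns/auth/cert#"  # assumed certificate vocabulary
BOB = "http://example.com/bob"
ALICE = "http://example.com/alice"

# Toy-sized moduli for illustration; real RSA moduli are 2048 bits or more.
BOB_MODULUS = 0xB0B0_CAFE_1234_5678
ALICE_MODULUS = 0xA11CE_5EED_9876_5432
MALLORY_MODULUS = 0xD1CE_F00D_BAAD_F00D

# Constructed FOAF profile documents, keyed by the document URL the WebID dereferences to.
PROFILES: Dict[str, Set[Triple]] = {
    BOB: {
        (BOB, CERT + "key", "_:bobkey"),
        ("_:bobkey", CERT + "modulus", format(BOB_MODULUS, "X")),      # xsd:hexBinary
        ("_:bobkey", CERT + "exponent", "65537"),
    },
    ALICE: {
        (ALICE, CERT + "key", "_:alicekey"),
        ("_:alicekey", CERT + "modulus", format(ALICE_MODULUS, "x")),  # lowercase hex
        ("_:alicekey", CERT + "exponent", "65537"),
    },
}


def fetch_profile(webid: str) -> Optional[Set[Triple]]:
    """Stand-in for dereferencing the WebID over HTTP: drop any fragment, look up the document."""
    return PROFILES.get(webid.split("#", 1)[0])


def profile_keys(profile: Set[Triple], webid: str) -> Set[Tuple[int, int]]:
    """Collect the (modulus, exponent) pairs the profile asserts for exactly this WebID.

    Keys attached to any other subject in the same document are ignored, so a
    document cannot vouch for an identity it does not describe.
    """
    keys: Set[Tuple[int, int]] = set()
    for subject, prop, key_node in profile:
        if subject != webid or prop != CERT + "key":
            continue
        props = {p: o for s, p, o in profile if s == key_node}
        modulus, exponent = props.get(CERT + "modulus"), props.get(CERT + "exponent")
        if modulus is not None and exponent is not None:
            # hexBinary may be upper- or lowercase and is sometimes written with spaces
            keys.add((int(modulus.replace(" ", ""), 16), int(exponent)))
    return keys


def verify_webid(cert: Dict, fetch: Callable[[str], Optional[Set[Triple]]] = fetch_profile) -> Optional[str]:
    """Return the authenticated WebID, or None when no claimed WebID vouches for the presented key.

    The subjectAltName claim alone proves nothing: anyone can self-sign a
    certificate naming Bob's WebID. Only a match between the public key in the
    certificate and a key published under Bob's own WebID authenticates Bob.
    """
    presented = (cert["modulus"], cert["exponent"])
    for webid in cert["san_uris"]:
        profile = fetch(webid)
        if profile is None:
            continue  # no profile: this claim cannot be checked, so it is not accepted
        if presented in profile_keys(profile, webid):
            return webid
    return None


# Constructed certificates: the fields a server reads from the client's X.509 certificate.
BOB_CERT = {"san_uris": [BOB], "modulus": BOB_MODULUS, "exponent": 65537}
# Mallory self-signs a certificate that claims Bob's WebID but carries her own key.
FORGED_CERT = {"san_uris": [BOB], "modulus": MALLORY_MODULUS, "exponent": 65537}
# A WebID whose profile cannot be dereferenced authenticates nobody.
UNKNOWN_CERT = {"san_uris": ["http://example.com/carol"], "modulus": MALLORY_MODULUS, "exponent": 65537}
```

Two caveats the toy leaves to the surrounding system: proof of possession of the private key comes from the TLS handshake, in which the client signs with that key, so verify_webid must only ever be called with a certificate that completed a TLS client-authenticated handshake; and the profile must be fetched from the WebID's own document over a channel the server trusts, since an attacker who can substitute the fetched profile can publish their own key under Bob's identifier. Because the user publishes the key in their own profile, no server needs to be configured with user accounts, which is the configuration-free distributed authentication the abstract refers to.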

Slide 15. PeLDS Implementation
  • Linked Data server with an HTTP API
  • Supports the PsSF policy language
  • FOAF+SSL for user authentication
  • Demo: distributed address book

Slide 16. Demo Application: Distributed Address Book (screenshots of Bob's view and Alice's view)

Slide 17. PeLDS prototype: Performance
  (Figure: processing time in seconds versus triple count, from 450 to 4500 triples, for PeLDS, Joseki/TDB, and Joseki/TDB/Pellet; the two fitted trend lines have R² = 0.9943 and R² = 0.9959.)

Slide 18. Conclusion
  • Access policies and comprehensive data classifications are possible for Linked Data
  • PeLDS enables distributed applications with support for access policies
  • The PeLDS implementation is available as open source software from www.pelds.org