SWRL-based Access Policies for Linked Data

Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.



  1. SWRL-Based Access Policies for Linked Data. Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag, Databases and Information Systems, Department of Computer Science, Humboldt-Universität zu Berlin
  2. “Social Web”: What about the system operator?
  3. Overview: 1. Linked Data principles (short) 2. Access policies / data classification 3. “Policy enabled Linked Data Server” concept 4. PeLDS implementation and evaluation
  4. Linked Data: URLs as identifiers / dereferencing. [Figure: the resource http://example.com/bob (ex:name “Bob Ross”, ex:phone “+4930123456”) is linked via ex:spouse to http://example.com/alice (ex:name “Alice Ross”, ex:pos “42° 21′ 32″ N 71° 5′ 34″ W”); an HTTP request dereferences http://example.com/bob. Legend: resource, property, literal, graph.]
  5. Access Policies • Set of rules whose evaluation determines whether a user can access certain information • Different types: DAC, MAC, RBAC • A generic system should support many types • Data classification required • Linked Data: classify protected parts of a graph • Different levels of classification conceivable: syntax, model, concepts
  6. Model-based Classification • Data classification on a structure-preserving decomposition of the graph (set of triples) • Resource, property and value of triples can be specified; wildcards select unknown entries • Example: the triple (http://example.com/bob, ex:name, “Bob Ross”) is classified by Resource == http://example.com/bob, Property == ex:name, Value == *
  7. Concept-based Classification • Data classification on a structure of concepts and properties • Resources and their properties can be classified using their affiliation with a concept • Example: http://example.com/bob has ex:name “Bob Ross” and rdf:type http://example.com/per#Person; it is classified by Concept == http://example.com/per#Person
  8. Concept: Policy enabled Linked Data Server • Policy language PsSF • Policy evaluation algorithms • Data and policy management operations • Secure authentication
  9. Policy Language PsSF • Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL) • Prolog-style syntax for concise notation • Additional predicates for model- and concept-based data classification: permit_triple(...), permit_instance(...)
  10. PsSF Policy Language: Example. BobPosRule: QueryAction(?action) && actor(?action, http://example.com/bob) => permit_triple(http://example.com/alice, ex:pos, *); the rule permits the ex:pos triple of http://example.com/alice. [Figure: Alice’s graph with ex:pos “42° 21′ 32″ N 71° 5′ 34″ W” and ex:name “Alice Ross”.]
  11. Policy evaluation: Query • For each rule contained in the policy, check whether its preconditions are met • Approve the graph elements classified by matching rules by adding them to a temporary RDF graph for the current user that contains only authorized graph elements • Evaluate queries or dereferencing requests exclusively on those temporary graphs
  12. [Figure: policy evaluation example. Step 1: Rule 1 of the access policy is applied to the secured graph and the matching elements are approved; Step 2: the query (?, nm, “Bob”) is evaluated on the temporary graph, yielding the query result.]
  13. Required Operations • Definition & modification of access policies • Publication & modification of RDF graphs • Querying RDF graphs • URL dereferencing
  14. Authentication • Username/password combinations are impractical for Linked Data • A central authority would violate the decentralization principle inherent in the WWW • FOAF+SSL enables password-free authentication based on SSL certificates
  15. PeLDS Implementation • Linked Data server with HTTP API • Supports the PsSF policy language • FOAF+SSL for user authentication • Demo: Distributed Address Book
  16. Demo Application: Distributed Address Book [Screenshots: Bob’s View, Alice’s View]
  17. PeLDS prototype: Performance [Plot: processing time (s, 0 to 50) against triple count (450 to 4500) for PeLDS, Joseki / TDB and Joseki / TDB / Pellet; fitted trend lines with R² = 0.9943 and R² = 0.9959]
  18. Conclusion • Access policies and comprehensive data classifications are possible for Linked Data • PeLDS enables distributed applications with support for access policies • The PeLDS implementation is available as open source software from www.pelds.org
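As an added example (not PeLDS code), the model- and concept-based classification of slides 6 and 7, the BobPosRule of slide 10 and the two-step evaluation of slide 11 in a small Python evaluator: the sample graph, the rules other than BobPosRule and the action name UpdateAction are constructed for the illustration.

```python
# Added example, not PeLDS code: a toy evaluator for PsSF-style rules.
# A graph is a set of (subject, predicate, object) triples; "*" is a wildcard.
EX = "http://example.com/"
RDF_TYPE = "rdf:type"

# Constructed sample graph stored on Alice's server (name and position as on
# the slides; the phone number and the Person typing are made up).
GRAPH = {
    (EX + "alice", "ex:name", "Alice Ross"),
    (EX + "alice", "ex:pos", "42° 21′ 32″ N 71° 5′ 34″ W"),
    (EX + "alice", "ex:spouse", EX + "bob"),
    (EX + "alice", "ex:phone", "+4930000000"),
    (EX + "alice", RDF_TYPE, EX + "per#Person"),
}

def matches(pattern, triple):
    """Model-based classification: each position is equal or a wildcard."""
    return all(p == "*" or p == t for p, t in zip(pattern, triple))

# Rules: a precondition on the request (action type and actor, "*" = any) plus
# the predicates they conclude: permit_triple(s, p, o) or permit_instance(C).
# BobPosRule is the slide-10 rule; the other two are constructed.
RULES = [
    {"name": "BobPosRule", "action": "QueryAction", "actor": EX + "bob",
     "permits": [("permit_triple", (EX + "alice", "ex:pos", "*"))]},
    {"name": "PublicNameRule", "action": "QueryAction", "actor": "*",
     "permits": [("permit_triple", ("*", "ex:name", "*"))]},
    {"name": "OwnerRule", "action": "*", "actor": EX + "alice",
     "permits": [("permit_instance", EX + "per#Person")]},
]

def authorized_graph(graph, action, actor, rules=RULES):
    """Step 1: start from an empty temporary graph (deny by default) and add
    the elements classified by every rule whose preconditions hold."""
    temp = set()
    for rule in rules:
        if rule["action"] not in ("*", action) or rule["actor"] not in ("*", actor):
            continue
        for predicate, spec in rule["permits"]:
            if predicate == "permit_triple":
                temp |= {t for t in graph if matches(spec, t)}
            else:  # concept-based: every triple of an instance typed with spec
                members = {s for s, p, o in graph if p == RDF_TYPE and o == spec}
                temp |= {t for t in graph if t[0] in members}
    return temp

def query(graph, action, actor, pattern):
    """Step 2: evaluate the triple pattern only against the temporary graph."""
    temp = authorized_graph(graph, action, actor)
    return sorted(t for t in temp if matches(pattern, t))
```

Because the temporary graph starts empty, a requester for whom no rule fires (or who uses an action type no rule covers) sees nothing, which is the deny-by-default behaviour implied by slide 11.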
