SWRL-based Access Policies for Linked Data

SWRL-Based Access Policies for Linked Data Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag Databases and Information Systems Department of Computer Science Humboldt-Universität zu Berlin

description

Social applications are one of the fastest growing areas of the Web. However, privacy issues ensue if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, in which users retain fine-grained control over their data and are still able to combine their data with that of users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) that obeys user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.

Transcript of SWRL-based Access Policies for Linked Data

Page 1: SWRL-based Access Policies for Linked Data

SWRL-Based Access Policies for Linked Data

Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag

Databases and Information Systems, Department of Computer Science

Humboldt-Universität zu Berlin

Page 2: SWRL-based Access Policies for Linked Data

“Social Web”

What about the system operator?


Page 3: SWRL-based Access Policies for Linked Data

Overview

1. Linked Data principles (short)

2. Access policies / data classification

3. “Policy enabled Linked Data Server” concept

4. PeLDS implementation and evaluation


Page 5: SWRL-based Access Policies for Linked Data

Access Policies

• Set of rules whose evaluation determines whether a user may access certain information

• Different types: DAC, MAC, RBAC (role-based access control)

• A generic system should support many types

• Data classification required

• Linked Data: classify the protected parts of a graph

• Different levels of classification conceivable: syntax, model, concepts

Page 6: SWRL-based Access Policies for Linked Data

Model-based Classification

• Data classification on a structure-preserving decomposition of the graph (set of triples)

• Resource, property and value of triples can be specified; wildcards select unknown entries.

• Example triple:

  http://example.com/bob   ex:name   "Bob Ross"

  Classification of this triple: Resource == http://example.com/bob, Property == ex:name, Value == *

Page 7: SWRL-based Access Policies for Linked Data

Concept-based Classification

• Data classification on a structure of concepts and properties

• Resources and their properties can be classified using their affiliation with a concept

• Example:

  http://example.com/bob   ex:name    "Bob Ross"
  http://example.com/bob   rdf:type   http://example.com/per#Person

  Classification: Concept == http://example.com/per#Person

Page 8: SWRL-based Access Policies for Linked Data

Concept: Policy enabled Linked Data Server

• Policy language PsSF

• Policy evaluation algorithms

• Data and policy management operations

• Secure authentication


Page 9: SWRL-based Access Policies for Linked Data

Policy Language PsSF

• Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL)

• Prolog-style syntax for concise notation

• Additional predicates for model- and concept-based data classification:

  • permit_triple(...), permit_instance(...)

Page 10: SWRL-based Access Policies for Linked Data

PsSF Policy Language: Example

BobPosRule:
    QueryAction(?action) && actor(?action, http://example.com/bob)
    => permit_triple(http://example.com/alice, ex:pos, *);

Graph shown on the slide:

http://example.com/alice   ex:pos    "42° 21′ 32″ N 71° 5′ 34″ W"
http://example.com/alice   ex:name   "Alice Ross"

Page 11: SWRL-based Access Policies for Linked Data

Policy evaluation - Query

• For each rule contained in the policy, check whether its preconditions are met

• Approve the graph elements classified by the matching rules by adding them to a temporary RDF graph for the current user, which contains only the authorized graph elements

• Evaluate queries and dereferencing requests exclusively on these temporary graphs

Page 12: SWRL-based Access Policies for Linked Data

[Figure: policy evaluation in two steps. Step 1: the access policy (Rule 1, classifying the triples (H, sp, *) and (*, nm, *)) is applied to the secured graph, producing the temporary graph, which holds only the authorized triples H -sp-> A and H -nm-> "Bob"; the triples about W and Z that no rule classifies are absent. Step 2: the query (H, nm, ?) is evaluated against the temporary graph only and returns "Bob".]
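The evaluation procedure of slides 6 to 12 (model- and concept-based classification, rule preconditions, the per-user temporary graph, and querying only that graph) as one runnable example. This is added here and is not the PeLDS code: PsSF text is not parsed, rules are written as Python callables, permit_instance is read as "all triples of every instance of the concept" (an assumption), and all URIs, rules other than BobPosRule, and triples are constructed for the example.

```python
"""Added example: a minimal re-implementation of the PeLDS evaluation steps
from slides 6-12. NOT the PeLDS code; PsSF is not parsed, rules are Python
callables. URIs, sample triples and all rules except BobPosRule are constructed."""
from dataclasses import dataclass
from typing import Callable

ANY = "*"                      # wildcard position in a classification pattern
RDF_TYPE = "rdf:type"
Triple = tuple[str, str, str]  # (resource, property, value)
Graph = set[Triple]


@dataclass(frozen=True)
class Request:
    """What a rule body can test: the action type (e.g. "QueryAction") and the
    authenticated actor (in PeLDS the WebID established via FOAF+SSL)."""
    action: str
    actor: str


@dataclass(frozen=True)
class Rule:
    """One PsSF-style rule: body => permit_triple(...) / permit_instance(...).
    Heads are functions of the request so they can reuse variables bound in
    the body (e.g. the actor's own URI)."""
    name: str
    precondition: Callable[[Request], bool]
    permit_triples: Callable[[Request], list[Triple]] = lambda r: []
    permit_instances: Callable[[Request], list[str]] = lambda r: []


def matches(pattern: Triple, triple: Triple) -> bool:
    """Model-based classification (slide 6): every position equals the
    triple's entry or is the wildcard."""
    return all(p == ANY or p == t for p, t in zip(pattern, triple))


def select_model(graph: Graph, pattern: Triple) -> Graph:
    return {t for t in graph if matches(pattern, t)}


def select_concept(graph: Graph, concept: str) -> Graph:
    """Concept-based classification (slide 7), assumed reading of
    permit_instance(C): all triples whose resource is an rdf:type instance of C."""
    instances = {s for s, p, o in graph if p == RDF_TYPE and o == concept}
    return {t for t in graph if t[0] in instances}


def authorized_graph(graph: Graph, policy: list[Rule], request: Request) -> Graph:
    """Step 1 (slides 11-12): build the per-user temporary graph. Only rules whose
    preconditions hold for this request contribute; a triple that no rule
    classifies stays invisible whatever the user asks for."""
    temp: Graph = set()
    for rule in policy:
        if not rule.precondition(request):
            continue
        for pattern in rule.permit_triples(request):
            temp |= select_model(graph, pattern)
        for concept in rule.permit_instances(request):
            temp |= select_concept(graph, concept)
    return temp


def query(graph: Graph, policy: list[Rule], request: Request, pattern: Triple) -> Graph:
    """Step 2: evaluate on the temporary graph only, never on the secured graph,
    so a query cannot reach unclassified triples (e.g. by joining on a value
    the user may not see)."""
    return select_model(authorized_graph(graph, policy, request), pattern)


# Constructed sample data: the persons of slide 10, an unclassified phone
# number, and one organisation to exercise concept-based classification.
ALICE, BOB = "http://example.com/alice", "http://example.com/bob"
ACME = "http://example.com/acme"
PERSON, ORGANISATION = "http://example.com/per#Person", "http://example.com/per#Organisation"

SECURED_GRAPH: Graph = {
    (ALICE, RDF_TYPE, PERSON),
    (ALICE, "ex:name", "Alice Ross"),
    (ALICE, "ex:pos", "42° 21′ 32″ N 71° 5′ 34″ W"),
    (ALICE, "ex:phone", "+1 555 0100"),      # no rule ever classifies this
    (BOB, RDF_TYPE, PERSON),
    (BOB, "ex:name", "Bob Ross"),
    (ACME, RDF_TYPE, ORGANISATION),
    (ACME, "ex:name", "ACME Inc."),
    (ACME, "ex:pos", "51° 30′ N 0° 7′ W"),
}

POLICY = [
    # BobPosRule from slide 10:
    # QueryAction(?a) && actor(?a, bob) => permit_triple(alice, ex:pos, *)
    Rule("BobPosRule",
         precondition=lambda r: r.action == "QueryAction" and r.actor == BOB,
         permit_triples=lambda r: [(ALICE, "ex:pos", ANY)]),
    # Assumed: any authenticated actor may read ex:name of any resource.
    Rule("NamesRule",
         precondition=lambda r: r.actor != "",
         permit_triples=lambda r: [(ANY, "ex:name", ANY)]),
    # Assumed: an actor sees everything about its own resource (head reuses
    # the actor bound in the body).
    Rule("OwnerRule",
         precondition=lambda r: r.actor != "",
         permit_triples=lambda r: [(r.actor, ANY, ANY)]),
    # Assumed: organisations are public; concept-based classification.
    Rule("OrgRule",
         precondition=lambda r: True,
         permit_instances=lambda r: [ORGANISATION]),
]
```

With this policy, Bob's QueryAction for (alice, ex:pos, *) returns Alice's position, the same request as a DereferenceAction or by another actor returns nothing, and Alice's phone number is unreachable for everyone but Alice herself because no rule classifies it. The point to keep from slide 11 is the order of operations: the temporary graph is built from the rules first, and the query only ever sees that graph.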

Page 13: SWRL-based Access Policies for Linked Data

Required Operations

• Definition & modification of access policies

• Publication & modification of RDF graphs

• Querying RDF graphs

• URL dereferencing


Page 14: SWRL-based Access Policies for Linked Data

Authentication

• Username/password combinations are impractical for Linked Data

• A central authority would violate the decentralization principle inherent in the WWW

• FOAF+SSL enables password-free authentication based on SSL certificates
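The server-side verification that makes FOAF+SSL password-free, as an added example (not PeLDS code): after the TLS handshake has proven that the client holds the private key of the certificate it presented, the server reads the WebID URI from the certificate, dereferences it, and accepts the identity only if the profile found there binds the same public key to exactly that WebID. The cert: vocabulary terms, the profile contents, the key values, and the `fetch_profile` stand-in for an HTTP GET are all assumptions constructed for the example; certificate fields are passed in already extracted.

```python
"""Added example (not PeLDS code): the server-side check behind FOAF+SSL.
The TLS handshake proves possession of the certificate's private key; this
function decides whether the WebID named in the certificate owns that key.
Certificate fields arrive already extracted; the profile fetch is injected so
the example runs offline on constructed data."""
from typing import Callable, Optional

# Assumed vocabulary (WebID-TLS cert: terms); the original FOAF+SSL drafts
# used an older rsa: vocabulary with the same modulus/exponent structure.
CERT_KEY = "http://www.w3.org/ns/auth/cert#key"
CERT_MODULUS = "http://www.w3.org/ns/auth/cert#modulus"
CERT_EXPONENT = "http://www.w3.org/ns/auth/cert#exponent"

Triple = tuple[str, str, str]
Fetcher = Callable[[str], list[Triple]]


def _literal(profile: list[Triple], subject: str, predicate: str) -> Optional[str]:
    return next((o for s, p, o in profile if s == subject and p == predicate), None)


def verify_webid(claimed_webid: str, cert_modulus: int, cert_exponent: int,
                 fetch: Fetcher) -> bool:
    """True iff the document behind `claimed_webid` lists the certificate's
    RSA public key as a cert:key of exactly that WebID."""
    # The profile is fetched from the WebID itself (fragment stripped). No other
    # location, e.g. a URL embedded elsewhere in the certificate, is trusted:
    # the URI is the identity, so the document it names is the only authority.
    document_uri = claimed_webid.split("#", 1)[0]
    try:
        profile = fetch(document_uri)
    except OSError:          # unreachable profile: fail closed
        return False
    for s, p, key in profile:
        # Only keys attached to the claimed subject count. One document may host
        # several WebIDs; a key attached to another one must not authenticate this one.
        if s != claimed_webid or p != CERT_KEY:
            continue
        mod_hex = _literal(profile, key, CERT_MODULUS)
        exp_dec = _literal(profile, key, CERT_EXPONENT)
        if mod_hex is None or exp_dec is None:
            continue
        try:
            # cert:modulus is xsd:hexBinary: compare numerically so letter case,
            # whitespace and a leading zero octet (as X.509 encodes it) do not matter.
            mod, exp = int("".join(mod_hex.split()), 16), int(exp_dec)
        except ValueError:
            continue
        if mod == cert_modulus and exp == cert_exponent:
            return True
    return False


# Constructed data: one profile document hosting two WebIDs with their own keys.
TEAM_DOC = "https://example.com/team"
ALICE, MALLORY = TEAM_DOC + "#alice", TEAM_DOC + "#mallory"
ALICE_MODULUS = int("00" + "a1b2c3d4" * 8, 16)    # not a real key
MALLORY_MODULUS = int("e5f6a7b8" * 8, 16)          # not a real key
PUBLIC_EXPONENT = 65537

PROFILES: dict[str, list[Triple]] = {
    TEAM_DOC: [
        (ALICE, CERT_KEY, "_:k1"),
        ("_:k1", CERT_MODULUS, "A1B2 C3D4 " * 8),   # spaced hex, no leading 00
        ("_:k1", CERT_EXPONENT, "65537"),
        (MALLORY, CERT_KEY, "_:k2"),
        ("_:k2", CERT_MODULUS, "e5f6a7b8" * 8),
        ("_:k2", CERT_EXPONENT, "65537"),
    ],
}


def fetch_profile(document_uri: str) -> list[Triple]:
    """Stand-in for an HTTP GET of the profile document (constructed data)."""
    return list(PROFILES.get(document_uri, []))
```

In a real deployment the WebID comes from the subjectAltName URI of the peer certificate the TLS stack hands over, and the server has to request a client certificate without demanding a CA chain: the certificate is normally self-signed, and trust is established by the profile lookup, not by an issuer. The Mallory case in the constructed profile is the check worth keeping: a certificate carrying Mallory's key but naming Alice's WebID must be rejected even though both keys sit in the same document.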

Page 15: SWRL-based Access Policies for Linked Data

PeLDS Implementation

• Linked Data server with HTTP API

• Supports the PsSF policy language

• FOAF+SSL for user authentication

• Demo: Distributed Address Book

Page 16: SWRL-based Access Policies for Linked Data


Demo Application: Distributed Address Book

Alice’s View

Bob’s View

Page 17: SWRL-based Access Policies for Linked Data

PeLDS prototype - Performance

[Plot: processing time in seconds (0 to 50) against triple count (450 to 4500) for PeLDS, Joseki / TDB, and Joseki / TDB / Pellet; linear fits with R² = 0.9959 and R² = 0.9943.]

Page 18: SWRL-based Access Policies for Linked Data

Conclusion

• Access policies and comprehensive data classifications are possible for Linked Data

• PeLDS enables distributed applications with support for access policies

• The PeLDS implementation is available as open source software from www.pelds.org
