1 / 25

WP3: Provenance and Access Policies

WP3: Provenance and Access Policies. Giorgos Flouris (FORTH) - fgeo@ics.forth.gr Irini Fundulaki (CWI & FORTH) - fundul@ics.forth.gr. Part I General Description of WP3. Research Topics, Tasks and Partners.

qamar
Download Presentation

WP3: Provenance and Access Policies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. WP3: Provenance and Access Policies Giorgos Flouris (FORTH) - fgeo@ics.forth.gr Irini Fundulaki (CWI & FORTH)- fundul@ics.forth.gr

  2. Part IGeneral Description of WP3

  3. Research Topics, Tasks and Partners • Objective:manage annotations of different forms and semantics over data, related to data access • Research Topics: Provenance, Access Control, Privacy, Digital Rights Management (DRM), Trust Management • Partners: FORTH, EPFL, KIT FORTH (14 PM) KIT (3 PM) EPFL (2 PM) Task 3.1 (M1-M36) Task 3.2 (M1-M42) Task 3.3 (M19-M42)

  4. Deliverables • D3.1 (FORTH, M24): “Access Control Specification Language, Reasoning and Enforcement Mechanisms” • D3.2 (FORTH, M36): “Provenance Management and propagation through SPARQL query and update languages” • D3.3 (FORTH, M42): “Access Control System and Privacy Aware Language” • D3.4 (EPFL, M42): “Trust Management and Inference System” FORTH (14 PM) KIT (3 PM) EPFL (2 PM) Task 3.1 (M1-M36) Task 3.2 (M1-M42) Task 3.3 (M19-M42) D3.2 (M24) D3.1 (M36), D3.3 (M42) D3.4 (M42)

  5. Collaboration (Review Concern) • Paper connecting quality assessment and repair from WP2 with provenance and the work done in WP3 (FUB-FORTH) • Experiments for access control framework to consider datasets used in the project

  6. Part IIResearch on WP3: Access Control

  7. Controlling Access to RDF Data • Refers to the ability to permit or deny the use of a particular resource by a particular entity • Crucial for sensitive content since it ensures the selective exposure of information to different classes of users

  8. Contributions: Access Control • Contributions: • Fine-grained, repository independent, portable across platforms access control framework • High-level access control model for RDF data focusing on read-only permissions • Formal semantics • System implementation & experiments

  9. Abstract Versus Concrete Models • Standard approach • (t, accessible) • Our approach • (t, at5 ⊙ at2) • Concretize at5,at2,⊙ • Compute at5⊙at2 • Determine whether t is accessible or not • Advantages • Can experiment with different semantics and access control policies • Faster updating of access control annotations during changes (additions/deletions of triples and/or annotations)

  10. Abstract Access Control Model • Access Control Model defined by a set of abstract tokens and abstract operators to model • Computation of access labels of implicit RDF triples • Propagation of access labels • Conflicting and missing access labels • Access Control Authorizations associate triples in the RDF/S graph with abstract tokens: quadruples • Entailment rules for computing the access labels of implied quadruples • Propagation rules to specify how access labels are propagated along the subclassOf and subpropertyOf relations.

  11. Computing Abstract Labels Evaluate the authorizations on the RDFS graph to obtain quadruples (i.e., triples annotated with access labels) Apply RDFS Inference on the set of quadruples to obtain the closure of the RDFS graph Apply the propagation rules to compute the propagated labels 9/8/2014

  12. Example: Input p s o A1 : (construct {?x firstName ?y} where {?x type Student }, at1) Student t1: sc Person A2 : (construct {?x sc ?y}, at2) t2: Person Agent sc t3: &a type Student A3 : (construct {?x type Student }, at3) t4: Alice &a firstName A4 : (construct {?x type class}, at4) t5: &a lastName Smith A5 : (construct {?x ?p Person}, at5) t6: Agent type class RDF triples Authorizations (Query, Access Token)

  13. l s p o at2 Student q1: sc Person q2: Person Agent sc at2 q3: &a type Student at3 q4: Alice &a firstName at1  q5: &a lastName Smith at4 q6: Agent type class at5 q7: Student sc Person RDF quadruples Example: Authorizations s p o Student t1: sc Person t2: Person sc Agent t3: &a type Student t4: Alice &a firstName t5: &a lastName Smith class t6: Agent type A1 : (construct {?x firstName ?y} where {?x type Student }, at1) A2 : (construct {?x sc ?y}, at2) A3 : (construct {?x type Student }, at3) A4 : (construct {?x type class}, at4) A5 : (construct {?x ?p Person}, at5)

  14. Example: ⊙ Entailment Operator RDFS Inference: triple-generating rules (A1, sc, A2, l1) (A2, sc, A3, l2) (A1, sc, A3, l1 ⊙l2) (&r1, type, A2, l1 ⊙l2) (&r1, type, A1, l1) (A1, sc, A2, l2) l s p o q1: at2 Student sc Person l s p o q2: Person Agent sc at2 at2 ⊙ at2 Student q8: sc Agent q3: &a type Student at3 q9: Student Agent sc at5 ⊙ at2 q7: Person at5 Student sc q10: &a type Person at3 ⊙ at2 q11: Agent &a type (at3 ⊙ at2) ⊙ at2 (at5 ⊙ at2) ⊙ at2 q12: &a type Agent

  15. Example:  Propagation Operator Propagating labels: no new triples are created (A1, type, class, l1) (&a, type, A1, l2) (&a, type, A1,  (l1 ))  ((l1)) = (l1) (idempotence) l s p o q6: Agent class type at4 (at3 ⊙ at2) ⊙ at2 Agent q11: &a type l s p o  at4 q13: &a Agent type

  16. Concrete Access Control Policy (1) • How do you determine the accessibility of a triple? • Need to evaluate the abstract label(s) associated with said triple • Concrete access control policy • Set of concrete Tokens (e.g., true-false, high-medium-low, etc) • Mappingfrom abstract to concrete tokens (e.g., at4false) • Concrete operators (i.e., implementation of abstract ones, e.g., ⊙=) • Conflict resolution operator (used when more that one abstract labels are associated with the same triple to resolve ambiguity) • Access function (to decide whether a triple is accessible, depending on the evaluation result)

  17. Concrete Access Control Policy (2) • Example: • Set of concrete tokens:LP = { true, false} • Mapping: at1, at2, at3  true, at4, at5  false • Entailment operator⊙: • al1 ⊙ al2 = • Propagation operator : al = al al1 al2 if al1 and al2 are different from  ali if ali = , alj different from   if al1 , al2 equal to 

  18. Concrete Access Control Policy (3) • Conflict resolution operator: • If a token is assigned n labels: al1,…,aln, then: • {al1,...,aln} = • Access function: triples with label true are accessible, otherwise, inaccessible false if false is in {al1,...,aln} true if false is not in {al1,...,aln}, but true is  if neither false nor true are in {al1,...,aln}

  19. Example: Evaluation Process • Is (&a, type, Agent) accessible? • Find all labels of (&a, type, Agent), i.e., all quadruples involving said triple: • (&a, type, Agent, (at3 ⊙ at2) ⊙ at2 ) • (&a, type, Agent, (at5 ⊙ at2) ⊙ at2 ) • (&a, type, Agent, at4) • Evaluate them: • (&a, type, Agent, true) • (&a, type, Agent, false) • (&a, type, Agent, false) • Resolve conflicts (i.e., “combine” labels): • (&a, type, Agent, false) • Run access function to determine accessibility: • Not accessible

  20. Implementation: Use of a relational schema to store the quadruples Quad(qid, s, p, o, propop, inferop, label) inferop, propop: boolean values indicating whether the label is obtained through propagation or inference LabelStore(qid, qid_uses) Stores the access label of a triple qid: the quadruple whose label is stored qid_uses: the quadruple used by quadruple with qid to compute the label of the latter. Implementation

  21. Experiments: Description • Experiment 1:annotation time (the time required to compute the inferred triples with their labels and the propagated labels) • Experiment 2:evaluation time (a) (the time needed to compute for a concrete policy, the concrete access label all the RDF triples) • Experiment 3:evaluation time (b) (the time needed to compute for a concrete policy, the concrete access label of a % of the RDF triples in a graph)

  22. Experiments: Setting and Process • MonetDB/Postgresql to store the quadruples • Stored Procedures to • Compute the abstract access labels (complex expressions) (Experiment 1) • Given a concrete policy, to compute the concrete access labels of triples (Experiments 2 and 3) • Datasets: • Synthetic schemas produced with Powergen • CIDOC & GO ontologies

  23. Experiments: Results • Annotation time increases linearly with respect to implied triples • 45 secs for 900K implied triples (MonetDB) • Evaluation time increases linearly with respect to the number of triples evaluated • 60 secs for 30K evaluated triples (MonetDB) • MonetDB is faster than Postgresql • Working on improved schemata to get better performance

  24. References • Flouris G., Fundulaki I., Michou M., Antoniou G.Controlling Access to RDF Graphs.In FIS 2010. • Flouris G., Fundulaki I., Michou M., Papakonstantinou V., Antoniou G. Access Control for RDFS Graphs Using Abstract Models. To appear in SACMAT 2012.

  25. Thank you !

More Related