
SWRL-based Access Policies for Linked Data



Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.


Page 1: SWRL-based Access Policies for Linked Data

SWRL-Based Access Policies for Linked Data

Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag

Databases and Information Systems

Department of Computer Science

Humboldt-Universität zu Berlin

Page 2: SWRL-based Access Policies for Linked Data

“Social Web”

What about the system operator?


Page 3: SWRL-based Access Policies for Linked Data

Overview

1. Linked Data principles (short)

2. Access policies / data classification

3. “Policy enabled Linked Data Server” concept

4. PeLDS implementation and evaluation


Page 5: SWRL-based Access Policies for Linked Data

Access Policies

• Set of rules whose evaluation determines whether a user may access certain information

• Different types: DAC, MAC, RBAC

• A generic system should support many types

• Data classification is required

• Linked Data: classify the protected parts of a graph

• Different levels of classification are conceivable: syntax, model, concepts

Page 6: SWRL-based Access Policies for Linked Data

Model-based Classification

• Data classification on a structure-preserving decomposition of the graph (set of triples)

• Resource, property and value of triples can be specified; wildcards select unknown entries.

• Example: the triple http://example.com/bob ex:name “Bob Ross” is selected by the classification

  Resource == http://example.com/bob
  Property == ex:name
  Value == *

Page 7: SWRL-based Access Policies for Linked Data

Concept-based Classification

• Data classification on a structure of concepts and properties

• Resources and their properties can be classified using their affiliation with a concept

• Example: the resource http://example.com/bob with ex:name “Bob Ross” and rdf:type http://example.com/per#Person is selected by the classification

  Concept == http://example.com/per#Person

Page 8: SWRL-based Access Policies for Linked Data

Concept: Policy enabled Linked Data Server

• Policy language PsSF

• Policy evaluation algorithms

• Data and policy management operations

• Secure authentication


Page 9: SWRL-based Access Policies for Linked Data

Policy Language PsSF

• Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL)

• Prolog-style syntax for concise notation

• Additional predicates for model- and concept-based data classification:

  • permit_triple(...), permit_instance(...)

Page 10: SWRL-based Access Policies for Linked Data

PsSF Policy Language: Example

BobPosRule: QueryAction(?action) && actor(?action, http://example.com/bob) => permit_triple(http://example.com/alice, ex:pos, *);

Example graph: http://example.com/alice has ex:pos “42° 21′ 32″ N 71° 5′ 34″ W” and ex:name “Alice Ross”. The rule permits Bob, when querying, to see the ex:pos triple of http://example.com/alice (any value); the ex:name triple is not classified by this rule.

Page 11: SWRL-based Access Policies for Linked Data

Policy evaluation - Query

• For each rule contained in the policy, check whether its preconditions are met

• Approve the graph elements classified by the matching rules by adding them to a temporary RDF graph for the current user that contains only authorized graph elements

• Evaluate queries or dereferencing requests exclusively on those temporary graphs

Page 12: SWRL-based Access Policies for Linked Data

Figure (slide 12): policy evaluation on an example graph. The Secured Graph contains the resources H, W, A and Z connected by the properties sp, ps and wp, plus the literal “Bob” attached via nm. Rule 1 of the Access Policy has two classifications: H with property sp (any value), and property nm (any resource, any value). Step 1 builds the Temporary Graph from the approved elements only: H, A (via sp) and “Bob” (via nm). Step 2 evaluates the Query for the nm value of H on the temporary graph; the Query Result is “Bob”.
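The two evaluation steps above, combined with the PsSF rule from slide 10, as an added Python example; it is not part of the original presentation or of the PeLDS code base. It parses rules written in the slide's notation, assuming that the grammar `Name: atom && atom => permit_triple(resource, property, value);` with `*` as wildcard generalizes from the single rule shown, checks each rule's preconditions against an access request, builds the temporary per-user graph (Step 1) and evaluates a triple-pattern query only on that graph (Step 2). The sample graph, the second rule (NameRule), the Request type and the semantics assigned to the two atom kinds are constructed assumptions, not taken from the slides.

```python
import re
from typing import NamedTuple

# Constructed sample data: the address-book triples from slide 10 plus one for Bob.
ALICE = "http://example.com/alice"
BOB = "http://example.com/bob"
GRAPH = [
    (ALICE, "ex:pos", "42° 21′ 32″ N 71° 5′ 34″ W"),
    (ALICE, "ex:name", "Alice Ross"),
    (BOB, "ex:name", "Bob Ross"),
]

# Constructed policy in the PsSF notation of slide 10. BobPosRule is the slide's rule;
# NameRule is an added rule letting any querying user read ex:name values.
POLICY = """
BobPosRule: QueryAction(?action) && actor(?action, http://example.com/bob) => permit_triple(http://example.com/alice, ex:pos, *);
NameRule: QueryAction(?action) => permit_triple(*, ex:name, *);
"""

# Assumed grammar: Name: atom (&& atom)* => permit_triple(resource, property, value);
RULE_RE = re.compile(
    r"(\w+)\s*:\s*(.+?)\s*=>\s*permit_triple\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*;"
)
ATOM_RE = re.compile(r"(\w+)\((.*)\)")


class Rule(NamedTuple):
    name: str
    conditions: list   # [(predicate, [argument, ...]), ...]
    pattern: tuple     # (resource, property, value); "*" is a wildcard


class Request(NamedTuple):
    action_type: str   # e.g. "QueryAction"
    actor: str         # WebID of the authenticated user


def parse_policy(text):
    """Parse every PsSF rule in `text` into a Rule (model-based classification only)."""
    rules = []
    for m in RULE_RE.finditer(text):
        name, body, res, prop, val = m.groups()
        conditions = []
        for atom in body.split("&&"):
            am = ATOM_RE.fullmatch(atom.strip())
            if am is None:
                raise ValueError(f"cannot parse atom {atom!r} in rule {name}")
            conditions.append((am.group(1), [a.strip() for a in am.group(2).split(",")]))
        rules.append(Rule(name, conditions, (res, prop, val)))
    return rules


def condition_holds(predicate, args, request):
    """Assumed semantics of the two atom kinds on the slide: a unary atom is a
    class-membership test on the action; actor(?action, x) compares the actor."""
    if len(args) == 1:
        return request.action_type == predicate
    if predicate == "actor" and len(args) == 2:
        return request.actor == args[1]
    raise ValueError(f"unsupported atom {predicate}/{len(args)}")


def matches(pattern, triple):
    """A triple matches a pattern if every non-wildcard slot is equal."""
    return all(p == "*" or p == t for p, t in zip(pattern, triple))


def temporary_graph(graph, rules, request):
    """Step 1: rules whose preconditions hold classify the triples the user may see."""
    firing = [r for r in rules if all(condition_holds(p, a, request) for p, a in r.conditions)]
    return [t for t in graph if any(matches(r.pattern, t) for r in firing)]


def query(graph, rules, request, pattern):
    """Step 2: a triple-pattern query is evaluated only on the temporary graph."""
    return [t for t in temporary_graph(graph, rules, request) if matches(pattern, t)]


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for who in (BOB, "http://example.com/carol"):
        print(who, query(GRAPH, rules, Request("QueryAction", who), (ALICE, "*", "*")))
```

Because the query never touches the secured graph directly, a rule that does not fire for the current user cannot leak a triple even if the query pattern names it explicitly; a user other than Bob asking for everything about Alice receives only the ex:name triple that NameRule approves.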

Page 13: SWRL-based Access Policies for Linked Data

Required Operations

• Definition & modification of access policies

• Publication & modification of RDF graphs

• Querying RDF graphs

• URL dereferencing


Page 14: SWRL-based Access Policies for Linked Data

Authentication

• Username/password combinations are impractical for Linked Data

• A central authority would violate the decentralization principle inherent in the WWW

• FOAF+SSL enables password-free authentication based on SSL certificates

Page 15: SWRL-based Access Policies for Linked Data

PeLDS Implementation

• Linked Data server with HTTP API

• Supports PsSF policy language

• FOAF+SSL for user authentication

• Demo: Distributed Address Book


Page 16: SWRL-based Access Policies for Linked Data

Demo Application: Distributed Address Book

Screenshots (slide 16): Alice’s View and Bob’s View of the address book

Page 17: SWRL-based Access Policies for Linked Data

PeLDS prototype - Performance

Figure (slide 17): processing time (s) against triple count (450 to 4500 triples; y-axis from 12,5 to 50 s) for PeLDS, Joseki / TDB, and Joseki / TDB / Pellet; the two trend lines have R² = 0,9959 and R² = 0,9943.

Page 18: SWRL-based Access Policies for Linked Data

Conclusion

• Access policies and comprehensive data classifications are possible for Linked Data

• PeLDS enables distributed applications with support for access policies

• The PeLDS implementation is available as open source software from www.pelds.org

Page 19: SWRL-based Access Policies for Linked Data