Nicoletta Fornara and Fabio Marfia | Modeling and Enforcing Access Control Obligations for SPARQL-DL...

Nicoletta Fornara, Fabio Marfia

Università della Svizzera italiana (USI) – http://www.usi.ch

13th September 2016

Modeling and EnforcingAccess Control Obligations forSPARQL-DL queries

http://www.usi.ch/

13/09/2016Page 2/27

Università della Svizzera italiana (USI)

SPARQL-DL… hey, what?

SPARQL-DL is a SPARQL-like query language for conjunctive ABox-RBox-TBox queries for OWL 2 DL ontologies

It is thought to be as much similar as possible to SPARQL, while allowing complex queries on the knowledge that can be inferred from an OWL 2 ontology using standard DL reasoning algorithms

A formal description can be found in E. Sirin and B. Parsia. SPARQL-DL: SPARQL Query for OWL-DL. Proceedings of the Third International Workshop on OWL: Experiences and Directions (OWLED '07).

A Java prototype of a SPARQL-DL query interface for OWL 2 has been developed by the DERIVO company (2009)

13/09/2016Page 3/27


Examples of SPARQL-DL queries

Get all Classes:

SELECT ?c WHERE { Class(?c) }

Ask class A is a subclass of B:

ASK { SubClassOf(ex:A, ex:B) }

Get all transitive properties that have John as subject:

SELECT ?p WHERE {PropertyValue(ex:john, ?p, ?o),Transitive(?p)}

13/09/2016Page 4/27


AND, OR operands

Conjunctive conditions are expressed with the use of a comma separator, as in the last example

Disjunctive conditions can be expressed with theOR WHERE clause

Get all transitive or symmetric properties thathave John as subject:

SELECT ?p WHERE {PropertyValue(ex:john, ?p, ?o),Transitive(?p)}

OR WHERE {PropertyValue(ex:john, ?p, ?o),Symmetric(?p)}

13/09/2016Page 5/27


SPARQL-DL syntax

The SPARQL-DL query language allows the expression of composite conjunctions and disjunctions between 18 different atoms:

Type(a,C)ProperyValue(a,p,v)SameAs(a,b)DifferentFrom(a,b)EquivalentClass(C1,C2)SubClassOf(C1,C2)DisjointWith(C1,C2)ComplementOf(C1,C2)EquivalentProperty(p1,p2)

SubPropertyOf(p1,p2)InverseOf(p1,p2)ObjectProperty(p)DatatypeProperty(p)Functional(p)InverseFunctional(p)Transitive(p)Symmetric(p)Annotation(s,p,o)

13/09/2016Page 6/27


Managing Access Control forDL Inferred Knowledge

Different works specify techniques for managing high level and fine-grained access control for RDF graphs

Such works do not rely on reasoning algorithms for protecting data. But using the specification of complex DL expressions for identifying the different pieces of data to be protected appears to represent an interesting approach, as already showed by Sacco et al. (2011), Masoumzadeh et al.(2011)

This is the first time that such interesting approach is applied to a SPARQL-DL query interface

13/09/2016Page 7/27


Why applying Access Control paradigms to a SPARQL-DL query interface?

?

1. It allows mixed ABox-RBox-TBox queries that can not be handled by other query languages

2. It has a clear syntax and semantics

3. The SPARQL-DL Java API released by the DERIVO company is available under LGPL license

4. The same reasoner instance that is used to obtain the results of a SPARQL-DL query can be used for inferring fine-grained access permissions

13/09/2016Page 8/27


Our chosen Access Control approach:Formal Specification of Obligations

We define the general form of an obligation O as a triple

O = <D, A, C>

Where D is a description of the requesting user, A is the activation condition of the obligation and C the content of the obligation

The activation condition of the obligation is the formal specification of a set of condition according to which the obligation activates, in the form of a set of logical axioms

The content of the policy is the set of actions that have to be performed as a consequence of the activation of the obligation

13/09/2016Page 9/27


Obligation Definition Example(Hospital Use Case)

When a user submits a query for statistical purposes, the ID of patients with a diabetic disease have to be anonymized

In our O = <D, A, C> paradigm, D is a description of the requesting user, as, e.g., a statisticalPurposes attribute(we did not focus on such part)

A can be a DL Class axiom identifying each patient with a diabetic disease:

Class: AC01SubClassOf: ACEquivalentTo: Patient and hasRecord

some (hasInfoAbout value diabetes)

13/09/2016Page 10/27


Obligation Definition Example(Hospital Use Case)

C is a pre-defined function to be called passing as an argument p each piece of data identified by the class AC01:

C = anonymize(p, someAnonimizationAlgorithm)

We identified three main types of content functions in our experiments. Such list can be extended:

Remove(p)

Anonymize(p, someAnonimizationAlgorithm)

WriteLogEvent(requestingUser, p, timestamp)

13/09/2016Page 11/27


Obligation Enforcement Module:An Access Control Middle-Layer

13/09/2016Page 12/27


Obligation Enforcement in 4 steps

1. When the Access Control Layer receives a SPARQL-DL query, it is rewritten before submitting it to the final endpoint, in order to retrieve the access control conditions also for each piece of returned data

2. The modified query is submitted to the SPARQL-DL endpoint and executed on both collections of original data and activation conditions

3. The result is returned to the Access Control Layer. Each piece of data on which an obligation is active, is changed according to each obligation content function.

4. The final result is returned to the Data Consumer

13/09/2016Page 13/27


1. SPARQL-DL Query Rewriting

For each variable and individual in the query, information must be added in order to retrieve the conditions that are active for each piece of data

Example query: identifying all people living in Oxford or Birmingham

SELECT ?xWHERE {PropertyValue(?x, livesIn, oxford),

Type(?x, Person)}OR WHERE {PropertyValue(?x, livesIn, birmingham),

Type(?x, Person)}

13/09/2016Page 14/27



For each variable in in each WHERE clause, another WHEREclause is added for identifying its activated conditions. Example:

SELECT ?xWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}

13/09/2016Page 15/27




SELECT ?x, ?xACWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}OR WHERE {PropertyValue(?x, livesIn, oxford),

Type(?x, Person),SubClassOf(?xAC, AC), Type(?x, ?xAC)}

13/09/2016Page 16/27




SELECT ?x, ?xACWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}[…]OR WHERE {PropertyValue(?x, livesIn, birmingham),

Type(?x, Person),SubClassOf(?xAC, AC), Type(?x, ?xAC)}

13/09/2016Page 17/27



For each named individual, a WHERE clause is added for identifying its own activated conditions:

SELECT ?x, ?xAC, ?oxfACWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}[…]OR WHERE {SubClassOf(?oxfAC, AC),

Type(oxford, ?oxfAC)}

13/09/2016Page 18/27




SELECT ?x, ?xAC, ?oxfAC, ?birACWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}[…]OR WHERE {SubClassOf(?birAC, AC),

Type(birmingham, ?birAC)}

13/09/2016Page 19/27




SELECT ?x, ?xAC, ?oxfAC, ?birAC, ?perACWHERE {PropertyValue(?x, livesIn, oxford),


Type(?x, Person)}[…]OR WHERE {SubClassOf(?perAC, AC),

SubClassOf(Person, ?perAC)}

13/09/2016Page 20/27


2. Enhanced response

The query rewriting process obtains a query having as results all the results of the original query, plus the information about the activated conditions on each piece of data

Sample response for the presented original query

?x

bob

carl

alice

eleanor

donald

13/09/2016Page 21/27


2. Enhanced response

Sample enhanced response

?x ?xAC ?oxfAC ?birAC ?perAC

bob

carl

alice

eleanor

donald

bob AC01

bob AC02

carl AC02

eleanor AC01

AC03

13/09/2016Page 22/27


3. Obligation Enforcement

The table is splitted into two sets


bob

carl

alice

eleanor

donald

bob AC01

bob AC02

carl AC02

eleanor AC01

AC03

StandardResponse

Enforcementdirectives

13/09/2016Page 23/27



Data is changed in the standard response according to obligations functions (e.g. bob is removed…)


bob

carl

alice

anonym01

donald

bob AC01

bob AC02

carl AC02

eleanor AC01

AC03

StandardResponse


WriteLogAnonymize

Remove

13/09/2016Page 24/27



Data is changed in the standard response according to obligations functions (e.g. bob is removed…)


alice

anonym01

donald

bob AC01

bob AC02

carl AC02

eleanor AC01

AC03

StandardResponse


13/09/2016Page 25/27


4. Final Response

Enforcement directives are removed


alice

anonym01

donald

Originalvariables

Access ControlVariables

13/09/2016Page 26/27


4. Final Response

Access Control variables are removed

?x

alice

anonym01

donald

That is ourFinal response

13/09/2016Page 27/27


Performances

13/09/2016Page 28/27


Conclusion and Future Work

We presented an approach for defining and enforcing expressive data provider obligations for performing fine-grained protection on OWL 2 DL data

A private-by-default environment can be chosen, permissions can be expressed at the same manner as the proposed obligations, and introducing a little change in the enforcement algorithm

The concept of Institutional power for generating policies can be added, by studying its relationship with the proposed model

DL policies can be transmitted as Sticky Policies

Nicoletta Fornara, Fabio Marfia

Università della Svizzera italiana (USI) – http://www.usi.ch

13th September 2016

Modeling and EnforcingAccess Control Obligations forSPARQL-DL queries

http://www.usi.ch/

13/09/2016Page 30/27


Citations

E. Sirin and B. Parsia. SPARQL-DL: SPARQL Query for OWL-DL. Proceedings of the Third International Workshop on OWL: Experiences and Directions (OWLED '07)O. Sacco, A. Passant, and S. Decker: An access control framework for the web of data. In 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (2011)A. Masoumzadeh and J. Joshi: Ontology-based access control for social network systems. IJIPSI (2015)T. T. Nguyen, N. Fornara, and F. Marfia: Automatic policy enforcement on semantic social data. Multiagent and Grid Systems Journal (2015)

Date post:	14-Jan-2017
Category:	Technology
Upload:	semanticsconference
View:	33 times
Download:	0 times

Nicoletta Fornara and Fabio Marfia | Modeling and Enforcing Access Control Obligations for SPARQL-DL...

Technology