Policy-Driven Negotiations and Explanations on the Semantic Web

1
Policy-DrivenNegotiations and Explanationson
the Semantic Web

• Daniel Olmedilla
• L3s Research Center / Hannover University
• CSL Seminar, SRI International
• Menlo Park, CA, 24th October 2005

2
Motivation ScenarioBuying in Internet

• Bob wants to access an electronic AI book at
  E-Book Store (a web site he found while surfing
  in Internet)
• Previously, E-Book requires Bob to register
  providing full name, age, complete address,
  telephone and e-mail
• Bob does not mind to give his full name and age
  but he does not like to provide his complete
  address, telephone and e-mail. However, he does
  not have any other option so he does it (although
  he does not provide his real address and
  telephone).
• E-Book sells that book. Therefore now it asks Bob
  to provide his credit card information. Bob would
  not mind to buy the book because it is not too
  expensive and he is really interested in reading
  it. However, he has never heard about E-Book so
  he decides to not buy it

3
Traditional Access Controlfor Decentralized
Systems

• Assumption I already know you---you have a local
  account!

4
Policy-Driven Negotiation (I)General Picture

• Every party can define policies to control
  outsiders use of its resources
• Service access control (security)
• Credential disclosure control (privacy)
• Business rules
• Decisions are based on parties properties
• Properties are established iteratively and
  bilaterally by the disclosure of certificates and
  declarations, i.e. negotiations

Winsborough, Seamons, Jones. Automated Trust
Negotiation.DARPA Information Survivability
Conference and Exposition, 2000
5
Policy-Driven Negotiation ( II)Example
Security Privacy
Bob
Alice
6
Policy Specification (I)What does policy refers
to?

• The term policy refers to
• Security Policies pose constraints on the
  behavior of a system
• Trust Management Policies typically used to
  collect user properties in open environments
• Business Rules statements about how a business
  is done
• In addition, associated to policies one needs to
  execute actions. Therefore also relevant
• Action Languages used in reactive policy
  specification to execute actions

Bonatti, Shahmehri, Duma, Olmedilla, Nejdl,
Baldoni, Baroglio, Martelli, Patti, Coraggio,
Antoniou, Peer, Fuchs. Rule-based Policy
Specification State of the Art and Future Work.
Project deliverable D1, Working Group I2, EU NoE
REWERSE
7
Policy Specification ( II)Integration of
Policies

• Although many approaches have been described to
  address the above points, there is no common
  solution, integrating them all in a single
  framework.

8
Protune Rule Language (I)Specification

• Based on normal logic program A ? L1,,Ln
• Categories of predicates are
• Decision Predicates
• Allow() queried by the negotiation for access
  control decisions
• Sign() used to issue statements signed by the
  principal owning the policy
• Abbreviation/Abstraction Predicates
• Constraint Predicates comprise usual equality
  and disequality predicates
• State Predicates decisions according the state
• State Query Predicates read the state without
  modifying it
• Provisional Predicates may be made true by means
  of associated actions that may modify the current
  state
• E.g. credential(C,K), declaration(),
  logged(X,logfile_name)

Bonatti, Olmedilla. Driving and Monitoring
Provisional Trust Negotiation with Metapolicies.
IEEE Policies for Distributed Systems and
Networks (POLICY 2005)
9
Protune Language (II)Policy Filtering Example
allow(download(Resource)) ?
public(Resource).
allow(download(Resource)) ?
public(Resource).
file1234.pdf is not public
allow(download(Resource)) ?
authenticated(User), hasSubscription(Use
r).
allow(download(Resource)) ?
authenticated(User), hasSubscription(Use
r).
blurred( )
Alice does not know what authenticated means
authenticated(User) ? credential(C),
C.typeid. authenticated(User) ?
declaration( userUser,
passwordP ),
passwd(User,P).
authenticated(User) ? credential(C),
C.typeid. authenticated(User) ?
declaration( userUser,
passwordP ),
passwd(User,P).
blurred( )
hasSubscription(Alice). hasSubscription(John).
passwd(Alice,1234ab3). passwd(John,
8ca).
Only shared predicates
Only shared predicates
10
Protune Language (III)Filtering Process
11
Protune Language (III)Metapolicies
12
PROTUNE Policy Language ( IV)Metapolicy Examples

• table(Key,Data).evaluationimmediate ?
  ground(Key).
• logged(Msg,File).actionechoMsggtFile.
• credential(_).ontologyURI.
• abbrev(_).explanationthis condition checks

13
Application ScenarioNegotiating on the Web

• Gavriloaie, Nejdl, Olmedilla, Seamons,
  Winslett. No Registration Needed How to Use
  Declarative Policies and Negotiation to Access
  Sensitive Resources on the Semantic Web. 1st
  European Semantic Web Symposium

14
Policy Answering Explanations (I)Motivation

• Suppose Alice's request is rejected
• She may want to ask questions like
• Why didn't you accept my credit card?
• Other possible queries
• How-to queries
• What-if queries
• Would I get the special discount on financial
  products X if I were locally employed?

15
Policy Answering Explanations ( II)Analysis
and Requirements

• Easy instantiation in any given app. domain
• One step extra creating literal verbalization
  rules
• Performance
• Should not increase significantly the
  computational load of servers
• Constructed at client side
• Explanation method
• Focus on the parts of the search space relevant
  to the user
• Concise (pruned irrelevant information) vs.
  detailed
• Presentation strategies
• Different kind of queries why/why-not, how-to,
  what-if
• Breaking up and pruning of proofs and
  explanations
• Explanation navigation Proof as a (potentially
  cyclic) hypertext
• Based on
• Set of (computed) answer substitutions
• Tabled explanation structure
• Verbalization patterns

Bonatti, Olmedilla, Peer. Advance Policy
Queries.Project deliverable D4, Working Group
I2, EU NoE REWERSE
16
How-To Queries (I) how-to allow(download(Resourc
e))
POLICY allow(download(Resource)) ?
public(Resource). allow(download(Resource))
? authenticated(User), hasSubscription(User).
allow(download(Resource) ? authenticated(User),
paid(User,Resource). METAPOLICY allow(download(
Resource)).explanation it,is,allowed,to,downloa
d,Resource. public(Resource).explanation Reso
urce,is,public. authenticated(User).explanation
User,is,authenticated. hasSubscription(User).
explanation User,has,subscription. paid(User,
Resource).explanation User,has,paid,for,Resourc
e.

• TO MAKE SURE THAT it is allowed to download
  Resource
• NOTHING NEEDS TO BE DONE IF
• Resource is public details
• ALTERNATIVELY
• PLEASE MAKE SURE THAT FOR SOME User
• User is authenticated details
• AND
• User has subscription details
• ALTERNATIVELY
• PLEASE MAKE SURE THAT FOR SOME User
• User is authenticated details
• AND

17
How-To Queries ( II) how-to authenticated(User)
POLICY authenticated(User) ? credential(Credentia
l), Credential.typeid, Credential.nameUser,
Credential.issuerCA, blurred(trusted_for(CA,id
)). authenticated(User) ?
declaration( userUser,
passwordP ),
blurred(passwd(User,P)). METAPOLICY authentica
ted(User).explanation User,is,authenticated.
trusted_for(CA,Type).explanation CA,is,trusted,
for,Type. passwd(User,P).explanation P,is,the
,correct,password,for,User.

• TO MAKE SURE THAT User is authenticated
• PLEASE MAKE SURE THAT FOR SOME
• User, Credential and CA
• Credential has type id, name User and issuer
  CA
• AND
• CA is trusted for id details
• which has solutions (click for proof details)
• Credentialc012,UserJohn,CAL3S apply
  it
• Credentialc015,UserJohn,CASRI apply
  it
• ALTERNATIVELY
• PLEASE DECLARE THAT
• username User and password P info
• WHERE
• P is the correct password for User

Existence of solutions may be applied in order to
see its global consequences
18
Why-Not Queries (I)concise why-not
allow(download(paper14.pdf)
authenticated depends on a credential.
hasSubscription depends on authenticated
POLICY r3 allow(download(Resource))
? authenticated(User), hasSubscription(User).
r4 allow(download(Resource)
? authenticated(User), paid(User,Resource). MET
APOLICY allow(download(Resource)).explanation i
t,is,allowed,to,download,Resource. public(Resour
ce).explanation Resource,is,public. authentic
ated(User).explanation User,is,authenticated.
hasSubscription(User).explanation User,has,sub
scription. paid(User,Resource).explanation Us
er,has,paid,for,Resource.

• I CANT PROVE THAT
• it is allowed to download paper14.pdf
• BECAUSE
• Rule r3 is not applicable
• THERE IS NO User SUCH THAT
• User is authenticated details
• AND
• Rule r4 is not applicable
• THERE IS NO User SUCH THAT
• User is authenticated details
• MOREOVER
• THERE IS NO User SUCH THAT
• User has paid for paper14.pdf details

Pruning User is not authenticated so it makes no
sense to inspect her subscriptions
19
Why-Not Queries ( II)concise why-not
authenticated(User)
POLICY r6 authenticated(User)
? credential(Credential), Credential.typeid,
Credential.nameUser, Credential.issuerCA, blu
rred(trusted_for(CA,id)). r7
authenticated(User) ? declaration(
userUser,
passwordP ),
blurred(passwd(User,P)). METAPOLICY authenticated
(User).explanation User,is,authenticated. tru
sted_for(CA,Type).explanation CA,is,trusted,for
,Type. passwd(User,P).explanation P,is,the,co
rrect,password,for,User.

• I CANT FIND ANY User SUCH THAT
• User is authenticated
• BECAUSE
• c012 is a credential with
• type id,name John and issuer
  L3S details
• BUT
• IT IS NOT THE CASE THAT
• L3S is trusted for id details
• AND
• Rule r7 is not applicable
• THERE ARE NO User AND P SUCH THAT
• IT HAS BEEN DECLARED THAT
• username User and password P

20
Advanced Explanations (I)Tabled Explanation
Structure

• Given atom A and a program P
• Explanation node X set of (r,?) such that
• Navigation links
• Detail Links expand proof details for subgoal
• Refinement Links apply answer substitutions
  locally
• Explanation Graph XG (V,ED, ER)
• Explanation Structure Graph computed answers

21
Advanced Explanations ( II)Novel Aspects

• Tabled explanation structure
• vs. single derivations or proof trees
• Show simultaneously different proof attempts
• Allow to see local (intra-proof) and global
  (inter-proof)
• Heuristics to remove irrelevant information
• But provide full explanations too
• Heuristics are generic, domain independent
• Lightweight and scalable
• Most of computational effort is delegated to
  clients

22
REWERSE WG I2 (I)Mission

• Integration of policies
• Security policies, Trust management
• Business rules, Quality of service specs.
• Enhance user control and awareness on system
  behavior
• Reduce the cost of building and maintaining
  cooperative systems

23
REWERSE WG I2 ( II)Current Actions

• Adopt a rule-based policy specification language
  PROTUNE
• Flexible and structurally similar to the natural
  way policies are expressed
• Advanced explanation mechanisms
• To help the user to understand what policies
  prescribe and control
• Controlled Natural Language front-end
• To translate natural language text into rules
• Generate automatically explanations in natural
  language

24
Further WorkOther REWERSE I2 Objectives

• Negotiation Strategies
• Integration of policy-based and reputation-based
  trust management
• Integrate event-condition-action (ECA) rules
• Natural language front-end to the policy domain
• Natural Language Processing (NLP)
• Automatic generation of natural language
  explanations from proofs and filtered policies

25
Thanks!
Questions? olmedilla_at_l3s.de -
http//www.l3s.de/olmedilla/
26
Application Scenario (II)Grid Limitations
27
Application Scenarios ( III)Negotiating on the
Grid
Basney, Nejdl, Olmedilla, Welch, Winslett.
Negotiating Trust on the Grid.2nd Workshop on
Semantics in P2P and Grid Computing at WWW04
28
Reference Scenario ( IV)Natural Language

• We are aiming at natural rule/query formulation
• Users can download the files in folder
  historical_data if the creation date precedes
  1/1/2000
• Policy enforcement, negotiations, query answering
  should all be automatically derived from such
  specifications
• Attempto Controlled English

29
Trust ManagementReputation-based vs Policy-based
Reputation-based
Policy-based
accessGranted(Res) ? credential(X,VISA), X.type
credit card, X.owner B.
trust(A,B, download(file), 80-100)
? credential(X, VISA), X.type credit card,
X.owner B . allow(visaCard) ? credential(member
(Requester),bbb), trust(self, Requester, buying,
X), X gt 0.8. in(trust(X,Y ,A, L), reputation pckg
eval trust()))
Staab,Bhargava,Lilien,Rosenthal,Winslett,Sloman,D
illon,Chang,Hussain,Nejdl,Olmedilla,Kashya The
Pudding of Trust. IEEE Intelligent Systems
Journal, Vol. 19(5), Sep./Oct. 2004 Bonatti,
Duma, Olmedilla, Shahmehri. An Integration of
Reputation-based and Policy-based Trust
Management. Submitted for Publication